Hi,

I am currently implementing authentication for my Lightstreamer instance.

notifyUser is being called with a request, for example:

{ id: 'd100000145fea61d8d',
  verb: 'notifyUser',
  userName: 'some',
  userPassword: 'thing',
  headers:
   { 'content-type': 'application/x-www-form-urlencoded; charset=UTF-8',
     'cache-control': 'no-cache',
     connection: 'keep-alive',
     host: 'localhost',
     'accept-language': 'en-US,en;q=0.5',
     accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
     'content-length': '218',
     origin: 'https://localhost:4433',
     'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0',
     'accept-encoding': 'gzip, deflate',
     referer: 'https://localhost:4433/view1',
     pragma: 'no-cache',
     REQUEST_ID: '277' } }

I understand that this is triggered by the client.connect() which is executed on the client from within the webpage that has been served by my server.

In order to proceed with the authentication inside notifyUser I need access to the sessionID that has been set by the server in the form of a cookie. This cookie is currently specified as httpOnly so that the browser does not allow programmatic access to it. What I would like is recommendations for the best/most secure approach to handle the authentication in this manner. Specifically I need access to this sessionId inside the notifyUser method so that I can authenticate effectively and return from the function.

Maybe there is also some consideration relating to the withCredentials parameter that is typically set when making https requests. However, as the https request to start the session is made from within the Lightstreamer library itself, I do not know any way to set this field.

Advice would be much appreciated.

Thank you.