-
May 15th, 2014, 09:00 AM
#1
Sending authenticated sessionID cookie from browser to notifyUser
Hi,
I am currently implementing authentication for my lightstreamer instance.
notifyUser is being called with a request, for example:
{ id: 'd100000145fea61d8d',
verb: 'notifyUser',
userName: 'some',
userPassword: 'thing',
headers:
{ 'content-type': 'application/x-www-form-urlencoded; charset=UTF-8',
'cache-control': 'no-cache',
connection: 'keep-alive',
host: 'localhost',
'accept-language': 'en-US,en;q=0.5',
accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'content-length': '218',
origin: 'https://localhost:4433',
'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0',
'accept-encoding': 'gzip, deflate',
referer: 'https://localhost:4433/view1',
pragma: 'no-cache',
REQUEST_ID: '277' } }
I understand that this is triggered by the client.connect() which is executed on the client from within the webpage that has been served by my server.
In order to proceed with the authentication inside notifyUser I need access to the sessionID that has been set by the server in the form of a cookie. This cookie is currently specified as httpOnly so that the browser does not allow programmatic access to it. What I would like is recommendations for the best/most secure approach to handle the authentication in this manner. Specifically I need access to this sessionId inside the notifyUser method so that I can authenticate effectively and return from the function.
Maybe there is also some consideration relating to the withCredentials parameter that is typically set when making https requests. However, as the https request to start the session is made from within the lightstreamer library itself, I do not know any way to set this field.
Advice would be much appreciated.
Thank you.
-
May 16th, 2014, 10:11 AM
#2
Hi,
You may enable the forwarding of the cookies to the Metadata Adapter, setting to 'Y' the <forward_cookies> configuration element in the SECURITY CONFIGURATION section of the lightstreamer_conf.xml file.
If set to 'Y', the cookies are forwarded to the Metadata Adapter through the httpHeaders argument of the "notifyUser" method.
But keep in mind that, as stated in the notes, you should also set to 'Y' the <use_protected_js> configuration element, because otherwise you may expose the server to CSRF attacks, and you should also configure the <cross_domain_policy> element with a less permissive rule.
hth
Marco
-
May 16th, 2014, 02:56 PM
#3
Hi,
thanks for the reply.
I set <use_protected_js>Y</use_protected_js> and <forward_cookies>Y</forward_cookies>
but still in the request I only see the following:
{ id: '40000014605500b77',
verb: 'notifyUser',
userName: null,
userPassword: null,
headers:
{ 'content-type': 'application/x-www-form-urlencoded; charset=UTF-8',
'cache-control': 'no-cache',
connection: 'keep-alive',
host: 'localhost',
'accept-language': 'en-US,en;q=0.5',
accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'content-length': '151',
origin: 'https://localhost:4433',
'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0',
'accept-encoding': 'gzip, deflate',
referer: 'https://localhost:4433/view1',
pragma: 'no-cache',
REQUEST_ID: '16' } }
Here is my notify user method:
metadataProvider.on('notifyUser', function(request, response){
console.log(request);
});
and here is the adapters config:
<metadata_provider>
<adapter_class>com.lightstreamer.adapters.remote.metadata.RobustNetworkedMetadataProvider</adapter_class>
<classloader>log-enabled</classloader>
<param name="request_reply_port">6662</param>
<param name="timeout">36000000</param>
</metadata_provider>
Is there something else that I need to do?
Thanks for the help.
-
May 19th, 2014, 11:42 AM
#4
Hi,
It might depend on the browser in use; be sure to call lightstreamerClientInstance.connectionOptions.setCookieHandlingRequired(true) on the client
See
http://www.lightstreamer.com/docs/cl...ndlingRequired
and
https://docs.google.com/a/lightstrea...rive_web#gid=1
If still in trouble, verify that the cookie is sent by the browser (check the create_session.js request) and get back to us.
-
May 19th, 2014, 12:11 PM
#5
that did the trick, thanks for the help!
-
May 20th, 2014, 08:55 AM
#6
Actually, that fixed one problem and exposed another one. I now have the required cookies, and I parse them and use the result to perform a lookup in a database, which is an async call. Is it OK to call async code inside the notifyUser method? It seems that this is causing an issue currently, as when I change the method body to simply:
response.success(100000000,false);
... everything works just fine.
However, when I call response.success(100000000,false); from the database callback function, the LSClient will no longer connect.
What is the recommended approach here?
-
May 20th, 2014, 09:11 AM
#7
Have looked into this further - when client.connectionOptions.setCookieHandlingRequired(true); is set by the client the request headers that are sent to the notifyUser method are different. For example:
When client.connectionOptions.setCookieHandlingRequired is set to true:
headers:
{ cookie: 'connect.sid=s%3A8RiLRECNKkGGSJOQnKGdGizY.iqYm2IPNgzJph7Qk%2BrG1pEqktnlm0KVLtpXEVZ5L2Yw; XSRF-TOKEN=jhIQq6AYLGxE2DrjxiK8L1zg67RfV0eaCt0N0%3D',
connection: 'keep-alive',
host: 'localhost',
'accept-language': 'en-US,en;q=0.5',
accept: '*/*',
'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0',
'accept-encoding': 'gzip, deflate',
referer: 'https://localhost:4433/view1',
REQUEST_ID: '7' } }
.... and when client.connectionOptions.setCookieHandlingRequired is set to false:
headers:
{ 'content-type': 'application/x-www-form-urlencoded; charset=UTF-8',
'cache-control': 'no-cache',
connection: 'keep-alive',
host: 'localhost',
'accept-language': 'en-US,en;q=0.5',
accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'content-length': '147',
origin: 'https://localhost:4433',
'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0',
'accept-encoding': 'gzip, deflate',
referer: 'https://localhost:4433/view1',
pragma: 'no-cache',
REQUEST_ID: '4' } }
As we can see above, the headers are different by more than just the cookie. For example, when setCookieHandlingRequired is true the origin field is not specified.
When setCookieHandlingRequired is true my LS client can't connect; I have a feeling that the problem is related to the differences mentioned above.
Please can you advise?
Thanks.
-
May 20th, 2014, 09:26 AM
#8
To call success asynchronously is legal but it must execute "fast" or else the client will discard the connection as not working and will create a new session: can you confirm that this is what happens?
How long does it take for the asynchronous response from the database to come back? You might increase the connect timeout to wait a bit longer for the DB response but this has a negative impact on the automatic fallback mechanisms for cases where there are real network issues so you should first try to make the DB faster. See http://www.lightstreamer.com/distros...ConnectTimeout
-
May 20th, 2014, 09:35 AM
#9
Thanks for the info - that is useful to know. However, when I set setCookieHandlingRequired to true the client still won't connect even if I remove the DB call completely (i.e. change the body of notifyUser simply to response.success(100000000,false); )
Maybe there is a separate issue?
-
May 20th, 2014, 10:11 AM
#10
I have just double checked: it is simply the following line that, when it's uncommented, seems to prevent the LS client from connecting.
client.connectionOptions.setCookieHandlingRequired(true);
If I comment this out and refresh the site in the browser without changing anything else, everything works fine (albeit with the body of the notifyUser method simply being response.success(1000000,false); at the moment).