Leopold Joy

Reputation: 4660

Is this a sound authentication scheme for Node.js and Socket.io?

I am trying to set up a user login system with Node.js (Express), Socket.io, and Redux/ReactJS. This is the approach I'm taking:

  1. The user connects through Socket.io as soon as he/she gets to the web app.
  2. Through socketio-auth the user is required to authenticate and passes their username and password to the server.
  3. Then, using socket.io-express-session, like in this example, I set a cookie with the user's username and password, so that every time they come back to the website they can be re-authenticated through socketio-auth. (I realize I could probably save a unique token in the cookie instead; would this be better?)
  4. On the server, upon authentication, I just save their details with their socketId to the Redux store for use with every Socket.io request while the session lasts.

Assuming this is all done over SSL, is this safe? What changes would you suggest? I'm trying to make it as simple as possible yet still very safe.

Upvotes: 2

Views: 200

Answers (1)

Mr.Pe

Reputation: 739

It seems like point 3, with Local Storage, is the best way to go for now.

See someone else's question: https://github.com/hueniverse/hawk/issues/138#issuecomment-196989520

Upvotes: 0
