Reputation: 128
User authentication in tornado websocket application
Now, i improve my tornado skills and have a question about user auth.
And my solution is create secure token on first page and next send it with other data, from javascript to tornado server where do checking and auth user.
i think about cookie but i don't know how i can read cookies in WebSocketHandler.on_message
what you think ? and where i wrong ? Thanks
Upvotes: 9
Views: 12641
Answers (2)
Reputation: 14791
A client can probably make the request headers with a fake user: 'user="ImFkbWxxxx==|xxxxxxxxxx|9d847f58a6897df8912f011f0a784xxxxxxxxxx"'
I think the following approach is better. If the user does not exist or if the cookie id is not correct or falsified, then the function get_secure_cookie will not return a user
class WebSocketHandler(tornado.websocket.WebSocketHandler):
def open(self):
user_id = self.get_secure_cookie("user")
if not user_id: return None
...
Upvotes: 6
Reputation: 100766
I suggest you read the overview section in the documentation.
There should be some relevant content there:
EDIT
I just realized your question is about websockets. I believe you can use the approach you outline:
- Create a cookie in the non-websocket part of your app
- Check the cookie in the websocket handler
You should be able to access the request headers inside the websocket handler using self.request.headers.
Upvotes: 11
Related Questions
- Django websockets auth
- Websockets with Tornado: Get access from the "outside" to send messages to clients
- Tornado with Django authentication
- How do I ensure that Tornado will only open a websocket with authenticated users?
- How to Authenticate WebSockets in Tornado
- RESTful Authentication with Tornado
- What are the possible ways to authenticate user when websocket connection is used?
- Django user in tornado
- WebService with Tornado.web and Authentication. Do you have Example?
- Getting Secure Websockets working on Tornado