Is it possible to reconnect a websocket connection after a page refresh?
The attach function works only with BOSH.
Requesting the password on every page refresh is such an uncomfortable way.
Strophe can connect only with a plain password, so there is no way to pass the password from the database.
Or is there a safe way to store the plain password?
Related
I am trying to build a chat web application. When the user sends a new message (HTTP Request) to the server, I want to send a WebSocket notification to the receiver of the message (Angular Client). When the user logs in to the app it opens a websocket connection with the server. I would like to ask you if my logic is right or I can do something better. I want to intercept the handshake before it gets established and grab the session id of the websocket and the Session JWT cookie of the user, so I can store them in my database. So when a user sends a message, the backend should look up in the database whether there is an active websocket connection or not. Although, I find this solution difficult to build as I am not sure a websocket session ID is enough to rebuild the Websocket session object from the start. Is there any better way to solve this?
Thank you in advance!
I am creating an application using Flask-SocketIO at the server side and a javascript Socket.IO client. (There will also be a Python client later). I want to ensure users are authenticated before they connect to the web socket server.
I have created a PHP login form to check the username and password. If these are valid then a unique token is returned and the token is also inserted into a table on the server. The token is passed to the client side javascript, where it is submitted with the request to create a web socket connection.
As I understand it, Flask-SocketIO will simply accept the connection and I need to put my validation code under the @socketio.on('connect') decorator. (I assume a server based implementation of Socket.IO works in a similar way). Therefore my code checks the submitted token against the database table and if it is valid the web socket connection is simply allowed to happen. However if the token is not valid I issue a disconnect() command. The javascript client does not try the connection again, which is what I want in this scenario.
Here is where it gets tricky...
I would like to write a disconnect handler on the client side using socket.on('disconnect', function() { //do something }); to allow the user to reconnect when the socket is broken due to a poor mobile connection for example. How can I distinguish an accidental disconnection from an intentional one due to failed validation?
Conversely, I would like to alert the user to the fact that their validation process failed. But how to distinguish that from a scenario where the socket is broken due to a poor mobile connection?
I would like to write a disconnect handler on the client side using socket.on('disconnect', function() { //do something }); to allow the user to reconnect when the socket is broken due to a poor mobile connection for example.
There is no need for you to worry about reconnection. The Socket.IO client protocol includes reconnection support and will always try to reconnect when the connection is lost. To verify this, start your server, connect with a client, and then kill your server. A little bit later restart the server and you will see that in a matter of seconds the connection is reestablished.
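The token check described in the question, as an added example that is not part of the original posts: the table keeps only a SHA-256 digest of each token, tokens expire, and the connect handler returns an explicit refusal reason so a client can tell failed validation from a dropped link. `TokenTable`, `ConnectResult` and `on_connect` are hypothetical names, and the Flask-SocketIO wiring is left out so the block runs without the library.

```python
import hashlib
import secrets
import time
from enum import Enum


class ConnectResult(Enum):
    ACCEPTED = "accepted"
    MISSING_TOKEN = "missing_token"
    UNKNOWN_TOKEN = "unknown_token"
    EXPIRED_TOKEN = "expired_token"


class TokenTable:
    """Stands in for the server-side token table (hypothetical schema)."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self._rows = {}  # sha256(token) -> (username, expires_at)
        self._ttl = ttl_seconds
        self._clock = clock

    @staticmethod
    def _digest(token):
        # Only the digest is stored, so a leaked table yields no usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._digest(token)] = (username, self._clock() + self._ttl)
        return token

    def check(self, token):
        """Return (ConnectResult, username or None) for a connect attempt."""
        if not token:
            return ConnectResult.MISSING_TOKEN, None
        key = self._digest(token)
        row = self._rows.get(key)
        if row is None:
            return ConnectResult.UNKNOWN_TOKEN, None
        username, expires_at = row
        if self._clock() >= expires_at:
            del self._rows[key]  # expired rows are purged on sight
            return ConnectResult.EXPIRED_TOKEN, None
        return ConnectResult.ACCEPTED, username


def on_connect(table, auth):
    """Body of a connect handler: the reason travels with the refusal."""
    result, user = table.check((auth or {}).get("token"))
    return {"ok": result is ConnectResult.ACCEPTED, "reason": result.value, "user": user}
```

In Flask-SocketIO a connect handler can refuse the connection by returning `False` or raising `ConnectionRefusedError` with a message, which the JavaScript client receives as a connection error rather than as a disconnect.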
I'm having a problem using websockets in my backend. I have to re-write some old with golang, and the old developer was using websocket while one client is tracking the other client's location.
Both clients connect to the websocket with the given URL:
"\(URLConstants.webSocketURL)?token=\(token)&jobId=\(jobId)"
So I thought both clients connect to the websocket with her/his own token and I need to reflect a user's message to the other user. I can open two sockets with the given URL.
It's the first time that I'm using websocket so I'm not sure I'm asking the right question.
You need to send the information to the existing sessions that you stored from opened connection and distribute the information to other users.
Try to go through this solution to get some inspiration https://github.com/suricatatalk/core/blob/master/core.go.
I'm writing a web client that needs to deal with lost connection.
If you are connected to a server using HTTPS and Internet connection drops, will the server lose the session information?
Once Internet connection is restored, does the client need to re-login to the server or does it depend on the server?
Usually the server determines how long a session lives (by defining a session timeout) and how a session (if at all) is persisted between single requests. The server sends a cookie with the session information (a session key) back to the client, so when the client sends the next request including the session cookie, the server knows which session to use.
Having said this - there is no information between two requests, whether the internet connection was lost in the meantime. As long as the server still has the session and the client still has the corresponding cookie, everything should work as expected.
On the other hand, even if there was no interrupt in the connection at all and both server and client were up and running, but without talking to each other (i.e. without requests), the session might be lost because of a simple timeout on the server side.
So on the server you might receive requests for resources that are secured or need a certain session state - and there is no such session. And on the client side you always might receive responses that indicate that a login is necessary.
Both cases must be implemented properly.
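The two cases this answer says must be handled, as an added example that is not part of the original answer: a server that drops sessions after an idle timeout, and a client that treats a 401 as "log in again" without ever keeping the password. `Server`, `Client`, `LoginRequired` and the credential check are constructed for illustration, and the clock is injectable so the timeout can be exercised without waiting.

```python
import secrets
import time


class LoginRequired(Exception):
    """Raised client-side when the server no longer knows the session."""


class Server:
    def __init__(self, idle_timeout=900, clock=time.time):
        self._sessions = {}  # session id -> [username, last_seen]
        self._idle_timeout = idle_timeout
        self._clock = clock

    def login(self, username, password):
        if password != "constructed-password":  # placeholder credential check
            return 401, None
        sid = secrets.token_urlsafe(32)  # unguessable session key for the cookie
        self._sessions[sid] = [username, self._clock()]
        return 200, sid

    def get_profile(self, sid):
        entry = self._sessions.get(sid)
        if entry is None or self._clock() - entry[1] > self._idle_timeout:
            self._sessions.pop(sid, None)  # unknown or timed out: forget it
            return 401, "login required"
        entry[1] = self._clock()  # every request renews the idle timer
        return 200, "profile of " + entry[0]


class Client:
    def __init__(self, server):
        self.server = server
        self.cookie = None  # session cookie; the password is never kept

    def login(self, username, password):
        status, sid = self.server.login(username, password)
        if status != 200:
            raise LoginRequired("bad credentials")
        self.cookie = sid

    def get_profile(self):
        status, body = self.server.get_profile(self.cookie)
        if status == 401:
            self.cookie = None  # stale cookie is useless; ask the user to log in
            raise LoginRequired(body)
        return body
```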
The HTTP protocol itself is stateless, i.e. each request is served as is without any relation to previous or future requests.
To overcome this you can use client Cookies. Your cookie can keep a session state identifier which can be sent back to the server after a connection drop to resume the previous state.
In addition to that you can build a session management module which handles session persistence.
First, it depends on the type of session you are talking about:
SSL session
This can cause a shortened renegotiation, if the server supports it. That means it saves CPU time.
HTTP sessions
Here it depends not only on the server but also on your web page code. For example, if the session drops while delivering the page content, the servlet receives a connection reset during flush and may invalidate the session.
It also depends on whether the session is bound to the IP address. Then it depends on whether the new connection uses the same IP address.
There is no simple answer, as you may have expected, since it depends on too many points.
As the others already stated you can "persist" a connection by using a SessionID, which is recommended to be stored in a cookie. Most of the modern Environments like PHP and ASP.NET use this mechanism which can deal with lost connections.
Please refer to https://www.owasp.org/index.php/Session_Management_Cheat_Sheet for security considerations for implementing a secure Session Management.
Additionally what you can do with SSL is to build the Session Management using client certificates. The user is identified by the unique certificate which is issued to him. This has the advantages that the client does not have to login first. On the other hand you have to issue a client cert to every client, which might be complex.
Use cookies to store the session information; once the connection is lost you can easily get the information from the cookies. Call the cookies using a condition, i.e. if the session is lost, call for the cookie. Use PHP to store information in the session and call the cookie.
Ruby Net::IMAP library provides a good API for IMAP stuff (http://railsapi.com/doc/ruby-v1.8/classes/Net/IMAP.html). There are two methods related to closing the IMAP connection: logout() and disconnect(). In which turn are they supposed to be called?
logout will simply log the user out of the server while disconnect will completely close the socket. I would use logout if you want to keep the connection open (like maybe logging into another mailbox using the same socket) and disconnect when you don't need to do any more work with the IMAP server. As for a sequence, logout should be used before disconnect.