
If a logged-in user navigates to a certain area of the site which is to use WebSockets, how can I grab that session ID so I can identify him on the server?

My server is basically an endless while loop which holds information about all connected users and stuff, so in order to grab that id I figured the only suitable moment is at the handshake, but unfortunately the handshake's request headers contain no cookie data:

Request Headers

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Cache-Control: no-cache
Connection: keep-alive, Upgrade
DNT: 1
Host: 192.168.1.2:9300
Origin: http://localhost
Pragma: no-cache
Sec-WebSocket-Key: 5C7zarsxeh1kdcAIdjQezg==
Sec-WebSocket-Version: 13
Upgrade: websocket
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0

So how can I really grab that ID? I thought I could somehow force JavaScript to send cookie data along with that request, but any self-respecting website in 2014 will have HttpOnly session cookies, so that won't work out. Any help is greatly appreciated!

Here's a link for the server I'm using: https://github.com/Flynsarmy/PHPWebSocket-Chat/blob/master/class.PHPWebSocket.php (thanks to accepted answer)


1 Answer


HttpOnly cookies as well as Secure cookies work fine with WebSocket.

Some WebSocket modules have chosen to ignore cookies in the request, so you need to read the specs of the module.

Try WebSocket-Node: https://github.com/Worlize/WebSocket-Node.

Make sure to use the secure WebSocket protocol, as in wss://xyz.com.

Update:

Also, chrome will not show the cookies in the "inspect element" Network tab.

In Node try dumping the request, something like:

 wsServer.on('request', function(request) {
   console.log(request);          // dump the whole upgrade request object
   console.log(request.cookies);  // works in WebSocket-Node: the parsed Cookie header
 });

If you see the cookies somewhere in the log...you've got it.

If you're using Secure-only cookies, you need to be on secure WebSockets: wss://

Update2:

The cookies are passed in the initial request. Chrome does not show it (all the time) as sometimes it shows provisional headers which omits cookie information.

It is up to the WebSocket server to do 'something' with the cookies and attach them to each request.

Looking at the code of your server: https://github.com/Flynsarmy/PHPWebSocket-Chat/blob/master/class.PHPWebSocket.php I do not see the word "cookie" anywhere, so it is not being nicely packaged and attached to each websocket connection. I could be wrong, that's why you might want to contact the developer and see if the whole header is being attached to each connection and how to access it.

This I can say for certain: if you're using Secure cookies, then cookies will not be transmitted unless you use the secure WebSocket wss://mysite.com. Plain ws://mysite.com will not work.

Also, cookies will only be transmitted in the request if the domain is the same as the webpage.

  • I'm sorry but I would really like to stick to my current server. And I assume the problem is not in the server since cookies are missing from the **request** headers, which are sent from the user :/ – php_nub_qq Mar 09 '14 at 19:04
  • You won't see the cookies in the request header in Chrome. What server are you using? – Brian McGinity Mar 09 '14 at 19:07
  • I'm talking about the request headers on the `ws` request in the `Net` tab on any dev tools, where you see all headers, there is no `Cookie` header – php_nub_qq Mar 09 '14 at 19:14
  • I printed the whole buffer from the handshake processing method and there is no cookie header there either (kind of expected) – php_nub_qq Mar 09 '14 at 19:17
  • I know...you will ***not*** see Cookies in the header. Depending on which WebSocket server you are using--you ***will*** see them on the server. – Brian McGinity Mar 09 '14 at 19:18
  • I just told you that there are no cookies on the server either in my last comment :/ – php_nub_qq Mar 09 '14 at 19:19
  • What server are you using? – Brian McGinity Mar 09 '14 at 19:19
  • A PHP server, don't really know where I got it from but it seems like a decent one. I will add a download link to the files in the question. – php_nub_qq Mar 09 '14 at 19:20
  • Found it: https://github.com/Flynsarmy/PHPWebSocket-Chat it looks like cookies are not supported in this particular server. You may want to contact the creator and see if he has an updated version, or use a different WebSocket server. – Brian McGinity Mar 09 '14 at 19:36
  • Well, since it's not been updated for 2 years I doubt the creator would do something about it. But what is really bothering me is that the request headers are missing the cookie header. They are being sent before it's determined whether the server supports cookies or not. And also, how did you find out it doesn't support cookies (just out of curiosity, not that I don't trust you)? – php_nub_qq Mar 09 '14 at 19:50
  • That was it!!! I was using `192.168.1.2` as a WebSocket server address, but was connecting to `localhost` in the browser. Thank you sir !!!!! – php_nub_qq Mar 09 '14 at 21:02
  • @BrianMcGinity, What do you mean by "provisional headers which omits cookie information"? Why will the Chrome inspector not show the `Cookie` header when its very job is to do exactly that? – Pacerier Mar 16 '15 at 05:09
  • @php_nub_qq, Does this mean that the server actually does support cookies? So Brian's part on *"I do not see the word cookie"* is wrong, right? – Pacerier Mar 16 '15 at 06:30
  • @Pacerier presumably. I could dig into the server code that parses the incoming upgrade request and see the headers so they can't just magically disappear. I suppose he was thinking I'm using server API to get the headers and for some reason the server was configured so it wouldn't show it. – php_nub_qq Mar 16 '15 at 08:40
  • @BrianMcGinity, Do you agree with that? – Pacerier Mar 19 '15 at 15:15
  • @Pacerier, I did not see where in the code the headers were getting saved (I only took a quick look). php_nub_qq was able to read the headers and read the cookies once she made sure the WebSocket domain matched the domain of the web page. – Brian McGinity Mar 20 '15 at 00:18
  • Actually, I did not see the word "cookie", I was not looking for the headers. Most likely the headers are exposed and the cookies are inside the headers. It makes sense that web socket servers would make the headers readable. – Brian McGinity Mar 20 '15 at 00:35
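The thread above resolves to two points: the browser only attaches the `Cookie` header to the upgrade request when the page and the WebSocket endpoint share the same site (the asker's page was on `localhost` while the socket was on `192.168.1.2`), and the server itself has to pull the session ID out of that header from the raw handshake. The following is an added example written for this page, not code from the question, the answer, or the PHPWebSocket-Chat or WebSocket-Node projects. It parses a handshake as a server reads it off the socket, extracts the cookies, checks the `Origin` header against an allow list (a check a practitioner should add, since a cookie-authenticated WebSocket that ignores `Origin` can be opened by a page on any other site), and looks the session up. The handshake text, the `PHPSESSID` cookie name, the allowed origins and the session store are all constructed assumptions for the example.

```javascript
// Constructed sample handshake, modelled on the headers in the question but
// with the page and socket on the same host, so the browser has attached the
// session cookie. Not a real capture.
const SAMPLE_HANDSHAKE =
  'GET /chat HTTP/1.1\r\n' +
  'Host: 192.168.1.2:9300\r\n' +
  'Origin: http://192.168.1.2\r\n' +
  'Connection: keep-alive, Upgrade\r\n' +
  'Upgrade: websocket\r\n' +
  'Sec-WebSocket-Key: 5C7zarsxeh1kdcAIdjQezg==\r\n' +
  'Sec-WebSocket-Version: 13\r\n' +
  'Cookie: PHPSESSID=abc123; theme=dark\r\n' +
  '\r\n';

// The asker's original situation: page on localhost, socket on 192.168.1.2,
// so the browser sends no Cookie header at all (constructed, no Cookie line).
const CROSS_SITE_HANDSHAKE =
  'GET /chat HTTP/1.1\r\n' +
  'Host: 192.168.1.2:9300\r\n' +
  'Origin: http://localhost\r\n' +
  'Connection: keep-alive, Upgrade\r\n' +
  'Upgrade: websocket\r\n' +
  'Sec-WebSocket-Key: 5C7zarsxeh1kdcAIdjQezg==\r\n' +
  'Sec-WebSocket-Version: 13\r\n' +
  '\r\n';

// Hypothetical session store standing in for whatever PHP wrote to disk.
const SESSIONS = new Map([['abc123', { userId: 42, name: 'alice' }]]);

// Split the raw handshake into request line and a lower-cased header map.
// Repeated Cookie headers are joined with "; " (RFC 6265), others with ", ".
function parseHandshake(raw) {
  const head = raw.split('\r\n\r\n')[0];
  const lines = head.split('\r\n');
  const requestLine = lines.shift();
  const headers = {};
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (name in headers) {
      headers[name] += (name === 'cookie' ? '; ' : ', ') + value;
    } else {
      headers[name] = value;
    }
  }
  return { requestLine, headers };
}

// Turn "a=1; b=2" into { a: '1', b: '2' }; entries without "=" are skipped.
function parseCookies(header) {
  const cookies = {};
  if (!header) return cookies;
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Decide whether to accept the upgrade and which user it belongs to.
// allowedOrigins: exact Origin values that may open an authenticated socket.
function authenticateHandshake(raw, allowedOrigins, sessions) {
  const { headers } = parseHandshake(raw);
  if ((headers['upgrade'] || '').toLowerCase() !== 'websocket') {
    return { ok: false, reason: 'not a websocket upgrade' };
  }
  // Origin is set by the browser and cannot be changed by page script; reject
  // anything off the allow list before trusting a cookie the browser attached.
  if (!allowedOrigins.includes(headers['origin'])) {
    return { ok: false, reason: 'origin not allowed' };
  }
  const sid = parseCookies(headers['cookie'])['PHPSESSID'];
  if (!sid) return { ok: false, reason: 'no session cookie' };
  const session = sessions.get(sid);
  if (!session) return { ok: false, reason: 'unknown session' };
  return { ok: true, user: session };
}

// Usage: accept the same-site handshake, refuse the cross-site one.
console.log(authenticateHandshake(SAMPLE_HANDSHAKE, ['http://192.168.1.2'], SESSIONS));
console.log(authenticateHandshake(CROSS_SITE_HANDSHAKE, ['http://192.168.1.2'], SESSIONS));
```

In a real server the Origin allow list should hold only the exact scheme, host and port pairs that serve your pages, and the session cookie should be compared against the store the web application writes, not re-implemented; the parsing above is the part the asker's PHP server was missing.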