User Authentication In Tornado Websocket Application

Now, I am improving my Tornado skills and have a question about user auth. My solution is to create a secure token on the first page and then send it with other data, from JavaScript to torn

Solution 1:

I suggest you read the overview section in the documentation.

There should be some relevant content there:

EDIT

I just realized your question is about websockets. I believe you can use the approach you outline:

  • Create a cookie in the non-websocket part of your app
  • Check the cookie in the websocket handler

You should be able to access the request headers inside the websocket handler using self.request.headers.

Solution 2:

A client can probably make the request headers with a fake user: 'user="ImFkbWxxxx==|xxxxxxxxxx|9d847f58a6897df8912f011f0a784xxxxxxxxxx"'

I think the following approach is better. If the user does not exist, or if the cookie id is not correct or is falsified, then the function get_secure_cookie will not return a user.

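import tornado.websocket

class WebSocketHandler(tornado.websocket.WebSocketHandler):

    def open(self):
        # get_secure_cookie verifies the signature made with the app's cookie_secret
        user_id = self.get_secure_cookie("user")
        # None means the cookie is missing or its signature is invalid
        if not user_id: return None
        ...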
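As an added illustration (not code from either answer), the sketch below runs the cookie check from Solution 2 end to end on a loopback server: one client presents a cookie signed with the application's cookie_secret, another presents a value signed with a different secret. It also closes the socket when the check fails, because returning from open() alone leaves the connection open. SECRET, the /ws route, the AuthSocket class, the user names and the 1008 close code are assumptions made for the example.

```python
import asyncio

import tornado.httpclient
import tornado.httpserver
import tornado.netutil
import tornado.web
import tornado.websocket

SECRET = "constructed-demo-secret"  # assumption: stands in for the app's cookie_secret

class AuthSocket(tornado.websocket.WebSocketHandler):
    def open(self):
        # None when the cookie is absent, expired, or its HMAC does not verify.
        user = self.get_secure_cookie("user")
        if not user:
            # Returning alone would leave the socket open, so close it explicitly.
            self.close(1008, "unauthenticated")
            return
        self.user = user.decode()
        self.write_message("hello " + self.user)

async def first_message(port, cookie):
    """Connect with the given Cookie header; None means the server closed on us."""
    request = tornado.httpclient.HTTPRequest(
        f"ws://127.0.0.1:{port}/ws", headers={"Cookie": "user=" + cookie})
    conn = await tornado.websocket.websocket_connect(request)
    try:
        return await conn.read_message()
    finally:
        conn.close()

async def demo():
    app = tornado.web.Application([(r"/ws", AuthSocket)], cookie_secret=SECRET)
    sockets = tornado.netutil.bind_sockets(0, "127.0.0.1")
    server = tornado.httpserver.HTTPServer(app)
    server.add_sockets(sockets)
    port = sockets[0].getsockname()[1]
    # What set_secure_cookie would issue after login, versus a client-made value.
    genuine = tornado.web.create_signed_value(SECRET, "user", "bob").decode()
    forged = tornado.web.create_signed_value("wrong-secret", "user", "admin").decode()
    try:
        return await first_message(port, genuine), await first_message(port, forged)
    finally:
        server.stop()

def run_demo():
    return asyncio.run(demo())
```

run_demo() returns the first message each client received: the greeting for the genuine cookie and None for the client-made one, whose connection the server closed.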