User Authentication In Tornado Websocket Application
I am currently improving my Tornado skills and have a question about user auth. My solution is to create a secure token on the first page and then send it with the other data, from JavaScript to torn
Solution 1:
I suggest you read the overview section in the documentation.
There should be some relevant content there:
EDIT
I just realized your question is about websockets. I believe you can use the approach you outline:
- Create a cookie in the non-websocket part of your app
- Check the cookie in the websocket handler
You should be able to access the request headers inside the websocket handler using self.request.headers.
Solution 2:
A client can probably make the request headers with a fake user: 'user="ImFkbWxxxx==|xxxxxxxxxx|9d847f58a6897df8912f011f0a784xxxxxxxxxx"'
I think the following approach is better. If the user does not exist or if the cookie id is not correct or falsified, then the function get_secure_cookie will not return a user
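import tornado.websocket

class WebSocketHandler(tornado.websocket.WebSocketHandler):
    def open(self):
        # get_secure_cookie returns None if the cookie is missing or its signature is invalid
        user_id = self.get_secure_cookie("user")
        if not user_id:
            self.close()  # returning alone would leave the socket open
            return None
        ...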
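Why a forged value in the value|timestamp|signature shape shown in Solution 2 is rejected, as an added example that is not part of the original answers and is not Tornado's own implementation: a simplified signed cookie built with the standard library only. The names `sign_cookie`, `verify_cookie` and `SECRET` are hypothetical, and all sample values are constructed.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: stands in for the app's cookie secret


def _signature(secret, name, b64_value, timestamp):
    # Bind the signature to the cookie name, the value and the issue time.
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    for part in (name.encode(), b64_value, timestamp):
        mac.update(part + b"|")
    return mac.hexdigest().encode()


def sign_cookie(secret, name, value, now=None):
    """Return b'<base64 value>|<timestamp>|<hex HMAC>'."""
    timestamp = str(int(time.time() if now is None else now)).encode()
    b64_value = base64.b64encode(value.encode())
    sig = _signature(secret, name, b64_value, timestamp)
    return b"|".join([b64_value, timestamp, sig])


def verify_cookie(secret, name, cookie, max_age=31 * 86400, now=None):
    """Return the decoded value, or None if malformed, forged or expired."""
    parts = cookie.split(b"|")
    if len(parts) != 3:
        return None
    b64_value, timestamp, signature = parts
    expected = _signature(secret, name, b64_value, timestamp)
    if not hmac.compare_digest(signature, expected):  # constant-time compare
        return None
    # The timestamp is trusted only now that the signature has been checked.
    now = time.time() if now is None else now
    if now - int(timestamp) > max_age:
        return None
    return base64.b64decode(b64_value).decode()


if __name__ == "__main__":
    good = sign_cookie(SECRET, "user", "alice")
    _, ts, sig = good.split(b"|")
    # A client that swaps the value but cannot recompute the HMAC:
    forged = b"|".join([base64.b64encode(b"admin"), ts, sig])
    print(verify_cookie(SECRET, "user", good))
    print(verify_cookie(SECRET, "user", forged))
```

The server-side check depends on the secret staying private: anyone who learns it can mint valid cookies for any user.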