Why does socket.io create a second sid cookie with a different path?

I am spinning up a project where I could swear this was not a problem before, but apparently it is now - I’m probably doing something stupid. I see that express and socket.io create two different sid cookies, one with the path "/" and the other with the path "/socket.io". The behavior I expect is for my express application and socket.io to share the same cookie / session.

"sid" cookie for "/": "sid" for "/"

"sid" cookie for "/socket.io": "sid" for "/socket.io"

I configure express via:

var config = require('config');
var express = require('express');
var cookieParser = require('cookie-parser');
var session = require('express-session');
var sessionStore = require('./session-store');

// Options handed to express-session.
var sessionConfig = {
  // Server-side store; the socket.io initializer requires the same module.
  store: sessionStore,
  // Secret used to sign the session id cookie.
  secret: config.server.sessionSecret,
  // Name of the session cookie (`key` is the older spelling of `name`).
  key: config.server.sessionKey,
  // A session is persisted for every new visitor, even before anything is
  // stored in it.
  saveUninitialized: true,
  // The session is written back to the store on every request, changed or not.
  resave: true,
  cookie: {
    // The Secure flag follows the HTTPS setting; when useHTTPS is falsy the
    // session cookie is also sent over plain HTTP.
    secure: config.server.useHTTPS
  }
};

/**
 * Registers cookie parsing and session handling on the express app.
 *
 * @param {Object} app - express application to configure.
 */
module.exports = function (app) {
  // Cookies are parsed (and signed ones verified) with the session secret
  // before the session middleware runs.
  var parseCookies = cookieParser(config.server.sessionSecret);
  app.use(parseCookies);

  var sessionMiddleware = session(sessionConfig);
  app.use(sessionMiddleware);
};

I configure socket.io through:

var config = require('config');
var redis = require('socket.io-redis')(config.redis.socket);
var cookieParser = require('socket.io-cookie-parser');
var sessionStore = require('./session-store');

/**
 * Wires the redis adapter and the connection middleware into socket.io.
 *
 * @param {Object} io - socket.io server instance to configure.
 */
module.exports = function (io) {
  io.adapter(redis);

  // The cookie parser is given the session secret, so signed cookies are
  // verified before the authorization middleware reads them.
  var parseCookies = cookieParser(config.server.sessionSecret);
  io.use(parseCookies);
  io.use(authorization);
};

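/**
 * socket.io middleware that lets a connection through only when it carries a
 * signed session cookie that resolves to a stored session.
 *
 * @param {Object} socket - socket.io socket; the cookie parser registered
 *   ahead of this middleware is expected to have populated
 *   `socket.request.signedCookies`.
 * @param {Function} next - called with an Error to refuse the connection.
 */
function authorization (socket, next) {
  var unauthorized = new Error('Unauthorized');

  if (!socket.request.headers.cookie) {
    return next(unauthorized);
  }

  // The cookie name is taken from engine.io's `cookie` option.
  var sessionKey = socket.server.engine.cookie;

  // Only a signature-verified value is accepted as the session id. Falling
  // back to the unsigned `cookies` map would let a client choose the value
  // passed to the store without ever holding a valid signature.
  var signed = socket.request.signedCookies;
  var sessionId = signed ? signed[sessionKey] : undefined;

  if (typeof sessionId !== 'string' || !sessionId) {
    return next(unauthorized);
  }

  sessionStore.get(sessionId, function (err, session) {
    // Fail closed: a store error or an unknown session id refuses the
    // connection, and the store's error message is not forwarded to the client.
    if (err || !session) {
      return next(unauthorized);
    }

    // use session userId to fetch user & attach to socket
    // NOTE(review): the code elided here still has to call next() once the
    // user is attached.
  });
}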

These two files are linked from my main server file:

var http = require('http');
var express = require('express');
var socketio = require('socket.io');
var config = require('config');

var app = express();
var server = http.Server(app);
// socket.io is given the express session key as its `cookie` option, so the
// cookie issued on the socket.io side carries the same name as the
// express-session cookie.
var io = socketio(server, {
  cookie: config.server.sessionKey
});

// initialize aspects of the app
require('./config/initializers/io')(io);
require('./config/initializers/express')(app);

module.exports = server;

The cookie that appears to come from socket.io is actually set by engine.io, which writes the cookie like this:

// Unless the `cookie` option is exactly false, a Set-Cookie header is attached
// to the transport's response headers.
if (false !== this.cookie) {
  transport.on('headers', function(headers){
    // Only "name=value" is written: there is no Path attribute, so the path
    // defaults from the request URL, and no HttpOnly or Secure attribute.
    headers['Set-Cookie'] = self.cookie + '=' + id;
  });
}

According to RFC 2109 (HTTP State Management Mechanism), a cookie set without a Path attribute takes its default path from the request URL:

Path   Defaults to the path of the request URL that generated the
       Set-Cookie response, up to, but not including, the
       right-most /.

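That is why this cookie ends up with the path /socket.io: the header above sets no Path, and socket.io's requests are made under /socket.io. If you do not need this cookie, you can turn off the engine.io cookie: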

// cookie: false stops engine.io from issuing its own cookie, which leaves the
// express-session cookie as the only one under the session key.
var io = socketio(server, {
  cookie: false
});

The authorization function then needs a change as well, because this line reads the engine.io cookie option:

// Takes the cookie name from engine.io's `cookie` option; once that option is
// set to false it no longer holds a cookie name.
var sessionKey = socket.server.engine.cookie;

With the cookie disabled in socket.io/engine.io, take the cookie name from the configuration instead:

// Same config value that express-session is given as its `key`, so both sides
// look up the session cookie under one name.
var sessionKey = config.server.sessionKey;