Authentication fails since 0.8.6 - CORS #333

Closed
gavinuhma opened this Issue · 10 comments

7 participants

@gavinuhma

Cookies are not being sent so authentication fails.

This issue was originally added to socket.io server by @renajohn: Automattic/socket.io#625

I did a git bisect which tracked it down to this commit:
ab60690

Working request:

Request URL: http://redacted/socket.io/1/?t=1320720753680&jsonp=0
Request Method: GET
Status Code: 200 OK

Request Headers
Accept: */*
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Connection: keep-alive
Cookie: redacted
Host: redacted
Referer: http://redacted/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2

Broken request (Origin header / no Cookie header):

Request URL: http://redacted/socket.io/1/?t=1320721558960
Request Method: GET
Status Code: 403 Forbidden

Request Headers
Accept: */*
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Connection: keep-alive
Host: redacted
Origin: http://redacted
Referer: http://redacted/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2

@glenjamin

The client needs to set an additional flag to allow passing cookies with CORS, as "documented" here, and I assume also in the actual spec.

http://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/ (search in page for "cookie")

@gavinuhma

My concern is that withCredentials doesn't seem to be supported cross browser.

"By default, “credentials” such as Cookies and HTTP Auth information are not sent in cross-site requests using XMLHttpRequest. In order to send them, you have to set the withCredentials property of the XMLHttpRequest object. This is a new property introduced in Firefox 3.5 and Safari 4. IE8's XDomainRequest object does not have this capability."

The check for withCredentials support happens in hasCORS (https://github.com/LearnBoost/socket.io-client/blob/master/lib/util.js#L348) but it doesn't get set to true before the request.

I'll try that now.

@gavinuhma

I get this error after setting withCredentials = true;

"XMLHttpRequest cannot load http://redacted/socket.io/1/?t=1320788664255. Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true."

@gavinuhma

Working now.

This should be fine since it happens after verifyOrigin:

gavinuhma/socket.io@e4a9342

@benissimo

FYI this bug is present in 0.8.7 too (just mentioning this since it might not be obvious to all users). Hope that 0.8.8 will include this fix.

@YesterX2

I have the same issue. I tried some fixes but they don't work :(

@thorlarholm

Related issue for Tornadio2:

mrjoes/tornadio2#30

@zbjornson

I'm not sure if anyone who was having problems with this was using the auth technique described here (or nearly identically here) in a cross-domain environment. This ticket involves CORS, and the referenced socket.io ticket that was identified as the cause of this issue describes the cookie-based auth technique, so I'm assuming it's a common confusion.

I think socket.io is working properly. Setting withCredentials=true and Access-Control-Allow-Cookies tell the UA and server that cookies are okay to exchange, but it does not cause domain1's cookies to be sent to the other site. Some techniques for sharing cookies across domains are here: http://stackoverflow.com/questions/263010/whats-your-favorite-cross-domain-cookie-sharing-approach
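Added example, not part of the thread and not socket.io's own code: it models the three checks that decide whether a credentialed cross-origin request succeeds, covering both the "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true" error gavinuhma hit (the server must echo the verified Origin and send Access-Control-Allow-Credentials: true, after the origin check) and zbjornson's point that withCredentials only lets the browser attach cookies already scoped to the request's host. The origins (app.example, api.example), the allow-list, the cookie jar and the function names are all constructed for the example.

```javascript
// Added example, not socket.io's code. Origins, hosts and cookies are constructed.

// Constructed allow-list: origins this server is willing to exchange cookies with.
const ALLOWED_ORIGINS = new Set(['http://app.example', 'https://app.example']);

// Server side: pick the CORS response headers once the Origin has been verified.
// `requestHeaders` uses lowercase names, as Node's http module delivers them.
// Returns null when the Origin is rejected (answer 403), {} for non-CORS requests.
function corsHeadersFor(requestHeaders, allowedOrigins = ALLOWED_ORIGINS) {
  const origin = requestHeaders['origin'];
  if (origin === undefined) return {};          // same-origin request, nothing to add
  if (!allowedOrigins.has(origin)) return null; // origin verification failed
  return {
    // Echo the verified origin; '*' is refused by the browser once withCredentials is set.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // the response depends on Origin, so shared caches must key on it
  };
}

// Browser side: the check that yields "Cannot use wildcard in
// Access-Control-Allow-Origin when credentials flag is true". Returns an error
// message, or null when the response may be handed to the page's script.
function browserCredentialedCheck(requestOrigin, responseHeaders) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  const acac = responseHeaders['Access-Control-Allow-Credentials'];
  if (acao === undefined) return 'No Access-Control-Allow-Origin header is present';
  if (acao === '*') return 'Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true';
  if (acao !== requestOrigin) return `Origin ${requestOrigin} is not allowed by Access-Control-Allow-Origin`;
  if (acac !== 'true') return 'Credentials flag is true, but Access-Control-Allow-Credentials is not "true"';
  return null;
}

// Cookie side: withCredentials only permits cookies that already belong to the
// request's host (RFC 6265 domain-match); it never exports another site's cookies.
// `cookieJar` is a constructed list of {name, domain} pairs.
function cookiesSentTo(requestHost, cookieJar, { crossOrigin, withCredentials }) {
  if (crossOrigin && !withCredentials) return []; // cross-origin XHR default: no cookies
  const domainMatch = (host, domain) => host === domain || host.endsWith('.' + domain);
  return cookieJar.filter(c => domainMatch(requestHost, c.domain)).map(c => c.name);
}

// Walk through the thread's scenario: a page at http://app.example calling a
// socket.io server at api.example that issued its own session cookie.
function demo() {
  const jar = [
    { name: 'connect.sid', domain: 'api.example' }, // set by the socket.io host
    { name: 'app_session', domain: 'app.example' }, // set by the page's own host
  ];
  const request = { origin: 'http://app.example', host: 'api.example' };
  const headers = corsHeadersFor({ origin: request.origin });
  return {
    headers,
    browserVerdict: browserCredentialedCheck(request.origin, headers),
    cookies: cookiesSentTo(request.host, jar, { crossOrigin: true, withCredentials: true }),
  };
}
```

In the demo the browser verdict is null (allowed) and only connect.sid is attached: app_session belongs to app.example and is never sent to api.example, which is the confusion zbjornson describes. Replacing the echoed origin with '*' in corsHeadersFor reproduces the wildcard error from the thread.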

@YesterX2 YesterX2 referenced this issue in Automattic/socket.io
Closed

Authentication fails - CORS #764

@rauchg rauchg closed this