Authentication fails since 0.8.6 - CORS #333

Closed
gavinuhma opened this Issue Nov 8, 2011 · 10 comments

gavinuhma commented Nov 8, 2011

Cookies are not being sent so authentication fails.

This issue was originally added to socket.io server by @renajohn: LearnBoost/socket.io#625

I did a git bisect which tracked it down to this commit:
ab60690

Working request:

Request URL: http://redacted/socket.io/1/?t=1320720753680&jsonp=0
Request Method: GET
Status Code: 200 OK

Request Headers
Accept: */*
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Connection: keep-alive
Cookie: redacted
Host: redacted
Referer: http://redacted/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2

Broken request (Origin header / no Cookie header):

Request URL: http://redacted/socket.io/1/?t=1320721558960
Request Method: GET
Status Code: 403 Forbidden

Request Headers
Accept: */*
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Connection: keep-alive
Host: redacted
Origin: http://redacted
Referer: http://redacted/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2

The client needs to set an additional flag to allow passing cookies with CORS, as "documented" here, and I assume also in the actual spec.

http://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/ (search in page for "cookie")

gavinuhma commented Nov 8, 2011

My concern is that withCredentials doesn't seem to be supported cross browser.

"By default, “credentials” such as Cookies and HTTP Auth information are not sent in cross-site requests using XMLHttpRequest. In order to send them, you have to set the withCredentials property of the XMLHttpRequest object. This is a new property introduced in Firefox 3.5 and Safari 4. IE8's XDomainRequest object does not have this capability."

The check for withCredentials support happens in hasCORS (https://github.com/LearnBoost/socket.io-client/blob/master/lib/util.js#L348) but it doesn't get set to true before the request.

I'll try that now.

gavinuhma commented Nov 8, 2011

I get this error after setting withCredentials = true;

"XMLHttpRequest cannot load http://redacted/socket.io/1/?t=1320788664255. Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true."

gavinuhma commented Nov 8, 2011

Working now.

This should be fine since it happens after verifyOrigin:

https://github.com/gavinuhma/socket.io/commit/e4a9342e8b029d8dc251f13b6320500e809c7921
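The server-side counterpart of the "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true" error, as an added example that is not socket.io's code or the linked commit: a small Node-style helper that, once the origin has been verified against an allowlist, echoes that specific origin instead of "*" and sets Access-Control-Allow-Credentials so the browser will attach cookies. The allowlist and request values are constructed placeholders.

```javascript
// Added example (not socket.io's code): build CORS response headers for a
// request sent with withCredentials = true. Browsers reject
// "Access-Control-Allow-Origin: *" on credentialed requests, so the server
// must echo one verified origin instead. Placeholder allowlist, not from
// the issue.
const ALLOWED_ORIGINS = new Set([
  'http://app.example',
  'https://app.example',
]);

// Returns the CORS headers to add to the response, or null when the Origin
// is not allowlisted (the caller should then answer 403, as the "Broken
// request" in the issue did). Header names are lowercase as Node exposes
// them in req.headers; a request without Origin is not CORS and gets {}.
function corsHeadersFor(requestHeaders, allowed = ALLOWED_ORIGINS) {
  const origin = requestHeaders.origin;
  if (origin === undefined) return {};
  if (!allowed.has(origin)) return null;
  return {
    // Echo the specific origin; never "*" together with credentials.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // The response now differs per Origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
}

// Mirrors the browser rule behind the error message: a credentialed
// response is only usable when the allowed origin is explicit, not "*".
function isValidCredentialedResponse(headers) {
  if (!headers) return false;
  const acao = headers['Access-Control-Allow-Origin'];
  const acac = headers['Access-Control-Allow-Credentials'];
  return acac === 'true' && typeof acao === 'string' && acao !== '*';
}

// Constructed request resembling the issue's handshake, with a cookie.
const sample = { origin: 'http://app.example', cookie: 'sid=placeholder' };
console.log(corsHeadersFor(sample), isValidCredentialedResponse(corsHeadersFor(sample)));
```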

FYI this bug is present in 0.8.7 too (just mentioning this since it might not be obvious to all users). Hope that 0.8.8 will include this fix.

I have the same issue. I tried some fixes but they don't work :(

Related issue for Tornadio2:

MrJoes/tornadio2#30

I'm not sure if anyone who was having problems with this was using the auth technique described here (or nearly identically here) in a cross-domain environment. This ticket involves CORS, and the referenced socket.io ticket that was identified as the cause of this issue describes the cookie-based auth technique, so I'm assuming it's a common confusion.

I think socket.io is working properly. Setting withCredentials=true and Access-Control-Allow-Cookies tell the UA and server that cookies are okay to exchange, but it does not cause domain1's cookies to be sent to the other site. Some techniques for sharing cookies across domains are here: http://stackoverflow.com/questions/263010/whats-your-favorite-cross-domain-cookie-sharing-approach

@YesterX2 YesterX2 referenced this issue in socketio/socket.io Mar 19, 2014

Closed

Authentication fails - CORS #764

@rauchg rauchg closed this Nov 25, 2014

lattmann pushed a commit to lattmann/socket.io-client that referenced this issue Jul 23, 2015
