Allow cookies to be sent in XMLHttpRequest handshake; see https://github... #587


See: Issue #344

With these changes, can now send a cookie with the XHR handshake, allowing for persisting a user session.

Note about dependency upgrade:
Had to update XMLHttpRequest module to 1.6.0, to be able to disable forbidden headers in an XHR request.


This would be extremely helpful for testing purposes

iliakan commented Jan 10, 2014

I had to patch to work around that. Please let this pull request in.

JCMais commented Jan 30, 2014

Is this ever going to be merged?


Is this going to be merged?



ismriv commented Apr 7, 2014

This is extremely helpful for testing when using cookie-based authentication. Is this going to be merged at some point?


+1, helpful for testing an API with mocha (server-side testing). I do this but got an auth problem today!

rauchg commented May 13, 2014

I'm down for merging a solution like this for the master branch

chill117 referenced this pull request in socketio/ Jun 2, 2014

Allow sending of cookie header in XHR handshake. #304

chill117 commented Jun 3, 2014

If anyone is upgrading to 1.x, which now uses for the connection-related heavy lifting, you'll probably want to look into passing your session cookie(s) in the query string. I just went through the upgrade process, and by far the least painful method of persisting user sessions within my integration tests was the query string method.

To give you a better idea of how to accomplish this: when creating the socket instance, pass the cookie in the query string like this:

```js
var url = 'http://your-app-url'
var options = {}

url += '?cookie=' + encodeURIComponent(sessionCookie)

// Pass this flag to create a fresh socket for the integration tests.
options.forceNew = true

var socket = io(url, options)
```

Then on the server-side, you'll need to read the cookie variable from the query data:

```js
// The new middleware way of doing things..
io.use(function(socket, next) {

    // The query string value will be used only if the header is not set.
    var cookie = socket.handshake.headers.cookie || socket.handshake.query.cookie

    if (!cookie)
        return next()

    // There is a cookie..
    // Perform your cookie-based user authentication here..

    // And, don't forget to call next() when you're done.
    next()
})
```
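
An added example (not code from this pull request or from socket.io itself) that builds on the middleware in the comment above: it keeps the header-first rule, accepts the query-string cookie only when the caller opts in, since URLs tend to be recorded in access logs, and rejects handshakes that carry no valid session. `parseCookies`, `resolveCookie`, `cookieAuth`, the `cookieName` and `allowQueryFallback` options, and `lookupSession` are hypothetical names.

```javascript
// Added example: hypothetical helpers, not part of socket.io or this PR.

// Parse a Cookie header value ("a=1; b=2") into an object of decoded values.
function parseCookies(header) {
  var out = Object.create(null)
  String(header || '').split(';').forEach(function (pair) {
    var idx = pair.indexOf('=')
    if (idx < 1) return // no "=" or nothing before it
    var name = pair.slice(0, idx).trim()
    var value = pair.slice(idx + 1).trim()
    if (!name || name in out) return // first occurrence wins
    try { out[name] = decodeURIComponent(value) } catch (e) { out[name] = value }
  })
  return out
}

// Pick the raw cookie string for a handshake. The header always wins; the
// query-string value is considered only when the caller opts in (tests).
function resolveCookie(handshake, allowQueryFallback) {
  var fromHeader = handshake.headers && handshake.headers.cookie
  if (fromHeader) return { source: 'header', raw: fromHeader }
  var fromQuery = handshake.query && handshake.query.cookie
  // A repeated ?cookie= parameter parses to an array; accept strings only.
  if (allowQueryFallback && typeof fromQuery === 'string' && fromQuery)
    return { source: 'query', raw: fromQuery }
  return null
}

// Build an io.use() middleware. opts.lookupSession(id, cb) is a hypothetical
// session-store lookup supplied by the application. Unlike the snippet in
// the comment, a handshake without a usable cookie is rejected here.
function cookieAuth(opts) {
  return function (socket, next) {
    var found = resolveCookie(socket.handshake, opts.allowQueryFallback)
    if (!found) return next(new Error('no session cookie'))
    var sid = parseCookies(found.raw)[opts.cookieName]
    if (!sid) return next(new Error('no session cookie'))
    opts.lookupSession(sid, function (err, session) {
      if (err || !session) return next(new Error('invalid session'))
      socket.session = session // attach the session for later handlers
      next()
    })
  }
}
```

Wire it in with `io.use(cookieAuth({ cookieName: ..., allowQueryFallback: process.env.NODE_ENV === 'test', lookupSession: ... }))` so the query-string path exists only in test runs.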

This issue was closed.