How to secure 'io' cookie

[dglozic]

I noticed that socket.io (engine.io to be precise) is setting a non-secure session cookie called 'io' on the URL it is invoked. What is the role of this cookie, is it necessary and if so, can it be secured? We force https:// for all locations where socket.io is running, and could easily set this cookie to secure but I cannot find where.

[Nibbler999]

It's not used for anything; you can disable it by setting cookie: false in the server options.

[dglozic]

Best answer ever - thanks!

[dglozic]

Closing as resolved - thanks

[wisniewski94]

@Nibbler999 Where are these options? Where exactly do I put this setting?

[darrachequesne]

@wisniewski94 the options are documented here: https://github.com/socketio/engine.io#methods-1

var io = require('socket.io')();
io.on('connection', function(client){});
io.listen(3000, {
  cookie: false
});

[wisniewski94]

@darrachequesne thank you very much! Without your help it would be still unclear to me how to use them. It would be good idea to add example to README.md.

[darrachequesne]

On a broader note, that cookie may be removed, if it's not used anywhere.

[tienlx93]

Hi @darrachequesne ,

Here is my current code.

var server = http.createServer(app);
var socket = require('socket.io');
var io = socket().listen(server,
    {
        cookie: false
    });

However, the server still send the cookie io.
Is there a problem of cookie when integrate io with express server?

Thanks.

[tienlx93]

One more thing, are there any method for sending the header Access-Control-Allow-Origin for web socket request (the 101 Switching Protocols response)
I have set io.origins(config.origin) in init step, however, it only apply for XHR request.

The background is if there is a request that not setting correct Origin header is an vulnerable request, is this correct?

[darrachequesne]

@tienlx93 I'm not able to reproduce: https://github.com/darrachequesne/socket.io-fiddle/tree/issues-2276

The background is if there is a request that not setting correct Origin header is an vulnerable request, is this correct?

The Access-Control-Allow-Origin header only applies for cross-domain requests (MDN). If you set the allowed origins with io.origins(), it should be ok.

[lkende]

Thanks for the info. For reference, another way to set this cookie false when using express as the server:

var server = require('http').createServer(express());
var io = require('socket.io')(server, { path:"/some/path", cookie: false });

[DaVincii]

@darrachequesne In socket.io-2.0, is there a way to set this cookie secure and remove it from the query string.

[jquinter]

@darrachequesne In socket.io-2.0, is there a way to set this cookie secure and remove it from the query string.

can you please post how to do this in socket.io^2.0?