Home/ Questions/Q 8807917
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T02:29:13+00:00

I have a good start on a technique similar to this in Express 3

  • 0

I have a good start on a technique similar to this in Express 3
http://notjustburritos.tumblr.com/post/22682186189/socket-io-and-express-3

the idea being to let me grab the session object from within a socket.io connection callback, storing sessions via connect-redis in this case.

So, in app.configure we have 

var db = require('connect-redis')(express)
....
app.configure(function(){
     ....
     app.use(express.cookieParser(SITE_SECRET));                                                                                                      
     app.use(express.session({ store: new db }));

And in the app code there is

var redis_client = require('redis').createClient()

 io.set('authorization', function(data, accept) {
     if (!data.headers.cookie) {
         return accept('Sesssion cookie required.', false)
     }

     data.cookie = require('cookie').parse(data.headers.cookie);
     /* verify the signature of the session cookie. */
     //data.cookie = require('cookie').parse(data.cookie, SITE_SECRET);
     data.sessionID = data.cookie['connect.sid']

     redis_client.get(data.sessionID, function(err, session) {
         if (err) {
             return accept('Error in session store.', false)
         } else if (!session) {
             return accept('Session not found.', false)
         }
         // success! we're authenticated with a known session.
         data.session = session
         return accept(null, true)
     })
 })

The sessions are being saved to redis, the keys look like this:

redis 127.0.0.1:6379> KEYS *
1) "sess:lpeNPnHmQ2f442rE87Y6X28C"
2) "sess:qsWvzubzparNHNoPyNN/CdVw"

and the values are unencrypted JSON. So far so good.

The cookie header, however, contains something like

{ 'connect.sid': 's:lpeNPnHmQ2f442rE87Y6X28C.obCv2x2NT05ieqkmzHnE0VZKDNnqGkcxeQAEVoeoeiU' }

So now the SessionStore and the connect.sid don’t match, because the signature part (after the .) is stripped from the SessionStore version.

Question is, is is safe to just truncate out the SID part of the cookie (lpeNPnHmQ2f442rE87Y6X28C) and match based on that, or should the signature part be verified? If so, how?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    rather than hacking around with private methods and internals of Connect, that were NOT meant to be used this way, this NPM does a good job of wrapping socket.on in a method that pulls in the session, and parses and verifies
    https://github.com/functioncallback/session.socket.io

    • 0