
Authentication fails since 0.8.6 - CORS #333

Closed
gavinuhma opened this issue Nov 8, 2011 · 10 comments
Labels: bug (Something isn't working)

Comments

@gavinuhma (Contributor)

Cookies are not being sent so authentication fails.

This issue was originally added to the socket.io server by @renajohn: socketio/socket.io#625

I did a git bisect which tracked it down to this commit:
ab60690

Working request:

Request URL: http://redacted/socket.io/1/?t=1320720753680&jsonp=0
Request Method: GET
Status Code: 200 OK

Request Headers
Accept: */*
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Connection: keep-alive
Cookie: redacted
Host: redacted
Referer: http://redacted/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2

Broken request (Origin header / no Cookie header):

Request URL: http://redacted/socket.io/1/?t=1320721558960
Request Method: GET
Status Code: 403 Forbidden

Request Headers
Accept: */*
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Connection: keep-alive
Host: redacted
Origin: http://redacted
Referer: http://redacted/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2

@glenjamin

The client needs to set an additional flag to allow passing cookies with CORS, as "documented" here, and I assume also in the actual spec.

http://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/ (search in page for "cookie")

@gavinuhma (Contributor, Author)

My concern is that withCredentials doesn't seem to be supported cross browser.

"By default, 'credentials' such as Cookies and HTTP Auth information are not sent in cross-site requests using XMLHttpRequest. In order to send them, you have to set the withCredentials property of the XMLHttpRequest object. This is a new property introduced in Firefox 3.5 and Safari 4. IE8's XDomainRequest object does not have this capability."

The check for withCredentials support happens in hasCORS (https://github.com/LearnBoost/socket.io-client/blob/master/lib/util.js#L348) but it doesn't get set to true before the request.

I'll try that now.

@gavinuhma (Contributor, Author)

I get this error after setting withCredentials = true;

"XMLHttpRequest cannot load http://redacted/socket.io/1/?t=1320788664255. Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true."

@gavinuhma (Contributor, Author)

Working now.

This should be fine since it happens after verifyOrigin:

https://github.com/gavinuhma/socket.io/commit/e4a9342e8b029d8dc251f13b6320500e809c7921
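The rule Chrome enforced in the error above (no wildcard Access-Control-Allow-Origin once credentials are in play) is easy to get wrong on the server side. The following is an added example, not code from socket.io or from the linked commit: a handshake handler that only echoes a verified Origin back together with Access-Control-Allow-Credentials, and returns 403 otherwise. The allow-list and `verifyOrigin` are constructed stand-ins for the server's own origin check.

```javascript
// Constructed allow-list; stands in for whatever origin policy the server is
// configured with. Never derive this from the request itself.
const ALLOWED_ORIGINS = new Set(['http://app.example', 'https://app.example']);

// Hypothetical origin verification (the real server has its own verifyOrigin).
function verifyOrigin(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Weak form: wildcard origin plus credentials. Browsers reject this pairing,
// so the cookie never reaches the handshake and authentication fails.
function corsHeadersWildcard() {
  return {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Corrected form: only after the Origin passes verification do we echo that
// exact origin back and allow credentials. Vary: Origin stops a shared cache
// from handing one origin's response to a different origin.
function corsHeadersFor(originHeader) {
  if (!originHeader || !verifyOrigin(originHeader)) return null;
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Handshake decision from the request headers (lower-cased names, as Node's
// http module delivers them). No Origin header means a same-origin request,
// which is the "working request" captured in the issue.
function handleHandshake(reqHeaders) {
  const origin = reqHeaders['origin'];
  if (origin === undefined) return { status: 200, headers: {} };
  const cors = corsHeadersFor(origin);
  return cors ? { status: 200, headers: cors } : { status: 403, headers: {} };
}

// Mirrors the user-agent rule quoted in the issue: a credentialed response is
// accepted only if Allow-Origin names the requesting origin exactly (never '*')
// and Allow-Credentials is literally "true".
function browserAcceptsCredentialed(headers, requestOrigin) {
  if (!headers) return false;
  const allow = headers['Access-Control-Allow-Origin'];
  return allow !== '*' && allow === requestOrigin &&
    headers['Access-Control-Allow-Credentials'] === 'true';
}
```

On the client side the matching half is `xhr.withCredentials = true`; without it the browser omits the Cookie header regardless of what the server sends.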

@benissimo

FYI this bug is present in 0.8.7 too (just mentioning this since it might not be obvious to all users). Hope that 0.8.8 will include this fix.

@YesterX2

I have the same issue. I tried some fixes but they don't work :(

@thorlarholm

Related issue for Tornadio2:

mrjoes/tornadio2#30

@zbjornson

I'm not sure if anyone who was having problems with this was using the auth technique described here (or nearly identically here) in a cross-domain environment. This ticket involves CORS, and the referenced socket.io ticket that was identified as the cause of this issue describes the cookie-based auth technique, so I'm assuming it's a common confusion.

I think socket.io is working properly. Setting withCredentials=true and Access-Control-Allow-Cookies tell the UA and server that cookies are okay to exchange, but it does not cause domain1's cookies to be sent to the other site. Some techniques for sharing cookies across domains are here: http://stackoverflow.com/questions/263010/whats-your-favorite-cross-domain-cookie-sharing-approach
