Authentication fails since 0.8.6 - CORS

[gavinuhma]

Cookies are not being sent so authentication fails.

This issue was original added to socket.io server by @renajohn: socketio/socket.io#625

I did a git bisect which tracked it down to this commit:
ab60690

Working request:

Request URL: http://redacted/socket.io/1/?t=1320720753680&jsonp=0
Request Method: GET
Status Code: 200 OK

Request Headers
Accept: */*
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Connection: keep-alive
Cookie: redacted
Host: redacted
Referer: http://redacted/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2

Broken request (Origin header / no Cookie header):

Request URL: http://redacted/socket.io/1/?t=1320721558960
Request Method: GET
Status Code: 403 Forbidden

Request Headers
Accept: */*
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Connection: keep-alive
Host: redacted
Origin: http://redacted
Referer: http://redacted/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2

[glenjamin]

The client needs to set an additional flag to allow passing cookies with CORS, as "documented" here, and I assume also in the actual spec.

http://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/ (search in page for "cookie")

[gavinuhma]

My concern is that withCredentials doesn't seem to be supported cross browser.

"By default, “credentials” such as Cookies and HTTP Auth information are not sent in cross-site requests using XMLHttpRequest. In order to send them, you have to set the withCredentials property of the XMLHttpRequest object. This is a new property introduced in Firefox 3.5 and Safari 4. IE8′s XDomainRequest object does not have this capability."

The check for withCredentials support happens in hasCORS (https://github.com/LearnBoost/socket.io-client/blob/master/lib/util.js#L348) but it doesn't get set to true before the request.

I'll try that now.

[gavinuhma]

I get this error after setting withCredentials = true;

"XMLHttpRequest cannot load http://redacted/socket.io/1/?t=1320788664255. Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true."

[gavinuhma]

Working now.

This should be fine since it happens after verifyOrigin:

https://github.com/gavinuhma/socket.io/commit/e4a9342e8b029d8dc251f13b6320500e809c7921

[gavinuhma]

I should probably fix here and here as well:
https://github.com/gavinuhma/socket.io/blob/e4a9342e8b029d8dc251f13b6320500e809c7921/lib/transports/http.js#L65
https://github.com/gavinuhma/socket.io/blob/e4a9342e8b029d8dc251f13b6320500e809c7921/lib/transports/xhr-polling.js#L62

[gavinuhma]

For reference:
http://www.w3.org/TR/XMLHttpRequest2/#the-withcredentials-attribute
https://developer.mozilla.org/En/HTTP_Access_Control#Requests_with_credentials

[benissimo]

FYI this bug is present in 0.8.7 too (just mentioning this since it might not be obvious to all users). Hope that 0.8.8 will include this fix.

[YesterX2]

I have the same issue. i tried some fixes but they don't work :(

[thorlarholm]

Related issue for Tornadio2:

mrjoes/tornadio2#30

[zbjornson]

I'm not sure if anyone who was having problems with this were using the auth technique described here (or nearly identically here) in a cross-domain environment. This ticket involves CORS, and the referenced socket.io ticket that was identified as the cause of this issue describes the cookie-based auth technique, so I'm assuming it's a common confusion.

I think socket.io is working properly. Setting withCredentials=true and Access-Control-Allow-Cookies tell the UA and server that cookies are okay to exchange, but it does not cause domain1's cookies to be sent to the other site. Some techniques for sharing cookies across domains are here: http://stackoverflow.com/questions/263010/whats-your-favorite-cross-domain-cookie-sharing-approach