diff --git a/lib/realtime.js b/lib/realtime.js index a69904a94..a9c541cfe 100644 --- a/lib/realtime.js +++ b/lib/realtime.js @@ -42,22 +42,25 @@ function onAuthorizeFail(data, message, error, accept) { accept(); //accept whether authorize or not to allow anonymous usage } +//secure the origin by the cookie function secure(socket, next) { try { var handshakeData = socket.request; if (handshakeData.headers.cookie) { handshakeData.cookie = cookie.parse(handshakeData.headers.cookie); handshakeData.sessionID = cookieParser.signedCookie(handshakeData.cookie[config.sessionname], config.sessionsecret); - if (handshakeData.cookie[config.sessionname] == handshakeData.sessionID) { + if (handshakeData.sessionID && + handshakeData.cookie[config.sessionname] && + handshakeData.cookie[config.sessionname] != handshakeData.sessionID) { + if (config.debug) + logger.info("AUTH success cookie: " + handshakeData.sessionID); + return next(); + } else { next(new Error('AUTH failed: Cookie is invalid.')); } } else { next(new Error('AUTH failed: No cookie transmitted.')); } - if (config.debug) - logger.info("AUTH success cookie: " + handshakeData.sessionID); - - next(); } catch (ex) { next(new Error("AUTH failed:" + JSON.stringify(ex))); }