From 5467e6da8debc35befd5891bbe393a22f269117d Mon Sep 17 00:00:00 2001 From: Wu Cheng-Han Date: Wed, 30 Dec 2015 00:31:39 -0500 Subject: [PATCH] Fixed socket session secure might not apply properly --- lib/realtime.js | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/lib/realtime.js b/lib/realtime.js index a69904a94..a9c541cfe 100644 --- a/lib/realtime.js +++ b/lib/realtime.js @@ -42,22 +42,25 @@ function onAuthorizeFail(data, message, error, accept) { accept(); //accept whether authorize or not to allow anonymous usage } +//secure the origin by the cookie function secure(socket, next) { try { var handshakeData = socket.request; if (handshakeData.headers.cookie) { handshakeData.cookie = cookie.parse(handshakeData.headers.cookie); handshakeData.sessionID = cookieParser.signedCookie(handshakeData.cookie[config.sessionname], config.sessionsecret); - if (handshakeData.cookie[config.sessionname] == handshakeData.sessionID) { + if (handshakeData.sessionID && + handshakeData.cookie[config.sessionname] && + handshakeData.cookie[config.sessionname] != handshakeData.sessionID) { + if (config.debug) + logger.info("AUTH success cookie: " + handshakeData.sessionID); + return next(); + } else { next(new Error('AUTH failed: Cookie is invalid.')); } } else { next(new Error('AUTH failed: No cookie transmitted.')); } - if (config.debug) - logger.info("AUTH success cookie: " + handshakeData.sessionID); - - next(); } catch (ex) { next(new Error("AUTH failed:" + JSON.stringify(ex))); }