Golo Roden Golo Roden -4 years ago 145
Node.js Question

Securing Socket.io

I am using a Node.js based https server that authenticates using HTTP Basic (which is fine as the data are sent over the SSL encrypted connection).

Now I want to provide a Socket.io connection which should be


  1. encrypted and

  2. for authenticated users only.



The question is how to do this. I already found out that I need to specify
{ secure: true }
in the client JavaScript code when connecting to the socket, but how do I force on the server-side that socket connections can only be run over SSL, and that it works only for authenticated users?

I guess that the SSL thing is the easy part, as the Socket.io server is bound to the https server only, so it should run using SSL only, and there should be no possibility to run it over an (additionally) running http server, right?

Regarding the other thing I have not the slightest idea of how to ensure that socket connections can only be established once the user successfully authenticated using HTTP Basic.

Any ideas?

Answer Source

Although the answer by Linus is basically right, I now solved it in a more easy way using the session.socket.io - which basically does the same thing, but with way less custom-code to write.

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download