Best way to pass Django session id in sockjs connection
https://stackoverflow.com//questions/25007766
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Right now I have a Django-tornado-sockjs stack and want to be able to pass the session id from the site into a sockjs cnnection. What is the most secure way to pass the Django session id to my tornado backend? It sounds like people are recommending I store the session id in cookies and then send the data over when sockjs opens a connection. But isn't this less secure? It doesn't seem like Sockjs supports passing http-only cookies.
Any alternatives? At some point do I just have to accept I will have pass the encrypted session id though html or cookies and is there a real danger to this?
Solution
I'm far from a security expert but AFAIK requiring SSL for all auth requests is a baseline requirement to keep things secure if security is important.
We don't use session ids but instead generate an auth token on login, store it in redis which acts as the message queue between django and sockjs-tornado, and also pass it into the rendered page that establishes the sockjs connection via https. Then our sockjs-tornado process checks for the correct auth token in redis as part of the payload in a connection event.
We use haproxy to handle SSL uniformly across all the requests and dispatch to the appropriate backend which has been working great.
