SignalR authorizing is successful after cookies cleaning

Question

I develop ASP.NET applicaion with auth cookies and use SignalR 2.0.3 for chat with Websocket transport by default. I use "Authorize" attribute for authorizing to hub.

[Authorize]
[HubName("c")]
public class Chat : Hub
{
...

I met the next problem. After cleaning all cookies in browser (Chrome or Firefox) authorizing stil is succesful. It reproduce only for WebSockets transport. I tried to resolve this problem using so HubPipelineModule:

public class CheckingCookiesPipelineModule : HubPipelineModule
{
    protected override bool OnBeforeIncoming(IHubIncomingInvokerContext context)
    {
        if (context.Hub.Context.Request.Cookies["auth_key"].Value == string.Empty)
        {
            return false;
        }
        return base.OnBeforeIncoming(context);
    }
}

It does not help because cookies are not the empty in Websocket request. Could anybody explain so strange behaviour of SignalR Websocket? Is it bug or feature? May be are there workarounds?

Answer 1

WebSocket are persistent connections, they are always connected. Cookies are sent during the connection handshake, not with every message.

If you close the connection, the cookie should be empty when connecting again.