User authentication in tornado websocket application

后端 未结 2 1511
花落未央
花落未央 2021-02-04 13:51

Now, i improve my tornado skills and have a question about user auth.

And my solution is create secure token on first page and next send it with other data, from javascr

相关标签:
2条回答
  • 2021-02-04 14:30

    I suggest you read the overview section in the documentation.

    There should be some relevant content there:

    • Cookies and secure cookies
    • User Authentication
    • Third Party Authentication

    EDIT

    I just realized your question is about websockets. I believe you can use the approach you outline:

    • Create a cookie in the non-websocket part of your app
    • Check the cookie in the websocket handler

    You should be able to access the request headers inside the websocket handler using self.request.headers.

    0 讨论(0)
  • 2021-02-04 14:35

    A client can probably make the request headers with a fake user: 'user="ImFkbWxxxx==|xxxxxxxxxx|9d847f58a6897df8912f011f0a784xxxxxxxxxx"'

    I think the following approach is better. If the user does not exist or if the cookie id is not correct or falsified, then the function get_secure_cookie will not return a user

    class WebSocketHandler(tornado.websocket.WebSocketHandler):
    
        def open(self):
            user_id = self.get_secure_cookie("user")
            if not user_id: return None
            ...
    
    0 讨论(0)
提交回复
热议问题