User authentication in tornado websocket application

花落未央 2021-02-04 13:51

Now I am improving my Tornado skills and have a question about user auth.

And my solution is to create a secure token on the first page and then send it with other data, from javascr

2 answers
  • 2021-02-04 14:30

    I suggest you read the overview section in the documentation.

    There should be some relevant content there:

    • Cookies and secure cookies
    • User Authentication
    • Third Party Authentication

    EDIT

    I just realized your question is about websockets. I believe you can use the approach you outline:

    • Create a cookie in the non-websocket part of your app
    • Check the cookie in the websocket handler

    You should be able to access the request headers inside the websocket handler using self.request.headers.

  • 2021-02-04 14:35

    A client can probably make the request headers with a fake user: 'user="ImFkbWxxxx==|xxxxxxxxxx|9d847f58a6897df8912f011f0a784xxxxxxxxxx"'

    I think the following approach is better. If the user does not exist or if the cookie id is not correct or falsified, then the function get_secure_cookie will not return a user:

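    import tornado.websocket

    class WebSocketHandler(tornado.websocket.WebSocketHandler):

        def open(self):
            # None when the cookie is missing, expired, or its signature fails
            user_id = self.get_secure_cookie("user")
            if not user_id:
                # a bare return would leave the socket open
                self.close(code=1008, reason="authentication required")
                return
            ...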
    
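The two answers combined into one sketch, added here as an example and not code from either answer: the cookie is signed in a normal HTTP handler, verified in the WebSocket handler's `open()`, and a hand-built header value like the one quoted in the second answer is rejected. `COOKIE_SECRET`, `LoginHandler`, `AuthSocket`, the `/login` and `/ws` routes, and the helpers `sign_user` and `user_from_cookie` are hypothetical names chosen for the illustration.

```python
import tornado.web
import tornado.websocket

COOKIE_SECRET = "constructed-demo-secret"  # assumption: sample value, not a real secret


def sign_user(name, secret=COOKIE_SECRET):
    # The signed value that set_secure_cookie("user", name) would store.
    return tornado.web.create_signed_value(secret, "user", name)


def user_from_cookie(raw_value, secret=COOKIE_SECRET):
    # The verification behind get_secure_cookie("user"): returns the user
    # name, or None if the value is missing, expired or not signed by us.
    if not raw_value:
        return None
    decoded = tornado.web.decode_signed_value(secret, "user", raw_value)
    return decoded.decode("utf-8") if decoded else None


class LoginHandler(tornado.web.RequestHandler):
    def post(self):
        # Assumption: the credential check happens here and has succeeded.
        self.set_secure_cookie("user", self.get_argument("name"), httponly=True)


class AuthSocket(tornado.websocket.WebSocketHandler):
    user = None

    def open(self):
        cookie = self.get_secure_cookie("user")
        if not cookie:
            # Close explicitly; returning alone keeps the connection open.
            self.close(code=1008, reason="authentication required")
            return
        self.user = cookie.decode("utf-8")

    def on_message(self, message):
        if self.user is None:  # ignore frames that arrive while closing
            return
        self.write_message(f"{self.user}: {message}")


def make_app():
    return tornado.web.Application(
        [(r"/login", LoginHandler), (r"/ws", AuthSocket)],
        cookie_secret=COOKIE_SECRET,
    )
```

Browsers send the cookie with the WebSocket handshake to the same host, which is why the handler can read it in `open()`.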