{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 太酷不给撩 的问题《User authentication in tornado websocket applicati》','https://www.manongdao.com/q-489901.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Now, i improve my tornado skills and have a question about user auth.
And my solution is create secure token on first page and next send it with other data, from javascript to tornado server where do checking and auth user.
i think about cookie but i don't know how i can read cookies in WebSocketHandler.on_message
what you think ? and where i wrong ? Thanks
A client can probably make the request headers with a fake user: 'user="ImFkbWxxxx==|xxxxxxxxxx|9d847f58a6897df8912f011f0a784xxxxxxxxxx"'
I think the following approach is better. If the user does not exist or if the cookie id is not correct or falsified, then the function get_secure_cookie will not return a user
I suggest you read the overview section in the documentation.
There should be some relevant content there:
EDIT
I just realized your question is about websockets. I believe you can use the approach you outline:
You should be able to access the request headers inside the websocket handler using
self.request.headers.