I currently have a server implementation where a javascript front-end connects through the socketio protocol used by Netty-Socketio. The implementation works wonderfully with one flaw.

From what I gather, the only way to make the websocket channel aware of the security context of the user is to pass up the JSESSIONID in the handshake, which means putting it on the client page.

There is no way this is secure right? It would also mean that since we use an HTTPONLY header (Even more reason this shouldn't be on the front-end), we would need to make a call for the JS to return the current user's JSESSIONID. Even if we abstract this with a GUID, it still allows for session hijacking does it not?

Can anyone advice on a method to handle this better?