Is auth option secure?

[ghost]

Hi,
I was wondering how the auth option is handled by socket.io in different use cases.
Particularly:

• When using long-polling as transport method where are the credentials encoded? Are they encoded on some HTTP request's body?
• The same question in the websocket transport method

I'm trying to understand if this option is secure over a HTTPS connection, so the credentials are not encoded neither in a querystring nor other unsafe places but they are encrypted over a secure connection.

[darrachequesne]

Hi!

The auth option is sent during the handshake, in a CONNECT packet:

• with HTTP long-polling, the credentials are indeed sent in the request body of a POST request
• with WebSocket, the credentials are sent in a WebSocket frame

Format: <Engine.IO MESSAGE packet type><Socket.IO CONNECT packet type><JSON.stringified auth>
Example: 40{"token":"abc"}

Reference: https://github.com/socketio/socket.io-protocol

[ghost]

Thank you @darrachequesne, so in both cases the credentials gets encrypted over a SSL/TLS connection?

[darrachequesne]

Yes, that's right.

[ghost]

Thank you very much!