Skip to content
Create a gist now

Instantly share code, notes, and snippets.

Embed URL


Subversion checkout URL

You can clone with
Download ZIP in Express 3
var express = require('express')
, http = require('http')
, connect = require('connect')
, io = require('');
var app = express();
/* NOTE: We'll need to refer to the sessionStore container later. To
* accomplish this, we'll create our own and pass it to Express
* rather than letting it create its own. */
var sessionStore = new connect.session.MemoryStore();
/* NOTE: We'll need the site secret later too, so let's factor it out.
* The security implications of this are left to the reader. */
var SITE_SECRET = 'I am not wearing any pants';
* ... skipping some of your app settings ...
/* NOTE: Pass the cookieParser the site secret. It used to be that
* express.session() got the secret, but in Express 3 that's
* no longer the case. */
/* NOTE: We'll need to know the key used to store the session, so
* we explicitly define what it should be. Also, we pass in
* our sessionStore container here. */
key: 'express.sid'
, store: sessionStore
* ... skipping the rest of your app settings ...
var server = http.createServer(app);
server.listen(app.get('port'), function(){
console.log("Express server listening on port " + app.get('port'));
var sio = io.listen(server);
sio.set('authorization', function(data, accept){
/* NOTE: To detect which session this socket is associated with,
* we need to parse the cookies. */
if (!data.headers.cookie) {
return accept('Session cookie required.', false);
/* XXX: Here be hacks! Both of these methods are part of Connect's
* private API, meaning there's no guarantee they won't change
* even on minor revision changes. Be careful (but still
* use this code!) */
/* NOTE: First parse the cookies into a half-formed object. */
data.cookie = require('cookie').parseCookie(data.headers.cookie);
/* NOTE: Next, verify the signature of the session cookie. */
data.cookie = require('cookie').parseSignedCookies(data.cookie, SITE_SECRET);
/* NOTE: save ourselves a copy of the sessionID. */
data.sessionID = data.cookie['express.sid'];
/* NOTE: get the associated session for this ID. If it doesn't exist,
* then bail. */
sessionStore.get(data.sessionID, function(err, session){
if (err) {
return accept('Error in session store.', false);
} else if (!session) {
return accept('Session not found.', false);
// success! we're authenticated with a known session.
data.session = session;
return accept(null, true);
sio.sockets.on('connection', function(socket){
var hs = socket.handshake;
console.log('A socket with sessionID '+hs.sessionID+' connected.');
/* NOTE: At this point, you win. You can use hs.sessionID and
* hs.session. */
/* NOTE: This function could end here, and everything would be fine.
* However, I included this additional mechanism that Daniel
* added to keep the session alive by pinging it every 60
* seconds. I don't know how useful this is in the context of
* this demo, considering that the sessions aren't going to
* expire in the near future. So feel free to not include this: */
var intervalID = setInterval(function(){
}, 60 * 1000);
socket.on('disconnect', function(){
console.log('A socket with sessionID '+hs.sessionID+' disconnected.');

Thanks mate, this is awesome tweak!

How would you do when using socket namespaces, i.e. the

sio.of('/namespace').authorization( function(data, accept){


In my case, i finally had it worked, but now it appears my server isn't listening to any socket client-event anymore... (but clients seem to get all server-side event)


Ok, my bad, I was missing the client side impacts... from now it's

var socket = io.connect('http://' + + '/namespace');

and after that as usual:

socket.on('connect', function(){

instead of the old way

        var sio = io.connect();
    var socket = sio.socket;

What versions of things are you using here, i'm running the latest and I show that the cookie module does't have a parseCookie or parsedSignedCookies method. I must be missing something?

I'm having all sorts of issues with the io authorization cookie. I send that to cookie.parse and node just crashes, and on stop of that it doesn't even give me an error stack dump.


Excellent example! That is what I am looking for.


could not get this to work by copy and paste, data.headers.cookie=undefined in 'authorization'


hey bob and everyone, would you try a tiny module I wrote for the same purpose as this gist?

feedback's appreciated.


why have to pass the secret to the cookieparser instead of the session?


and how can i adapt it to a login system


@wcamarao nice work, you rule.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.