Accessing cookies in Phoenix.Socket connect

SameSite looks to have been available in browsers for quite some time. Does it change the situation regarding the possibility of optionally using cookies for authentication in websockets? (even as a web-specific option not available for possible custom transports)

Also, how could banning the user be implemented when using token-based socket authentication? It looks to be problematic.

You can already access session cookie data as seen in the post before yours.

Generally SameSite is only a layer of defence. E.g. it depends on all your subdomains for a given root domain (based on https://publicsuffix.org/) being safe to provide security.

Take a look at phx.gen.auth. It has all the pieces needed to implement that.

Does it also apply to socket auth? I haven't yet researched the current docs for phx.gen.auth, but stumbled upon this thread stating that no cookies can be used for auth in sockets, while I hoped to use server-stored sessions with cookies for socket auth (as well as for regular auth). I will research the post you mentioned as well as the docs.
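
The following is an added example, not part of the thread and not code from any poster: cookie-session authentication in `connect/3` with a server-side token lookup, plus a ban that revokes sessions and drops live sockets. `MyAppWeb`, `MyApp.Accounts`, the `"user_token"` session key and `get_user_by_session_token/1` are assumed to match phx.gen.auth's default output; `MyApp.Bans` and `delete_all_session_tokens/1` are hypothetical names.

```elixir
# Assumed names: MyAppWeb, MyApp.Accounts and the "user_token" session key
# follow phx.gen.auth defaults; adjust them to your application.
defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  # Placeholder key and salt; same_site is one layer, not the whole defence.
  @session_options [store: :cookie, key: "_my_app_key",
                    signing_salt: "CHANGE_ME", same_site: "Lax"]

  # Passing the session options exposes the cookie session to connect/3.
  # Phoenix only loads it when the client sends a valid _csrf_token param.
  socket "/socket", MyAppWeb.UserSocket,
    websocket: [connect_info: [session: @session_options]]

  plug Plug.Session, @session_options
end

defmodule MyAppWeb.UserSocket do
  use Phoenix.Socket

  @impl true
  def connect(_params, socket, %{session: %{"user_token" => token}}) do
    # Server-side lookup: a deleted token row (logout, ban) fails here.
    case MyApp.Accounts.get_user_by_session_token(token) do
      nil -> :error
      user -> {:ok, assign(socket, :user_id, user.id)}
    end
  end

  # No session (missing cookie, or missing/invalid CSRF token): refuse.
  def connect(_params, _socket, _connect_info), do: :error

  # A per-user socket id lets the server close all of that user's sockets.
  @impl true
  def id(socket), do: "user_socket:#{socket.assigns.user_id}"
end

defmodule MyApp.Bans do
  # Hypothetical helper: revoke stored sessions, then disconnect live sockets.
  def ban(user) do
    MyApp.Accounts.delete_all_session_tokens(user) # hypothetical function
    MyAppWeb.Endpoint.broadcast("user_socket:#{user.id}", "disconnect", %{})
  end
end
```

Because the token is checked against server-side storage on every connect, revoking it blocks reconnection, and the `"disconnect"` broadcast to the socket id closes connections that are already open.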