Unable get HttpOnly, Secure cookie coming from client in the connect event handler ?

[abhayana24]

Hi,

I have a rasa open-source server running which uses python-socketio to implement event handlers. It uses sanic Blueprint and routes socketio connections to it. I am customizing its socketio implementation to have an authentication mechanism in place during the connect event. The authentication happens through the JWT token present in the cookie, but when I try to print environ dictionary there is no HTTP_COOKIE attribute part of it although the cookie becomes part of the header while making a connection request. The client is not explicitly adding cookie to the header while calling the connect event since the cookie is httponly and secure, but they claim that it automatically gets added by the browser. So I am trying to understand weather the cookie even reaches my server or not and if environ is the way to access this cookie ?

P.S: The rasa server is running behind the nginx reverse proxy.

Rasa Socketio implementation: https://github.com/RasaHQ/rasa/blob/main/rasa/core/channels/socketio.py

Any help is appreciated, thanks.

[miguelgrinberg]

I think you misunderstand the role that the python-socketio package plays in your stack. Handling of cookies is entirely the business of your client and your web server, so this package has nothing that can prevent cookies from being passed. The environ dictionary that you refer to is passed to python-socketio from your web server, it is not generated by this package.

It appears you are filing this bug on behalf of someone, since you say that "they claim" that the cookie is in the request. My recommendation is that confirm this, because the most likely reason for the cookie to be missing is that the browser isn't sending it.

[abhayana24]

Thanks for your response. I checked with the UI team , they mentioned the cookies are part of the request headers and since its HttpOnly it can't be accessed on the client side and to ensure that they shared the request headers from the developer console.

As you mentioned that this has nothing to do with the python-socketio, is there a way to figure out if the cookie is reaching the server or where is it getting eaten up , I am new to this, so any help would be great ?

[miguelgrinberg]

Well, you know your stack and I don't, so I cannot really provide much guidance. If requests hit nginx without anything else in between, then the next step would be to review the nginx configuration, I would think? Also, wearing my detective hat I could claim that the picture that you included above does not prove anything, because it shows that the cookie was sent with a request, but there is nothing in the picture that indicates that it was the actual request in question. I would recommend that you get a front end up and running and debug everything yourself, without relying on what other people tell you.

[abhayana24]

Thanks for your response. I will look into your recommendations.

[abhayana24]

Hi @miguelgrinberg ,

In order to test this locally, I created simple server, below is the code:

from sanic import Sanic
from sanic.response import text
from sanic.cookies import CookieJar
import socketio

#Socket.IO server
sio = socketio.AsyncServer(async_mode='sanic')
app = Sanic(name='my_sanic_app')
sio.attach(app)

@app.route("/get-cookie")
async def test(request):
    response = text("There's a cookie up in this response")
    response.cookies['jwtToken'] = "abcd123"
    response.cookies['jwtToken']['httponly'] = True
    return response

@app.route("/http_cookie")
async def print_cookie(request):
    print("COOKIE FROM HTTP ENDPOINT:", request.cookies.get('jwtToken'))
    return text("Cookie read")

@sio.on('connect')
async def connect(sid, environ):
    # On a connect event, print the cookie value
    #print(environ)
    #print('Cookie:', environ['HTTP_COOKIE'])
    jar = CookieJar(environ['sanic.request'])
    print(jar)
    print(environ)
    return True

if __name__ == '__main__':
    app.run(host='0.0.0.0', `port=5001)

Here I am creating two http endpoints: /get-cookie and /http-cookie to set and print the cookies. The connect event is called after calling the /get-cookie and /http_cookie endpoint and I am testing through postman and I can see the cookie is set in the cookie manager for the session. All good so far. Now When I call the : connect event on /socket.io endpoint, the cookies which were part of the session is no longer accessible inside the environ dictionary. This is the output of all the request params inside the environ:

{'wsgi.input': <engineio.async_drivers.sanic.translate_request.<locals>.AwaitablePayload object at 0x7eff381f87c0>, 'wsgi.errors': <_io.TextIOWrapper name='<stderr>' mode='w' encoding='utf-8'>, 'wsgi.version': (1, 0), 'wsgi.async': True, 'wsgi.multithread': False, 'wsgi.multiprocess': False, 'wsgi.run_once': False, 'SERVER_SOFTWARE': 'sanic', 'REQUEST_METHOD': 'GET', 'QUERY_STRING': 'EIO=4&transport=websocket', 'RAW_URI': 'ws://localhost:5001/socket.io/?EIO=4&transport=websocket', 'SERVER_PROTOCOL': 'HTTP/1.1', 'REMOTE_ADDR': '127.0.0.1', 'REMOTE_PORT': '0', 'SERVER_NAME': 'sanic', 'SERVER_PORT': '0', 'sanic.request': <Request: GET /socket.io/>, 'HTTP_SEC_WEBSOCKET_VERSION': '13', 'HTTP_SEC_WEBSOCKET_KEY': 'aGwYOye3MGtgQbRhdE6pAw==', 'HTTP_CONNECTION': 'Upgrade', 'HTTP_UPGRADE': 'websocket', 'HTTP_SEC_WEBSOCKET_EXTENSIONS': 'permessage-deflate; client_max_window_bits', 'HTTP_HOST': 'localhost:5001', 'wsgi.url_scheme': 'http', 'PATH_INFO': '/socket.io/', 'SCRIPT_NAME': ''}

So does that mean the cookie is not shared across HTTP and socketio session ? If so how should I access it ?

[miguelgrinberg]

As I mentioned before, this package does not manage the requests, it receives a request object from the web server and uses it.

You are using the sanic web server, correct? Then the incoming request is processed here: https://github.com/miguelgrinberg/python-engineio/blob/main/src/engineio/async_drivers/sanic.py#L70-L83. This code takes what Sanic provides and translates it to the dictionary you are looking at. If Sanic does not provide the cookie in their request headers, then it is not going to be exposed in the dictionary. You have to figure out why Sanic does not receive or expose the cookie.

[abhayana24]

Thanks @miguelgrinberg ,

So you think this could be a problem with Sanic not passing the cookie after HTTP handshake and upgrading to websockets, because within HTTP session I am able to see the cookie received at the server and also if I explicitly add the Cookie in the header of the socketio request, I can still see the cookie in the environ , the problem is only between sharing the cookies between HTTP and websocket session.

If you can share any other framework apart from Sanic that can be used to achieve the same, it would be really helpful.

[miguelgrinberg]

My guess is that your testing method is flawed, and that you think the cookie is being sent but for some reason it isn't.

If you don't mind switching to sync Python, you can try my sessions.py example, which shows how this works for the Flask framework. I have even recorded a video demonstrating this example a while back.