Ad Check Authentication On Every Event Or Connection

- 1 answer

I would like to make sure a user is logged in before they are sending chats. To do this, should I use a authentication middleware that triggers on every connection or use a middleware that trigger on each event?

I am worried if I use the former, the user can sign in then signout (without losing the connection) and continue to send messages while not logged in).

However, looking through all the different stackoverflow posts, no one has mentioned this issue. Can anyone tell me what approach is commonly used?



Based on the comments following your question there are two items you can configure to better protect your users.

Tune your implementation:

  1. Upgrade your implementation to use 2.x.
  2. Make use of the '' configuration to eliminate the default CORS wildcard for any domain.
  3. Use authenticated sessions within the connection. See '' or the '' module alternative.

Tune your sites security headers:

  1. Run your site (if publicly available) through to test your current implementation.
  2. Make use of the guide(s) at OWASP for more options regarding securing your site such as this one regarding use of the newer security headers available in browsers.

source :