Long polling using ServiceStack

Hello,

Since SS SSE doesn’t support authentication in IE9, I’m looking to implement the pushing for IE9 using long polling. Has anyone implemented long polling in either way with SS?

Does anyone have a suggestion on how to integrate it with ss-utils?

The issue is that IE9 doesn’t natively support Server Sent Events and that the polyfill for IE9 doesn’t support sending Cookies or Custom HTTP Headers to be able to specify a User’s Session.

I’ve added a new Config.AllowSessionIdsInHttpParams config option that will now let you provide the Session Ids over the QueryString as well. With this enabled you can now specify the ?ss-id on the queryString when connecting to the event stream which you can see in this commit, i.e:

SetConfig(new HostConfig {
    AllowSessionIdsInHttpParams = true,
});

With this enabled you can specify the ss-id Session Id on the QueryString of the /event-stream url, i.e:

var source = new EventSource('/event-stream?channels=@channels&ss-id=@(base.GetSession().Id)');

This should now work with IE9, which you can test at:
http://chat.servicestack.net/default_ieshim

Good news.

There is a security risk in sending a session token as part of the URL. Will it be hard to change the current implementation and incorporate the session token (somehow) into the body of the request?
This way, using SSL will hide the session cookie from being intercepted.

That’s not possible, EventSource makes a GET request. Also if you’re using SSL, the entire HTTP Request is encrypted so no one else sees the URL.

I understand your explanation, though the HTTP standard doesn’t forbid using the body of the request for GET. Although SSL encrypts the URL against a man-in-the-middle, the URL remains exposed on the client. So the cookie session id can be hijacked.

Regardless of what HTTP server libs, middleware, HTTP proxies, etc. actually support GETs with a request body - the SSE EventSource makes a GET request with no body (as expected).
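
Added example, not part of the thread and not ServiceStack code: since the option puts `ss-id` in request URLs, one mitigation for the exposure discussed above is to redact it before URLs are written to logs, and to flag requests that carry it anywhere other than the event stream. The log line shape (`METHOD URL STATUS`), the function names, the sample lines and the "only `/event-stream` is expected" policy are all assumptions made for illustration.

```javascript
// Query parameter named in the thread; extend the list for your own deployment.
const SENSITIVE_PARAMS = ['ss-id'];

// Replace the value of each sensitive query parameter, leaving the rest of the URL intact.
function redactSessionIds(rawUrl) {
  const qIndex = rawUrl.indexOf('?');
  if (qIndex === -1) return rawUrl;
  const hashIndex = rawUrl.indexOf('#', qIndex);
  const end = hashIndex === -1 ? rawUrl.length : hashIndex;
  const redacted = rawUrl.slice(qIndex + 1, end).split('&').map((pair) => {
    const eq = pair.indexOf('=');
    const rawName = eq === -1 ? pair : pair.slice(0, eq);
    let name;
    try { name = decodeURIComponent(rawName.replace(/\+/g, ' ')); }
    catch { name = rawName; } // malformed escape: compare the raw name
    // Names are compared case-insensitively to stay on the conservative side.
    return SENSITIVE_PARAMS.includes(name.toLowerCase()) ? `${rawName}=REDACTED` : pair;
  }).join('&');
  return rawUrl.slice(0, qIndex + 1) + redacted + rawUrl.slice(end);
}

// Redact every line and report session ids seen on paths other than the allowed one.
function auditLog(lines, allowedPath = '/event-stream') {
  const findings = [];
  const clean = lines.map((line, i) => {
    const [method, url, ...rest] = line.split(' ');
    const safeUrl = redactSessionIds(url);
    if (safeUrl !== url) {
      const path = url.split('?')[0];
      if (path !== allowedPath) findings.push({ line: i + 1, path });
    }
    return [method, safeUrl, ...rest].join(' ');
  });
  return { clean, findings };
}

// Constructed sample lines (not real traffic).
const SAMPLE_LOG = [
  'GET /event-stream?channels=home&ss-id=AbC123xyz 200',
  'GET /orders?page=2&SS-ID=AbC123xyz 200',
  'GET /img/logo.png 200',
  'GET /search?q=ss-id%3Dfoo 200', // ss-id appears only inside a value: left alone
];

const report = auditLog(SAMPLE_LOG);
console.log(report.clean.join('\n'));
console.log(report.findings);
```
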

Hello,

I’ve upgraded from 4.0.38 to 4.0.40 and I still don’t have the AllowSessionIdsInHttpParams property in the HostConfig class.

What version do I have to take to have it?

This is available from v4.041+ which is currently available on MyGet