Long polling using ServiceStack

leonidy · June 25, 2015, 1:06pm

Hello,

Since SS SSE doesn’t support authentication in IE9, I’m looking to implement the pushing for IE9 using long polling. Does anyone implemented long polling in either way with SS?

Does anyone has suggestion how to integrate it with ss-utils?

mythz · June 25, 2015, 11:45pm

The issue is that IE9 doesn’t natively support Server Sent Events and that the polyfill for IE9 doesn’t support sending Cookies or Custom HTTP Headers to be able to specify a Users Session.

I’ve added a new Config.AllowSessionIdsInHttpParams config option that will now let you provide the Session Id’s over the QueryString as well. With this enabled you can now specify the ?ss-id on the queryString when connecting to the event stream which you can see in this commit, i.e:

SetConfig(new HostConfig {
    AllowSessionIdsInHttpParams = true,
});

With this enabled you can specify the ss-id Session Id on the QueryString of the /event-stream url, i.e:

var source = new EventSource('/event-stream?channels=@channels&ss-id=@(base.GetSession().Id));

Which should now work with IE9 which you can test with at:
http://chat.servicestack.net/default_ieshim

leonidy · June 28, 2015, 9:53am

Good news.

There is a security risk to send a session token as part of the URL. Will it be hard to change the current implementation and incorporate the session token (somehow) into the body of the request?
This way, using SSL will hide the session cookie from being intercepted.

mythz · June 28, 2015, 1:18pm

That’s not possible, EventSource makes a GET request. Also if you’re using SSL, the entire HTTP Request is encrypted so no one else sees the URL.

leonidy · June 29, 2015, 12:46pm

I understand your explanation though HTTP standard doesn’t forbid using body of the request for GET. Although SSL encrypts URL for ManInTheMiddle, the URL remains exposed on the client. So the cookie session id can be hijacked.

mythz · June 29, 2015, 12:49pm

Regardless of what http sever libs, middleware, http proxies, etc actually support GET’s with a request body - the SSE EventSource makes a GET request with no body (as expected).

leonidy · July 5, 2015, 9:50am

Hello,

I’ve upgraded from 4.0.38 to 4.0.40 and I still don’t have AllowSessionIdsInHttpParams property in HostConfig class.

What version do I’ve to take to have it?

mythz · July 6, 2015, 2:24am

This is available from v4.041+ which is currently available on MyGet