23:27:22  <mdedetrich> hi everybody
23:27:25  <mdedetrich> ArxPoetica: hello
23:28:34  <paulbjensen> hi
23:28:53  <mdedetrich> paulbjensen: oh hey, speak of the devil!
23:29:09  <mdedetrich> paulbjensen: how hard do you think it would be to implement authentication into ss-engine.io
23:29:24  <mdedetrich> or something to prevent csrf
23:29:55  <paulbjensen> At this point, I don't know, only way to find out is to give it a shot
23:30:17  <mdedetrich> mainly because we need to have csrf for our site to be in production (for obvious reasons)
23:30:18  <paulbjensen> I briefly read the link about authorising with socket.io
23:30:25  <mdedetrich> I can help out, if needed
23:30:48  <mdedetrich> I think if you can emulate that authorization with engine.io
23:30:50  <mdedetrich> it should be fine
23:30:57  <mdedetrich> it's just a question of how to integrate it with ss
23:34:08  <mdedetrich> paulbjensen: I am guessing the easiest way would be to pass it in as an option when you do ss.ws.transport.use(require('ss-engine.io')) to enable csrf, as well as a function to handle the csrf detection
23:34:43  <paulbjensen> That sounds good.
23:35:34  <mdedetrich> I think making it global for now is the best thing to do (and in spirit of SS as well)
23:36:01  <mdedetrich> alternately you can make it a middleware, that might be more complicated
23:37:19  <paulbjensen> I'd say go with the first option (global) for now
23:41:27  <mdedetrich> well I will have a look at it tomorrow, if you get anywhere with it or need any help let me know
23:43:48  <paulbjensen> thanks, do you have any code relating to your current CSRF presentation implementation for reference?
23:48:14  <paulbjensen> *prevention
23:51:44  <mdedetrich> well I have some current code, but it has nothing to do with sockets
23:51:59  <mdedetrich> it's just standard csrf through forms, so you actually have to do a post FORM for your login
23:52:17  <mdedetrich> that's (one) way to do csrf
23:53:42  <mdedetrich> I'm not sure how helpful that would be
23:54:54  <mdedetrich> I think the socket.io documentation for authentication is going to be the best reference, seeing as I haven't done CSRF using websockets before
23:55:05  <mdedetrich> the principle is similar, server needs to send unique token to the client
23:55:14  <mdedetrich> that token is put into the server's session
23:55:33  <mdedetrich> any kind of 'post' request (or a request that changes something on the server), requires the client to send that token
23:55:42  <mdedetrich> and you need to compare the token with the one in the session
23:55:55  <mdedetrich> when doing a comparison, you should probably compare using hashes, to prevent timing attacks
23:57:27  <mdedetrich> paulbjensen: you may find this interesting
23:57:30  <mdedetrich> paulbjensen: http://blog.kotowicz.net/2011/03/html5-websockets-security-new-tool-for.html
23:57:52  <mdedetrich> paulbjensen: particularly https://github.com/koto/socket_io_client
23:58:17  <mdedetrich> I might write up a sample app based on that code, in SS, using ss-engine.io, to test against csrf
23:59:48  <paulbjensen> thanks, that looks pretty useful (and scary from a security POV)