October 29th, 2013, 11:29 AM
metajack
Wrox Author

For security, the attack you are worried about is some cross-origin script modifying your code. For the most part, browsers are hardened against this kind of attack. Users can obviously inspect the app, but they can also run your binary in a debugger, so while it's mechanically easier, it doesn't change much.

You can save session state the same way you normally do and then open a BOSH connection on the server side and pass the SID, RID, and JID to the client and use connection.attach() to establish the connection. This is called pre-binding, and it has the nice property that the user's password is never stored in the JavaScript or needed to be entered client side.

I'm probably not the best person to answer your last question. You might try the Strophe.js mailing list. Certainly many people have integrated Strophe.js with MVC client side applications, so probably what you want is possible.
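
The pre-binding hand-off described in the post, as an added example that is not part of the original post or of Strophe.js itself. The helper names `toHandoff` and `attachPrebound` and the shape of the `session` object are assumptions; `connection` is expected to be a `Strophe.Connection`, whose `attach(jid, sid, rid, callback)` takes the RID that the next request will use.

```javascript
// Added example. Hypothetical helpers: toHandoff, attachPrebound.

// Server side: after the server has authenticated and bound a resource
// over BOSH on the user's behalf, expose only the session tokens.
// `session` is an assumed record kept by the server-side BOSH code.
function toHandoff(session) {
  return {
    jid: session.fullJid,
    sid: session.sid,
    // attach() wants the RID of the *next* request, not the last one sent.
    rid: session.lastRid + 1,
  };
}

// Client side: validate the hand-off, then attach to the live session.
function attachPrebound(connection, creds, onStatus) {
  if (creds === null || typeof creds !== "object") {
    throw new Error("missing pre-bind payload");
  }
  // The point of pre-binding is that no password reaches the browser.
  if ("password" in creds) {
    throw new Error("pre-bind payload must not carry a password");
  }
  const { jid, sid, rid } = creds;
  // Simplified full-JID check (local@domain/resource), not full RFC 6122.
  if (typeof jid !== "string" || !/^[^@\/\s]+@[^@\/\s]+\/\S+$/.test(jid)) {
    throw new Error("expected a full JID (user@domain/resource)");
  }
  if (typeof sid !== "string" || sid.length === 0) {
    throw new Error("missing SID");
  }
  // XEP-0124 RIDs are positive integers that must stay below 2^53.
  const nextRid = Number(rid);
  if (!Number.isSafeInteger(nextRid) || nextRid <= 0) {
    throw new Error("RID must be a positive integer below 2^53");
  }
  connection.attach(jid, sid, nextRid, onStatus);
  return nextRid;
}
```

The SID and RID together are enough to take over the BOSH session, so the page or endpoint that delivers them should be served over HTTPS and marked non-cacheable.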