I'm familiarized with server-side programming (eg. PHP, ASP.NET, and so on), but not with a pure Javascript application (like Strophe.JS which is more likely client-side).

Some point that I concern about Strophe.JS:

• Security
  Is it secure to make a pure Javascript application since the modern browser could see your code and even modify them (Inspect element)?
  Someone could be see your connection properties by looking your Javascript code.

• Session State
  When I logged in to my application, is it possible to remember my session since Javascript couldn't establish session state like server-side programming language do (as I know). Is it possible to combining Strophe.JS with server-side programming?

• Application Architecture
  So far, I always use Javascript just for View-Tier (eg. updating HTML interface), not for Controller-Tier. Is it possible to implement MVC framework on Strophe.JS? I mean using Strophe.JS for View-Tier and server-side programming for Controller-Tier?

What is the best practice for developing chat application using XMPP?

Sorry for my bad English, thanks in advance

For security, the attack you are worried about is some cross-origin script modifying your code. For the most part, browsers are hardened against this kind of attack. Users can obviously inspect the app, but they can also run your binary in a debugger, so while it's mechanically easier, it doesn't change much.

You can save session state the same way you normally do and then open a BOSH connection on the server side and pass the SID, RID, and JID to the client and use connection.attach() to establish the connection. This is called pre-binding, and it has the nice property that the user's password is never stored in the JavaScript or needed to be entered client side.

I'm probably not the best person to answer your last question. You might try the Strophe.js mailing list. Certainly many people have integrated Strophe.js with MVC client side applications, so probably what you want is possible.

My solution to the authentication problem is this: I completely get rid of PHP sessions. Instead, I use PHP to check the database and confirm that the username, password combo matches. If they do, then I establish a strophe connection and register the user's specific details such as username, unique member Id, email etc, as javascript variables. I make them namespace objects so that I can use them througout the application. Upon connection fail or if the user voluntarily logs out, I return these variables to null. What do you guys think?

Hi, there thanks for reply

I've read the BOSH session attachment with Strophe.js in chapter 12.

I'm glad that Strophe supporting this feature :) That's very helpful. But when I try to implement connecting with session attachment, I've got some problem with the RID.

I'm using Openfire server. I did my pre-binding system and SID & RID maintenance from my server side code. Every time I go to my page, I'm requesting the latest RID form my pre-bind service and increment it by 1 (RID = RID + 1).

There's no problem when I'm doing session attachment for the first time. But when I refreshed the page or open the new tab a problem occurred with this error message POST http://myopenfireserver/http-bind/ 404 (Invalid SID.)

Now I'm realizing that every time a request occurred, Strophe will automatically increment its RID by 1.
For example, let's say my first RID from PHP-prebind service is: 123456.
Then I'm doing session attachment with RID: 123457.
When I'm sending ping IQ, Strophe will automatically request with RID: 123458.
Next when I'm sending presence IQ, Strophe will request with RID: 1234569

In this case my last RID from PHP-prebind service is 123457 and when I refreshed the page, strophe will request with that RID. Seems Openfire won't accepted request with the same RID as previous. Is that right?

This is my screenshot of XHR