April 11, 2011

Sending your clients to purgatory (a node.js/socket.io tutorial)

Update: As has been pointed out, sending the username and password hash over to the client is not the most secure thing you can do. I wholeheartedly agree. Please do not do this on anything real-ish. Treat this tutorial as a simple demo of how to isolate a connection until you give it some sort of approval. A much better approach would be to use a one-time throwaway key, or to create a salted hash using the incoming client's IP address. Or probably a million other things. The concept of isolating a socket.io connection within a closure still applies.

Now back to your regularly scheduled programming:

One of the problems I have had with nodechat.js is that using sessions to handle the transition of authenticated users between express and socket.io has always been somewhat finicky.

Nodechat.js and the previous nodechat-tutorials have used sessions to manage this transition by storing a username and password in the session after initial login and making it available to the socket.io listener on new connections and during each message. While adequate most of the time, this method never worked correctly with all the various socket.io transports and it seemed like clients would frequently get stuck when reconnecting, requiring them to reload the page to get back into nodechat.js.

I now have a pretty decent way to address this issue and I am going to share it with you. A little technique I came up with that I call Purgatory…
