Strophe.js provides two mechanisms that allow a BOSH client to resume an authenticated session without going through the full SASL login flow again: prebind withDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/strophe/strophejs/llms.txt
Use this file to discover all available pages before exploring further.
attach() and keepalive with restore(). Both mechanisms are BOSH-only features — they rely on the rid/sid token pair that BOSH sessions carry, which has no equivalent in the WebSocket transport.
Comparison at a Glance
attach() — Prebind
A server process authenticates on behalf of the user and passes the resulting
jid, sid, and rid to the browser. The browser calls attach() to claim the pre-authenticated session. No password is ever exposed to the client.restore() — Keepalive
Strophe.js caches
jid, sid, and rid in sessionStorage while the page is open. On the next page load the browser calls restore() to resume the same BOSH session — no re-authentication needed unless the session expired.Prebind / attach()
Prebinding is a pattern where a trusted server-side process opens a BOSH session, authenticates the user, and then hands the session tokens to the browser. This keeps the user’s credentials entirely server-side and eliminates the client-side login round-trip.Server-Side Flow
The server must:- Open a BOSH session with the XMPP server (
POSTto/http-bind) - Complete SASL authentication and resource binding on behalf of the user
- Return the final
jid,sid, andridto the browser
BOSHClient from the Strophe.js repository:
connection.attach() Parameters
The
rid passed to attach() must be exactly one greater than the last rid used by the server-side process. If you pass the same rid that the server last sent, requests will fail. The Python BOSHClient example above leaves bc.rid at the last sent value; increment it by 1 before passing it to attach().Prebind Example
Server authenticates and returns tokens
Your backend authenticates the user over BOSH and returns the session tokens to the page — for example, as JSON in an API response or embedded in the HTML template.
Call attach() instead of connect()
Pass the server-provided
jid, sid, and rid directly. Do not call connect().ATTACHED vs CONNECTED
| Status | Meaning |
|---|---|
Strophe.Status.CONNECTED | Full login completed; SASL authentication and resource binding finished by Strophe.js |
Strophe.Status.ATTACHED | Strophe.js has claimed an externally pre-authenticated BOSH session; no re-authentication performed |
Keepalive / restore()
Whenkeepalive: true is set, Strophe.js writes the current jid, rid, and sid to sessionStorage['strophe-bosh-session'] as JSON after every successful BOSH request. When the page reloads, calling restore() reads those tokens back and calls _attach() internally — producing an ATTACHED status if the session is still valid.
ConnectionOptions.keepalive
_doDisconnect().
connection.restore() Parameters
jid is provided, restore() compares it against the cached jid (using bare JID comparison) and throws StropheSessionError if they do not match. Pass undefined to restore any cached session.
restore() throws StropheSessionError (not a regular Error) when:
sessionStorageis unavailable- No cached session exists
- The transport is not BOSH
Keepalive + Restore Example
Pausing and Resuming Request Processing
connection.pause() and connection.resume() let you temporarily suspend all outgoing data without disconnecting. This is useful when you need to batch many send() calls together — particularly over BOSH, where batching reduces the number of HTTP round-trips.
connection.paused is true, both the Bosh._onIdle() and Websocket._onIdle() handlers skip sending any queued data. Calling resume() sets paused back to false, and the next idle cycle (every 100 ms) dispatches all queued stanzas.