This strikes me as a tad in-secure from the outset. Unless you’re sending a password provided by the client to the socket with the user ID and authorizing again, it would be pretty trivial to set a breakpoint in your browser and put in a different user ID. The socket wouldn’t know any better. (I guess this is called socket hijacking?).
Ruby on Rails for example gets around this problem by hashing (SHA512) the session information using a secret key on the server. This way we know that the user id hasn’t been tampered with. (Unless your code has been stolen