socketio / socket.io

Realtime application framework (Node.JS server)
https://socket.io
MIT License

A secure question, about exposing the socket.id #1335

Closed ETiV closed 10 years ago

ETiV commented 11 years ago

Is it safe to expose a client's socket.id, like 6McPaSWV2iFXZT0IoLRa, to the others?

Because I'm writing a chat server/app, and I want to implement one-to-one message sending or admin operations by accessing the target client's socket.id.

But I'm new to Socket.IO and not familiar with it.

I'm afraid exposing the socket.id may cause some security risk, like exposing the cookies to the others.

jas- commented 10 years ago

Use wss, which can be done by using the tls or https modules and binding socket.io to that. That will eliminate exposing any of the websocket & http protocol headers, including the payloads (i.e. socket.id).

The cookies used by socket.io are usually sent during the initial handshake or request, at which time the protocol is changed, as detailed here.

The details of the websocket protocol are detailed in RFC 6455.
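The following is an added example, not code from this issue thread or from the socket.io project. It shows the server-side design that makes a leaked socket.id harmless: the id is only a routing handle, and one-to-one messages and admin operations are authorized on the user the server authenticated at the handshake (the `authenticate(handshake)` callback, the `Registry` class and the event names are assumptions of this example).

```javascript
// Added example, not from the issue thread: socket.id is only an opaque routing
// handle; every action is authorized on the user the server authenticated at
// the handshake, never on an id a client sends. Assumes a socket.io-style `io`.
class Registry {
  constructor() { this.byUser = new Map(); this.bySocket = new Map(); }
  bind(socketId, user) {                      // user = { name, role }
    this.bySocket.set(socketId, user);
    if (!this.byUser.has(user.name)) this.byUser.set(user.name, new Set());
    this.byUser.get(user.name).add(socketId);
  }
  unbind(socketId) {
    const user = this.bySocket.get(socketId);
    if (!user) return;
    this.bySocket.delete(socketId);
    this.byUser.get(user.name).delete(socketId);
  }
  userFor(socketId) { return this.bySocket.get(socketId) || null; }
  socketsFor(name) { return [...(this.byUser.get(name) || [])]; }
}
// Pure decisions: sender must be a bound (authenticated) socket; admin ops need the role.
function authorizeDirectMessage(reg, fromSocketId, toName) {
  const sender = reg.userFor(fromSocketId);
  if (!sender) return { ok: false, reason: 'unauthenticated' };
  const targets = reg.socketsFor(toName);
  if (targets.length === 0) return { ok: false, reason: 'offline' };
  return { ok: true, from: sender.name, targets };
}
function authorizeAdminOp(reg, fromSocketId) {
  const actor = reg.userFor(fromSocketId);
  return actor && actor.role === 'admin' ? { ok: true } : { ok: false, reason: 'forbidden' };
}
// Wiring: authenticate(handshake) (assumed, not shown) maps the session cookie to a user; bind io to https so this runs over wss.
function attach(io, reg, authenticate) {
  io.on('connection', (socket) => {
    const user = authenticate(socket.handshake);
    if (!user) return socket.disconnect(true);  // no session: drop before anything is routed
    reg.bind(socket.id, user);
    socket.on('dm', ({ to, text }) => {         // clients address peers by name, not by id
      const d = authorizeDirectMessage(reg, socket.id, to);
      if (!d.ok) return socket.emit('chat:error', d.reason);
      for (const id of d.targets) io.to(id).emit('dm', { from: d.from, text });
    });
    socket.on('announce', ({ text }) => {       // admin-only operation
      const d = authorizeAdminOp(reg, socket.id);
      if (!d.ok) return socket.emit('chat:error', d.reason);
      io.emit('announce', { from: user.name, text });
    });
    socket.on('disconnect', () => reg.unbind(socket.id));
  });
}
```

With this layout a client that learns another client's socket.id gains nothing, because the server never reads an id out of a client message to decide who may do what.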