In a SignalR Hub class you are able to call Context.ConnectionId for a user. I am looking to store these in a Dictionary<string, string> in order to connect users together. Is there a risk or security vulnerability in returning other users' client IDs to a user's client?
Yes, we do this in some of our samples but it's bad. If you leak the connection id then people can send/receive your messages on your connection. Create another id that is unique and store a mapping between your id and connection id internally so you can map them back.
It's basically the same idea as the forms auth ticket. Sure it's encrypted but if someone gets ahold of it they can impersonate you regardless.
See a sample of this logic in MessengR. https://github.com/davidfowl/MessengR/blob/master/MessengR/Hubs/Chat.cs#L67
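One way to implement the mapping described in the answer above, as an added example that is not the MessengR code or part of the original answer. It assumes ASP.NET SignalR 2.x; the hub name PairingHub, the method SendTo and the client callbacks registered, userJoined, userLeft and receive are hypothetical.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.SignalR;

// Added example (hypothetical names), assuming ASP.NET SignalR 2.x.
public class PairingHub : Hub
{
    // public id (safe to hand to other clients) -> connection id (never leaves the server)
    private static readonly ConcurrentDictionary<string, string> ConnectionsByPublicId =
        new ConcurrentDictionary<string, string>();

    public override Task OnConnected()
    {
        // Only needs to be unique and unrelated to the connection id; it is not a secret.
        string publicId = Guid.NewGuid().ToString("N");
        ConnectionsByPublicId[publicId] = Context.ConnectionId;
        Clients.Caller.registered(publicId);   // caller learns its own public id
        Clients.Others.userJoined(publicId);   // peers only ever see the public id
        return base.OnConnected();
    }

    // Clients address each other by public id; the hub resolves it internally.
    public void SendTo(string targetPublicId, string message)
    {
        string senderPublicId = PublicIdFor(Context.ConnectionId);
        string targetConnectionId;
        if (senderPublicId == null || targetPublicId == null ||
            !ConnectionsByPublicId.TryGetValue(targetPublicId, out targetConnectionId))
            return; // unknown sender or target: drop the message
        Clients.Client(targetConnectionId).receive(senderPublicId, message);
    }

    public override Task OnDisconnected(bool stopCalled)
    {
        string publicId = PublicIdFor(Context.ConnectionId);
        string removed;
        if (publicId != null && ConnectionsByPublicId.TryRemove(publicId, out removed))
            Clients.Others.userLeft(publicId); // stale ids stop resolving immediately
        return base.OnDisconnected(stopCalled);
    }

    private static string PublicIdFor(string connectionId)
    {
        // Default KeyValuePair has a null Key, so an unmapped connection yields null.
        return ConnectionsByPublicId.FirstOrDefault(p => p.Value == connectionId).Key;
    }
}
```

The sender's identity is always derived from Context.ConnectionId on the server, so a client cannot claim another user's public id when sending.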