Any risk returning other users' Connection Id to the client?

In a SignalR Hub class you are able to call Context.ConnectionId for a user. I am looking to store these in a Dictionary<string, string> in order to connect users together. Are there any risks or security vulnerabilities in returning other users' client ids to a user's client?

anthonypliu asked Jul 26 '12 05:07



1 Answer

Yes, we do this in some of our samples but it's bad. If you leak the connection id then people can send/receive your messages on your connection. Create another id that is unique and store a mapping between your id and connection id internally so you can map them back.

It's basically the same idea as the forms auth ticket. Sure it's encrypted but if someone gets ahold of it they can impersonate you regardless.

See a sample of this logic in MessengR: https://github.com/davidfowl/MessengR/blob/master/MessengR/Hubs/Chat.cs#L67

davidfowl answered Sep 23 '22 21:09

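The indirection the answer recommends, as an added example written for ASP.NET Core SignalR (it is not the poster's code nor MessengR's); the hub name, method names, client event names and the in-memory dictionaries are assumptions, and the static maps only work for a single server process:

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.SignalR;

// Hypothetical hub: clients only ever see opaque public ids, never Context.ConnectionId.
public class PrivateChatHub : Hub
{
    // public id -> real SignalR connection id (server-side only)
    private static readonly ConcurrentDictionary<string, string> PublicToConnection = new();
    // connection id -> public id, kept so we can clean up on disconnect
    private static readonly ConcurrentDictionary<string, string> ConnectionToPublic = new();

    public override async Task OnConnectedAsync()
    {
        // Fresh unguessable handle from a CSPRNG; never derived from the connection id.
        var publicId = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
        PublicToConnection[publicId] = Context.ConnectionId;
        ConnectionToPublic[Context.ConnectionId] = publicId;

        // The caller learns its own handle, everyone else learns that handle; no connection id leaves the server.
        await Clients.Caller.SendAsync("AssignedId", publicId);
        await Clients.Others.SendAsync("UserJoined", publicId);
        await base.OnConnectedAsync();
    }

    public override async Task OnDisconnectedAsync(Exception exception)
    {
        // Drop both directions of the mapping so a stale handle cannot be resolved later.
        if (ConnectionToPublic.TryRemove(Context.ConnectionId, out var publicId))
        {
            PublicToConnection.TryRemove(publicId, out _);
            await Clients.Others.SendAsync("UserLeft", publicId);
        }
        await base.OnDisconnectedAsync(exception);
    }

    // Clients address each other by public id; only the server maps it back to a connection id.
    public async Task SendPrivate(string targetPublicId, string message)
    {
        if (!PublicToConnection.TryGetValue(targetPublicId, out var targetConnectionId))
        {
            // Unknown or expired handle: fail closed instead of guessing.
            throw new HubException("Unknown recipient.");
        }
        var senderPublicId = ConnectionToPublic[Context.ConnectionId];
        await Clients.Client(targetConnectionId).SendAsync("PrivateMessage", senderPublicId, message);
    }
}
```

For a scaled-out deployment the two dictionaries would need to live in a shared store (or be replaced by groups keyed on the public id) rather than in process memory.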