Menu
I've been working with Socket.IO for a few days and it's been both extremely exciting and even more frustrating. The lack of current documentation/tutorials has made learning it very difficult. I finally managed to create a basic chat system, but there is one glaring question. How do I secure it?
What's stopping a malicious user from copying (or editing) my code and connecting to my server? I can grab the username from my PHP script and submit it to Socket.IO so I can recognize them as that user (and the PHP has security of course), but what's stopping someone from just submitting an unregistered username?
How can I make sure that the events submitted are authentic and haven't been tampered with?
My basic socket.io chat for references.
Server:
var io = require('socket.io').listen(8080); var connectCounter = 0; io.sockets.on('connection', function (socket) { connectCounter++; console.log('People online: ', connectCounter); socket.on('set username', function(username) { socket.set('username', username, function() { console.log('Connect', username); }); }); socket.on('emit_msg', function (msg) { // Get the variable 'username' socket.get('username', function (err, username) { console.log('Chat message by', username); io.sockets.volatile.emit( 'broadcast_msg' , username + ': ' + msg ); }); }); socket.on('disconnect', function() { connectCounter--; }); }); Client:
<?php session_start() ?> <!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8" /> <title>untitled</title> </head> <body> <input id='message' type='text'> <div id="content"></div> <script src="http://localhost:8080/socket.io/socket.io.js"></script> <script src="http://code.jquery.com/jquery-latest.js"></script> <script> var socket = io.connect('http://localhost:8080'); $.ajax({ type: 'GET', url: 'https://mysite.com/execs/login.php?login_check=true', dataType: 'json', success: function(data) { var username = data.username; socket.emit('set username', username, function (data){ }); } }); socket.on('broadcast_msg', function (data) { console.log('Get broadcasted msg:', data); var msg = '<li>' + data + '</li>'; $('#content').append(msg); }); $('#message').keydown(function(e) { if(e.keyCode == 13) { e.stopPropagation(); var txt = $(this).val(); $(this).val(''); socket.emit('emit_msg', txt, function (data){ console.log('Emit Broadcast msg', data); }); } }); </script> </body> </html> It all works dandy, except for having absolutely no security.
660
All you have to do is updating the remote session store on node server when a new login/logout happens in your php server. Show activity on this post. The excellent passport framework for express uses secure cookies to validate identity. There is even a module to access it from socket.io.
It is important to know that, by default, there is no authentication provided by Socket.io connections. Anyone can point a client at your server and start emitting and receiving events.
If you want socket.io to use https, just pass a key param to the listen() function. You can also run your server behind stunnel.
If you can install a key-value store like Redis on your node server, you can access it remotely from your php server using a Redis client like Predis. All you have to do is updating the remote session store on node server when a new login/logout happens in your php server.
Check this post for details: Authenticate user for socket.io/nodejs
170
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
