We have been using socket.io as the framework for chat in our application. The implementation was clean and successful. But after a security review of the application it was reported that keeping the session id in the URL is considered bad practice.
In socket.io the session id is the parameter sid, and it appears in the URL by default, as shown below.
https://example.com:4000/socket.io/?EIO=3&transport=polling&t=1480422460686-2&sid=H7ZujhfsdTyTGKg2AARq
Are there any methods by which we can remove this from the URL? We have gone through the documentation and a bunch of results from Google. Nothing seems to have a solution for this.
According to the security team, this issue is relevant when related to the recent vulnerability in CloudFlare. Any solutions?
This post suggests that sid MUST be present in the query string. Some workarounds using proxy / SSL certificates are outlined here. Hope this helps.
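Even if the sid has to stay in the query string, it will be copied into every access log, proxy log and analytics record that stores the request URL, so one defensive measure is to scrub it before those records are written or shipped. The following is an added example, not code from the post or from socket.io: the access-log lines are constructed (reusing the URL shape from the question), and the function names are hypothetical.

```javascript
// Added example: redact the socket.io `sid` query parameter from access-log
// lines before they are stored, and count how many lines exposed a session id.
// The log lines are constructed for this example; the URL shape matches the
// polling request and the later websocket upgrade request that socket.io emits.

const SAMPLE_LOG = [
  '203.0.113.5 - - [29/Nov/2016:12:27:40 +0000] "GET /socket.io/?EIO=3&transport=polling&t=1480422460686-2&sid=H7ZujhfsdTyTGKg2AARq HTTP/1.1" 200 15',
  '203.0.113.5 - - [29/Nov/2016:12:27:41 +0000] "GET /socket.io/?EIO=3&transport=websocket&sid=H7ZujhfsdTyTGKg2AARq HTTP/1.1" 101 0',
  '203.0.113.7 - - [29/Nov/2016:12:27:42 +0000] "GET /index.html HTTP/1.1" 200 512',
];

// `sid` as a query parameter, whether it is the first (`?sid=`) or a later
// (`&sid=`) parameter. The value runs until the next `&`, whitespace or quote,
// so the rest of the request line is left untouched.
const SID_RE = /([?&]sid=)[^&\s"]+/g;

// Replace every sid value in one log line with a fixed marker.
// Returns the redacted line and whether a sid was present at all.
function redactSid(line) {
  let exposed = false;
  const redacted = line.replace(SID_RE, (match, prefix) => {
    exposed = true;
    return prefix + 'REDACTED';
  });
  return { line: redacted, exposed };
}

// Scrub a whole log and report how many lines carried a session id, which is
// the number a reviewer would want when judging how far the sid has spread.
function scrubLog(lines) {
  const out = [];
  let exposures = 0;
  for (const line of lines) {
    const result = redactSid(line);
    if (result.exposed) exposures += 1;
    out.push(result.line);
  }
  return { lines: out, exposures };
}

// Stand-alone run (Node/CommonJS): print the scrubbed log and the exposure count.
if (typeof require !== 'undefined' && require.main === module) {
  const result = scrubLog(SAMPLE_LOG);
  console.log(result.lines.join('\n'));
  console.log(`lines that exposed a sid: ${result.exposures}`);
}
```

The same regex can be pointed at proxy or CDN logs, which is where the CloudFlare concern raised by the security team would surface.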