Passing connection token is secure or hacky from signalr js client side to hub function

Question

i read this article http://www.asp.net/signalr/overview/security/introduction-to-security#connectiontoken

JS Client

$.connection.hub.qs = { "token" : tokenValue };
$.connection.hub.start().done(function() { /* ... */ });

.NET Client

var connection = new HubConnection("http://foo/",
                                   new Dictionary<string, string>
                                   {
                                       { "token", tokenValue }
                                   });

Inside a Hub you can access the community name through the Context:

Context.QueryString["token"]

---

Setting Headers on the .NET Client

var connection = new HubConnection("http://foo/");
connection.Headers.Add("token", tokenValue);

i notice that we can pass some token value from client side to hub function as query string.....if i pass the anything as query string is not safe. so tell me best way to pass token value in secured way from client to hub function as a result no one can hack/change or reuse that token value.

one guy said SignalR uses encryption and a digital signature to protect the connection token.. so please tell me is it true that signalr first encrypt token value and then pass from client side to hub?

suggest me how one can pass token value to hub in secure way. thanks

Answer 1

You can use headers in the javascript client like this for example:

$.signalR.ajaxDefaults.headers = { Authorization: "Bearer " + yourToken };

Now not hacky and is a global setting you can do once at startup or successful auth response! Enjoy!

Now only if I can find a way to override this on a per-request basis so I can get a user emulation sandbox working for my users in administrative roles...