I'm developing a web application using socket.io. I'm currently using the socket id as an identifier which gets broadcast to other clients. Now this raised security concerns as to whether this id could be used to hijack another user's session. Unfortunately it is extremely difficult to find any information on this online.
So - should the socket id be kept secret or can I safely use it as a public identifier?
Each Socket in Socket.IO is identified by a random, unguessable, unique identifier Socket#id. For your convenience, each socket automatically joins a room identified by its own id.
In the first case, the Socket will automatically try to reconnect, after a given delay.
path Default value: /socket.io/ It is the name of the path that is captured on the server side.
A client cannot do anything with a socket.id directly. So, allowing the id to be known causes no new vulnerabilities on its own. However, if your server allows things to be performed on a socket if only an ID is known, then you'd have to assess what the risks are for those operations that your server exposes. We can't really comment on those since you haven't shown us any code or design.
For example, if your server supported a message call "buy" and all that was needed was an id for a client to trigger a buy operation, then it could be a problem if you let the id be publicly known. But as long as the only operations that operate on an id that your server makes available to the client are intended for the public to access on any socket (such as sending them a message), then there should not be a problem.
So - should the socket id be kept secret or can I safely use it as a public identifier?
It is perfectly fine as a public identifier and that's one of the things that it is there for. It should be used as an identifier (as in "I want to send a message to Bob so I will tell the server to send a message to his id"), but not as authorization. After all, if you're making it public, then it isn't a secret so should not be used by your own server API for authorization.
I guess I should've been a bit more specific. I was wondering whether it would be possible for a malicious user to pair their requests with a foreign socket object (which I use as a session cache) through packet forgery by supplying another socket id. I take from your answer that this is not the case - so thanks a lot!
The socket.id is not used by socket.io in the transport itself. So you can't do anything malicious such as pretending to be someone you aren't just because you know their socket.id.
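The distinction the answer draws (socket.id as a public address versus socket.id as authorization), as an added example that is not code from the question, the answer, or Socket.IO itself. It assumes a constructed token table and an in-memory session map; the handlers take a minimal `{ id }` socket-like object so they run without a server, and the real Socket.IO wiring is shown in comments at the end.

```javascript
// Added example (not from the page): socket.id as public address, never as authorization.
// Constructed server-side session store: socket.id -> authenticated user.
const sessionsBySocket = new Map();
// Constructed handshake tokens; a real server would validate a cookie or JWT.
const TOKENS = {
  'tok-alice': { userId: 'alice', balance: 100 },
  'tok-bob': { userId: 'bob', balance: 5 },
};
// Runs once per connection (io.use middleware): bind identity to this socket.
function authenticate(socket, token) {
  const user = TOKENS[token];
  if (!user) return false;
  sessionsBySocket.set(socket.id, user);
  return true;
}
// Public operation: any authenticated client may address any socket.id.
// Returns the envelope the wiring sends with io.to(room).emit(event, payload).
function handleMessage(socket, { to, text }) {
  const sender = sessionsBySocket.get(socket.id);
  if (!sender) return null;
  return { room: to, event: 'message', payload: { from: sender.userId, text } };
}
// The pattern the answer warns about: a client-supplied id decides whose
// account is charged, so a public socket.id becomes a capability.
function buyInsecure({ asSocketId, price }) {
  const account = sessionsBySocket.get(asSocketId);
  if (!account || account.balance < price) return { ok: false };
  account.balance -= price;
  return { ok: true, chargedUser: account.userId };
}
// Hardened: the account is whatever the server bound to *this* connection;
// nothing from the payload selects the identity.
function buySecure(socket, { price }) {
  const account = sessionsBySocket.get(socket.id);
  if (!account) return { ok: false, reason: 'unauthenticated' };
  if (account.balance < price) return { ok: false, reason: 'insufficient funds' };
  account.balance -= price;
  return { ok: true, chargedUser: account.userId, balance: account.balance };
}

// Wiring with the real Socket.IO server API (not executed here):
// io.use((s, next) => authenticate(s, s.handshake.auth.token) ? next() : next(new Error('unauthorized')));
// io.on('connection', (s) => {
//   s.on('message', (p) => { const e = handleMessage(s, p); if (e) io.to(e.room).emit(e.event, e.payload); });
//   s.on('buy', (p, ack) => ack(buySecure(s, p)));
//   s.on('disconnect', () => sessionsBySocket.delete(s.id));
// });
```

Knowing Alice's socket.id lets Bob message her through `handleMessage`, which is the intended public use; only the `buyInsecure` design turns that same id into a way to act on her account, and `buySecure` closes it by ignoring any id in the payload.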