如何防止恶意使用我的套接字? [英] How can I prevent malicious use of my sockets?
问题描述
我正在制作一个基于玩家能够邀请其他玩家参加聚会的网页,以及其他很长时间的网页。
I'm making a webpage based around players being able to invite other players to parties, and other things a long the lines.
我有你的基本发送/接收/更新您队伍中的聊天/用户。唯一的问题是,什么阻止某人坐在那里打开开发者控制台并且去
I have your basic send / receive / update of the chat/users in your party. The only thing is, what's to stop somebody from sitting there opening up a developer console and going
socket.emit('updateUsers', 'Weiner');
socket.emit('updateUsers', 'Idiot');
socket.emit('updateUsers', 'Bad word');
socket.emit('updateUsers', 'Other stupid malicious really long spam the chat name');
我如何防止这种情况发生,以致他们无法做到这一点?
How can I prevent against this so that they can not do such things?
(完整的JS Stack,Node.js)
谢谢!
(Full JS Stack, Node.js) Thanks!
推荐答案
我面对这个问题,这是我的解决方案,就垃圾邮件发出去(恶意套接字使用)..
I faced this problem aswell, This was my solution as far as spamming emits go (malicious socket use)..
var spamData = new Object();
var spamCheckFunctions = ["updateUsers","moreEmits"]; // anti-spam will check these socket emits
var antiSpam = 3000; // anti spam check per milliseconds
var antiSpamRemove = 3; // -spam points per antiSpam check
var maxSpam = 9; // Max spam points before disconnect is thrown to the socket
io.sockets.on('connection', function (socket) {
// Spam Check, this binds to all emits
var emit = socket.emit;
socket.emit = function() {
data = Array.prototype.slice.call(arguments);
if(spamCheckFunctions.contains(data[0])){
addSpam(socket);
};
emit.apply(socket, arguments);
};
var $emit = socket.$emit;
socket.$emit = function() {
data = Array.prototype.slice.call(arguments);
if(spamCheckFunctions.contains(data[0])){
addSpam(socket);
}
$emit.apply(socket, arguments);
};
});
function maxSpamCheck(socket){
if(spamData[socket.username].spamScore>=maxSpam && !socket.spamViolated){
socket.spamViolated = true;
socket.disconnect();
}
}
function checkSpam(){
for(user in spamData){
if(spamData[user].spamScore>=1) spamData[user].spamScore-=antiSpamRemove;
}
return;
}
setInterval(checkSpam,antiSpam);
function addSpam(socket){
if(socket.spamViolated) return;
spamData[socket.username].spamScore+=1;
maxSpamCheck(socket);
}
// Then add this where your user is authenticated
function authenticate(socket){
socket.username = username // here you define username
socket.spamViolated = false;
spamData[socket.username] = {
spamScore: 0
}
}
Array.prototype.contains = function(k) {
for(var p in this)
if(this[p] === k)
return true;
return false;
};
基本上绑定到所有发出并检查发送名称是否包含在 spamCheckFunctions中
如果是,如果用户超过垃圾邮件分数( maxSpam
),它将添加垃圾邮件点;他将被断开连接。并且在 antiSpam
中定义的每毫秒将减去在定义的用户垃圾邮件分数antiSpamRemove
basically binds to all emits and checks if the emit name is contained in spamCheckFunctions
if it is it will add a spam point, if a user exceeds a spam score amount (maxSpam
); he will be disconnected. And for every milliseconds defined at antiSpam
will minus the user spam score defined at antiSpamRemove
我确信有更清洁的解决方案,但这个对我来说非常好:)。
I'm sure there are cleaner solutions but this one worked out pretty good for me :)
只需确保验证/验证用户。
Just make sure to verify/authenticate the users.
这是我验证它们的方式(不使用nodejs作为网络服务器,但有django):
this is how I authenticate them (not using nodejs as a webserver, but had django):
io.configure(function(){
io.set('authorization', function(data, accept){
if(data.headers.cookie){
data.cookie = cookie_reader.parse(data.headers.cookie);
return accept(null, true);
}
return accept('error', false);
});
});
现在你可以访问 socket.handshake.cookie ['sessionid']
(在我的情况下,这适用于django)
然后匹配 socket.handshake.cookie ['sessionid']
,其中包含一个条目会话存储在网络服务器上
now you can access socket.handshake.cookie['sessionid']
(in my case this worked with django)
then match the socket.handshake.cookie['sessionid']
with a entry where your sessions are stored on the webserver
这篇关于如何防止恶意使用我的套接字?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!