socket.io套接字ID应该保密吗？ [英] Should the socket.io socket ID be secret?

问题描述

我正在使用socket.io开发一个Web应用程序。
我目前正在使用套接字ID作为标识符，广播给其他客户端。现在，这引发了安全问题，即这个id是否可以用来劫持另一个用户会话。不幸的是，很难在网上找到这方面的任何信息。

I'm developing a web application using socket.io. I'm currently using the socket id as an identifier which gets broadcast to other clients. Now this raised security concerns as to whether this id could be used to hijack another users session. Unfortunately it is extremely difficult to find any information on this online.

那么 - 套接字ID应该保密还是我可以安全地将其用作公共标识符？

So - should the socket id be kept secret or can I safely use it as a public identifier?

推荐答案

客户端无法直接对socket.id执行任何操作。因此，允许知道id本身不会导致新的漏洞。但是，如果您的服务器允许在套接字上执行操作（如果只知道ID），那么您必须评估服务器公开的那些操作的风险。我们无法对这些内容发表评论，因为您没有向我们展示任何代码或设计。

A client cannot do anything with a socket.id directly. So, allowing the id to be known causes no new vulnerabilities on its own. However, if your server allows things to be performed on a socket if only an ID is known, then you'd have to assess what the risks are for those operations that your server exposes. We can't really comment on those since you haven't shown us any code or design.

例如，如果您的服务器支持消息调用buy且所有需要的是客户触发购买操作的ID，如果你让id公开，那么这可能是一个问题。但是，只要对服务器提供给客户端的id进行操作的唯一操作是供公众在任何套接字上访问（例如向他们发送消息），那么应该没有问题。

For example, if your server supported a message call "buy" and all that was needed was an id for a client to trigger a buy operation, then it could be a problem if you let the id be publicly known. But as long as the only operations that operate on an id that your server makes available to the client are intended for the public to access on any socket (such as send them a message), then there should not be a problem.

那么 - 套接字ID是保密还是我可以安全地将其用作公共标识符？

So - should the socket id be kept secret or can I safely use it as a public identifier?

作为一个公共标识符，它完全没问题，而且它就是其中之一。它应该用作标识符（如我想向Bob发送消息，因此我将告诉服务器向其id发送消息），但不作为授权。毕竟，如果你公开它，那么它不是秘密，所以不应该被你自己的服务器API用于授权。

It is perfectly fine as a public identifier and that's one of the things that it is there for. It should be used as an identifier (as in "I want to send a message to Bob so I will tell the server to send a message to his id"), but not as authorization. After all, if you're making it public, then it isn't a secret so should not be used by your own server API for authorization.

我想我应该更具体一点。我想知道恶意用户是否有可能通过提供另一个套接字ID来通过数据包伪造将其请求与外部套接字对象（我用作会话缓存）配对。我从你的回答中得出结论并非如此 - 非常感谢！

I guess I should've been a bit more specific. I was wondering whether it would be possible for a malicious user to pair their requests with a foreign socket object (which I use as a session cache) through packet forgery by supplying another socket id. I take from your answer that this is not the case - so thanks a lot!

套接字不使用socket.id.我在运输本身。所以你不能做任何恶意的事情，比如冒充别人，不仅仅是因为你知道他们的 socket.id 。事实上，据我所知，客户端甚至不知道 socket.id - 它在服务器实现中用于识别和查找特定客户端。

The socket.id is not used by socket.io in the transport itself. So you can't do anything malicious such as pretending to be someone you aren't just because you know their socket.id. In fact, as best I know, the client does not even know the socket.id - it is used within the server implementatoin for identification and lookup of a particular client.

这篇关于socket.io套接字ID应该保密吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！