Socket.io-是“套接字ID”吗?被认为是敏感信息? [英] Socket.io - Is the "socket ID" considered sensitive information?
问题描述
我正在用Node.js和socket.io实现一个简单的聊天应用程序,想知道在整个对象中共享所有客户端的套接字ID是否被认为是一种好习惯吗?
I'm realizing a simple chat application with Node.js and socket.io and wonder if sharing the socket IDs of all the clients throughout Objects is considered a good practice?
为了解释,我每个用户的代表如下:
To explain, each of my users are represented so :
{
nick : 'John Doe',
dateJoined : Date.now(),
rank : 0,
id : socket.id
}
我所有客户的列表存储在服务器上 const usersList = [{...},{...},...]
A list of all my clients is stored on the server const usersList = [ {...}, {...}, ... ]
我所有的客户都需要查看谁已连接,因此该 usersList 应该是共享给所有客户端。
All of my clients needs to see who's connected, so this usersList should be shared to all clients.
如果客户端断开连接,则应通知所有人该#ID断开连接:
And if a client disconnect, all should be notified that this #ID disconnected :
socket.on('userDisconnect', function(id) {
clientSideList = clientSideList.filter( user => user.id !== id );
}
所以我的问题是:安全专家如果每个客户端都知道其他客户端的套接字ID,该怎么办?他们会做出令人讨厌的事情,例如窃取数据或冒充其他用户吗?
So my question is : is that a security problem if every client knows the socket ID of the others? Could they make something nasty like stealing data or impersonating other users?
感谢您的帮助
推荐答案
共享一个或多个套接字的socket.id值没有固有的内置安全风险。 socket.io本身不包含任何客户端可用于使用 socket.id 进行任何操作的API。因此,开箱即用,如果客户知道,没有客户可以使用 socket.id 做任何事情。
There is no inherent, built-in security risk in sharing the socket.id value of one or more sockets. socket.io itself does not contain any APIs that a client could use to use that socket.id to do anything. So, out of the box, no client could do anything with a socket.id if they knew it.
现在,如果您开始支持接受 socket.id 值作为参数的socket.io消息,则传递socket.id值确实允许某些任意客户端使用那些 socket.id 值。是否导致问题完全取决于您自己的设计以及服务器接受的消息。假设您支持一条消息,告诉服务器仅通过向该用户传递该用户的socket.id将其从系统中删除。然后,如果您开始传递 socket.id 值,那么任何人都可以使用自己的服务器消息从系统中删除该用户。
Now, if you start supporting socket.io messages that accept socket.id values as arguments, then passing around socket.id values does allow some arbitrary client to use those socket.id values in your messages. Whether or not that causes a problem depends entirely upon your own design and what messages your server accepts. Suppose you support a message that tells the server to remove a user from your system by just passing it the socket.id of that user. Then, if you start passing around socket.id values, then that allows anyone to use your own server message to remove that user from your system.
因此, socket.id 值没有内置风险。如果您自己的服务器支持给定socket.id值的操作可能会造成破坏,则可能会有风险。因此,这完全取决于您设计服务器的方式以及当有人知道 socket.id 时是否防止恶意操作。
So, there's no built-in risk with socket.id values. There could be risk if your own server supports operations that can do damage when given a socket.id value. So, that's totally up to how you've designed your server and whether you've protected against malicious operations when someone knows a socket.id.
您可以将socket.id视为socket.io服务器上的临时用户名。在大多数系统中,仅知道某些用户的用户名本身不会引起安全问题。仅当您公开操作后,未经授权的客户端才可以使用特定的用户名定向您遇到问题。与 socket.id 相同。就像一个临时用户名。
You can think of a socket.id like a temporary username on the socket.io server. In most systems, knowing only the username of some user does not, by itself, cause a security problem. It's only if you expose operations that an unauthorized client can then direct at a specific username that you get a problem. Same for socket.id. It's just like a temporary username.
这篇关于Socket.io-是“套接字ID”吗?被认为是敏感信息?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
