如果 socket.io 连接与 express 有共享会话，是否需要对其进行身份验证? [英] Is there any need to authenticate a socket.io connection if it has a shared session with express?

问题描述

我见过 这个问答，解释了如何与 Socket.IO 1.x 和 Express 4.x 以及 这个博客 建议使用 socketio-验证.

I have seen this question and answer, which explains how to share sessions with Socket.IO 1.x and Express 4.x and this blog which suggests the use of socketio-auth.

如果您已经与 express 共享会话，是否需要同时使用这两种方法进行身份验证.它是否增加了任何安全优势?

Is there a need to use both approaches for authentication if you are already sharing sessions with express. Does it add any security advantage?

推荐答案

如果您已经在 Express 中通过 http 进行了身份验证会话，那么 socket.io 连接实际上只是另一个 http 连接(它实际上以 http 连接开始，并且然后转换为 webSocket 协议(顶部有 socket.io 层).因此，如果您愿意信任来自该客户端的下一个 http 请求的会话，那么信任传入的会话没有什么不同来自同一个客户端的 socket.io 连接.它们是一样的.

If you already have an authenticated session via http in Express, then a socket.io connection is really JUST another http connection (it actually starts with an http connection and is then converted to the webSocket protocol (with a socket.io layer on top). So, if you're willing to trust the session for the next http request from that client, then it is no different to trust the session for an incoming socket.io connection from that same client. They are the same thing.

从头开始验证 socket.io 连接可能有用的地方是当您还没有 socket.io 连接来自的经过身份验证的 http 页面时，或者因为 socket.io 连接是它自己的 API和自己的服务，甚至可能在单独的主机上，因此没有其他"身份验证可依赖.

Where it might be useful to auth a socket.io connection from scratch would be when you don't already have an authenticated http page that the socket.io connection comes from, either because the socket.io connection is its own API and own service, perhaps even on a separate host so there is no "other" auth to rely on.

如果您已经与 express 共享会话，是否需要同时使用这两种方法进行身份验证.

Is there a need to use both approaches for authentication if you are already sharing sessions with express.

没有.您可以只使用您已有的快速会话，以便现在 socket.io 连接来自同一个客户端.

No. You can just use the express session you already have in order to now that the socket.io connection comes from the same client.

它是否增加了任何安全优势?

Does it add any security advantage?

仅当您出于某种原因希望对每个新请求进行身份验证并且根本不依赖会话 cookie 时，即使对于 http 请求也是如此.或者，如果因为 socket.io 连接转到不同的主机而没有会话 cookie.

Only if there's some reason you want to require auth on every new request and not rely on a session cookie at all, even for http requests. Or, if there is no session cookie because the socket.io connection goes to a different host.

这篇关于如果 socket.io 连接与 express 有共享会话，是否需要对其进行身份验证?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！