如何保护 Socket.IO? [英] How do I secure Socket.IO?

问题描述

我使用 Socket.IO 已经有几天了，它既令人兴奋又令人沮丧.当前文档/教程的缺乏使学习变得非常困难.我终于设法创建了一个基本的聊天系统，但有一个明显的问题.我如何保护它?

I've been working with Socket.IO for a few days and it's been both extremely exciting and even more frustrating. The lack of current documentation/tutorials has made learning it very difficult. I finally managed to create a basic chat system, but there is one glaring question. How do I secure it?

是什么阻止了恶意用户复制(或编辑)我的代码并连接到我的服务器?我可以从我的 PHP 脚本中获取用户名并将其提交给 Socket.IO，这样我就可以将他们识别为该用户(当然 PHP 具有安全性)，但是是什么阻止某人提交未注册的用户名?

What's stopping a malicious user from copying (or editing) my code and connecting to my server? I can grab the username from my PHP script and submit it to Socket.IO so I can recognize them as that user (and the PHP has security of course), but what's stopping someone from just submitting an unregistered username?

我如何确保提交的事件是真实的且未被篡改?

How can I make sure that the events submitted are authentic and haven't been tampered with?

我的基本 socket.io 聊天以供参考.

My basic socket.io chat for references.

服务器:

var io = require('socket.io').listen(8080);
var connectCounter = 0;
io.sockets.on('connection', function (socket) {
connectCounter++;
 console.log('People online: ', connectCounter);

socket.on('set username', function(username) {
socket.set('username', username, function() {
console.log('Connect', username);

    });
});
socket.on('emit_msg', function (msg) {
    // Get the variable 'username'

socket.get('username', function (err, username) {
      console.log('Chat message by', username);
      io.sockets.volatile.emit( 'broadcast_msg' , username + ': ' + msg );
    });

  });

socket.on('disconnect', function() { connectCounter--; });
});

客户:

    <?php session_start() ?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
    <title>untitled</title>
</head>
<body>
<input id='message' type='text'>
<div id="content"></div>
<script src="http://localhost:8080/socket.io/socket.io.js"></script>
<script src="http://code.jquery.com/jquery-latest.js"></script>

<script>
  var socket = io.connect('http://localhost:8080');
$.ajax({
type: 'GET',
  url: 'https://mysite.com/execs/login.php?login_check=true',
  dataType: 'json',
   success: function(data) {
var username = data.username;
socket.emit('set username', username, function (data){
});

}
});

  socket.on('broadcast_msg', function (data) {
        console.log('Get broadcasted msg:', data);
        var msg = '<li>' + data + '</li>';
        $('#content').append(msg);
      });


$('#message').keydown(function(e) {
if(e.keyCode == 13) {
e.stopPropagation();
          var txt = $(this).val();
          $(this).val('');
          socket.emit('emit_msg', txt, function (data){
            console.log('Emit Broadcast msg', data);
          });
}
});
</script>
</body>
</html>

一切都很顺利，除了绝对没有安全性.

It all works dandy, except for having absolutely no security.

推荐答案

如果你可以安装像 Redis 在您的节点服务器上，您可以使用 Redis 客户端(如 Predis.当您的 php 服务器中发生新的登录/注销时，您所要做的就是更新节点服务器上的远程会话存储.

If you can install a key-value store like Redis on your node server, you can access it remotely from your php server using a Redis client like Predis. All you have to do is updating the remote session store on node server when a new login/logout happens in your php server.

查看此帖子了解详细信息:验证 socket.io/nodejs 的用户

Check this post for details: Authenticate user for socket.io/nodejs

这篇关于如何保护 Socket.IO?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！