socket.io 套接字 ID 应该保密吗? [英] Should the socket.io socket ID be secret?
问题描述
我正在使用 socket.io 开发 Web 应用程序.我目前正在使用套接字 id 作为一个标识符,它被广播到其他客户端.现在这引发了关于此 ID 是否可用于劫持另一个用户会话的安全问题.不幸的是,在网上很难找到任何相关信息.
I'm developing a web application using socket.io. I'm currently using the socket id as an identifier which gets broadcast to other clients. Now this raised security concerns as to whether this id could be used to hijack another users session. Unfortunately it is extremely difficult to find any information on this online.
那么 - 套接字 ID 应该保密还是我可以安全地将其用作公共标识符?
So - should the socket id be kept secret or can I safely use it as a public identifier?
推荐答案
客户端不能直接使用 socket.id 做任何事情.因此,允许已知 id 本身不会导致新的漏洞.但是,如果您的服务器允许在仅知道 ID 的情况下在套接字上执行操作,那么您必须评估您的服务器公开的那些操作的风险.由于您没有向我们展示任何代码或设计,我们无法真正评论这些内容.
A client cannot do anything with a socket.id directly. So, allowing the id to be known causes no new vulnerabilities on its own. However, if your server allows things to be performed on a socket if only an ID is known, then you'd have to assess what the risks are for those operations that your server exposes. We can't really comment on those since you haven't shown us any code or design.
例如,如果您的服务器支持消息调用购买"所需要的只是客户触发购买操作的 id,如果您让 id 公开,则可能会出现问题.但是只要在您的服务器提供给客户端的 id 上操作的唯一操作是供公众在任何套接字上访问(例如向他们发送消息),那么就不会有问题.
For example, if your server supported a message call "buy" and all that was needed was an id for a client to trigger a buy operation, then it could be a problem if you let the id be publicly known. But as long as the only operations that operate on an id that your server makes available to the client are intended for the public to access on any socket (such as send them a message), then there should not be a problem.
那么 - 套接字 ID 应该保密还是我可以安全地将其用作公共标识符?
So - should the socket id be kept secret or can I safely use it as a public identifier?
作为公共标识符完全没问题,这也是它的用途之一.它应该用作标识符(如我想向 Bob 发送消息,所以我会告诉服务器向他的 id 发送消息"),但不能用作授权.毕竟,如果您将其公开,那么它就不是秘密,因此不应由您自己的服务器 API 用于授权.
It is perfectly fine as a public identifier and that's one of the things that it is there for. It should be used as an identifier (as in "I want to send a message to Bob so I will tell the server to send a message to his id"), but not as authorization. After all, if you're making it public, then it isn't a secret so should not be used by your own server API for authorization.
我想我应该更具体一点.我想知道恶意用户是否有可能通过提供另一个套接字 id 通过数据包伪造将他们的请求与外部套接字对象(我用作会话缓存)配对.我从您的回答中得知情况并非如此 - 非常感谢!
I guess I should've been a bit more specific. I was wondering whether it would be possible for a malicious user to pair their requests with a foreign socket object (which I use as a session cache) through packet forgery by supplying another socket id. I take from your answer that this is not the case - so thanks a lot!
socket.io 在传输本身中不使用 socket.id.所以你不能做任何恶意的事情,比如假装你不是一个人,因为你知道他们的socket.id.
The socket.id is not used by socket.io in the transport itself. So you can't do anything malicious such as pretending to be someone you aren't just because you know their socket.id.
这篇关于socket.io 套接字 ID 应该保密吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
