在客户端的JavaScript code替代 [英] JavaScript code substitution on client side
问题描述
我现在正在学习一些新技术(如Node.js的,socket.io,Redis的等等),并做一些简单的测试应用程序,看看它如何能工作。
I'm now learning some new technologies (such as node.js, socket.io, redis etc.) and making some simple test applications to see how it can work.
我的问题是关于一个客户端的JavaScript code安全性:例如,我对Node.js的聊天服务器+ EX preSS,当用户连接到该聊天,服务器应该分配他registred用户名(授权通过老校友php + mysql的使用),以他的插座。现在的问题是,用户可以修改自己的客户端脚本,并连接不同用户的姓名聊天吗?
My question is about security on a client-side javascript code: for example, i have a chat-server on node.js+express and when a user connects to this chat, server should assign his registred username (authorisation through oldschool php+mysql is used) to his socket. The question is, can user modify his client-side script and connect to chat under different users' names?
有些code为如下:
(分配的用户名,这是刚开从客户端调用的用户名的服务器端部分)
(server-side part of assigning username, which is just getting the username from client-side call)
// when the client emits 'adduser', this listens and executes
socket.on('adduser', function(username){
// store the username in the socket session for this client
socket.username = username;
// store the room name in the socket session for this client
socket.room = 'General';
// add the client's username to the global list
usernames[username] = username;
// send client to room 1
socket.join('General');
// echo to client they've connected
socket.emit('updatechat', 'SERVER', 'you have connected to General');
// echo to room 1 that a person has connected to their room
socket.broadcast.to('General').emit('updatechat', 'SERVER', username + ' has connected to this room');
socket.emit('updaterooms', rooms, 'General');
});
(用户名发送到服务器的客户端部分,它看起来像'变种的用户名=用户;为特定用户)
(client-side part of sending username to server, it looks like 'var username = "User";' for a particular user)
Yii::$app->view->registerJs('var username = "'.$user->identity->username.'";', yii\web\View::POS_HEAD);
(连接功能)
chat.on('connect', function(){
// call the server-side function 'adduser' and send one parameter (value of prompt)
chat.emit('adduser', username);
});
所以,问题是:用户可以更改(例如,通过镀铬开发工具)他行变种的用户名...'用户名和连接下的不同的名字聊天
SO the question is: can user change (for example, through chrome development tools) his username in line 'var username ...' and connect to chat under the different name?
P.S。这种特定的情况只是一个例子,很明显,改变在聊天昵称并不比简单的玩笑,但类似的情况可以在其它项目中出现...
P.S. this particular situation is just an example, obviously, changed nicknames in chat are not more than a simple joke, but similar situations can appear in other projects...
推荐答案
假设你的变量在封闭保护,它的不平凡键入改变他们用户名='根'在控制台中,用户可以简单地更换整个code。
Supposing your variables are protected in closures and that it's not trivial to change them by typing username='root' in the console, a user could simply replace the whole code.
这是发生客户端一切是完全失控的。
Everything that happens client side is totally out of your control.
好消息是,他们是不涉及重复的身份验证解决方案。假设你已经在你的前preSS应用程序验证用户,你可以得到会话和用户。
The good news is that they are solutions not involving a duplicate authentication. Supposing you already authenticate the user in your express application, you can get the session and the user from that.
看我怎么做,在我的聊天服务器:
See how I do it in my chat server :
var sessionSockets = new SessionSockets(io, sessionStore, cookieParser);
sessionSockets.on('connection', function (err, socket, session) {
function die(err){
console.log('ERR', err);
socket.emit('error', err.toString());
socket.disconnect();
}
if (! (session && session.passport && session.passport.user && session.room)) return die ('invalid session');
var userId = session.passport.user;
if (!userId) return die('no authenticated user in session');
... handling socket for authenticated user
});
基本上,它使用 session.socket.io模块以传播会议由标准HTTP请求(使用护照认证)的socket.io连接。并且不应该由用户提供一切从会话/数据库/服务器采取
Basically, it uses the session.socket.io module to propagate the session from the standard http requests (authenticated using passport) to the socket.io connection. And everything that isn't supposed to be provided by the user is taken from the session/db/server.
这篇关于在客户端的JavaScript code替代的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
