Flash Socket Security Tips?


Question


I've been playing around with sockets for the past few days and have some questions about security. I am running Flash websocket on the client side and a PHP socket server on the server.

I have an app where users create private chatrooms. My question is, are there any security issues I should be watching out for? I am doing authentication on the chatroom page to make sure the user has the permissions to be there, etc.

But is there anything I need to do on the websocketserver.php to prevent people from sending messages to a room if they don't have permissions to be there?

Answer

I am doing authentication on the chatroom page

What kind of "authentication"? A one time log in to serve the page? That would be basically zero security.

You have to issue some kind of token and send it at the start of the socket connection, then validate the connection server side (via the token) to make sure that it comes from an authenticated user. Otherwise, it would be quite easy to simply connect to your server and start sending messages.

A basic model could look like this

  1. User logs in to the chat
  2. Validate user data etc.
  3. Issue a token for this user, store this token in the DB and send it to the page
  4. Start your socket connection and send the token
  5. Check the token in the websocket server and get the matching user
  6. Now validate all actions against this user's permissions

As for the lifetime of the token, it should be deleted as soon as the connection terminates.
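The six-step model above, sketched as an added example in PHP (this is not code from the original answer). The token store and the room membership table are hypothetical in-memory arrays standing in for the database; a real websocketserver.php would read and write them through PDO or similar.

```php
<?php
// Step 3: after the login page has validated the user, issue a random token.
// Only a hash of the token is stored server side; the raw token goes to the page.
function issue_token(array &$tokens, int $userId): string {
    $token = bin2hex(random_bytes(32));                 // 256 bits of entropy
    $tokens[hash('sha256', $token)] = ['user' => $userId, 'issued' => time()];
    return $token;
}

// Step 5: the first frame on the socket carries the token; map it to a user.
// Returns the user id, or null when the token is unknown or too old to accept
// for a handshake ($maxAge is a constructed default, tune it to your login flow).
function user_for_token(array $tokens, string $token, int $maxAge = 60): ?int {
    $key = hash('sha256', $token);
    if (!isset($tokens[$key])) {
        return null;                                    // never issued, or already revoked
    }
    if (time() - $tokens[$key]['issued'] > $maxAge) {
        return null;                                    // stale handshake token
    }
    return $tokens[$key]['user'];
}

// Step 6: every message is checked against the sender's room membership as the
// server knows it, never against a room id or user id the client merely claims.
function may_post(array $roomMembers, int $userId, string $roomId): bool {
    return isset($roomMembers[$roomId])
        && in_array($userId, $roomMembers[$roomId], true);
}

// Token lifetime: revoke it as soon as the socket connection terminates.
function revoke_token(array &$tokens, string $token): void {
    unset($tokens[hash('sha256', $token)]);
}

// Constructed walk-through: user 42 is a member of room "abc", user 7 is not.
$tokens = [];
$roomMembers = ['abc' => [42]];

$t   = issue_token($tokens, 42);                        // handed to the chatroom page
$uid = user_for_token($tokens, $t);                     // resolved on socket connect
$allowed = $uid !== null && may_post($roomMembers, $uid, 'abc');   // member: accepted
$denied  = !may_post($roomMembers, 7, 'abc');           // non-member: refused

revoke_token($tokens, $t);                              // connection closed
$gone = user_for_token($tokens, $t) === null;           // token no longer usable
```

The same token must be presented on the socket itself; a cookie or session that only guarded the page load says nothing about who is on the other end of the websocket.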
