How to securely send a message to a specific user

渐次进展 2021-01-12 16:30

I am using ASP.NET MVC 5 and SignalR. I want to send a message to a specific user. I have followed the method which is explained in this tutorial (also suggested by this ans

3 Answers
  •  伪装坚强ぢ
    2021-01-12 17:07

    You're pretty well on your way to the right solution. The only trick is that your security should be set up such that you can't spoof someone else's UserId.

    For instance, we have exactly the same scenario with SignalR, but we use the UserId claim from a JWT Token to tell who you are. So you would need to know the guy's login credentials if you wanted to receive his messages. You can't just change the UserId in the claims, because then the JWT signature would be invalid and you wouldn't be authenticated or authorized anymore.

    So TL;DR: use JWT authentication or something with a one-way signature that prevents tampering with the UserId.
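
The tamper check this answer relies on, as an added example that is not part of the original answer: a minimal HS256 token is issued for one user, the payload is rewritten to another user's id, and verification fails because the signature no longer matches. The key, the `userId` claim name and the user names are constructed sample values; a real application would use a maintained JWT library rather than this hand-rolled check.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration (not from the answer): why a client cannot swap the UserId claim.
static class JwtTamperDemo
{
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // The only header the server accepts; pinning it rejects tokens that claim another alg.
    static readonly string Header = B64Url(Encoding.UTF8.GetBytes("{\"alg\":\"HS256\",\"typ\":\"JWT\"}"));

    static byte[] Mac(byte[] key, string signingInput)
    {
        using (var h = new HMACSHA256(key))
            return h.ComputeHash(Encoding.ASCII.GetBytes(signingInput));
    }

    static string Issue(byte[] key, string payloadJson)
    {
        string body = B64Url(Encoding.UTF8.GetBytes(payloadJson));
        return Header + "." + body + "." + B64Url(Mac(key, Header + "." + body));
    }

    // Server side: recompute the MAC over header.payload and compare without early exit.
    static bool Verify(byte[] key, string token)
    {
        string[] p = token.Split('.');
        if (p.Length != 3 || p[0] != Header) return false;
        byte[] expected = Encoding.ASCII.GetBytes(B64Url(Mac(key, p[0] + "." + p[1])));
        byte[] given = Encoding.ASCII.GetBytes(p[2]);
        int diff = expected.Length ^ given.Length;
        for (int i = 0; i < expected.Length && i < given.Length; i++)
            diff |= expected[i] ^ given[i];
        return diff == 0;
    }

    static void Main()
    {
        byte[] key = new byte[32];                        // server-only secret (constructed)
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        string token = Issue(key, "{\"userId\":\"alice\"}");
        Console.WriteLine("original valid: " + Verify(key, token));   // True
        // The payload is rewritten to another user's id; the old signature is reused.
        string forgedBody = B64Url(Encoding.UTF8.GetBytes("{\"userId\":\"bob\"}"));
        string forged = Header + "." + forgedBody + "." + token.Split('.')[2];
        Console.WriteLine("forged valid:   " + Verify(key, forged));  // False
    }
}
```

The user id used to address SignalR messages should be read from the claim only after this verification succeeds, never from a value the client supplies separately.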
