Is it OK to pass both token and client_id to the client when Channel API is used?

Submitted by 谁都会走 on 2019-12-24 08:17:42

Question


I need to create an application where the GAE server will always talk to just one client (i.e. a message should always be sent to just one client).

I do the following -

Python:

import uuid

from google.appengine.api import channel
from google.appengine.ext import webapp
from google.appengine.ext.webapp import template


class MainHandler(webapp.RequestHandler):  # handler class assumed; not shown in the original

    def get(self):
        # generate a fresh client_id and channel token when the page is loaded
        client_id = uuid.uuid4().hex
        token = channel.create_channel(client_id)
        template_values = {'token': token,
                           'client_id': client_id
                           }
        self.response.out.write(template.render('page.html', template_values))

    def post(self):
        # reply to the client over its channel
        ...
        # the client_id is read from the POST body sent by the client
        client_id = self.request.get('id')
        channel.send_message(client_id, message)

Javascript:

sendMessage = function(field) {
  $.ajax({
    type: "POST",
    url: "/",
    data: "f=" + field + "&id=" + "{{ client_id }}", // WARNING!
    contentType: "application/x-www-form-urlencoded",
    success: function(data) {
    }
  });          
};

onOpened = function() {
  connected = true;
  sendMessage('opened');
};
onMessage = function(msg) {
  alert(msg.data);
};
onError = function(err) {
  alert(err);
};        
onClose = function() {
  alert("close");
};        
// open new session
channel = new goog.appengine.Channel('{{ token }}'); // WARNING!
socket = channel.open();
socket.onopen = onOpened;
socket.onmessage = onMessage;
socket.onerror = onError;
socket.onclose = onClose;

It works well, but in such a scenario both the token and the client_id are passed to the client. Is it OK?


Answer 1:


There's no technical reason not to do this. If you're worried about security, the token is far more valuable: an attacker who could listen to your traffic could take the token and listen to channel messages in a different context. The client_id wouldn't let them do that.

But I do have a question: why not return the message in the POST response, rather than sending a message over the channel? Or is the sample code just simplified for the example?
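One practical caveat a reviewer would add to the pattern in the question: the POST handler reads `id` straight from the request body, so whoever knows a client_id (a UUID in the page source, a leaked log line, a shoulder-surfed devtools pane) can have the server push messages into that channel. The client_id does not have to be secret if the server never trusts the client to name the target channel. The example below is added here and is not code from the question or the answer; it binds the client_id to an HMAC-signed session cookie set on the GET response and derives the target channel from that cookie on POST. The `create_channel` / `send_message` functions are a constructed in-memory stand-in for `google.appengine.api.channel` (which does not run offline), `SESSION_SECRET` is assumed to come from a secret store in a real deployment, and `post_trusting_form` / `post_bound_to_session` are hypothetical names for the original and hardened POST handlers.

```python
import hashlib
import hmac
import secrets
import uuid

# Assumed: in production load this from a secret store, not a module constant.
SESSION_SECRET = secrets.token_bytes(32)

# Constructed stand-in for google.appengine.api.channel:
# client_id -> {"token": ..., "messages": [...]}
CHANNELS = {}


def create_channel(client_id):
    """Mimics channel.create_channel(): mints an opaque token for client_id."""
    token = secrets.token_urlsafe(32)
    CHANNELS[client_id] = {"token": token, "messages": []}
    return token


def send_message(client_id, message):
    """Mimics channel.send_message(): delivers to whichever channel owns client_id."""
    if client_id not in CHANNELS:
        return False
    CHANNELS[client_id]["messages"].append(message)
    return True


def sign(client_id):
    """HMAC-SHA256 tag over the client_id, keyed with the server secret."""
    return hmac.new(SESSION_SECRET, client_id.encode(), hashlib.sha256).hexdigest()


def issue_session():
    """GET-handler equivalent: returns (session_cookie, channel_token).

    The client_id still goes to the client (inside the cookie), but the
    cookie is signed so the server can later trust it as the channel owner.
    """
    client_id = uuid.uuid4().hex
    token = create_channel(client_id)
    cookie = client_id + "." + sign(client_id)
    return cookie, token


def client_id_from_cookie(cookie):
    """Returns the client_id bound to a valid cookie, or None if absent/tampered."""
    if cookie is None or "." not in cookie:
        return None
    client_id, tag = cookie.rsplit(".", 1)
    # constant-time compare so the tag cannot be guessed byte by byte
    if not hmac.compare_digest(tag, sign(client_id)):
        return None
    return client_id


def post_trusting_form(form):
    """Original pattern: the target channel is whatever 'id' the POST body says."""
    client_id = form.get("id")
    message = "reply to " + form.get("f", "")
    return send_message(client_id, message)


def post_bound_to_session(cookie, form):
    """Hardened pattern: the target channel comes from the signed cookie only.

    Any 'id' field in the POST body is ignored, so a caller can only ever
    trigger pushes into the channel created for its own session.
    """
    client_id = client_id_from_cookie(cookie)
    if client_id is None:
        return False
    message = "reply to " + form.get("f", "")
    return send_message(client_id, message)


def messages_for(client_id):
    """Messages delivered to a channel so far (empty for unknown ids)."""
    return list(CHANNELS.get(client_id, {"messages": []})["messages"])


if __name__ == "__main__":
    victim_cookie, _ = issue_session()
    attacker_cookie, _ = issue_session()
    victim_id = client_id_from_cookie(victim_cookie)
    # Attacker who learned victim_id targets the victim's channel.
    post_trusting_form({"f": "opened", "id": victim_id})
    post_bound_to_session(attacker_cookie, {"f": "opened", "id": victim_id})
    print("victim channel received:", messages_for(victim_id))
```

With the hardened handler the client_id can stay in the page without concern; what remains sensitive is the channel token, so serve the page over HTTPS and never log it. Mark the session cookie `Secure` and `HttpOnly` when you set it on the real response.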



Source: https://stackoverflow.com/questions/9420123/is-it-ok-to-pass-both-token-and-client-id-to-the-client-when-channel-api-is-used
