Question
I'm building a simple chat application with Node.js and socket.io and wonder if sharing the socket IDs of all the clients in objects is considered good practice?
To explain, each of my users is represented like this:
{
nick : 'John Doe',
dateJoined : Date.now(),
rank : 0,
id : socket.id
}
A list of all my clients is stored on the server: const usersList = [ {...}, {...}, ... ]
All of my clients need to see who's connected, so this usersList
should be shared with all clients.
And if a client disconnects, all should be notified that this ID disconnected:
// Client side: drop the user whose socket ID the server reported as disconnected
socket.on('userDisconnect', function(id) {
    clientSideList = clientSideList.filter( user => user.id !== id );
});
So my question is: is it a security problem if every client knows the socket ID of the others? Could they do something nasty like stealing data or impersonating other users?
Thanks for your help
Answer 1:
There is no inherent, built-in security risk in sharing the socket.id value of one or more sockets. socket.io itself does not contain any APIs that a client could use to do anything with that socket.id. So, out of the box, no client could do anything with a socket.id if they knew it.

Now, if you start supporting socket.io messages that accept socket.id values as arguments, then passing around socket.id values does allow some arbitrary client to use those socket.id values in your messages. Whether or not that causes a problem depends entirely upon your own design and what messages your server accepts. Suppose you support a message that tells the server to remove a user from your system by just passing it the socket.id of that user. Then, if you start passing around socket.id values, that allows anyone to use your own server message to remove that user from your system.

So, there's no built-in risk with socket.id values. There could be risk if your own server supports operations that can do damage when given a socket.id value. So, that's totally up to how you've designed your server and whether you've protected against malicious operations when someone knows a socket.id.

You can think of a socket.id like a temporary username on the socket.io server. In most systems, knowing only the username of some user does not, by itself, cause a security problem. It's only if you expose operations that an unauthorized client can then direct at a specific username that you get a problem. Same for socket.id. It's just like a temporary username.
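The "remove a user by socket.id" message the answer uses to illustrate the risk, as an added example that is not code from the original question or answer: one handler that trusts an id supplied by the client beside one that acts on the sender's own server-side socket.id and checks the sender's rank before touching anyone else. socket.io is not required; the handlers are plain functions over the server-side usersList, and a small dispatcher stands in for the socket.on(...) registration so it runs offline. The event name 'removeUser', the payload shape, the sample users and the meaning of rank (higher is more privileged, 1 is a moderator) are assumptions made for this example, not anything the post specifies.

```javascript
'use strict';

// Server-side list with the same user shape as the question (constructed sample data).
function makeUsersList() {
  return [
    { nick: 'John Doe', dateJoined: Date.now(), rank: 0, id: 'sock-A' },
    { nick: 'Jane Roe', dateJoined: Date.now(), rank: 0, id: 'sock-B' },
    { nick: 'Mod',      dateJoined: Date.now(), rank: 1, id: 'sock-M' }, // assumed: rank 1 = moderator
  ];
}

// Vulnerable handler: the server removes whichever id the client names.
// Because usersList (ids included) is broadcast to every client, any client
// can remove any other client just by sending that client's socket.id.
function vulnerableRemoveUser(state, socket, payload) {
  state.usersList = state.usersList.filter((u) => u.id !== payload.id);
  return { ok: true };
}

// Hardened handler: the identity acted upon comes from the server-side socket
// object of the sender (socket.id is assigned by the server and cannot be forged
// by a client), and acting on *another* user's id requires a privilege check
// against the sender's own record. Knowing someone else's socket.id is then useless.
function hardenedRemoveUser(state, socket, payload) {
  const sender = state.usersList.find((u) => u.id === socket.id);
  if (!sender) return { ok: false, reason: 'unknown sender' };

  // Default (no id in the payload): the sender leaves the chat itself.
  const target = payload && payload.id ? payload.id : socket.id;
  if (target !== socket.id && sender.rank < 1) {
    return { ok: false, reason: 'not allowed to remove other users' };
  }
  state.usersList = state.usersList.filter((u) => u.id !== target);
  return { ok: true };
}

// Minimal stand-in for socket.io dispatch: handlers keyed by event name, invoked
// with (state, socket, payload) the way a socket.on(event, fn) callback would be.
// The `socket` passed in mimics the server-side socket object; only `id` is used.
function makeServer(handlers) {
  const state = { usersList: makeUsersList() };
  return {
    state,
    emitFrom(socketId, event, payload) {
      const handler = handlers[event];
      if (!handler) return { ok: false, reason: 'unknown event' };
      return handler(state, { id: socketId }, payload);
    },
    ids() {
      return state.usersList.map((u) => u.id);
    },
  };
}

// Scenario: `fromId` sends 'removeUser' naming `targetId` (a socket.id it learned
// from the broadcast usersList). Returns the handler result and who is left.
function runScenario(handlers, fromId, targetId) {
  const server = makeServer(handlers);
  const payload = targetId === undefined ? undefined : { id: targetId };
  const result = server.emitFrom(fromId, 'removeUser', payload);
  return { result, remaining: server.ids() };
}

// Client A (rank 0) tries to remove client B using B's published id.
const vulnerable = runScenario({ removeUser: vulnerableRemoveUser }, 'sock-A', 'sock-B');
const hardened = runScenario({ removeUser: hardenedRemoveUser }, 'sock-A', 'sock-B');
console.log('vulnerable server, remaining:', vulnerable.remaining); // B is gone
console.log('hardened server, remaining:', hardened.remaining, hardened.result); // B stays, request rejected
```

The difference is where the acted-upon id comes from: in the vulnerable handler it is attacker-controlled input, in the hardened one it is the server's own record of which socket sent the message. That is the design question the answer points at; once the server never lets a client-supplied socket.id select a victim without an authorization check, publishing the ids to every client is harmless.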
Source: https://stackoverflow.com/questions/44568559/socket-io-is-the-socket-id-considered-sensitive-information