Is socket.uid reliably secure?
-
I am wondering if socket.uid is secure, if I can rely on it to provide absolutely valid information about the current user on the server side. Because if I can't, then there isn't a way of developing plugins while using socket.io to send information from client to server. Otherwise, I'll have to head on back to ajax requests.
-
Secure up to a point, if you're saving stuff I'd make sure your corresponding server side call also checks uid and doesn't believe the uid that is sent from client.
-
How would I do that with just the information from the socket?
-
What data do you need?
-
@psychobunny if I could get the actual uid of the user based on his/her socket id, that would be great.
I just need to know with absolute certainty what the user's uid is.
-
socket.uid is your best bet; it's set when the socket connects based on the user's session id.
NodeBB/src/socket.io/index.js at master · NodeBB/NodeBB (github.com)
-
But @baris, can I rely on it to be secure? And by secure, I mean, it can't be faked or altered by the client in any way after authentication.
-
It is as secure as the express routes; it uses the same session id that express stores in the database. We had no reports of anyone altering socket.uid, it's a server side only value. The data parameter however is sent by the client so you shouldn't trust that. IE:

    someFunction = function (socket, data, callback) {
        console.log(socket.uid); // 0 if not logged in, or the uid of the user who made the emit
        console.log(data);       // can be anything
    };
-
That clears things up. Yeah! I won't have to modify all of my code!
-
@baris said:
We had no reports of anyone altering socket.uid, it's a server side only value.

A while back there was a certain vulnerability (not NodeBB specific), I don't exactly remember what it was, but it allowed a user to mimic another user, even an admin, and do pretty much everything as that user.
Now you have one report
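As an added example that is not from the thread or from NodeBB's own code, the pattern baris describes above: socket.uid is assigned on the server from the session when the socket connects, the `data` argument of an emit is untrusted client input, and the handler never takes an identity from `data`. The session store, notes store, handshake field and error messages are constructed stand-ins.

```javascript
// Constructed session store: session id -> session record (stand-in for the DB
// that express stores sessions in). 'sess-nobody' is a session with no login.
const sessions = new Map([
  ['sess-alice', { uid: 42 }],
  ['sess-bob', { uid: 7 }],
  ['sess-nobody', {}],
]);

// Constructed plugin data: uid -> list of saved notes.
const notes = new Map();

// Runs at connect time. socket.uid is derived from the server-side session only;
// unknown or logged-out sessions get uid 0, matching the thread's convention.
function onConnect(socket) {
  const session = sessions.get(socket.handshake.sessionId);
  socket.uid = (session && session.uid) || 0;
  return socket.uid;
}

// Handler in the NodeBB style: function (socket, data, callback).
// The owner of the note is always socket.uid; a uid inside `data` is ignored.
function saveNote(socket, data, callback) {
  if (!socket.uid) {
    return callback(new Error('not logged in'));
  }
  // Validate the client-supplied payload: shape, type and size.
  if (!data || typeof data.text !== 'string' || !data.text.trim() || data.text.length > 500) {
    return callback(new Error('invalid data'));
  }
  const list = notes.get(socket.uid) || [];
  list.push(data.text.trim());
  notes.set(socket.uid, list);
  return callback(null, { uid: socket.uid, count: list.length });
}

// Helper: simulate a connection followed by one emit, returning the outcome.
function run(sessionId, data) {
  const socket = { handshake: { sessionId } };
  onConnect(socket);
  let outcome;
  saveNote(socket, data, (err, result) => { outcome = { err, result }; });
  return outcome;
}

// A client claiming uid 1 in the payload still has the note stored under its
// real session uid (42); a session without a login is rejected.
console.log(run('sess-alice', { uid: 1, text: 'hello' }));      // { err: null, result: { uid: 42, count: 1 } }
console.log(run('sess-nobody', { text: 'hello' }).err.message); // not logged in
```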