
SignalR secure message delivery #432

Closed
shkleinik opened this Issue Jun 5, 2012 · 4 comments

2 participants

@shkleinik

So, I have a security-related question.

// Code that was originally sent to client from the server
var hub = $.connection.hubname;        
hub.name = "UserIdFromDataBase";

If some malicious user writes a simple HTML page with the same code, will he receive all messages that are sent to the original user?

(Actually, I want to organize chat between registered users; that is why name/clientid should be provided by the server side.)

Thanks

@davidfowl
SignalR member

Each connection gets a unique connection id that shouldn't be shared with other connections. On a broader note, if you have information that is secret, then don't broadcast it to all connections other than the ones you care about. So in this particular case, if a malicious user knows the user id then you're already screwed if that's supposed to be a secret.

@shkleinik

So, as I understand it, I should have a kind of mapping between the user id in my database and the SignalR client id? And when I have some new info for the user, I should try to find the client id by user id in my mapping and, if successful (the user is connected), send him a notification? Hmm... And how will I know that the user is already offline?

And as I understand it, this line:

hub.name = "SomeName";

...is not mandatory?

@davidfowl
SignalR member

Yes, if you want to message individuals, you'll need to map your concept of a user to SignalR connections. In fact, jabbr (https://jabbr.net) does this today. When a user joins you get their identity by some means (whatever you choose, cookie, etc.) and then you associate those connection ids with that user id. When disconnect fires then you remove the connection from that user. When you want to send data to that user, you then loop over all connections you kept track of and send a message to each one (or use a group if you wish).

Why would that line be mandatory? In your application, are user ids secret? I hope so. A random user shouldn't be able to log in as me and steal my identity. That itself has nothing to do with SignalR, it's general security.
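The user-to-connection mapping described in the reply above, as an added example that is not part of the original thread and is not SignalR or JabbR code. It is a framework-agnostic sketch: `ConnectionRegistry`, its method names, and the `send` callback are hypothetical, and the user id is assumed to come from a server-side authenticated session.

```javascript
// Added example: framework-agnostic sketch; all names here are hypothetical.
class ConnectionRegistry {
  constructor() {
    this.byUser = new Map();       // userId -> Set<connectionId>
    this.byConnection = new Map(); // connectionId -> userId
  }

  // userId must come from the server-side session (for example a validated
  // auth cookie), never from a value the client page sets on the hub.
  onConnect(connectionId, userId) {
    if (!userId) return false;                             // anonymous: not tracked
    if (this.byConnection.has(connectionId)) return false; // never rebind an id
    this.byConnection.set(connectionId, userId);
    if (!this.byUser.has(userId)) this.byUser.set(userId, new Set());
    this.byUser.get(userId).add(connectionId);
    return true;
  }

  // Called from the disconnect event; this is how "offline" is detected.
  onDisconnect(connectionId) {
    const userId = this.byConnection.get(connectionId);
    if (userId === undefined) return;
    this.byConnection.delete(connectionId);
    const connections = this.byUser.get(userId);
    connections.delete(connectionId);
    if (connections.size === 0) this.byUser.delete(userId); // last tab closed
  }

  isOnline(userId) { return this.byUser.has(userId); }

  // send(connectionId, message) is the transport callback (assumed).
  sendToUser(userId, message, send) {
    const connections = this.byUser.get(userId) || new Set();
    for (const id of connections) send(id, message);
    return connections.size; // number of connections the message went to
  }
}

// Constructed demo: alice has two tabs; mallory's page may claim any name
// client-side, but the server binds her connection to her own session identity.
function demo() {
  const registry = new ConnectionRegistry();
  const delivered = [];
  registry.onConnect("conn-a1", "alice");
  registry.onConnect("conn-a2", "alice");
  registry.onConnect("conn-m1", "mallory");
  registry.sendToUser("alice", "hi", (id) => delivered.push(id));
  ["conn-a1", "conn-a2"].forEach((id) => registry.onDisconnect(id));
  return { delivered, aliceOnline: registry.isOnline("alice") };
}
```
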

@shkleinik

Thanks a lot for your attention :) I'll take into account your advice.

@shkleinik shkleinik closed this Jun 6, 2012