Comments on: Quick Tip: Node.js + Socket.io + Authentication
https://mattmueller.me/blog/quick-tip-node-js-socket-io-authentication?utm_source=rss&utm_medium=rss&utm_campaign=quick-tip-node-js-socket-io-authentication
Thu, 25 Aug 2011 07:50:15 +0000

By: Sam Lown
Thu, 04 Aug 2011 09:40:31 +0000
https://mattmueller.me/blog/quick-tip-node-js-socket-io-authentication/comment-page-1#comment-179

This strikes me as a tad insecure from the outset. Unless you're sending a password provided by the client to the socket with the user ID and authorizing again, it would be pretty trivial to set a breakpoint in your browser and put in a different user ID. The socket wouldn't know any better. (I guess this is called socket hijacking?).

Ruby on Rails for example gets around this problem by hashing (SHA512) the session information using a secret key on the server. This way we know that the user id hasn't been tampered with. (Unless your code has been stolen ;-)

Cheers, sam
By: Matt Mueller
Sat, 22 Jan 2011 22:38:19 +0000
https://mattmueller.me/blog/quick-tip-node-js-socket-io-authentication/comment-page-1#comment-152

No, you can authenticate using other architectures, this problem is unique to node.js because of node's asynchronous nature that causes race conditions between the socket.io connection and session authentication.

By: Dan
Thu, 20 Jan 2011 21:16:47 +0000
https://mattmueller.me/blog/quick-tip-node-js-socket-io-authentication/comment-page-1#comment-148

Do you have to do your authenticating via node.js?
