Any risk returning other users' Connection Id to the client?

In a SignalR Hub class you are able to call Context.ConnectionId for a user. I am looking to store these in a Dictionary<string, string> in order to connect users together. Are there any risks or security vulnerabilities in returning other users' client IDs to a user's client?

Answers


Yes, we do this in some of our samples but it's bad. If you leak the connection id then people can send/receive your messages on your connection. Create another id that is unique and store a mapping between your id and connection id internally so you can map them back.

It's basically the same idea as the forms auth ticket. Sure it's encrypted but if someone gets ahold of it they can impersonate you regardless.

See a sample of this logic in MessengR. https://github.com/davidfowl/MessengR/blob/master/MessengR/Hubs/Chat.cs#L67
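
The mapping described in the answer above, as an added example that is not part of the original answer and is not taken from MessengR. It assumes ASP.NET SignalR 2.1 or later; the hub name `ChatHub`, the hub method `Send`, and the client callbacks `setPublicId` and `receive` are hypothetical.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.AspNet.SignalR;

// Hypothetical hub: clients only ever see a generated public id,
// never another user's Context.ConnectionId.
public class ChatHub : Hub
{
    // publicId -> connectionId. This map never leaves the server.
    private static readonly ConcurrentDictionary<string, string> ByPublicId =
        new ConcurrentDictionary<string, string>();

    // connectionId -> publicId, used to identify the sender and to clean up.
    private static readonly ConcurrentDictionary<string, string> ByConnection =
        new ConcurrentDictionary<string, string>();

    public override Task OnConnected()
    {
        // Unique id with no relationship to the connection id.
        string publicId = Guid.NewGuid().ToString("N");
        ByPublicId[publicId] = Context.ConnectionId;
        ByConnection[Context.ConnectionId] = publicId;
        Clients.Caller.setPublicId(publicId); // hypothetical client callback
        return base.OnConnected();
    }

    public override Task OnDisconnected(bool stopCalled)
    {
        string publicId;
        if (ByConnection.TryRemove(Context.ConnectionId, out publicId))
        {
            string ignored;
            ByPublicId.TryRemove(publicId, out ignored);
        }
        return base.OnDisconnected(stopCalled);
    }

    // Clients address each other by public id; the server maps it back.
    public void Send(string toPublicId, string message)
    {
        string targetConnection, fromPublicId;
        if (!ByPublicId.TryGetValue(toPublicId, out targetConnection) ||
            !ByConnection.TryGetValue(Context.ConnectionId, out fromPublicId))
        {
            return; // unknown recipient, or sender was never registered
        }
        Clients.Client(targetConnection).receive(fromPublicId, message);
    }
}
```

The sender is identified from `Context.ConnectionId` on the server rather than from a client-supplied value, so a client cannot claim another user's public id when sending.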

