Socket.io ID 和用户信息安全

Question

What I want to do at the moment is when user leaves lobby I want to emit the username who left the lobby and then display that info in lobby chatroom. This is the current emit:

  $("#lobby-leave-btn").on('click', () => {
    socket.emit('lobby-left', {
      username: username
    });
  });

The problem is that everyone can set whatever username they want in console, even if I check in serverside if the username exists in DB they can type existing users username who is not in lobby.

Is there somehow possible way to do this without passing username ? More secure way ? I can get socket.id in serverside but then again I can't get user info by socket id. Any help is appreciated.

Answer 1

If you have usernames, then you should have them stored server-side, which I assume you're doing (either in a database, or just stored in memory on the server when the users connect). In that case, as soon as you know who a user is -- that is, as soon as they either sign in (if you have a sign-in system) or connect to the socket -- you should store the username as a property on the socket itself on the server. Then any socket data that comes in will automatically have the username attached to it, since it's inherently connected to that socket.

The mantra of web security is that you should never trust user-submitted data if you can help it; so you should never let the user identify themselves in an action without some sort of verification. Hence, verify them once on sign-in or connection, then store their identity on the socket, don't let them tell you who they are whenever they want to make a change.