
Using Socket.IO, to prevent client-side hijacking when sending JavaScript events - use SignalR?

Using Socket.IO, clients are notified when other clients perform certain activities, through a JavaScript call to the Socket.IO server.

That message is broadcast to all clients, and client-side logic decides who sees the notification. (Another option for this is to maintain a collection of related clients on the server, and only send() to those clients - better?)

How would the system be built in order to prevent someone from hijacking the code and sending repeated notifications to the server? (some kind of tokenized send?) Simply using the session ID would not be sufficient, as someone could legitimately log in, then use that session to try to bring the system down.

Rather than using JavaScript for this (avoiding the client-side hijacking possibility), another approach may be to use SignalR to send out the notifications from a code-behind scenario. Still researching this one, but some discussion/suggestions are welcome.

It is the one and only way to send messages only to those users that are allowed to read the message. If you don't do this, then absolutely nothing can guarantee you that this message won't be read by a hacker.

As for the second question: what you are saying is that you want to protect against a DoS attack? Generally there is no solution for this. One thing you can do is to make the server monitor what a given user emits and disconnect the user if he misbehaves (whatever that means :) ).

And what does client-side hijacking have to do with changing JavaScript to something else? If you send data to the client and then the client sends it back, then using JavaScript or not makes no difference for the hacker.

That's my advice for you.
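The two server-side measures discussed above, keeping the recipient set on the server instead of broadcasting and letting client code filter, and having the server count what each connection emits and drop connections that flood it, as an added example in plain JavaScript. This is not code from the original question or answer. The `socket.id` / `socket.userId` fields, the `emitTo` and `disconnect` callbacks and the sketched socket.io wiring at the end are assumptions so the logic runs without a Socket.IO server.

```javascript
// Added example, not code from the original question or answer. The server decides
// who receives a notification and meters each connection; client input is trusted
// only for what happened, never for who did it or who may see it. `socket.userId`
// is assumed to be the identity the server bound at handshake (e.g. from the
// session cookie); `emitTo`/`disconnect` stand in for socket.io calls.

// Sliding-window counter per connection: at most `limit` events per `windowMs`.
class EmitMonitor {
  constructor({ limit = 20, windowMs = 1000 } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.stamps = new Map(); // socketId -> timestamps of recent events
  }

  // true if the event is within budget, false if the connection exceeded it.
  record(socketId, now = Date.now()) {
    const recent = (this.stamps.get(socketId) || []).filter((t) => now - t < this.windowMs);
    recent.push(now);
    this.stamps.set(socketId, recent);
    return recent.length <= this.limit;
  }

  forget(socketId) {
    this.stamps.delete(socketId);
  }
}

// Server-held membership: which users may hear about activity on a resource.
class Recipients {
  constructor() {
    this.members = new Map(); // resourceId -> Set of userIds
  }
  grant(resourceId, userId) {
    if (!this.members.has(resourceId)) this.members.set(resourceId, new Set());
    this.members.get(resourceId).add(userId);
  }
  revoke(resourceId, userId) {
    const set = this.members.get(resourceId);
    if (set) set.delete(userId);
  }
  isMember(resourceId, userId) {
    const set = this.members.get(resourceId);
    return Boolean(set && set.has(userId));
  }
  // Members to notify about an activity by `actorUserId`, excluding the actor.
  forActivity(resourceId, actorUserId) {
    const set = this.members.get(resourceId) || new Set();
    return [...set].filter((u) => u !== actorUserId).sort();
  }
}

// Builds the server-side handler for a client's "activity" event.
// `now` is injectable so the rate limit can be exercised deterministically.
function makeActivityHandler({ monitor, recipients, emitTo, disconnect }) {
  return function onActivity(socket, msg, now = Date.now()) {
    if (!monitor.record(socket.id, now)) {
      monitor.forget(socket.id);
      disconnect(socket, "too many events");
      return { delivered: 0, dropped: true };
    }
    const m = msg || {};
    const resourceId = String(m.resourceId);
    if (!recipients.isMember(resourceId, socket.userId)) {
      return { delivered: 0, dropped: false }; // not a member: nothing fans out
    }
    const targets = recipients.forActivity(resourceId, socket.userId);
    // The actor is taken from the server-bound identity, not from the message.
    const payload = { resourceId, actor: socket.userId, type: String(m.type) };
    for (const uid of targets) emitTo(uid, payload);
    return { delivered: targets.length, dropped: false };
  };
}

// Constructed demo: alice, bob and carol share "doc-1"; alice's client reports an
// edit while claiming to be bob, then floods past a budget of 3 events per second.
function demo() {
  const sent = [];
  const dropped = [];
  const recipients = new Recipients();
  ["alice", "bob", "carol"].forEach((u) => recipients.grant("doc-1", u));
  const handler = makeActivityHandler({
    monitor: new EmitMonitor({ limit: 3, windowMs: 1000 }),
    recipients,
    emitTo: (uid, payload) => sent.push({ to: uid, payload }),
    disconnect: (socket, reason) => dropped.push({ id: socket.id, reason }),
  });
  const alice = { id: "s-1", userId: "alice" };
  const first = handler(alice, { resourceId: "doc-1", type: "edit", actor: "bob" }, 0);
  let last;
  for (let i = 1; i <= 3; i += 1) last = handler(alice, { resourceId: "doc-1", type: "edit" }, i);
  return { first, last, sent, dropped };
}

// Assumed socket.io wiring (not from the page):
//   io.on("connection", (socket) => {
//     socket.join(`user:${socket.userId}`);
//     socket.on("activity", (msg) => handler(socket, msg));
//   });
// with emitTo = (uid, p) => io.to(`user:${uid}`).emit("activity", p)
// and disconnect = (socket) => socket.disconnect(true).
console.log(JSON.stringify(demo()));
```

The point of the design is that nothing the client sends decides who the actor is or who is notified; a hijacked client can only report an activity type, and if it reports too many, the server cuts the connection rather than fanning the flood out to everyone.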

