I'm working on a chat app that's using SignalR. I'm associating each user by their connection ID.
I'm just wondering: if I broadcast all the users' connection IDs so anyone can see them in the code, would someone be able to cause any problems?
Sharing the connection ID is not a security risk as far as I know; sharing the connection token, however, is.
From my own testing with SignalR, it doesn't check the origin of a message but only the connection token, which is an encrypted form of the connection ID plus the username (if I remember correctly) if the session is authenticated (which is also why you need to reconnect after authenticating).
I was successfully able to spoof a SignalR connection from another computer on another IP with version 2.0.2, just by replacing the connection token.
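To make the distinction in the answer concrete on the server side, here is an added example hub (my code, not the poster's or the answerer's) for ASP.NET SignalR 2.1 or later in C#. The hub name `ChatHub`, the `Users` map and the client-side method names (`userJoined`, `userLeft`, `receivePrivate`) are assumptions for illustration. The point it shows: the server takes the caller's identity from the connection it authenticated via the token (`Context.ConnectionId`, `Context.User`), so connection IDs can be broadcast as routing addresses without letting anyone impersonate another user.

```csharp
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.AspNet.SignalR;

// Hypothetical hub for the chat app in the question (added example, not code from the thread).
// Connection IDs may be broadcast freely: the server derives who is speaking from the
// connection token it validated during the handshake (Context.ConnectionId / Context.User),
// never from a connection ID a client places in a message body.
[Authorize]
public class ChatHub : Hub
{
    // Server-side map: connection ID -> authenticated user name. Only the server writes to it,
    // so a client cannot claim a mapping it does not own.
    private static readonly ConcurrentDictionary<string, string> Users =
        new ConcurrentDictionary<string, string>();

    public override Task OnConnected()
    {
        var name = Context.User.Identity.Name;
        Users[Context.ConnectionId] = name;
        // Broadcasting the ID is harmless: it is an address, not a credential.
        Clients.All.userJoined(Context.ConnectionId, name);
        return base.OnConnected();
    }

    public override Task OnDisconnected(bool stopCalled)
    {
        string name;
        if (Users.TryRemove(Context.ConnectionId, out name))
            Clients.All.userLeft(Context.ConnectionId);
        return base.OnDisconnected(stopCalled);
    }

    // Private message: targetConnectionId comes from the client and is used only to route the
    // message. The sender's identity is taken from the server-side context, so a client that has
    // seen someone else's connection ID in the broadcast list still cannot speak as that user.
    public void SendPrivate(string targetConnectionId, string message)
    {
        string targetName;
        if (!Users.TryGetValue(targetConnectionId, out targetName))
            return; // unknown or stale ID: drop it rather than trust it

        string fromName;
        if (!Users.TryGetValue(Context.ConnectionId, out fromName))
            return; // should not happen for an authorized connection; fail closed

        Clients.Client(targetConnectionId).receivePrivate(fromName, Context.ConnectionId, message);
    }
}
```

The only thing the client supplies that matters for identity is its connection token, which the transport sends with every request; that is why the answer treats the token as the secret and the ID as public. On SignalR 2.0.x the disconnect override is `OnDisconnected()` with no parameter; the rest is unchanged.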