All geek questions in one place

The transfer of the connection token is protected or hacked from the client side signalr js to the hub function

I am reading this article http://www.asp.net/signalr/overview/security/introduction-to-security#connectiontoken

JS Client

$.connection.hub.qs = { "token" : tokenValue }; $.connection.hub.start().done(function() { /* ... */ });

.NET Client

 var connection = new HubConnection("http://foo/", new Dictionary<string, string> { { "token", tokenValue } });

Inside the hub, you can access the community name through the context:

 Context.QueryString["token"]

Setting Headers in .NET Client

 var connection = new HubConnection("http://foo/"); connection.Headers.Add("token", tokenValue);

I notice that we can pass some value of the token from the client side to the hub function as a query string ..... if I pass anything because the query string is unsafe. so tell me the best way to transfer the value of the token in a protected form from the client to the hub function, as a result, no one can crack / change or reuse the value of the token.

one guy said SignalR uses encryption and a digital signature to protect the connection token. . so please tell me, is it true that signalr first encrypts the value of the token and then goes from the client side to the hub?

offer me how to safely transfer the value of the token to the hub. thanks

+5
source share
2 answers

You can use headers in the javascript client, for example:

 $.signalR.ajaxDefaults.headers = { Authorization: "Bearer " + yourToken };

Now there are no hacks and a global setting that you can do once at startup or a successful authorization response! Enjoy it!

Now, only if I can find a way to override this for each request so that I can create an isolated sandbox for users for my users in administrative roles ...

+11
source

When a client initiates a connection, the server creates and encrypts the connection token and sends it to the client. From this moment, the client should send a connection token each time it sends a request to the server. The server checks the connection token when it receives the request. If you are asking how to prevent multiple clients from using the same token, I think you need to authenticate.

0
source

Source: https://habr.com/ru/post/1211233/

More articles:


All Articles