How does socket.io prevent session hijacking when polling transport is used?

[kujiraOo]

I implemented the auth middleware according to this example https://socket.io/how-to/use-with-jwt

The main idea behind the middleware is to validate the token only during the handshake request. Once the socket connection is established and SID is assigned, the token is not re-validated and the server trusts the subsequent HTTP requests to the GET and POST /socket.io endpoints.

I tried to duplicate one of the POST requests that is generated by socket.io-client when a message is emitted from the client to the server and to re-send it from insomnia. The request goes through even if all the headers generated by the socket.io-client are removed.

The request looks somehow like this POST http://localhost:3002/socket.io/?EIO=4&transport=polling&t=some-generated-value&sid=some-sid with an arbitrary plain text payload in the body.

• Do i understand correctly that the polling transport relies solely on the SID value for checking the client identity?
• Does SID need to be treated as sensitive information?
• If yes, how secure is SID randomness?

[darrachequesne]

Hi!

Do i understand correctly that the polling transport relies solely on the SID value for checking the client identity?

Yes.

Does SID need to be treated as sensitive information?

Yes.

If yes, how secure is SID randomness?

The SID is generated by the base64id package, which uses crypto.randomBytes under the hood.

See also: #3416 (comment)

[kujiraOo]

Hi! Thanks a lot for answering my questions 🙂