I am designing a website which uses a node server and socket.io as a middle man between the server and client. As far as I am aware, the only way to connect the client socket.io to the server is to write a line of code like the following:
var socket = io.connect("http://SERVER_IP:PORT");
With the obvious substitutions. I may be wrong in thinking this, but having this information on client code for all to see seems like a serious security risk. I was wondering if this actually the case, that there may be serious issues posed by displaying this information; if so, how would I go about not having it displayed on client code, since the client has to have some method of connecting to the server. I've looked into proxy ip's, but saw it only in php and didn't know if socket had another way of dealing with this.
Related
I was wondering to have a realtime system made with express and i came to know about socket.io and websockets. But the way they are used i.e.
const io = socket.io("https://example.com") ;
Is it safe to use. Since the url for socket connection is available at client side any third party service can enjoy and exploit the services by connecting from their service. I don't have much idea about socket.io so correct me if I am wrong.
Kindly don't mark this question as duplicate since I found a similar question but the answer to it was related to game development, here I am specific about updating clients whenever any updates are there on the server side. Clients may be website made with angular or apps made with Android studio.
Any help is highly appreciable.
socket.io is widely used. It is perfectly fine for use in production.
Regarding the authentication part, A websocket connection b/w client and browser is established via http upgrade request(in http/1.1).
If you have an authentication mechanism in place for your application using cookie and session then you should be safe. No one can establish websocket connection directly without first logging in. On top of this you can limit connection per user to ensure that a registered user cant further exploit the connection using the cookie data.
i wrote a simple C++ Server which is waiting for clients.
I want users to be able to connect to this client by opening a webpage without installing anything. So the only thing that comes to my mind is using Javascript. Since the server needs to react in realtime later on ( performance is an issue ) sending data with POST/GET is not wanted.
Is this possible with Node.js or Socket.io ? I am trying to find a good example but i only find node.js servers. And when i open a socket with
var socket = io.connect('localhost:25003');
it is sending weird data.
Does anyone have a simple example with a javascript client that can connect to anything and send raw data?
You cannot do plain TCP from browsers (unless you're writing a browser addon/extension or using something like a Java applet or a Flash bridge possibly). Socket.IO always uses HTTP. However those HTTP connections can then be upgraded to WebSockets or other protocols, depending on what the browser and/or Internet connection supports.
The "weird data" you're seeing is probably an HTTP message.
I basically want to know if its possible to use Socket.io using the server-side only with no client side? BUT I want to know if my server-side can instead connect with a different site that I cannot use Socket.io to connect to.
Use PhantomJS to load the third-party site and then inject your own javascript into the page to catch events and send those events back to your own server.
socket.io is a two-way connection. Client <--> Server. You must have a socket.io endpoint at both ends to even establish a connection in the first place. And, then once you establish the connection, you must have agreed upon messages that can be exchanged between the two ends for it to do anything useful.
It is not useful to have a server-side socket.io that doesn't actually connect to anything and nothing connects to it. It wouldn't be doing anything, just sitting there waiting for someone to connect to it.
It is possible to have two cooperating servers connect to one another with socket.io (one server just acts like a client in that case by initiating the connection to the other server). But, again both endpoints must participate in the connection for the connection to even be established and certainly for it to do anything useful.
If you just want to download the contents of a site for scraping purposes, then you would not use socket.io for that. You would just use the nodejs http module (or any of several other modules built on top of it). Your server would essentially pretend to be a browser. It would request a web page from any random web server using HTTP (not socket.io). That web server would return the web page via the normal HTTP request. Your receiving server can then do whatever it wants with that web page (scrape it, whatever).
I'm wondering how I could secure my socket.io connection to the server from th following.
Security Issues:
What would stop malicious users from connecting to the socket server via client side code?
Example:
OUTSIDE DOMAIN REQUEST var socket = io.connect('http://Mydomain', {port: 4000});
Users can seemingly create thousands of concurrent connections just by opening a different browser window.
How can I prevent these issues?
You should be able to check serverside that the HTTP referrer is correct. Check the socket.io spec for info on both http referring as well as handshaking.
https://github.com/socketio/socket.io-protocol
Also 0.8 has referrer verification. Havent used it before, but this may be a place to start looking:
https://github.com/LearnBoost/socket.io/pull/481
Well, if your (real) clients are coming from a well know location, you'd probably want to to block everyone else at the firewall level. Assuming your service is available to everyone, you can probably look into client-server handshake mechanism.
I am trying to create a web based PHP application which can allow chat to my Gmail friends. Something like meebo.com. I downloaded XMPPHP, and executed on localhost, and it is working fine, but when I uploaded everything to Yahoo Small business web hosting, it is throwing connection timeout error.
Do anyone else faced such problem. I heard many of them did, but no one have any solution yet.
Any suggestion will be very helpful. I am new to XMPP clients.
Just some ideas...
How are you trying to connect to the XMPP server? With XMPPHP you may use two classes which are
XMPPHP
XMPPHP_BOSH
You might try both, since they work on different ports (XMPPHP for example on 5222 and XMPPHP_BOSH on 80). So if this is a port issue, trying XMPPHP_BOSH would be an idea. You will need to find out though if this is supported by the XMPP server you are trying to connect to. And if so, you need to know the url the server exposes the BOSH service on.
Anyways, I would recommend to check out what kind of 'restrictions' there are in Yahoo Small business web hosting and on the side of the XMPP server.
If you intend to check XMPPHP_BOSH out, consider this issue to make it work: Issue 47: Http-bind error. All in all XMPPHP seems very buggy and incomplete...