I'm developing a web application using socket.io.
I'm currently using the socket id as an identifier which gets broadcast to other clients. Now this raised security concerns as to whether this id could be used to hijack another user's session. Unfortunately it is extremely difficult to find any information on this online.
So - should the socket id be kept secret or can I safely use it as a public identifier?
A client cannot do anything with a socket.id directly. So, allowing the id to be known causes no new vulnerabilities on its own. However, if your server allows things to be performed on a socket if only an ID is known, then you'd have to assess what the risks are for those operations that your server exposes. We can't really comment on those since you haven't shown us any code or design.
For example, if your server supported a message call "buy" and all that was needed was an id for a client to trigger a buy operation, then it could be a problem if you let the id be publicly known. But as long as the only operations that operate on an id that your server makes available to the client are intended for the public to access on any socket (such as sending them a message), then there should not be a problem.
So - should the socket id be kept secret or can I safely use it as a public identifier?
It is perfectly fine as a public identifier and that's one of the things that it is there for. It should be used as an identifier (as in "I want to send a message to Bob so I will tell the server to send a message to his id"), but not as authorization. After all, if you're making it public, then it isn't a secret, so it should not be used by your own server API for authorization.
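To make the identifier-versus-authorization distinction concrete, here is an added example (not code from the question or the answer) of two server-side handlers for a hypothetical "buy" event like the one the answer mentions. It assumes a plain Map standing in for socket.io's registry of connected sockets and a per-socket session attached by the server at connection time; the socket.io wiring itself is shown only as a comment.

```javascript
// Registry of connected sockets keyed by socket.id (stands in for io.sockets.sockets).
// Each entry carries a server-side session that the client cannot write to.
const sockets = new Map(); // socket.id -> { id, session: { userId, balance } }

function connect(id, session) {
  sockets.set(id, { id, session });
  return sockets.get(id);
}

// Anti-pattern: the server acts on whatever socket id the message names.
// Since ids are broadcast to every client, any client can name any other
// client's id here and spend from that client's session.
function buyTrustingSuppliedId(payload) {
  const target = sockets.get(payload.socketId);
  if (!target) return { ok: false, reason: 'unknown socket' };
  if (target.session.balance < payload.price) {
    return { ok: false, reason: 'insufficient funds' };
  }
  target.session.balance -= payload.price;
  return { ok: true, userId: target.session.userId };
}

// Fixed: the actor is the socket the event arrived on. Its session was
// attached by the server at connection time, so a socket id in the payload
// carries no authority and is simply ignored for this operation.
// Wiring (hypothetical): io.on('connection', s => s.on('buy', p => buyAsSender(s, p)));
function buyAsSender(sender, payload) {
  const session = sender.session;
  if (session.balance < payload.price) {
    return { ok: false, reason: 'insufficient funds' };
  }
  session.balance -= payload.price;
  return { ok: true, userId: session.userId };
}

// A public socket id is fine for addressing another client, which is the
// "send a message to his id" use the answer describes.
function sendMessageTo(sender, targetSocketId, text) {
  const target = sockets.get(targetSocketId);
  if (!target) return null;
  return { from: sender.id, to: target.id, text };
}
```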
I guess I should've been a bit more specific. I was wondering whether it would be possible for a malicious user to pair their requests with a foreign socket object (which I use as a session cache) through packet forgery by supplying another socket id. I take from your answer that this is not the case - so thanks a lot!
The socket.id is not used by socket.io in the transport itself. So you can't do anything malicious such as pretending to be someone you aren't just because you know their socket.id. In fact, as best I know, the client does not even know the socket.id - it is used within the server implementation for identification and lookup of a particular client.