Just how is the connection ID determined in SignalR? Could a user purposefully use another person's connection ID to pretend to be them?
Obviously there's the difficulty of determining another person's connection ID since there's so many possible IDs. However, my application would make users aware of other user's connection IDs because the application requires peers to interact and I've used the connection ID as a unique user ID.
Can the connection IDs be chosen by users? And can users somehow switch to another, known ID or is there some other protection in place?
I refer to the connection IDs that are obtained server side via Context.ConnectionId.
No. The connection id is assigned by the server. However apart from the connection id the server also sends a connection token which is calculated using a few pieces of information including the connection id. If the server receives a request where connection id and connection token don't match the request will be rejected. If you want to understand how the SignalR protocol works in general read a post I wrote some time ago . If you want more details on connection id and connection token read this.
Related
We have web application designed in VS2008. When adding some new functionality we are trying to use Web API.
In the existing system, each user from a client has access to their database. So, when a user logs in, we pull the connection string and save it in a session. Every insert, Update or select that the user performs, it uses the connection string in the session and when the user logs out, it gets cleared out.
How do I achieve this functionality if I have to use a Web API in this scenario?
Can I pass the connection string to Web API for every request?
The only other way I could think of is after every request to Web API, I have to connect to database and get the connection string based on the UserID that I have. This would add one extra step of connecting to database for every request.
Is there any other way?
Thanks in Advance
I want to create the web application (SPA with angular) with token based authentication.
It is required create the access token with short live-time, perhaps 1 hour expiration.
I want to use the SignalR for real-time communication and I have tried send the access token via query string after starting signalr connection.
If is access token expired I create the http request for refresh it and recieved it to the javascript.
How can I send the new access token if is signalr connection is running?
Is possible change the token or is necessary close the connection and create new again?
It depends on the transport technology that is used. In case of websockets you have to stop the connection, set the query-string and restart the connection. With other technologies you can directly change the query-string. You can check $.connection.hub.transport.name to learn what transport method is being used.
I have seen some sites, where your authentication does note expire after your ip changes. How to create such session, and how safe is it?
So, how does session validate then? by some hardware information?
The fact that you have a session cookie is the validation.
Sessions work by creating a server-side resource with a random id. For example, a random id is created, iuwehrc3948hg3w09x4h, and an entry in a database is saved with it. That random id is sent as a cookie to the browser. The browser returns this cookie with every request, the server looks up the database entry with this id and gets the associated session data.
The "validation" is that the browser possesses a valid session id. The browser can only know this id if it was given to it by the server previously. Because the id is entirely random, it should practically be unguessable by any 3rd party.
Having said this, cookie hijacking is a concern, in which a 3rd party outright steals a valid session cookie (e.g. through a shared network, malware installed on the victim's machine etc.). In this case recording the IP address of the client in the session and validating it as well can help mitigate problems; but as you note, it also means that sessions have an extremely limited life span. The most practical solution to avoid session hijacking is to use HTTPS throughout.
I know this is not a question which has code but I was asked a question about SESSION in an interview. Not session variable. Say I have same site open in 2 different tabs of my browser. In one tab i query for the search results of the hospitals in New York and in the second tab(same website) i query for the restaurants in New York. How I get the different results in 2 different tabs and how they don't get mixed up as the request is going from the same browser. Is there any session object that the browser is maintaining.? I could answer about SESSION variable in asp.net but couldn't answer hoe the above condition works. Please explain me the concept of please provide me links .
A session is a semi-permanent interactive information interchange, also known as a dialogue, a conversation or a meeting, between two or more communicating devices, or between a computer and user. A session is set up or established at a certain point in time, and then torn down at some later point. An established communication session may involve more than one message in each direction. A session is typically, but not always, stateful, meaning that at least one of the communicating parts needs to save information about the session history in order to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses.
session management is the process of keeping track of a user's activity across sessions of interaction with the computer system.
A session token is a unique identifier that is generated and sent from a server to a client to identify the current interaction session. The client usually stores and sends the token as an HTTP cookie and/or sends it as a parameter in GET or POST queries. The reason to use session tokens is that the client only has to handle the identifier—all session data is stored on the server (usually in a database, to which the client does not have direct access) linked to that identifier. Examples of the names that some programming languages use when naming their HTTP cookie include JSESSIONID (JSP), PHPSESSID (PHP), CGISESSID (CGI), and ASPSESSIONID (ASP).
More Information :
http://en.wikipedia.org/wiki/Session_(computer_science)
I've got, probably, a very basic question about sessions.
In the page load function i have the following code:
Session["loggedInUserId"] = userId;
Now the question is:
if this code is on a server and two users connect to this server and log in one after another, would the one that logs in second be logged in already as the first user?
Do i need multithreading?
Asp.net session is per browser session. two browsers in same machine or two users in two separate machines will be referencing different sessions so dont worry.
if your are setting userId variable as static then it will be possibe other wise there will be no problem
Not needed. Please go through ASP.NET Session State (MSDN) post.
According to this
ASP maintains session state by providing the client with a unique key assigned to the user when the session begins. This key is stored in an HTTP cookie that the client sends to the server on each request. The server can then read the key from the cookie and re-inflate the server session state.
Hope this is what you are looking for.
A session is per-browser state management. A unique session ID is stored in a cookie for that browser. Never store sensitive information in a session since the session ID is sent back and forth in plain text and thus could be used by an outside source.
Read more about Sessions here.