Preventing CSRF for websockets

I'm currently considering CSRF vulnerabilities in websockets.

I've already blocked all cross-domain websocket requests, however there exist scripts (such as this python bad boy) to get around such security measures.

Is it worth including a token in the user's index.html, which must be included in the socket.io.connect() call as a query string? This way on the server we can check that the token is what we expected, and block the connection request otherwise.

Thanks for all the advice!


Why don't you setup an authorization handler for your socket.io connections? You can decline / accept connections in there based on information that has been gathered during the handshake.

See https://github.com/LearnBoost/socket.io/wiki/Authorizing for more detailed information about this.


I use socket.io with django. The way I handle authorization is that I first require users to login using a regular HTTP form that includes CSRF token. Upon successful login, a session cookie is set and the user is redirected to the socket.io app.

In my connection authorization code, I check the cookie and validate that the user is logged in, returning "401 Not Authorized" if the check fails.

It's also possible to set a CSRF cookie and check for that instead if you don't want to require users to login first, or you could pass the CSRF token as a URL parameter during authorization as @3rdEden pointed out.

链接地址: http://www.djcxy.com/p/63318.html

上一篇: 在两个活动的管理员类中使用相同的模型

下一篇: 防止WebSockets的CSRF