Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Session ID in URL Rewrite
See original GitHub issueYou want to:
- report a bug
- request a feature
Current behaviour
socket.io will add ?sid= to the url when trying to connect
Steps to reproduce (if the current behaviour is a bug)
Normal use of socket.io client for javascript
Expected behaviour
Can we move the sid to header ?
Other information (e.g. stacktraces, related issues, suggestions how to fix)
Context: We ran penn test against our socket app using ZAProxy. One of the alert we got is this:
Session ID in URL Rewrite:
URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.
adding sid to url is problematic according to zaproxy.
my url is like this:
http://localhost:3000/socket.io/?channel=widget&EIO=3&transport=websocket&sid=0JfeAmWw8EceWQkTAAAA
can someone explain the security risk if someone can get other people’s sid ? can it be used to listen/publish or get older messages ? can we move the sid to Header ?
thanks
Issue Analytics
- State:
- Created 5 years ago
- Reactions:7
- Comments:7 (2 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
any news?
Closed due to inactivity, please reopen if needed.