Question

In a SignalR Hub class you are able to call Context.ConnectionId for a user. I am looking to store these in a Dictionary<string, string> in order to connect users together. Are there risks or security vulnerabilities in returning other users' client ids to a user's client?


Solution

Yes, we do this in some of our samples but it's bad. If you leak the connection id then people can send/receive your messages on your connection. Create another id that is unique and store a mapping between your id and connection id internally so you can map them back.

It's basically the same idea as the forms auth ticket. Sure it's encrypted but if someone gets ahold of it they can impersonate you regardless.

See a sample of this logic in MessengR. https://github.com/davidfowl/MessengR/blob/master/MessengR/Hubs/Chat.cs#L67
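As an added example, not from the answer or the MessengR project: an ASP.NET SignalR 2 hub (2.1 or later, for the OnDisconnected(bool) override) that issues each connection an opaque public id and resolves peers' public ids to connection ids on the server, so the connection id itself never leaves the server. The client-callback names assignedId and receive are hypothetical.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.AspNet.SignalR;

// Hypothetical hub: the client only ever sees its own public id, never Context.ConnectionId.
public class PairingHub : Hub
{
    // publicId -> connectionId, plus the reverse map so cleanup on disconnect is O(1).
    private static readonly ConcurrentDictionary<string, string> PublicToConnection =
        new ConcurrentDictionary<string, string>();
    private static readonly ConcurrentDictionary<string, string> ConnectionToPublic =
        new ConcurrentDictionary<string, string>();

    public override Task OnConnected()
    {
        // Opaque, unguessable id the client may share with peers.
        string publicId = Guid.NewGuid().ToString("N");
        PublicToConnection[publicId] = Context.ConnectionId;
        ConnectionToPublic[Context.ConnectionId] = publicId;
        // Tell only the caller its own public id (hypothetical client callback).
        Clients.Caller.assignedId(publicId);
        return base.OnConnected();
    }

    public override Task OnDisconnected(bool stopCalled)
    {
        // Remove both directions of the mapping so stale ids cannot be reused.
        string publicId;
        if (ConnectionToPublic.TryRemove(Context.ConnectionId, out publicId))
        {
            string ignored;
            PublicToConnection.TryRemove(publicId, out ignored);
        }
        return base.OnDisconnected(stopCalled);
    }

    // Peers address each other by public id; only the server resolves it to a connection id.
    public void SendTo(string targetPublicId, string message)
    {
        string targetConnectionId;
        if (!PublicToConnection.TryGetValue(targetPublicId, out targetConnectionId))
        {
            return; // unknown or already disconnected target: drop the message
        }
        string senderPublicId = ConnectionToPublic[Context.ConnectionId];
        // The recipient learns the sender's public id, not the sender's connection id.
        Clients.Client(targetConnectionId).receive(senderPublicId, message);
    }
}
```

The public id is only an addressing token; it does not replace authenticating the user (Context.User) for any action that should be restricted.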

Licensed under: CC-BY-SA with attribution