Socket.io - Implementing a user-socket association map for private messaging

既然无缘 2021-02-09 23:23

I'm trying to create a private messaging system using socket.io.

In order to associate the users with their sockets, most sites are suggesting something like this:

4 answers
  •  栀梦 (original poster)
    2021-02-09 23:57

    You're missing the most important part... Your code has to verify the user is who he says he is. Plain and simple. I've done this multiple ways:

    If users are logging in via PHP code, I move the session data to a mysql database. I then use a string on the PHP side to generate a response for a challenge to the client, who sends it to my web socket server. The WS server will challenge the client and look up the session information in the mysqldb. Done.

    In my more recent developments, the actual login process is done via the web socket server. I verify the user credentials via whatever DB (in my instance, MySQL) and tie the username to the socket. Finished...

    Do not purely rely on the javascript-based site to say "My name is." Otherwise, as you said, user impersonation becomes a walk in the park. You MUST validate that the user is who he says he is IF you're implementing a system where that matters. "Web sockets" themselves are not magical components that do this for you.
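
One way to implement the challenge and session lookup described in the answer above, as an added example that is not code from the answer. The HMAC response scheme, the `sessions` map standing in for the MySQL session table, and the plain socket objects (an `id` plus an `inbox` array in place of Socket.IO's `emit`) are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for the session table (the answer keeps it in MySQL):
// session id -> { user, secret }, written by the login code, never by the client.
const sessions = new Map([
  ['s1', { user: 'alice', secret: 'constructed-secret-a' }],
  ['s2', { user: 'bob', secret: 'constructed-secret-b' }],
]);
const pending = new Map();     // socket.id -> outstanding challenge nonce
const userSockets = new Map(); // user -> socket, filled only by authenticate()

const hmac = (secret, nonce) =>
  crypto.createHmac('sha256', secret).update(nonce).digest();

// Server side: issue a single-use random challenge for this connection.
function challenge(socket) {
  const nonce = crypto.randomBytes(16).toString('hex');
  pending.set(socket.id, nonce);
  return nonce;
}

// Server side: verify the response against the stored session, then bind.
function authenticate(socket, sessionId, responseHex) {
  const nonce = pending.get(socket.id);
  pending.delete(socket.id); // single use, whether or not it verifies
  const session = sessions.get(sessionId);
  if (!nonce || !session || typeof responseHex !== 'string') return false;
  const expected = hmac(session.secret, nonce);
  const got = Buffer.from(responseHex, 'hex');
  if (got.length !== expected.length) return false;
  if (!crypto.timingSafeEqual(got, expected)) return false;
  socket.user = session.user; // identity comes from the server's own lookup
  userSockets.set(session.user, socket);
  return true;
}

// Private message: the sender is socket.user, never a name in the payload.
function privateMessage(socket, payload) {
  if (!socket.user) return false; // unauthenticated sockets cannot send
  const target = userSockets.get(payload?.to);
  if (!target) return false;
  target.inbox.push({ from: socket.user, text: String(payload.text) });
  return true;
}

// Drop the binding on disconnect so a stale socket is never addressed.
function disconnect(socket) {
  if (userSockets.get(socket.user) === socket) userSockets.delete(socket.user);
  pending.delete(socket.id);
}
```

In a real Socket.IO server the same checks would run in the connection handler, with `target.emit(...)` replacing the `inbox.push` call.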
