Passing connection token is secure or hacky from signalr js client side to hub function

问题

i read this article http://www.asp.net/signalr/overview/security/introduction-to-security#connectiontoken

JS Client

$.connection.hub.qs = { "token" : tokenValue };
$.connection.hub.start().done(function() { /* ... */ });

.NET Client

var connection = new HubConnection("http://foo/",
                                   new Dictionary<string, string>
                                   {
                                       { "token", tokenValue }
                                   });

Inside a Hub you can access the community name through the Context:

Context.QueryString["token"]

---

Setting Headers on the .NET Client

var connection = new HubConnection("http://foo/");
connection.Headers.Add("token", tokenValue);

i notice that we can pass some token value from client side to hub function as query string.....if i pass the anything as query string is not safe. so tell me best way to pass token value in secured way from client to hub function as a result no one can hack/change or reuse that token value.

one guy said SignalR uses encryption and a digital signature to protect the connection token.. so please tell me is it true that signalr first encrypt token value and then pass from client side to hub?

suggest me how one can pass token value to hub in secure way. thanks

回答1:

You can use headers in the javascript client like this for example:

$.signalR.ajaxDefaults.headers = { Authorization: "Bearer " + yourToken };

Now not hacky and is a global setting you can do once at startup or successful auth response! Enjoy!

Now only if I can find a way to override this on a per-request basis so I can get a user emulation sandbox working for my users in administrative roles...

回答2:

When the client initiates a connection the server creates and encrypts a connection token and sends it to the client. From this point on the client has to send the connection token each time it sends a request to the server. The server verifies the connection token when it receives a request. If you are asking how to prevent from using the same token by multiple clients then I think you need to look at authentication.

来源：https://stackoverflow.com/questions/27980455/passing-connection-token-is-secure-or-hacky-from-signalr-js-client-side-to-hub-f