PHP
Vadim Stepanenko, 2018-02-26 20:47:22

How do you like this implementation of the chat? Is it safe?

Confused:

    var objDiv = document.getElementById("message_box");
    objDiv.scrollTop = objDiv.scrollHeight;
    // prepare json data
    var msg = {
        message: mymessage,
        name: '<?=$loggedIn['personaname']?>',
        color: '<?php echo $colours[$user_colour]; ?>'
    };
    // convert and send data to server
    websocket.send(JSON.stringify(msg));

Can the user somehow change his name? For example, with some console command, send not his login from <?=$loggedIn['personaname']?> but some fake one?


2 answer(s)
My joy, 2018-02-26
@Vadim1899

Yes, you can send. I suggest that you supplement the request to the socket with another key parameter:

    var msg = {
        message: mymessage,
        name: '<?=$loggedIn['personaname']?>',
        key: '<?= $userKey ?>',
        color: '<?php echo $colours[$user_colour]; ?>'
    };

and $userKey itself is the login hash with some salt, for example:
    $salt = 'SDFGH$W#%^UHdfHE$#%';
    $userKey = md5($loggedIn['personaname'] . $salt);

and in the script that listens for new messages, check the authenticity of the sender like this:
    if ($key !== md5($name . $salt)) {
        // handle the forged request
    } else {
        // everything is fine
    }

where $key and $name are the data received from the socket together with the message.
In this case, even if the user changes personaname, he will not change the key, and if he tries, he does not know the value of the salt in any case, so the first condition will fire.
This is the simplest option, purely for clarity.

Alexander Aksentiev, 2018-02-26
@Sanasol

Of course you can send anything.
And even html with scripts can be sent.
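Added example (not from the question or either answer) of how the script that receives a message from the socket can check both points raised above: that the sender key really belongs to the claimed name, and that the message cannot carry HTML into other users' browsers. It swaps the md5($name . $salt) scheme of the first answer for hash_hmac with a server-side secret and a constant-time comparison; CHAT_SECRET, issueUserKey and acceptMessage are names assumed here, and the colour check assumes colours are hex codes.

```php
<?php
// Added example, not the project's code. CHAT_SECRET is a placeholder: in practice load
// a long random value from server-side config; it must never reach the browser.
const CHAT_SECRET = 'placeholder-replace-with-long-random-secret';

// Key rendered into the page for the logged-in user (plays the role of $userKey).
function issueUserKey(string $personaName): string {
    return hash_hmac('sha256', $personaName, CHAT_SECRET);
}

// Returns the message ready to broadcast, or null if it must be rejected.
function acceptMessage(string $rawJson): ?array {
    $msg = json_decode($rawJson, true);
    if (!is_array($msg)) {
        return null;
    }
    foreach (['name', 'key', 'message', 'color'] as $field) {
        if (!isset($msg[$field]) || !is_string($msg[$field])) {
            return null;
        }
    }
    // Recompute the key for the claimed name; hash_equals avoids timing leaks.
    if (!hash_equals(issueUserKey($msg['name']), $msg['key'])) {
        return null; // name/key pair was tampered with on the client
    }
    // The colour is client-supplied too: restrict it to a hex code (assumed format).
    if (!preg_match('/^#[0-9a-fA-F]{6}$/', $msg['color'])) {
        return null;
    }
    // Escape before anything is inserted into message_box on other clients.
    return [
        'name'    => htmlspecialchars($msg['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        'message' => htmlspecialchars($msg['message'], ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        'color'   => $msg['color'],
    ];
}

// Constructed sample input: a genuine message carrying markup, and one with a forged name.
$genuine = json_encode(['name' => 'alice', 'key' => issueUserKey('alice'),
                        'message' => '<b>hi</b>', 'color' => '#ff0000']);
$forged  = json_encode(['name' => 'admin', 'key' => issueUserKey('alice'),
                        'message' => 'hi', 'color' => '#ff0000']);
var_dump(acceptMessage($genuine));
var_dump(acceptMessage($forged));
```

The key only proves the client received that name/key pair from the server; tying the name to the authenticated session on the server side, instead of reading it from the message at all, removes the need to trust the field.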
