7

I read this article: http://www.asp.net/signalr/overview/security/introduction-to-security#connectiontoken

JS Client

```js
$.connection.hub.qs = { "token" : tokenValue };
$.connection.hub.start().done(function() { /* ... */ });
```

.NET Client

```csharp
var connection = new HubConnection("http://foo/",
                                   new Dictionary<string, string>
                                   {
                                       { "token", tokenValue }
                                   });
```

Inside a Hub you can access the community name through the Context:

```csharp
Context.QueryString["token"]
```

Setting Headers on the .NET Client

```csharp
var connection = new HubConnection("http://foo/");
connection.Headers.Add("token", tokenValue);
```

I noticed that we can pass a token value from the client side to a hub function as a query string. If I pass anything as a query string, it is not safe. So tell me the best way to pass a token value securely from the client to a hub function, so that no one can hack/change or reuse that token value.

One guy said SignalR uses encryption and a digital signature to protect the connection token. So please tell me, is it true that SignalR first encrypts the token value and then passes it from the client side to the hub?

Please suggest how one can pass a token value to the hub in a secure way. Thanks.

Mou
  • I do have exactly the same issue. Have you found a solution? – Catalin Feb 24 '15 at 15:50
  • Sorry, I still have no workaround other than passing my token value tightly encrypted. – Mou Feb 25 '15 at 11:11
  • I found a solution! [look here](https://github.com/SignalR/SignalR/issues/3415) – Catalin Feb 25 '15 at 11:25
  • Thanks for your help. I went to that link but do not understand what they are trying to show to make the token secure. If you understand, then please explain it briefly. Thanks. – Mou Feb 25 '15 at 15:14

2 Answers

11

You can use headers in the javascript client like this for example:

```js
$.signalR.ajaxDefaults.headers = { Authorization: "Bearer " + yourToken };
```

Now it's not hacky, and it is a global setting you can do once at startup or on a successful auth response! Enjoy!

Now only if I can find a way to override this on a per-request basis so I can get a user emulation sandbox working for my users in administrative roles...

Bon
  • Somehow this header doesn't come to the hub method and I can't get it from this.Context.Request.Headers... inside MyHubMethod() – Artem A Nov 02 '15 at 14:02
  • 1
    If you're connecting over websockets then that would be why. Websockets can't handle custom HTTP headers. http://stackoverflow.com/questions/4361173/http-headers-in-websockets-client-api – Bon Nov 02 '15 at 17:03
0

When the client initiates a connection, the server creates and encrypts a connection token and sends it to the client. From this point on, the client has to send the connection token each time it sends a request to the server. The server verifies the connection token when it receives a request. If you are asking how to prevent the same token from being used by multiple clients, then I think you need to look at authentication.

Pawel
  • I have seen that people pass the token from the client side to the hub this way: `$.connection.hub.qs = { "token" : tokenValue };`. How will the connection token be automatically encrypted? Will you explain? You explained very briefly and it is not very clear to me. – Mou Jan 30 '15 at 07:28
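
The idea in the answer above (the server issues a protected token, checks it on every request, and relies on authentication to stop reuse by another client), as an added Node.js example that is not part of the original thread and is not SignalR's own code. The token layout, the function names `issueToken`/`verifyToken` and the demo key are assumptions; the token here is signed with an HMAC rather than encrypted.

```javascript
const nodeCrypto = require("crypto");

// Constructed demo key; a real server loads its key from protected configuration.
const SERVER_KEY = nodeCrypto.randomBytes(32);

function sign(payload) {
  return nodeCrypto.createHmac("sha256", SERVER_KEY).update(payload).digest();
}

// Issue a token bound to one connection id and one user, valid for ttlSeconds.
function issueToken(connectionId, user, ttlSeconds, now = Date.now()) {
  const claims = { cid: connectionId, sub: user, exp: now + ttlSeconds * 1000 };
  const payload = Buffer.from(JSON.stringify(claims)).toString("base64url");
  return payload + "." + sign(payload).toString("base64url");
}

// authenticatedUser must come from the server's own authentication of the request,
// never from a value the client supplies alongside the token.
function verifyToken(token, authenticatedUser, now = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 2) return { ok: false, reason: "malformed" };
  const [payload, mac] = parts;
  const expected = sign(payload);
  const given = Buffer.from(mac, "base64url");
  // Constant-time compare; any change to the payload invalidates the MAC.
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  if (now >= claims.exp) return { ok: false, reason: "expired" };
  // A copied token presented by a different authenticated user is rejected.
  if (claims.sub !== authenticatedUser) return { ok: false, reason: "wrong-user" };
  return { ok: true, claims };
}

// Constructed sample run.
const token = issueToken("conn-1", "alice", 60);
console.log(verifyToken(token, "alice").ok, verifyToken(token, "bob").reason);
```

Because the payload is only signed, it is readable by anyone who sees it, so it still has to travel over HTTPS whether it is sent in the query string or in a header.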