We have been using socket.io as the framework for chat in our application. The implementation was clean and successful. But after a security review of the application, it was reported that keeping the session id in the URL is considered a bad practice.
In socket.io, the session id is the parameter sid, and it appears in the URL by default as shown below.
https://example.com:4000/socket.io/?EIO=3&transport=polling&t=1480422460686-2&sid=H7ZujhfsdTyTGKg2AARq
Are there any methods by which we can remove this from the URL? We have gone through the documentation and a bunch of results from Google. Nothing seems to have a solution for this.
According to the security team, this issue is relevant in light of the recent vulnerability in CloudFlare. Any solutions?
2 Answers
Answer 1
Go to the Store > Configuration > General > Web > Session Validation Settings > Use SID on Storefront and set its value to No
reference How to remove SID
Answer 2
This post suggests that sid MUST be present in the querystring. Some workarounds using proxy / SSL certificates are outlined here. Hope this helps.
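Since the polling transport keeps sid in the query string, the practical mitigation is to make sure that query string never lands in access logs, proxy logs or error reports. The following is an added example, not code from the question author, from the answers above or from the socket.io project: a small Node.js scrubber that finds and redacts the sid parameter in URLs and in raw log lines. The log lines, host names and IPs are constructed for the example; the Engine.IO URL shape matches the one quoted in the question.

```javascript
// Added example (not from the question, the answers, or socket.io itself):
// find and redact the Engine.IO/socket.io `sid` query parameter before a
// URL is written to a log, and detect log lines that already carry one.

// Matches "?sid=<value>" or "&sid=<value>" up to the next separator, whitespace
// or quote, so it works on bare URLs and on quoted request lines in logs.
const SID_IN_QUERY = /([?&]sid=)([^&\s"']+)/g;

// Return every sid value found in a URL or log line (empty array if none).
function findSessionIds(text) {
  const ids = [];
  for (const match of text.matchAll(SID_IN_QUERY)) ids.push(match[2]);
  return ids;
}

// Replace each sid value with a fixed placeholder; other parameters are untouched.
// The placeholder is inserted literally, so keep it free of "$" sequences.
function redactSid(text, placeholder = 'REDACTED') {
  return text.replace(SID_IN_QUERY, `$1${placeholder}`);
}

// Structured variant for absolute URLs: parse, replace, re-serialise, so the
// rest of the query survives normalisation. Returns null for input that is not
// a parseable absolute URL rather than guessing.
function redactSidInUrl(urlString, placeholder = 'REDACTED') {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return null;
  }
  if (url.searchParams.has('sid')) url.searchParams.set('sid', placeholder);
  return url.href;
}

// Constructed sample access-log lines (combined log format, hypothetical IPs).
// Lines 1 and 3 carry a sid; line 2 is the initial handshake, which has none.
const SAMPLE_LOG = [
  '10.0.0.5 - - [29/Nov/2016:12:27:40 +0000] "GET /socket.io/?EIO=3&transport=polling&t=1480422460686-2&sid=H7ZujhfsdTyTGKg2AARq HTTP/1.1" 200 38',
  '10.0.0.7 - - [29/Nov/2016:12:27:41 +0000] "GET /socket.io/?EIO=3&transport=polling&t=1480422461112-0 HTTP/1.1" 200 97',
  '10.0.0.5 - - [29/Nov/2016:12:27:42 +0000] "POST /socket.io/?EIO=3&transport=polling&t=1480422462001-3&sid=H7ZujhfsdTyTGKg2AARq HTTP/1.1" 200 2',
];

// Scan a whole log: count lines that leak a sid and return a scrubbed copy.
// Run this over a log export to confirm the leak, and in the logging path
// (before the line is written) to stop it.
function scrubLog(lines) {
  let leaked = 0;
  const scrubbed = lines.map((line) => {
    if (findSessionIds(line).length > 0) leaked += 1;
    return redactSid(line);
  });
  return { leaked, scrubbed };
}

const report = scrubLog(SAMPLE_LOG);
console.log(`lines leaking a sid: ${report.leaked}`);
console.log(report.scrubbed.join('\n'));
```

The regex form is what you wire into a log formatter or a log-shipping filter, where you only have the request line, not a full URL; the URL form is for places that hold an absolute URL, such as a Referer header or an error-tracker payload. Separately, the Engine.IO websocket transport delivers the sid inside the opening frame rather than in a URL, so a client restricted to transports: ['websocket'] never sends it on a request line; that removes the polling fallback, which is a trade-off to weigh rather than a drop-in fix.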