
I want to use Flask-SocketIO. But the problem is that the sessionId (sid) is transmitted in the URL. Which means that anybody sniffing can steal the sessionId. How can Flask send the sessionId back in a POST?

Thanks in advance for any help!

1 Answer


Your production server should use SSL so that nobody can see the contents of the requests and responses that are exchanged.

The session ID in the URL is part of the Socket.IO protocol, not a choice of the Flask-SocketIO package. To be accurate, the server sends the session id in a JSON response, and then the client adds it to the URL in follow-up requests. That's how the protocol works.

Data included in the JSON response can also be picked up by intermediaries if not encrypted; this isn't a problem specific to the URL. The solution is to use encryption.

Miguel Grinberg
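To illustrate the handshake the answer describes, here is an added example that is not part of the original post and not Flask-SocketIO's own code: it parses a constructed Engine.IO "open" packet, builds the follow-up polling URL in which the client places the sid, and checks whether the URL's scheme encrypts that request. The sid value, hostname and packet framing below are constructed assumptions (real framing differs between Engine.IO protocol versions).

```python
import json
from urllib.parse import urlencode, urlsplit

# Constructed sample of the Engine.IO "open" packet a Socket.IO server returns to the
# first polling request: packet type "0" followed by JSON that carries the session id.
# The sid and the surrounding values are made up for this example.
SAMPLE_OPEN_PACKET = (
    '0{"sid":"EXAMPLE_SID_123","upgrades":["websocket"],'
    '"pingInterval":25000,"pingTimeout":20000}'
)


def parse_open_packet(packet: str) -> dict:
    """Return the handshake dict from an Engine.IO open packet (type '0' + JSON body)."""
    if not packet.startswith("0"):
        raise ValueError("not an Engine.IO open packet")
    data = json.loads(packet[1:])
    if "sid" not in data:
        raise ValueError("open packet carries no sid")
    return data


def follow_up_url(base_url: str, sid: str, eio: int = 4) -> str:
    """Build the polling URL a client uses once it holds a sid.

    The sid rides in the query string, which is why it is visible to anyone who can
    read the request line of an unencrypted connection.
    """
    query = urlencode({"EIO": eio, "transport": "polling", "sid": sid})
    return f"{base_url.rstrip('/')}/socket.io/?{query}"


def sid_is_protected(url: str) -> bool:
    """True only when the scheme encrypts the whole request, query string included."""
    return urlsplit(url).scheme in ("https", "wss")


def handshake_then_poll(base_url: str, open_packet: str) -> tuple[str, bool]:
    """Walk the two steps from the answer: read the sid from JSON, then place it in the URL."""
    sid = parse_open_packet(open_packet)["sid"]
    url = follow_up_url(base_url, sid)
    return url, sid_is_protected(url)
```

Run `handshake_then_poll("https://example.test", SAMPLE_OPEN_PACKET)` against a TLS base URL and the second element is `True`; with a plain `http://` base it is `False`, which is the exposure the question worries about.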