Using Socket.IO, clients are notified when other clients perform certain activities, through a JavaScript call to the Socket.IO server.
That message is broadcast to all clients, and client-side logic decides who sees the notification. (Another option for this is to maintain a collection of related clients on the server, and only send() to those clients - better?)
How would the system be built in order to prevent someone from hijacking the code and sending repeated notifications to the server? (Some kind of tokenized send?) Simply using the session ID would not be sufficient, as someone could legitimately log in, then use that session to try to bring the system down.
Rather than using JavaScript for this (avoiding the client-side hijacking possibility), another approach may be to use SignalR to send out the notifications from a code-behind scenario. Still researching this one, but some discussion/suggestions are welcome.
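One way the server side can address both concerns raised above (deciding recipients on the server instead of broadcasting to everyone, and throttling a legitimately logged-in account that floods), as an added example that is not part of the original post. Socket.IO is not imported; the room membership, event vocabulary and in-memory delivery sink are constructed stand-ins for `io.to(room).emit()`, and `userId` is assumed to come from the server-side session rather than the client payload.

```javascript
// Added example: server-side rate limiting and recipient selection for
// Socket.IO-style activity notifications. Socket.IO itself is not required;
// delivery is recorded in an in-memory sink standing in for io.to(room).emit().

class TokenBucket {
  constructor(capacity, refillPerSec) {
    Object.assign(this, { capacity, refillPerSec, tokens: capacity, lastMs: 0 });
  }
  // Consume one token if available; nowMs is injected so the logic is deterministic.
  take(nowMs) {
    const elapsedSec = Math.max(0, nowMs - this.lastMs) / 1000;
    this.tokens = Math.min(this.capacity, this.tokens + elapsedSec * this.refillPerSec);
    this.lastMs = nowMs;
    if (this.tokens < 1) return false;
    this.tokens -= 1;
    return true;
  }
}

const ALLOWED_EVENTS = new Set(["posted", "joined", "left"]); // constructed vocabulary

class NotificationHub {
  constructor({ capacity = 5, refillPerSec = 1 } = {}) {
    this.limits = { capacity, refillPerSec };
    this.rooms = new Map();    // room -> Set of socket ids (membership lives on the server)
    this.buckets = new Map();  // userId -> TokenBucket (keyed by account, not by socket)
    this.delivered = [];       // constructed sink standing in for io.to(room).emit()
  }
  join(socketId, room) {
    if (!this.rooms.has(room)) this.rooms.set(room, new Set());
    this.rooms.get(room).add(socketId);
  }
  // userId must be taken from the authenticated server-side session, never from the payload.
  handleActivity({ socketId, userId, room, type }, nowMs) {
    if (!ALLOWED_EVENTS.has(type)) return { ok: false, reason: "unknown_event" };
    const members = this.rooms.get(room);
    if (!members || !members.has(socketId)) return { ok: false, reason: "not_in_room" };
    let bucket = this.buckets.get(userId);
    if (!bucket) {
      bucket = new TokenBucket(this.limits.capacity, this.limits.refillPerSec);
      this.buckets.set(userId, bucket);
    }
    if (!bucket.take(nowMs)) return { ok: false, reason: "rate_limited" };
    // Server decides who is notified: everyone else in the room, never the whole site.
    const recipients = [...members].filter((id) => id !== socketId);
    this.delivered.push({ room, type, from: userId, recipients });
    return { ok: true, recipients };
  }
}
```

Because the bucket is keyed by the authenticated account, a replayed emit() and a valid session used for flooding hit the same limit, and rejected events never reach the broadcast path.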