I've been working with Socket.IO for a few days and it's been both extremely exciting and even more frustrating. The lack of current documentation/tutorials has made learning it very difficult. I finally managed to create a basic chat system, but there is one glaring question. How do I secure it?

我已经使用 Socket.IO 工作了几天，它既令人兴奋又令人沮丧。当前文档/教程的缺乏使学习变得非常困难。我终于设法创建了一个基本的聊天系统，但有一个明显的问题。我如何保护它？

What's stopping a malicious user from copying (or editing) my code and connecting to my server? I can grab the username from my PHP script and submit it to Socket.IO so I can recognize them as that user (and the PHP has security of course), but what's stopping someone from just submitting an unregistered username?

什么阻止恶意用户复制（或编辑）我的代码并连接到我的服务器？我可以从我的 PHP 脚本中获取用户名并将其提交给 Socket.IO，这样我就可以将他们识别为该用户（当然 PHP 具有安全性），但是什么阻止某人提交未注册的用户名？

How can I make sure that the events submitted are authentic and haven't been tampered with?

如何确保提交的事件是真实的且未被篡改？

My basic socket.io chat for references.

我的基本 socket.io 聊天以供参考。

Server:

服务器：

var io = require('socket.io').listen(8080);
var connectCounter = 0;
io.sockets.on('connection', function (socket) {
connectCounter++;
 console.log('People online: ', connectCounter);

socket.on('set username', function(username) {
socket.set('username', username, function() {
console.log('Connect', username);

    });
});
socket.on('emit_msg', function (msg) {
    // Get the variable 'username'

socket.get('username', function (err, username) {
      console.log('Chat message by', username);
      io.sockets.volatile.emit( 'broadcast_msg' , username + ': ' + msg );
    });

  });

socket.on('disconnect', function() { connectCounter--; });
});

Client:

客户：

    <?php session_start() ?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
    <title>untitled</title>
</head>
<body>
<input id='message' type='text'>
<div id="content"></div>
<script src="http://localhost:8080/socket.io/socket.io.js"></script>
<script src="http://code.jquery.com/jquery-latest.js"></script>

<script>
  var socket = io.connect('http://localhost:8080');
$.ajax({
type: 'GET',
  url: 'https://mysite.com/execs/login.php?login_check=true',
  dataType: 'json',
   success: function(data) {
var username = data.username;
socket.emit('set username', username, function (data){
});

}
});

  socket.on('broadcast_msg', function (data) {
        console.log('Get broadcasted msg:', data);
        var msg = '<li>' + data + '</li>';
        $('#content').append(msg);
      });


$('#message').keydown(function(e) {
if(e.keyCode == 13) {
e.stopPropagation();
          var txt = $(this).val();
          $(this).val('');
          socket.emit('emit_msg', txt, function (data){
            console.log('Emit Broadcast msg', data);
          });
}
});
</script>
</body>
</html>

It all works dandy, except for having absolutely no security.

除了绝对没有安全性之外，这一切都很顺利。