How do I secure Socket.IO?


I've been working with Socket.IO for a few days and it's been both extremely exciting and even more frustrating. The lack of current documentation/tutorials has made learning it very difficult. I finally managed to create a basic chat system, but there is one glaring question. How do I secure it?

What's stopping a malicious user from copying (or editing) my code and connecting to my server? I can grab the username from my PHP script and submit it to Socket.IO so I can recognize them as that user (and the PHP has security of course), but what's stopping someone from just submitting an unregistered username?

How can I make sure that the events submitted are authentic and haven't been tampered with?

My basic chat for references.


var io = require('').listen(8080);
var connectCounter = 0;
io.sockets.on('connection', function (socket) {
 console.log('People online: ', connectCounter);

socket.on('set username', function(username) {
socket.set('username', username, function() {
console.log('Connect', username);

socket.on('emit_msg', function (msg) {
    // Get the variable 'username'

socket.get('username', function (err, username) {
      console.log('Chat message by', username);
      io.sockets.volatile.emit( 'broadcast_msg' , username + ': ' + msg );


socket.on('disconnect', function() { connectCounter--; });


    <?php session_start() ?>
<!DOCTYPE html>
<html lang="en">
    <meta charset="utf-8" />
<input id='message' type='text'>
<div id="content"></div>
<script src="http://localhost:8080/"></script>
<script src=""></script>

  var socket = io.connect('http://localhost:8080');
type: 'GET',
  url: '',
  dataType: 'json',
   success: function(data) {
var username = data.username;
socket.emit('set username', username, function (data){


  socket.on('broadcast_msg', function (data) {
        console.log('Get broadcasted msg:', data);
        var msg = '<li>' + data + '</li>';

$('#message').keydown(function(e) {
if(e.keyCode == 13) {
          var txt = $(this).val();
          socket.emit('emit_msg', txt, function (data){
            console.log('Emit Broadcast msg', data);

It all works dandy, except for having absolutely no security.

2/5/2014 10:37:21 PM

Accepted Answer

If you can install a key-value store like Redis on your node server, you can access it remotely from your php server using a Redis client like Predis. All you have to do is updating the remote session store on node server when a new login/logout happens in your php server.

Check this post for details: Authenticate user for

5/23/2017 12:02:20 PM

The excellent passport framework for express uses secure cookies to validate identity. There is even a module to access it from

Licensed under: CC-BY-SA with attribution
Not affiliated with: Stack Overflow