SignalR security: how does it work?
I just want to know:
- Where is the "connection current" present in all requests created? By whom? Can I customize it?
- How can I apply the AuthorizeAttribute to the "connect" method only?
See, I want the user to submit credentials first and then receive a token (a custom one would be great) and use that token to communicate.
I am definitely using a simple hub and a persistent connection.
As far as I can tell, the connection token is just an id and username. The ID is randomly generated. In earlier versions of SignalR, you could customize it by implementing the interface IConnectionIdFactory, but that hasn't been possible since 2013.
Now, to answer the question "how is it generated", let's dive into the source of SignalR. I am using ILSpy to search for source code. It is available for free on the Internet. You can see my ILSpy window here.
The interesting code is in Microsoft.AspNet.SignalR.Infrastructure.ConnectionManager:
```csharp
public IPersistentConnectionContext GetConnection(Type type)
{
    if (type == null)
    {
        throw new ArgumentNullException("type");
    }
    string fullName = type.FullName;
    string persistentConnectionName = PrefixHelper.GetPersistentConnectionName(fullName);
    IConnection connectionCore = this.GetConnectionCore(persistentConnectionName);
    return new PersistentConnectionContext(connectionCore, new GroupManager(connectionCore, PrefixHelper.GetPersistentConnectionGroupName(fullName)));
}
```
This leads us to:
```csharp
internal Connection GetConnectionCore(string connectionName)
{
    IList<string> signals = (connectionName == null) ? ListHelper<string>.Empty : new string[]
    {
        connectionName
    };
    string connectionId = Guid.NewGuid().ToString();
    return new Connection(
        this._resolver.Resolve<IMessageBus>(),
        this._resolver.Resolve<IJsonSerializer>(),
        connectionName,
        connectionId,
        signals,
        ListHelper<string>.Empty,
        this._resolver.Resolve<ITraceManager>(),
        this._resolver.Resolve<IAckHandler>(),
        this._resolver.Resolve<IPerformanceCounterManager>(),
        this._resolver.Resolve<IProtectedData>());
}
```
So there you are. The connection id is just a random Guid and the token is the id plus username.
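What putting the username into the token buys, as an added model that is neither SignalR's source nor the answerer's code: a random id bound to the user it was issued to can be refused when it is presented under a different identity. The HMAC key, the `payload.mac` layout and the names `Issue` and `Verify` are assumptions for illustration; SignalR itself resolves an `IProtectedData` (visible in the `Connection` constructor above) to protect its data.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Model only: HMAC-SHA256 stands in for the server's data protection (assumption).
static class ConnectionTokenModel
{
    static readonly byte[] Key = NewKey();
    static byte[] NewKey()
    {
        var k = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(k);
        return k;
    }
    static string Mac(string payload)
    {
        using (var h = new HMACSHA256(Key))
            return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }
    static bool FixedEquals(string a, string b) // comparison without early exit
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    // Token payload = random Guid id + ':' + user name, then integrity-protected.
    public static string Issue(string userName)
    {
        string payload = Guid.NewGuid().ToString() + ":" + userName;
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(payload)) + "." + Mac(payload);
    }
    // Returns the connection id, or null if the token was altered or belongs to another user.
    public static string Verify(string token, string currentUser)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 2) return null;
        string payload;
        try { payload = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0])); }
        catch (FormatException) { return null; }
        if (!FixedEquals(Mac(payload), parts[1])) return null;
        int sep = payload.IndexOf(':'); // a Guid string contains no ':'
        if (sep < 0) return null;
        bool sameUser = string.Equals(payload.Substring(sep + 1), currentUser,
                                      StringComparison.OrdinalIgnoreCase);
        return sameUser ? payload.Substring(0, sep) : null;
    }
}
```

`Verify(Issue("alice"), "alice")` yields the connection id, while the same token checked against any other user name, or a token with altered bytes, yields `null` (`alice` is a constructed sample name).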