I have a socket.io signaling server in which I need to allow two connected clients to discover each other and exchange information.
I am thinking about using the socket.id for this, as it is the true unique value for a connection, using some code like this:
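    socket.on('patient ready', appointmentId => {
      // Join the room named after the appointment
      socket.join(appointmentId, err => {
        if (err) return console.log(err)
        // Tell the other members of the room which socket is ready
        socket.to(appointmentId).emit('patient ready', socket.id)
      })
    })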
The official documentation (e.g. https://socket.io/docs/v3/client-api/#socket-id) says the id is the "unique identifier for the socket session". So I am concerned: can I securely broadcast the session.id of one user to other users, or would that allow them to hijack the session?
I could find no documentation about it - only that the session.id seems to come from engine.io.
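
If the socket.id is to stay on the server, one option is to broadcast an opaque per-room handle and let the server map it back when relaying. The sketch below is an added example, not part of the original post and not a Socket.IO API: `PeerDirectory` and its methods are hypothetical names, and the socket and room ids are constructed sample values.

```javascript
const { randomBytes } = require('crypto');

// Hypothetical helper (not a Socket.IO API): gives peers a random per-room
// handle instead of the raw socket.id and resolves it only for room members.
class PeerDirectory {
  constructor() {
    this.byHandle = new Map(); // handle -> { socketId, room }
    this.bySocket = new Map(); // socketId -> Map(room -> handle)
  }

  // Register socketId in room; returns the handle that may be broadcast.
  announce(socketId, room) {
    let rooms = this.bySocket.get(socketId);
    if (!rooms) this.bySocket.set(socketId, (rooms = new Map()));
    if (rooms.has(room)) return rooms.get(room); // idempotent per room
    const handle = randomBytes(16).toString('hex');
    rooms.set(room, handle);
    this.byHandle.set(handle, { socketId, room });
    return handle;
  }

  // Map a handle back to a socket id; null unless the sender shares the room.
  resolve(senderId, handle) {
    const entry = this.byHandle.get(handle);
    if (!entry) return null;
    const senderRooms = this.bySocket.get(senderId);
    if (!senderRooms || !senderRooms.has(entry.room)) return null;
    return entry.socketId;
  }

  // Drop every handle of a disconnected socket.
  forget(socketId) {
    const rooms = this.bySocket.get(socketId);
    if (!rooms) return;
    for (const handle of rooms.values()) this.byHandle.delete(handle);
    this.bySocket.delete(socketId);
  }
}

// Constructed sample ids; in the handler from the post the emit would become
//   socket.to(appointmentId).emit('patient ready', dir.announce(socket.id, appointmentId))
const dir = new PeerDirectory();
const patientHandle = dir.announce('patient-socket', 'appt-1');
dir.announce('doctor-socket', 'appt-1');
dir.announce('stranger-socket', 'appt-2');
```

Calling `forget(socket.id)` from the `disconnect` handler keeps stale handles from resolving after a client leaves.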