Home/ Questions/Q 6705261
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T07:23:00+00:00

I am looking atways of implementing comet like behaviour for a website. So far

  • 0

I am looking atways of implementing comet like behaviour for a website. So far Node.js (and its various derivatives) seem to be ahead of the rest of the field (IMHO).

However, I can’t help noticing that with all of the client side JS that is responsible for updating the client (browser etc), the communication port is visibly hard coded in the client script.

To me (and I may be wrong), that is just like publishing which ports of your server are open (and therefore welcoming hackers to attack through that port). Am I being overly paranoid or is this really a cause for concern?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I really want to say Comet isn’t any less secure, but that’s not quite true.

    First, the reason why it’s generally no less secure is that Comet requests are just like regular HTTP request, but with a slightly longer lifecycle. So they’re subject to the same requirements for proper security as any other HTTP endpoint you write (e.g. make sure you authenticate the user’s session cookie, etc.)

    But that long life cycle means it’s possible for the underlying user to change mid-stream through a Comet connection. This can make for some problematic user experiences. For example, imagine a chat application that uses Comet streaming to send messages to the browser, and uses regular HTTP polling to update the buddy list, showing which friends the user has online. Now examine this scenario …

    • Fred logs into your comet-based chat app in window A. You open a Comet connection (authenticated as Fred), and start pulling messages for him. Cool.
    • Now Fred minimizes the window and (thinking he’s closed everything) walks away
    • Sally comes along (not seeing Fred’s minimized window) and opens a 2nd window onto your site and logs herself in. This invalidates Fred’s session cookie, and replaces it with Sally’s.
    • Not too long afterwards, unseen by Sally, that first window polls the server to see which friends of the current user are online. Because the current user is now Sally, that first window updates to show all her friends.

    … now what does Sally see when she finds that first window? The friend list has updated to show all her friends, so it looks like she’s logged in there. But Comet connection was authenticated to Fred and is still open. So Sally is getting Fred’s messages, and not getting hers. Ewww.

    This is the sort of thing you need to watch out for rather than worrying about how visible your endpoint is. All http endpoints are visible, and can be easily reverse engineered using modern browser debuggers and network packet sniffers. Security comes from implementing sane authentication strategies on the server, not from hiding how you connect to the server.

    Finally, note that nothing in your question or this answer is specific to node.js. All Comet solutions have these same traits.

    • 0