Sending User ID (in protected mode).
Parameter: User ID (required).
If auth is used, identify should be called after it.
If your site has registration / authorization, we strongly recommend that you send us the User ID. We use the User ID to merge the same user across different devices.
Example of PHP hash generation:
<?php
$userId = '...';
// The secret key is known only to your backend and dashly; it never reaches the browser.
$hash = hash_hmac('sha256', $userId, 'userauth-secret-key');
// Emit the JS call with the user ID and its HMAC so the page can pass both to dashly.
echo "dashly.auth('$userId', '$hash');";
?>
This way the user never sees the secret key, and he will be assigned User ID = 2.
This method can be called once after authorization (the usual case for a Single Page App), or it can be called on every page (if your backend, for example PHP, inserts the code into each page while the user is authorized); both are fine.
There are two rules:
User ID does not have to be a number; strings of up to 255 characters are allowed. A numeric identifier is recommended.
Example. If you are writing a backend in PHP (for example) and simply wrote
dashly.auth(<?php echo $userID ?>); then in the browser it would look something like
An intruder who sees that you are sending UserId = 1234 can open the console and try other values (typing
dashly.auth(1235), for example, to pose as the user with UserId = 1235).
In this way he easily impersonates any other person, can read that person's messages and trigger events on their behalf.
If a hash is added, the secret key used to compute it is known only to your backend (whose source code the attacker cannot see) and to dashly. When you call the auth method, dashly, knowing the User ID and the secret key, computes the hash itself and checks whether it matches the one that was sent. If it does not match, the request is rejected and the merge does not occur.
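An added example, written in Python rather than PHP and not Dashly's own code, showing both halves of the scheme described above: the backend building the auth call with the HMAC, and the recompute-and-compare step the text attributes to dashly. The secret value is a constructed placeholder, and the exact verifier behaviour (including the 255-character limit being enforced there) is an assumption.

```python
import hashlib
import hmac
import json

# Constructed placeholder; the real value is the secret configured for your site.
SECRET_KEY = "userauth-secret-key"


def compute_hash(user_id, secret=SECRET_KEY):
    """HMAC-SHA256 over the user ID, keyed with the shared secret (same as PHP hash_hmac)."""
    return hmac.new(secret.encode(), str(user_id).encode(), hashlib.sha256).hexdigest()


def auth_call(user_id, secret=SECRET_KEY):
    """Backend side: build the dashly.auth(...) line to embed in the page.
    json.dumps quotes the values so an ID containing quotes cannot break out of the JS call."""
    digest = compute_hash(user_id, secret)
    return f"dashly.auth({json.dumps(str(user_id))}, {json.dumps(digest)});", digest


def verify(user_id, received_hash, secret=SECRET_KEY):
    """Verifier side (assumed model of dashly's check): recompute the HMAC from the
    claimed user ID and the secret, and accept only if it matches. compare_digest
    keeps the comparison constant-time so the hash cannot be guessed byte by byte."""
    if len(str(user_id)) > 255:
        return False
    expected = compute_hash(user_id, secret)
    return hmac.compare_digest(expected, received_hash)


if __name__ == "__main__":
    call, h = auth_call(1234)
    print(call)
    print("genuine:", verify(1234, h))     # True: ID and hash belong together
    print("forged id:", verify(1235, h))   # False: the hash was computed over 1234
```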