Skip to content

[Security] WebSocket connection lacks dynamic token validation and session expiration handling #586

Description

@Pratikshya32

Description

Currently, the socket connection validates the JWT token only during the initial handshake. Once established, the WebSocket connection remains active indefinitely, even if the user logs out, their token expires, or the account is disabled. This exposes the application to session hijacking and unauthorized real-time communication.

Impact

Users can continue sending and receiving messages via WebSocket after their authentication token is invalid or expired.

Proposed Fix

  • Implement a heartbeat/verification check on the socket connection to periodically validate the JWT token.
  • Listen for logout events to explicitly terminate the socket connection from the server-side.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions