Martin Karlgren wrote:
>I guess the API user could keep track of sid:s and Server objects separately,
> if they don't want a .farm?

It was/is not intended to be used like that, though the only dependency here
is that in the Server object there are exactly three references to the
global clients list.

Can you imagine a use case where this is desirable?

> I'd imagine that the globally shared sid lookup mapping might be regarded
> as a security issue

Not really.  The global clients mapping with all sids in it is a private
object and thus not accessible for reading or writing from outside of the
EngineIO module.  The sids cannot be guessed, they are cryptographically
secure.

> in more complex setups, such as multiple listener ports with different user
> permissions or whatever. (Although using a TLS port should keep the sid
> secret enough, I guess.)

Those setups are explicitly supported through the single farm.  You only
need a single farm, regardless of how many listener ports/urls you
are listening on.
-- 
Stephen.
