Description
The generation of new IDs for new sockets is vulnerable to prediction attacks. Potentially, though highly unlikely, collisions are also possible.
Mentioned in the comments of #497.
The Manager.generateId() method generates identifiers using the default Math.random() pseudorandom number generator, which produces predictable output. Knowledge of the socket.io identifier is sufficient information for a client to receive information from a socket.io server. With the current implementation, an attacker that is able to predict subsequent identifiers can make a request and gain potentially private information.
The solution is to generate a secure random number for use in identifiers with sufficient entropy that it is difficult to guess. See RFC 4086 for more information on randomness requirements.
The node.js crypto module can produce cryptographically random sequences: crypto.randomBytes(n). And, if you don't like the minuscule odds of a collision, you can add a sequence number.
Pull request follows.
As posted here: https://groups.google.com/d/topic/socket_io/Peq-R_BTSx0/discussion