2

I'm looking at implementing a chat/messaging system using node.js and socket.io to pass messages etc.

However the system will use a php authentication system using PHP sessions. Obviously I need some way of knowing that the connected node.js user X is the PHP-authenticated user X?

After a bit of research, it seems it is fairly common to use Memcache to share php sessions with node (by storing in JSON etc). However there is still the problem of identifying which connected node user is which stored php session?

My first thought was to use the cookie that PHP sets, utilising the PHPSESSID value etc- however surely a user could modify that cookie to someone else's PHPSESSID, and bazinga? (Obviously they'd either have to know that PHPSESSID or be very good at guessing, but this still appears to be a security hole?

What are your thoughts on this? Is the best way to achieve what I want?

Improve this question

1 Answer 1

Reset to default
5

Using the PHP session ID should be secure enough for your purposes, in fact, that's how pretty much any PHP site would handle authentication. Once a user is logged on, a "token" of some kind must be saved in the browser to let the site know who they are so that it can be determined that they are logged on. You could create your own, or you could use the already created session if that's easier for you. The idea is that the session ID value is long enough and complex enough that it cannot be guessed during the time that it is valid for a particular user's authentication.

If you want to further protect your users, make sure that you are using an SSL connection the entire time, that way the session ID cannot be snooped.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

+1, In short, the session ID is a temp password that can only be used once.
That is great, concise way to say it.
Great, thanks. I just wanted to get another opinion on this before proceeding :)

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.