I am currently working on integrating node.js with socket.io with my PHP Framework.
When the user logs into my site I save his/her session in my database and assign him a userid.
The only way I am able to validate if the request to node.js is valid, is to send the **cookie (session id) and userid to node.js and check the Database, if the session ID is valid and the userid belonging to this session id. This happens with node.js mysql module.
Is this the only method? Is it "safe"?
Depending on what are you doing with your Node.js server and sockets.io, you can maintain an array of logged users onto the server.
When a user validates onto your PHP you send a socket event from your client code to your sockets server with the session id, then you store that session id on an associative array of users on the Node.js server, this way you can have associated any user session id to the socket you use to maintain communication between client and server.
From now on, you can check any communication with the Node.js server just passing the session id through client code and checking if it's included on the associative array.
Of course, when disconnection event is fired from socket.io, you delete the associated entry on the array.
