0

I'm looking to add on info to this post

Node.js (mysql+socket.io) Authentication PHP via Cookie?

If possible please explain this part and if scenario is correct based on assumptions in above question:

Lets say I have user login via ajax, upon success, I return the session ID to the client side with ajax response, and send it to a websocket request. There on node.js, I keep an array of the successful login session ID's, and can get the member_id using the session ID. This way I don't have to make the session ID accessible via javascript (leaving cookie http only). Lastly, when I visit another page, I have to use ajax to resend the session ID to websockets to reinitiate the websocket chat.

Is my understanding correct? The safety is my concern, I don't know what monstrous issues could occur if I have an ajax response with the session_id. Or is there a way to bypass this sending? I've read about something called Redis, would this be running while I apache, node.js and mysql running? So I have 2 databases running at same time instead of just one?

Edit: Already see someone trying to close the question. Let me rephrase it then, returning the session ID via an ajax response poses a threat or not..?

Community
  • 1
  • 1
Darius
  • 1,613
  • 5
  • 29
  • 58

1 Answers1

0

I think you're making this more complicated than it needs to be. All you need is regular sessions (using httpOnly cookies). Websocket requests already send cookies with the initial HTTP Upgrade request.

For sharing sessions between node and PHP via redis see this answer.

Community
  • 1
  • 1
mscdex
  • 104,356
  • 15
  • 192
  • 153
  • Thanks, didn't realize websockets sent the upgraded request. Made cookies httponly and everything works fine. – Darius Jun 04 '14 at 04:56