
I'm trying to use active sessions (started in PHP) in Node.js.

For PHP I'm storing sessions in MySQL (by using session_set_save_handler as described in http://phpsecurity.org/code/ch08-2). Works fine for PHP.

Now I planned to:

1) from the PHP app's client side, "execute" a Node.js link with the client's PHPSESSID cookie in GET:

http://192.168.0.222:53077/?phpsession=02isg9kv8fbveqhmt1htcj6cc7

2) on the Node.js server side, get PHPSESSID and look for its value in the MySQL sessions table

3) if the PHPSESSID value exists in MySQL, read the user's id, name and other user data stored in MySQL (sessions table)

Question is: is it the right way? I think I'm wrong, at least from step 2. What is the right way to work in Node.js with sessions stored in MySQL that were started from PHP?

Please don't advise me to store sessions in memcached or redis; I chose MySQL.

deeplay
    Passing the session token via the URL can make your users especially vulnerable to session hijacking (will show up in server logs, possibly on urls stored in browsers, etc.). I would add an HTTP header to the request instead. – mesch Mar 08 '15 at 18:29
  • I expected it. Was going to ask about it, but u answered already. You advise me not to use GET? Or use GET, but send an HTTP header instead of the cookie id? Can you please write a little sample? Thanks anyway. – deeplay Mar 08 '15 at 18:39

1 Answer

Since you are handling the sessions yourself with session_set_save_handler, you can choose to serialize the data any way you want. I would suggest json_encode() for compatibility with Node.js.

PHP gives your save handler the already serialized data as a string, so you would need to unserialize() it and re-serialize with json_encode. Adjust your session blob reading to json_decode() and serialize() before returning to PHP.

Your steps of 1, 2, and 3 seem to be correct. More detailed questions could provide a better answer.

I would suggest making sure your SQL table has a few columns for session storage.

  • "created_on" integer timestamp
  • "updated_on" integer timestamp
  • "long_term" small int; if the user checked "remember me" or something similar, this should skip normal session garbage collection
  • "ip_addr" can be used to alert users to potential session hijacking.
  • "agent" can be an md5 or sha1 sum of the user agent to detect access from different devices / browsers
chugadie
  • Thanks for the answer. Question about json: do u mean something like this: 1. in php: `json_encode()` for storing session data in json format; 2. in node.js: `json_decode()` for reading session data in json format. I can't get one main thing: do I need to bind node's own session technology with the data stored in mysql (session table)? Or do I just read the data stored in mysql and use it in node.js? And do I need to use in node.js something like "goran" (found it in [link](http://stackoverflow.com/questions/26331228/how-can-i-parse-php-user-details-session-to-node-js-server))? – deeplay Mar 08 '15 at 18:30
  • You might be over thinking the whole problem. When you need access to data from the session in Node, make sure Node has access to the session ID generated from PHP, and read the table. The only problem is, PHP's default serialization may not be parsable by Node, so use json_encode/decode in PHP when writing to the DB. – chugadie Mar 09 '15 at 12:49