I come here with a simple, yet very important question regarding session security.

I wonder if it's secure to share sessions from PHP back-end with node.js + socket.io to authenticate and authorize WebSocket connections with that data? To share sessions between PHP and node.js I am planning to use Redis.

I've seen many solutions making HTTP requests to PHP back-end to obtain session data, but I find it unnecessary, since I plan to use Redis to store sessions anyway (to allow distributing PHP back-end on multiple servers).

I'm not sure what other information would be relevant, so please do not hesitate to ask.

I think it's also worth mentioning that the PHP back-end is served with the nginx FastCGI module connecting to PHP-FPM, and node will also reside behind nginx. Also, both regular PHP and WebSocket connections are using SSL.

Because it seems the question is not clearly stated: Is it wise in terms of security to share sessions using Redis (Memcached or a NoSQL database, while I'm going to use Redis), and why do all tutorials use HTTP requests instead of what seems easier and more performant (is it because of scalability)?

pzaj
  • So what's the question? IMO it's secure enough, Redis is just storage – bxN5 Mar 06 '17 at 21:50
  • You can use the `SessionInterfaceHandler` to store sessions in the db and load them with node.js. Easy as pie, presuming they both share the same db? – Xorifelse Mar 06 '17 at 22:34
  • @bxN5 Well, perhaps I didn't emphasize the question well enough. Basically the question is: is it a good practice (in terms of security) to share sessions that way? Most tutorials seem to prefer an HTTP request instead. – pzaj Mar 07 '17 at 10:40
  • @user1970395 Why is it not an HTTP query? You send a request to PHP, PHP stores the session in Redis, you send a request to node, node gets the session and sends a response. Yes, maybe it's not as secure as the native flow, but in your case are there any other options? – bxN5 Mar 07 '17 at 10:47
  • @bxN5 Well, I mean that most tutorials use an HTTP request made from Node to the PHP back-end to query session data. I also use Node for WebSocket only, so there are no real queries to the node back-end; instead it's mostly server -> browser data flow. During the WebSocket handshake I'd like to get PHP session data to verify the user is logged in (and authorized to access certain channels). I've seen two ways: an HTTP request to the PHP back-end, and storing the session in Redis, then fetching session data in node from Redis based on cookies. – pzaj Mar 07 '17 at 10:52
  • @user1970395 It's hard to discuss security without a concrete realization; maybe this can help you: http://stackoverflow.com/questions/23795926/share-sessions-between-php-and-node – bxN5 Mar 07 '17 at 10:57
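
As an added illustration of the Redis approach discussed in the question and comments (not code from any poster), this sketches the Node-side handshake check that reads the PHP session directly from the shared store and fails closed on anything unexpected. It assumes PHP's default `PHPSESSID` cookie name and `php` serialize handler, the phpredis default key prefix `PHPREDIS_SESSION:`, a session holding only scalar values, and a hypothetical `user_id` key set at login; `SAMPLE_STORE` is constructed data standing in for a Redis client.

```javascript
const KEY_PREFIX = 'PHPREDIS_SESSION:';    // default key prefix of the phpredis session handler
const SID_RE = /^[A-Za-z0-9,-]{22,256}$/;  // only characters PHP itself uses in session IDs

// Pull PHPSESSID (PHP's default session.name) out of a raw Cookie header.
// Anything that is not a well-formed ID is rejected before it reaches the key.
function sessionIdFromCookie(header) {
  const m = /(?:^|;\s*)PHPSESSID=([^;]*)/.exec(header || '');
  return m && SID_RE.test(m[1]) ? m[1] : null;
}

// Decode PHP's default "php" serialize_handler format (name|value...), scalars only.
// Arrays and objects throw, so the caller fails closed on unexpected data.
function decodePhpSession(raw) {
  const buf = Buffer.from(raw, 'utf8');    // PHP string lengths count bytes
  const out = {};
  for (let i = 0; i < buf.length;) {
    const bar = buf.indexOf('|', i);
    if (bar < 0) throw new Error('malformed session data');
    const name = buf.toString('utf8', i, bar);
    const type = String.fromCharCode(buf[bar + 1]);
    if (!'isbdN'.includes(type)) throw new Error('unsupported type');
    if (type === 's') {                    // s:<len>:"<bytes>";
      const colon = buf.indexOf(':', bar + 3);
      const len = Number(buf.toString('ascii', bar + 3, colon));
      if (colon < 0 || !Number.isInteger(len) || len < 0) throw new Error('malformed string');
      out[name] = buf.toString('utf8', colon + 2, colon + 2 + len);
      i = colon + 2 + len + 2;             // skip closing quote and semicolon
      continue;
    }
    const semi = buf.indexOf(';', bar);
    if (semi < 0) throw new Error('malformed session data');
    const text = buf.toString('ascii', bar + 3, semi);   // empty for "N;"
    out[name] = type === 'N' ? null : type === 'b' ? text === '1' : Number(text);
    i = semi + 1;
  }
  return out;
}

// Handshake check: cookie -> session key -> decoded session with a logged-in user.
// `store` is any object with get(key), e.g. a Redis client (assumed interface).
async function authenticateHandshake(cookieHeader, store) {
  const sid = sessionIdFromCookie(cookieHeader);
  const raw = sid && await store.get(KEY_PREFIX + sid);
  if (!raw) return null;                   // no cookie, expired or unknown session
  try { const s = decodePhpSession(raw); return Number.isInteger(s.user_id) ? s : null; }
  catch { return null; }                   // user_id is an assumed key set by the PHP login
}

// Constructed sample data standing in for Redis (not real session contents).
const SAMPLE_SID = 'a'.repeat(26);
const SAMPLE_STORE = new Map([[KEY_PREFIX + SAMPLE_SID, 'user_id|i:42;name|s:4:"pzaj";admin|b:0;']]);
```

With socket.io this check would run in the connection middleware against the handshake's `Cookie` header, using a Redis account that has read-only access to the session keys.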

0 Answers