7

I've recently set up a nodejs chat server, the chat client is served by a php server. When users log in, their sessions will be stored in mysql of the php server, and a login cookie will append to browser.

I want to restrict users that only logged in users are able to chat. What is the best practice to archieve that ?

My quick thought:

When the chat client loaded, if user logged in, I'll send the login cookie information to nodejs verver via socket. Then create a nodejs session. When user chat, the message together with cookie information will be sent to nodejs server via socket. If the cookie information does not match the nodejs session, the message will not be broadcasted and client socket will be disconected.

angry kiwi
  • 10,730
  • 26
  • 115
  • 161
  • possible duplicate of [node.JS how to create and read session with express](http://stackoverflow.com/questions/5765777/node-js-how-to-create-and-read-session-with-express) – jamesmortensen Mar 05 '12 at 06:28

2 Answers2

3

A websocket is a permanent open connection. You only need to autheticate once when you connect to the websocket.

Simply send your login cookie to node.js once and store it on the server with a reference to the socket connection. Then only handle messages from authenticated users and only broadcast to authenticated users.

The problem is that client side users can easily fake this cookie as node does not talk to php to ensure that it's a valid login cookie.

An example using now.

warning pseudo code

// server.js
everyone.now.joinChat = function(cookie) {
    chat.add(this, cookie);
}

everyone.now.serverMessage = function(message) {
    if (chat.hasUser(this)) {
        chat.broadcast(message);
    }
}

chat = (function() {
    var users = [];

    return {
         "add": function(client) {
             users.push(client);
         },
         "hasUser": function(client) {
             return users.some(function(user) {
                 return user === client;
             });
         },
         "broadcast": function(message) {
              users.each(function(user) {
                  user.clientMessage(message);
              });
         }
    }
}());

// client.js
$(function() {
    now.joinChat($.cookie("login"));

    $("#send").click(function() {
         now.serverMessage($(this).data("message"));
    });

    now.clientMessage = function(message) {
         $("#messages").append($("<span></span>").text(message));
    }

});
Raynos
  • 166,823
  • 56
  • 351
  • 396
  • "store it on the server with a reference to the socket connection" could you give an example on how to do this ? – angry kiwi Apr 21 '11 at 15:18
  • @runrunforest now.js can do this for you. I'll write up an example. you can do the same with socket.io, you can do the same with your own websocket implementation, just have to write the gritty details yourself. – Raynos Apr 21 '11 at 15:22
0

This is the answer i'm looking for nodeJS - How to create and read session with express

Community
  • 1
  • 1
angry kiwi
  • 10,730
  • 26
  • 115
  • 161