I wrote my own long-polling Tornado/AJAX chat with rooms, whisper messages and other cool stuff. Till now, as user authentication for just test purposes, I've been using cookies. So you had to just enter your name, after which a cookie 'user' was created and the chat would react accordingly to that cookie. But the problem is that I wrote this chat for a friend who has a PHP site. So basically I need to authenticate users based on his sessions. That's where I got confused. And I am very ashamed, because I caught myself on the thought that I don't know how exactly sessions work, which is kind of absurd, because I don't consider myself such a bad programmer ^^ Well, shit happens. Well, of course I know that sessions only store an id on the client and other information is stored on the server, but that doesn't really help because I need to know exactly what happens in detail. Sure, I googled a bit, but still am confused how to solve this problem. So the basic questions are:

1) Would appreciate if someone could explain in detail one more time exactly how sessions work, and what I need to know or have access to on the PHP site to use sessions in another application...

2) So for example when I authenticate on my Django site, a session is created with some value like 's5ds6dssd6', and to tell the truth I don't know what to do further with it. Ashamed again. For example in PHP to extract the username (if it was set) and check/do something I would do something like PHP_SESSION['username'] === ... In Django even less work: just use a decorator or the user.is_authenticated method. Yet how it works inside and what I need, I don't know.


There is a big chance what I wrote is stupid, and it's very easy, and I am a moron who wrote before trying... Yet even if I somehow would be able to get data from sessions/the PHP site, how could I be sure that some guy didn't create a session with a random id by himself, without authenticating on the PHP site....

Well, hope someone could point me in the right direction. It felt necessary to write so much so you could understand =) what bothers me and respond accordingly.... Sorry if I wrote something stupid.

Viktor
  • I guess I found what I was looking for and the only way to do this is to find the session file in the PHP directory and serialize it. http://stackoverflow.com/questions/2534525/accessing-php-session-from-python-wsgi-is-it-possible – Viktor Jun 28 '11 at 01:56
  • Another one... http://www.python-forum.org/pythonforum/viewtopic.php?f=19&t=10855 – Viktor Jun 28 '11 at 02:06

1 Answer

1) Would appreciate if someone could explain in detail one more time exactly how sessions work, and what I need to know or have access to on the PHP site to use sessions in another application...

P.S.: I am using Linux (I use the freely available Ubuntu, which is the most popular/user-friendly Linux distro) as the OS below, and I would advise you to use a *nix distro (Mac OS X is also pretty good but expensive in my opinion) as well for all your web development, although all these commands are also available in Cygwin (Windows).

Sessions are:

Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site.

Below I try to explain what sessions are and how they use cookies.


I created a simple no.php which does not use sessions and simply outputs Hello World:

Hello World

When we curl this script with the headers using -v we get the following output:

alfred@alfred-laptop:~/www/6500588$ curl http://localhost/6500588/no.php -v
* About to connect() to localhost port 80 (#0)
*   Trying ::1... Connection refused
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /6500588/no.php HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: localhost
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Tue, 28 Jun 2011 02:10:53 GMT
< Server: Apache/2.2.16 (Ubuntu)
< X-Powered-By: PHP/5.3.3-1ubuntu9.3
< Vary: Accept-Encoding
< Content-Length: 12
< Content-Type: text/html
< 
Hello World
* Connection #0 to host localhost left intact
* Closing connection #0

As you can see from the output no cookie has been set. If you do this repeatedly you will get the same output.


Next I create a simple yes.php file which does make use of sessions.

<?php

// Start (or resume) the session: PHP reads PHPSESSID from the Cookie header,
// or creates a new id and sends it back in a Set-Cookie header.
session_start();

// First request for this session: initialise the counter on the server side.
if (!isset($_SESSION['count'])) {
    $_SESSION['count'] = 0;
}

// Print the current count, then increment it for the next request.
echo $_SESSION['count']++;

Let's show the output from curl without storing the cookie:

alfred@alfred-laptop:~/www/6500588$ curl http://localhost/6500588/yes.php -v
* About to connect() to localhost port 80 (#0)
*   Trying ::1... Connection refused
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /6500588/yes.php HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: localhost
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Tue, 28 Jun 2011 02:12:47 GMT
< Server: Apache/2.2.16 (Ubuntu)
< X-Powered-By: PHP/5.3.3-1ubuntu9.3
< Set-Cookie: PHPSESSID=hrduhht116e9mikhkkj0gu7126; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Vary: Accept-Encoding
< Content-Length: 1
< Content-Type: text/html
< 
* Connection #0 to host localhost left intact
* Closing connection #0
0

As you can see the count is 0, but also a cookie has been set: Set-Cookie: PHPSESSID=hrduhht116e9mikhkkj0gu7126; path=/, with session id hrduhht116e9mikhkkj0gu7126.


If we do not store this cookie and issue the same curl command again, we will still receive 0 as the answer (it forgot the count) and also receive another cookie.

alfred@alfred-laptop:~/www/6500588$ curl http://localhost/6500588/yes.php -v
* About to connect() to localhost port 80 (#0)
*   Trying ::1... Connection refused
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /6500588/yes.php HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: localhost
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Tue, 28 Jun 2011 02:16:42 GMT
< Server: Apache/2.2.16 (Ubuntu)
< X-Powered-By: PHP/5.3.3-1ubuntu9.3
< Set-Cookie: PHPSESSID=ihlj9c9fifl8f0lklu0umesas2; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Vary: Accept-Encoding
< Content-Length: 1
< Content-Type: text/html
< 
* Connection #0 to host localhost left intact
* Closing connection #0
0

As you can see, hrduhht116e9mikhkkj0gu7126 is not equal to ihlj9c9fifl8f0lklu0umesas2, which means a new cookie has been set and the information in that session is lost.


Next we store the cookie to a cookie file using the -c flag.

alfred@alfred-laptop:~/www/6500588$ curl http://localhost/6500588/yes.php -v -c cookie
* About to connect() to localhost port 80 (#0)
*   Trying ::1... Connection refused
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /6500588/yes.php HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: localhost
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Tue, 28 Jun 2011 02:27:11 GMT
< Server: Apache/2.2.16 (Ubuntu)
< X-Powered-By: PHP/5.3.3-1ubuntu9.3
* Added cookie PHPSESSID="1h6710hhk84e0k9bj2kg7p03u5" for domain localhost, path /, expire 0
< Set-Cookie: PHPSESSID=1h6710hhk84e0k9bj2kg7p03u5; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Vary: Accept-Encoding
< Content-Length: 1
< Content-Type: text/html
< 
* Connection #0 to host localhost left intact
* Closing connection #0
0

As you can see from ls (directory listing), we stored the cookie in a file named cookie.

alfred@alfred-laptop:~/www/6500588$ ls -al
total 20
drwxr-xr-x  2 alfred alfred 4096 2011-06-28 04:27 .
drwxr-xr-x 19 alfred alfred 4096 2011-06-28 03:59 ..
-rw-r--r--  1 alfred alfred  196 2011-06-28 04:27 cookie
-rw-r--r--  1 alfred alfred   12 2011-06-28 04:00 no.php
-rw-r--r--  1 alfred alfred  114 2011-06-28 04:12 yes.php

That cookie, used to keep track of the count, contains the following information according to cat (shows the contents of the file):

alfred@alfred-laptop:~/www/6500588$ cat cookie 
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

localhost   FALSE   /   FALSE   0   PHPSESSID   1h6710hhk84e0k9bj2kg7p03u5

We next use that cookie to keep track of the count.

alfred@alfred-laptop:~/www/6500588$ curl http://localhost/6500588/yes.php -v -b cookie
* About to connect() to localhost port 80 (#0)
*   Trying ::1... Connection refused
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /6500588/yes.php HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18
> Host: localhost
> Accept: */*
> Cookie: PHPSESSID=1h6710hhk84e0k9bj2kg7p03u5
> 
< HTTP/1.1 200 OK
< Date: Tue, 28 Jun 2011 02:40:18 GMT
< Server: Apache/2.2.16 (Ubuntu)
< X-Powered-By: PHP/5.3.3-1ubuntu9.3
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Vary: Accept-Encoding
< Content-Length: 1
< Content-Type: text/html
< 
* Connection #0 to host localhost left intact
* Closing connection #0
1

As you can see we used that cookie with the same ID 1h6710hhk84e0k9bj2kg7p03u5, and the count is 1 instead of the 0 we get when we don't use any cookie (or don't store the cookie and get a new one).


So basically I need to authenticate users based on his sessions.

Sessions are simply using cookies (session id) under the covers. You could for example override the standard implementation for sessions to use the database instead of the filesystem (interesting read!). But I would just use the session_id you receive from PHP (session_id) within your Tornado application to authenticate your session, because that should be unique (hard to guess).

session_id() returns the session id for the current session or the empty string ("") if there is no current session (no current session id exists).


P.S.: I hope this answers your question a little bit. If not, you could ask in the comments for a little bit more information.

Alfred
  • I am a Debian user myself =). Thx for the answer. Pretty much you answered everything I needed. I was just unsure whether I would be able to fetch the id, and if I would, then I should have access to the PHP site database in order to pull user data. True, I could use ids :D. But I guess they'd appreciate nicks more. Thx for your time, wasted on my stupid question =) – Viktor Jun 28 '11 at 12:09
  • You could just serialize your $_SESSION data and send it over the wire when both servers (PHP server with node server) communicate. It would be as simple as echo `json_encode($_SESSION);` to save the session information? – Alfred Jun 28 '11 at 12:52
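The curl trace in the answer shows the mechanism (the client only ever holds the PHPSESSID value; the count lives on the server), the answer proposes using that session id in the Tornado application, and Viktor's comment points at reading the PHP session file. The following Python is an added example that ties those together from the Tornado side, and it is not code from Viktor's chat or from Alfred's answer. It assumes PHP's default `files` save handler (one sess_<id> file per session in the directory named by session.save_path) and the default `php` serialize_handler (key|value pairs in PHP serialize() format); the function names, the temporary session directory and the session file contents are constructed for the demonstration. The point that answers the worry at the end of the question: an id a client invented has no sess_<id> file on the server, so the lookup fails and the visitor is treated as anonymous, regardless of how plausible the id looks.

```python
import os
import re
import tempfile

# PHP session ids use [0-9a-zA-Z,-] (session.sid_bits_per_character up to 6)
# and are 22 to 256 characters long (session.sid_length). Anything else is
# rejected before it can reach the filesystem.
SID_RE = re.compile(r"^[0-9a-zA-Z,-]{22,256}$")


def _parse_value(data: bytes, pos: int):
    """Parse one PHP serialize()d value starting at pos; return (value, position after it)."""
    tag = data[pos:pos + 1]
    if tag == b"N":                                   # N;
        if data[pos:pos + 2] != b"N;":
            raise ValueError("malformed null")
        return None, pos + 2
    if tag in (b"i", b"d", b"b"):                     # i:3;  d:1.5;  b:1;
        end = data.index(b";", pos)
        raw = data[pos + 2:end]
        value = int(raw) if tag == b"i" else float(raw) if tag == b"d" else raw == b"1"
        return value, end + 1
    if tag == b"s":                                   # s:6:"viktor";  (length is in bytes)
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                             # skip :"
        if data[start + length:start + length + 2] != b'";':
            raise ValueError("string length does not match content")
        return data[start:start + length].decode("utf-8"), start + length + 2
    if tag == b"a":                                   # a:2:{key;value;key;value;}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                               # skip :{
        result = {}
        for _ in range(count):
            key, pos = _parse_value(data, pos)
            result[key], pos = _parse_value(data, pos)
        if data[pos:pos + 1] != b"}":
            raise ValueError("unterminated array")
        return result, pos + 1
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")


def parse_php_session(data: bytes) -> dict:
    """Decode a session file written by the default 'php' handler: key|value key|value ..."""
    pos, out = 0, {}
    while pos < len(data):
        bar = data.index(b"|", pos)
        key = data[pos:bar].decode("utf-8")
        out[key], pos = _parse_value(data, bar + 1)
    return out


def load_php_session(session_dir: str, sid: str):
    """Return the server-side data for sid, or None when the id is malformed or unknown.

    Only ids PHP itself issued have a sess_<id> file, so a made-up id resolves to None.
    """
    if not SID_RE.match(sid):                         # also blocks path characters such as '/'
        return None
    try:
        with open(os.path.join(session_dir, f"sess_{sid}"), "rb") as fh:
            return parse_php_session(fh.read())
    except FileNotFoundError:
        return None


def authenticated_user(session_dir: str, cookie_header: str):
    """Read PHPSESSID from a raw Cookie header and return the PHP-side username, or None."""
    cookies = dict(p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
    sid = cookies.get("PHPSESSID")
    session = load_php_session(session_dir, sid) if sid else None
    # A session that exists but never logged in (like yes.php's counter-only session) is anonymous.
    return session.get("username") if session else None


def demo() -> dict:
    """Constructed session directory with two PHP sessions, checked against four cookies."""
    session_dir = tempfile.mkdtemp()
    # Constructed: what PHP writes after a login sets $_SESSION['username'] plus some chat state.
    with open(os.path.join(session_dir, "sess_hrduhht116e9mikhkkj0gu7126"), "wb") as fh:
        fh.write(b'username|s:6:"viktor";count|i:3;rooms|a:2:{i:0;s:5:"lobby";i:1;s:4:"dev1";}')
    # Constructed: a session that only ever ran yes.php, so nobody is logged in.
    with open(os.path.join(session_dir, "sess_ihlj9c9fifl8f0lklu0umesas2"), "wb") as fh:
        fh.write(b"count|i:0;")
    return {
        "logged_in": authenticated_user(session_dir, "PHPSESSID=hrduhht116e9mikhkkj0gu7126"),
        "anonymous": authenticated_user(session_dir, "PHPSESSID=ihlj9c9fifl8f0lklu0umesas2"),
        "made_up": authenticated_user(session_dir, "PHPSESSID=zzzzzzzzzzzzzzzzzzzzzzzzzz"),
        "malformed": authenticated_user(session_dir, "PHPSESSID=../../../etc/passwd"),
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the Tornado process needs read access to the directory in session.save_path, and a session file that PHP's garbage collector has removed simply shows up as "not logged in", which is the right outcome. The parser above handles only the `php` serialize_handler; if the PHP site is configured with php_serialize or php_binary, the file layout differs and the decoding step has to change, while the lookup-by-id logic stays the same.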