I come here with a simple, yet very important question regarding session security.

I wonder if it's secure to share sessions from a PHP back-end with node.js + socket.io in order to authenticate and authorize WebSocket connections with that data? To share sessions between PHP and node.js I am planning to use Redis.

I've seen many solutions making HTTP requests to PHP back-end to obtain session data, but I find it unnecessary, since I plan to use Redis to store sessions anyway (to allow distributing PHP back-end on multiple servers).

I'm not sure what other information would be relevant, so please do not hesitate to ask.

I think it's also worth mentioning that the PHP back-end is served by nginx's FastCGI module connecting to PHP-FPM, and node will also reside behind nginx. Also, both the regular PHP and the WebSocket connections use SSL.

Because it seems the question is not clearly stated: Is it wise, in terms of security, to share sessions using Redis (or Memcached, or a NoSQL database, though I'm going to use Redis), and why do all tutorials use HTTP requests instead of what seems easier and more performant (is it because of scalability)?

  • So what's the question? IMO it's secure enough, Redis is just storage. Commented Mar 6, 2017 at 21:50
  • You can use the SessionInterfaceHandler to store sessions in the db and load them with node.js. Easy as pie, presuming they both share the same db? Commented Mar 6, 2017 at 22:34
  • @bxN5 Well, perhaps I didn't emphasize the question well enough. Basically the question is: is it a good practice (in terms of security) to share sessions that way? Most tutorials seem to prefer an HTTP request instead. Commented Mar 7, 2017 at 10:40
  • @user1970395 Why is it not an HTTP query? You send a request to PHP, PHP stores the session in Redis, you send a request to node, node gets the session and sends a response. Yes, maybe it's not as secure as the native flow, but in your case are there any other options? Commented Mar 7, 2017 at 10:47
  • @bxN5 Well, I mean that most tutorials use an HTTP request made from Node to the PHP back-end to query session data. I also use Node for WebSocket only, so there are no real queries to the node back-end; instead it's mostly server -> browser data flow. During the WebSocket handshake I'd like to get the PHP session data to verify the user is logged in (and authorized to access certain channels). I've seen two ways: an HTTP request to the PHP back-end, and storing the session in Redis, then fetching the session data in node from Redis based on cookies. Commented Mar 7, 2017 at 10:52
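As an added example (not code from the question or its comments), this is what the Redis-backed flow described above could look like on the node side: a socket.io handshake middleware that reads PHPSESSID from the cookie, fetches the PHP session from the shared store, decodes PHP's session serialization and refuses the connection unless a logged-in user is present. It assumes phpredis's default `PHPREDIS_SESSION:` key prefix and PHP's default `php` serialize handler, and replaces Redis with an in-memory map holding constructed data so that it runs offline.

```javascript
// Decoder for PHP's serialize() output (scalars and arrays), which is what session_encode() emits
// per key. Assumes ASCII session data: PHP string lengths are bytes, JS slicing counts UTF-16 units.
function unserialize(str, pos = 0) {
  const t = str[pos];
  if (t === 'N') return [null, pos + 2];                             // "N;"
  if (t === 'b' || t === 'i' || t === 'd') {                         // "i:42;"
    const end = str.indexOf(';', pos), raw = str.slice(pos + 2, end);
    return [t === 'b' ? raw === '1' : Number(raw), end + 1];
  }
  if (t === 's') {                                                   // 's:5:"admin";'
    const colon = str.indexOf(':', pos + 2), len = Number(str.slice(pos + 2, colon));
    return [str.slice(colon + 2, colon + 2 + len), colon + len + 4];
  }
  if (t === 'a') {                                                   // 'a:1:{i:0;s:5:"admin";}'
    const colon = str.indexOf(':', pos + 2), n = Number(str.slice(pos + 2, colon));
    const out = {}; let p = colon + 2, k, v;
    for (let i = 0; i < n; i++) { [k, p] = unserialize(str, p); [v, p] = unserialize(str, p); out[k] = v; }
    return [out, p + 1];
  }
  throw new Error(`unsupported PHP type '${t}' at offset ${pos}`);
}

// Splits the "key|value;key2|value2" string PHP writes to the session store into an object.
function decodePhpSession(data) {
  const session = {}; let pos = 0;
  while (pos < data.length) {
    const bar = data.indexOf('|', pos);
    if (bar === -1) throw new Error('malformed session payload');
    const key = data.slice(pos, bar);
    let v; [v, pos] = unserialize(data, bar + 1);
    session[key] = v;
  }
  return session;
}

// Constructed stand-in for the shared Redis store (phpredis keys sessions as PHPREDIS_SESSION:<id>).
const store = new Map([['PHPREDIS_SESSION:k2q7m1p0v4h9d6s3a8n5r1t0c2', 'user_id|i:42;roles|a:1:{i:0;s:5:"admin";}']]);

// socket.io-style middleware (io.use(authorizeHandshake)): take PHPSESSID from the handshake cookie,
// load the PHP session from the shared store, and reject the socket unless a user is logged in.
function authorizeHandshake(socket, next) {
  const cookies = Object.fromEntries((socket.handshake.headers.cookie || '')
    .split(';').map(c => c.trim().split('=')).filter(kv => kv[0]));
  const sid = cookies.PHPSESSID;
  if (!sid || !/^[A-Za-z0-9,-]{22,128}$/.test(sid)) return next(new Error('unauthorized')); // sanity check on id
  const raw = store.get(`PHPREDIS_SESSION:${sid}`);
  if (raw === undefined) return next(new Error('unauthorized'));      // unknown or expired session
  const session = decodePhpSession(raw);
  if (!Number.isInteger(session.user_id)) return next(new Error('unauthorized')); // not logged in
  socket.user = { id: session.user_id, roles: Object.values(session.roles || {}) };
  return next();
}
```

The store lookup is the only trust decision node makes: it accepts exactly the session ids PHP issued, so expiry, regeneration on login and cookie flags remain PHP's responsibility and need no second HTTP round-trip.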