
Sharing data between php and node.js via cookie securely

I have a PHP site, and for real-time updates and chat I have installed Node.js and it's running fine.

Both PHP and Node.js have access to the same MySQL database.

But the problem is to verify the identity of a user who is already logged in to the PHP site.

I don't want to talk to the PHP app via any means, REST or not. As, to me, this will defeat the purpose of using Node.js, as then for each Node.js request, a new PHP page request would be made.

What I want is an encryption and decryption method which is understood by both PHP and Node.js.

So that I can set a cookie with the encrypted value for Node.js requests, which will be at the updates.mydomain.com subdomain. By reading the cookie, Node.js can decrypt its value and verify the user's identity.

So, my question: is there any encrypt and corresponding decrypt method that is supported by both PHP and Node.js, using the same encryption key?

Updates

Actually I'm not looking forward to decrypting it on the client side :D as then the whole point of decryption is pointless. What I want to do is:

1) PHP to generate a cookie with encrypted user info and use that cookie for a specific domain like updates.mydomain.com

2) Then Node.js will get the cookie for each subsequent request, and decrypt the data on the server side, using the same encryption key.

As you can see, that is why I wanted to know if there is a common encryption/decryption system between PHP and Node.js, so that data encrypted by one can be decrypted by the other and vice versa.

This way I can securely transfer the currently logged-in user's identity from PHP to Node.js and I don't have to worry about session management of other kinds :)

So in short, Encrypt by PHP -> Decrypt by Node.js -> get back same data. Possible?

Thanks,
Anjan

The best approach here (imho) would be to store the session information in the database, and then make sure that Node can read the session cookie set by the PHP app.

Then it can just check the session cookie against the database to make sure the user is logged in.

Encryption example

If you really really want to use encryption, be aware that this'll probably be less secure and take more time to do than simply changing PHP's session backend, but here's an example that could probably work:

In PHP, encrypt the data:

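<?php
// Derive a 32-byte AES-256 key from the shared secret; Node.js must derive the same key.
$encryption_key = hash('sha256', 'somethingverysecretandpreferrablylong', true);
// Fresh random 16-byte IV for every message, sent along with the ciphertext.
$vector = random_bytes(16);
// AES-256-CBC through OpenSSL: MCRYPT_RIJNDAEL_256 is not AES, and mcrypt was removed in PHP 7.2.
$encrypted = openssl_encrypt('My secret message', 'aes-256-cbc', $encryption_key, OPENSSL_RAW_DATA, $vector);
$cookie_value = bin2hex($vector . $encrypted); // hex string to store in the cookie
?>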

And to decrypt in Node.js:

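var crypto = require('crypto');
// Same key derivation as the PHP side (createDecipher took a password, not the key, and used no IV).
var key = crypto.createHash('sha256').update('somethingverysecretandpreferrablylong').digest();
var raw = Buffer.from(crypted_string_from_cookie, 'hex');
// The first 16 bytes are the IV, the rest is the ciphertext.
var decipher = crypto.createDecipheriv('aes-256-cbc', key, raw.subarray(0, 16));
var message = decipher.update(raw.subarray(16), undefined, 'utf8') + decipher.final('utf8');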

And please, please be careful with this code. I am by no means a security expert, so if you want to encrypt anything sensitive, you should get peer review from someone who is :)

Another approach would be to use node.js as the PHP session store itself. Gonzalo Ayuso has an interesting article on it:

http://gonzalo123.wordpress.com/2011/07/25/using-node-js-to-store-php-sessions/
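
An authenticated variant of the encrypt-in-PHP, decrypt-in-Node flow from the encryption example above, as an added example that is not part of the original answers: AES-256-GCM lets Node reject a cookie that was modified in the browser, which plain CBC does not. The cookie layout, the `sealCookie`/`openCookie` names, the `exp` field and the demo secret are assumptions; `sealCookie` stands in for a PHP side assumed to call `openssl_encrypt` with `aes-256-gcm`.

```javascript
const crypto = require('crypto');

// Constructed demo secret; both apps would load the same value from configuration.
const SHARED_SECRET = 'constructed-demo-secret-not-for-production';
const KEY = crypto.createHash('sha256').update(SHARED_SECRET).digest(); // 32 bytes

// Hypothetical cookie layout: hex( iv[12] || tag[16] || ciphertext ).
// Stand-in for the PHP side, which is assumed to build the same layout with
// openssl_encrypt($json, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag).
function sealCookie(payload, key = KEY) {
  const iv = crypto.randomBytes(12); // never reuse an IV under the same key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(payload), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('hex');
}

// Returns the payload, or null when the cookie is malformed, was tampered with,
// was sealed under another key, or is past its expiry (exp, ms since epoch).
function openCookie(cookieValue, key = KEY, now = Date.now()) {
  // At least 12 + 16 + 1 bytes, hex encoded.
  if (typeof cookieValue !== 'string' || !/^(?:[0-9a-f]{2}){29,}$/i.test(cookieValue)) return null;
  const raw = Buffer.from(cookieValue, 'hex');
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12), { authTagLength: 16 });
    decipher.setAuthTag(raw.subarray(12, 28));
    // final() throws if the tag does not match the ciphertext and key.
    const json = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
    const payload = JSON.parse(json);
    if (typeof payload.exp !== 'number' || payload.exp <= now) return null;
    return payload;
  } catch (err) {
    return null; // authentication failure or invalid JSON
  }
}
```

Treat a `null` result as "not logged in" and do not echo the failure reason to the client.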
