PHP and node.js shared session identification

I'm looking at implementing a chat/messaging system using node.js and socket.io to pass messages etc.

However the system will use a php authentication system using PHP sessions. Obviously I need some way of knowing that the connected node.js user X is the PHP-authenticated user X?

After a bit of research, it seems it is fairly common to use Memcache to share php sessions with node (by storing in JSON etc). However there is still the problem of identifying which connected node user is which stored php session?

My first thought was to use the cookie that PHP sets, utilising the PHPSESSID value etc. However, surely a user could modify that cookie to someone else's PHPSESSID, and bazinga? (Obviously they'd either have to know that PHPSESSID or be very good at guessing, but this still appears to be a security hole?)

What are your thoughts on this? Is this the best way to achieve what I want?

Using the PHP session ID should be secure enough for your purposes; in fact, that's how pretty much any PHP site would handle authentication. Once a user is logged on, a "token" of some kind must be saved in the browser to let the site know who they are so that it can be determined that they are logged on. You could create your own, or you could use the already created session if that's easier for you. The idea is that the session ID value is long enough and complex enough that it cannot be guessed during the time that it is valid for a particular user's authentication.

If you want to further protect your users, make sure that you are using an SSL connection the entire time; that way the session ID cannot be snooped.
