
Authenticating between php and node.js

I have a web application written in PHP and plan to add chat functionality to it. I decided to use node.js as this seems perfect for the job, and PHP sorta stinks for this sort of thing.

At some point I need to make sure that a request to the socket.io server is legitimate. I need to make sure the request is from a page my PHP generated. Trying to keep it simple, I came up with this idea. OK, so the client/server process would be:

  1. Client opens the web page and PHP receives the request. PHP creates a hash of some sort and contacts the node HTTP server via GET. I was thinking to simply curl 127.0.0.1 and pass the hash; not sure if this would be as easy, though, with Apache running already.

  2. Node would receive this hash and store it as a property in an object so following requests from the client would have access to it.

  3. When curl comes back, PHP renders the page and passes this hash to the client.

  4. Client makes a request to the node server on some port, passes this hash, and node calls the callback. Now node checks if the hash is one of the properties of the object I described in step 2.

  5. If the hash is one of the properties then process the request; otherwise something dodgy is happening, so ignore it.

That is the general idea, and I would like to know if this has any obvious flaws that I should consider before implementing. Any advice would be much appreciated.

  1. Standard scheme. Use Redis/memcached/RDBMS for saving the token on the server side.

    • + fast
    • + you implement the mechanism of token creation in one place
    • - all tokens may be lost in some cases
  2. Signed cookies technique.

Create the token on the PHP side. Like:

```php
$token = some_special_hash_not_md5_not_sha1(
                 $userID . $server_side_super_safe_salt);
```

Send the token and userID via cookies.

Check on the node side whether this token is valid.

  • + no DB
  • - you have to find functions on node and PHP which produce identical signatures
  • - you have to know a lot about crypto if you want to write safe code

For example, if some_special_hash_not_md5_not_sha1() is PBKDF2, some people may DDoS you with a large $userID.

Tips on signed cookies instead of sessions
