Since PHP sessions are basically cookies, and I am using them to authenticate logged in users (I know, I should move to tokens), is it possible to read the session cookie on my node app? (I want to create a simple chat that gets the logged in username from the PHP session, and on the way allow only logged in users to use the chat)
What would then be the preferred way to do that? (In terms of security as well)
**Edit: I am trying to get something sort of the node equivalent of this in PHP:
if(!isset($_SESSION['user_id']){
//don't allow access to the chat page
} else {
//show chat for logged user
}
A cookie is not language specific so if the cookie is there, you could certainly read it with node.js.
BUT, the browser only sends cookies to the server that they are associated with. So, if your PHP server is not part of the same sub-domain as the node.js server and the cookies are configured to allow sharing with sub-domains, then the browser won't send the PHP cookie to your node.js server.
To read cookies with Express, you can use the cookie-parser module. Samples for how to use it are in the doc. After installing the cookie-parser middleware, you would end up referencing:
req.cookie
to access that same cookie. To manage sessions using Express and node.js and keep track of server-side session state, one would typically use the express-session module.
Related
I'm in a situation where I need to auto-auth users between an ASP.NET website and WordPress. The idea is once you're logged into the ASP.NET website and if you browse the WP pages your logged in automagically and vice versa.
In ASP.NET I can auth users against WP database but that's all I can think of, so the question is.
-How to enable this by-directional authentication scheme?
-Zubair
I had a similar problem, where I had an ASP.net application (third party) and a PHP application (built in-house). I have modified the ASP.net application with just a few lines of code, so that it worked like this:
User logs to the ASP.net application
The ASP.net application sets a session cookie (this is automatic)
Modification: the ASP.net adds a row to the database with the session ID (which is in the cookie) and the username
The PHP application reads the ASP.net session cookie and gets the session ID
The PHP application searches the DB for the session ID and if it is found, it automatically associates the session with the username found
I also added an expiry time for the sessions, to minimize impersonation possibilies...
There are two different server side scripts and it is hard to create by-directional authentication. Since WP uses cookies, you might try to authenticate users against cookies. creating a mechanism that check if there is valid WP cookies in users machine and then read from cookies to authenticate users.
Send cookies from PHP by SetCookie() method, then read cookies from ASP.Net by reading cookies collection(since the name of the cookie changes). then Decode url.. (in ASP.Net you wil get encrypted url. special caharacters are replaced by(#-->%23 , #--->%40 etc..)
I started to develop a web application as a major project for my degree. Purpose of app is not important. My problem is handling the login. I have no problem with setting up login with jQuery mobile, that is actualy working pretty well. Problem is I'm handling login with php script through ajax and creating session in that process. So for checking if user is logged in or not I'd normaly use a php script, but in this case I can't. I need to keep using only client side for authentication. What would be the solution for this? Can I handle authentication with some native jQuery functions or do I need to write some JS scripts? If anyone have any solution please I don't need actual code, just best solution. Thank you
You can achieve this as long as login authentication is restricted to the device. What I mean is that user-id / password combination can be stored locally on the device. You may choose local file system storage for this. Here are the steps:
1) Make user register with uid/password
2) Check uid is existing in your local storage. If not register by writing it to local storage.
3) Later when user returns, validate login credentials against the local store.
I assume you're developing a native app with a mobile web framework. In this case you have two choices:
POST the login details out to a server somewhere, authenticate and return the session, allowing the user access. This will obviously require internet access, but will be more secure.
Store the credentials in local storage using JavaScript when the user signs up. Encrypt this value and compare against it when the user logs in.
I'm writing a JQM web app with a PHP web service. Users will be able to sign-in and register that they've made a purchase of, for instance, a soda from the club. This info will be stored in a database and eventually billed.
To illustrate what I want to do: I have already implemented this as an Android app. My "session handling" in the Android app consists of simply storing the user's credentials in Android's savedPeferences (persistent local storage) upon succesful authentication with the server. These credentials are then resent with every subsequent server request so that users only ever have to sign-in once - upon running the app for the first time.
I want to mimic this behavior in my JQM app as closely as possible. Ideally, the user should only ever have to sign in once unless they choose log out.
I'm a bit rusty when it comes to website programming, so what would be the best approach? Non-expiring cookings? Do I use a PHP session or handle everything in javascript?
This is for a hobby project; I prefer a simple solution over something overly secure and complex. Thanks!
Edit: After reading Mike's answer I stumbled across this plugin: https://github.com/carhartl/jquery-cookie
Perhaps this is the easiest way to keep users logged in..?
PHP sessions are going to be invalidated after a set amount of time (depending on your php.ini settings or any runtime modificatoins to the settings).
You can use long-time expiring cookies to persist a login (typically user is given checkbox at login to allow their login credential to be stored).
Since you are developing for a mobile device, you do also have the alternative of using HTML5 local storage since most every Android browser out there supports it. See more info at the link below.
HTML5 Local storage info
I prefer this as the login hash could be persisted even if the user clears their browser cookies and it can be handled strictly within Javascript.
When the Facebook session expires with my App, I have to use the Javascript SDK to create a new session. This is hugely annoying as it appears to the user that they are logged out occasionally as I do most of the detection server side. And then, when they reload the page and the javascript has executed, the session is recreated.
I am aware that I can fix this quite simply by using javascript to show a message saying 'please reload the page' (much like StackOverflow), however, I do not want my users to have to do this. I accept that the PHP SDK cannot do it, but is there any sort of hack I can do to achieve it myself using PHP instead of Javascript?
Can anyone explain why the PHP cannot do this?
PHP is running on your server, which has nothing to do with Facebook's servers. Remember that cookies are locked to the originating domain. The cookie will appear to have been set by YOUR server, and have an originating domain of "yoursite.com", not "facebook.com".
JS, on the other hand, runs on the client, and any requests made to Facebook's servers will also obey any cookies set by the Facebook servers.
So if I use a server to make call to web page (cURL or file_get_contents or something), and that web page assigns a session to that call (like I use that call to add an item to a shopping cart), is it possible to then migrate that session to a user's browser from the server?
If I'm understanding correctly, you want your server code to browse to a separate site behind the scenes, do something there that creates a session, and then redirect the user of your app to that separate site, but using the same session you created.
If the session is maintained using a cookie, as is likely, than no, you can't -- you'd have to set the cookie in the user's browser as if it came from that other site, and you can't. In general, this seems like it would be prevented by any sort of session hijacking protection, which most decent sites do have.
The alternative, I suppose, is to proxy for your user for their entire use of that other site (i.e. they click on stuff in your app and you pass it on to the other site behind the scenes).
I would suggest to use simpletest's scriptable browser ( http://simpletest.sourceforge.net/en/browser_documentation.html ) to keep track of states while browsing the interwebs form your PHP codez
Probably not - That call to cURL / file_get_contents will likely generate specific session information for the machine that requested it (i.e. your server). The remote machine should be keeping track of things like IP address and other identifiable information to prevent such a maneuver.
If this is possible, then your shopping cart software is horrifically vulnerable to session hijacking.
I don't believe that is possible. But you can start a session between the user's browser and your server, which keeps track of the session cookie that the remote web page issues you.