I am working on an PHP API application that will work an different domains (and hosted on different servers) that need to share user session. Let's say api.a.com and api.b.com.
Back end side, for me, storing session data using a session id key that can be fetch from multiple domain is the easy part.
My main concern is sending session id to both api.a.com and api.b.com. Native PHP session uses cookies to send session id for each request. Having different top level domain, the cookies will not be sent to all domains (unless I explicitly use Javascript to extract it and send it as a request header).
I thought about storing the session id inside the the Json Web Token data sent to the server, but somehow, it feels wrong.
Any thoughts on this?
Use a memcache server. PHP supports saving sessions in memcache.
With Amazon, I have a load balancer front with Linux instances, each connected to memcache.
Then I have a completely different EB application and domain that accesses the same memcache and pulls real time stats, so it's pretty easy to setup access to the same memcache server or cluster from different applications.
Note there's a difference between "memcache" and "memcached" -- either can be used, but they're different servers!
Use a memcache server. PHP supports saving sessions in memcache or mysql.
then use sessionid by http transport.
`
$sid = $_REQUEST['sid'];// receive sessionid
session_start();
session_id($sid); //reset current sessionid by $sid
var_dump($_SESSION["A_DOMAIN_SESSION"]);
var_dump($_SESSION["B_DOMAIN_SESSION"]);
?>`
Related
I am working on a service that sits between a client and an API. A client user does API requests via my service. The API requires several user cookies to be set to authenticate the user and allow requests. The client cannot store cookies, so I am storing all the cookies on AWS EFS. The service is written in PHP and API requests are done using cURL. Cookie handling is done using cURL's CURLOPT_COOKIEFILE and CURLOPT_COOKIEJAR.
The problem is that sometimes the cookie file gets overwritten instead of appended to or updated, leading to API requests failing. I am still trying to find the cause of this, but I am considering saving the cookies to the database instead of in a file. Obviously this will lead to an increased database load, but I cannot think of any other disadvantages. Are there any?
I am setting up a socket.io server to handle, well, socket requests. This is running on port 1234. This is running along side a laravel 5.1 application. Laravel is using redis to handle sessions.
I have plenty of tutorials on hooking up laravel with socket.io, it's all pretty straight forward. I can connect, respond and forward messages back down the socket and to the laravel application.
However every tutorial avoids the auth part of this setup. Once the message is received within the socket:1234 space, how do I forward that message through to laravel while making sure that request is auth'ed.
Ideally I would simply share the session, and verify the XSRF token. Because the two applications are on different ports, I can't pick up the session directly.
Currently I am using an alternative approach, it involves the following:
Upon socket connection (in node), I decrypt the cookie sent up on connection using node's Crypto library and node's PHPUnserialise library.
This gives me the laravel session id (from the cookie)
I use this to access the redis laravel session
I then decrypt that session, which in turn, gives me access to the user id
It works, but I feel it could be potentially be a security hole, because I am not actually using _token to verify the origin.
I think your code is the right, and maybe the only way to do it.
A session_id is usually stored in the cookie, and at some point has to be sent to the server. Since node and php are different languages, they cannot share a session directly. You always need a intermediate storage like redis, mysql or filesystem. And of course a way to retrieve the session. The key to retrieving a session is of course the session_id.
An interesting post about securing websockets:
https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html
What he suggests is to add a random generated key to your session, that you can verify when you the websocket connection is established.
The session_id itself is already random, but these session_id's are usually long-lived, so a short-lived random id could increase security. Short-lived should be as short as possible: let php add it to the database, and once the connection is verified in node, remove it from the database, so you cannot use it again.
There are lots of additional session verification techniques, like checking the browser string, or fixating a session to one ip adress:
http://phpsec.org/projects/guide/4.html
I would not recommend these type of checks, as they don't really add much extra security, only annoyance with the end user.
Most importantly i think is that:
You use a secure way of communicating session_id etc. This means HTTPS
Sessions should expire when the user closes their browser
User should be notified if he connects from a different location, or should have access to his "login log"
I had found a good solution for this about a year ago. I decided to make it a module, its really easy to use. helps you get the cookie without hard coding it. helps you get that session Id and retrieve it from mysql and redis
https://www.npmjs.com/package/node-laravel-session
I am looking for application development in such a way that it should work whether the user has an Internet connection or not.
I am working on a mobile PHP/MySQL based application. Sometimes an Internet connection is not available at the required place. I want to keep the database in a buffer and want to update it as it gets connected with the Internet, so that the application can work without any interruptions.
Depending on how much data you need to be persistent on the client's machine, you might be able to use cookies to save this data.
Here is a simple example of storing some information in cookies
// set the cookies
setcookie("someInfo[key1]", "4815162342");
setcookie("anotherValue", "foobar");
Now, after you have set the cookie, you'll be able to retrieve the data on other pages from the same domain.
echo $_COOKIE['anotherValue'];
// prints "foobar"
print_r($_COOKIE['someInfo']);
// Array(
// 'key1'=>"4815162342"
// )
Reference -
PHP Cookies
setcookie()
You can use Web Storage
Web storage and DOM storage (document object model) are web application software methods and protocols used for storing data in a web browser. Web storage supports persistent data storage, similar to cookies but with a greatly enhanced capacity and no information stored in the HTTP request header. There are two main web storage types: local storage and session storage, behaving similarly to persistent cookies and session cookies respectively.
But that's about it in terms of reasonable data storage on the client
Also see
HTML5 Web Storage vs Cookies
Best way to synchronize local HTML5 DB (WebSQL Storage, SQLite) with a server (2 way sync)
If I'm using PHP to perform a cURL POST to a remote server running code containing session_start(), is it possible to access session variables set on the local machine on the remote?
Unless you've got PHP trans_sid option turned on (BAD idea), POST has nothing to do with session values. That's mediated through a standard cookie.
Cookies are bound by same-domain security settings - they CAN be shared between hosts in the same domain (e.g. foo.example.com and bar.example.com), but an Amazon cookie cannot be shared with Yahoo.
No they do not. Even sending a session cookie, which you can do with cURL POST, will reference a session which exists only on the requesting server.
No.
The session variables are server-specific. They only cross to another server if the session ID were to be set correctly, and if they were using a shared session data-store, such as memcached.
In PHP, you manage the Session on the server... accessing any of the session properties there on the server along side your web application.
How does this translate to an iPhone App? If I'm connection to web services (PHP, ColdFusion), where should I be managing sessions? Or does it work differently in this scenario?
Assuming your PHP code use cookies to track the active session (as opposed to, say, a session id request parameter), NSURLConnection handles cookies for you without any extra work, and it should work the same way it does inside a browser.