I put in situation:
I have a website entire make in PHP 5.3 and MYSQL, the site need to user to login for get access, the login "simply" check user/password and create a $_SESSION in the domain with the user ID and other user non-personal data.
In PHP i need to read this $_SESSION to detect if user is logued.
Now, i think in create a NodeJS real-time chat with websockets (only work in last browsers obiously, but i looking for pure HTML5 site, not external client-js like socketio.js), but here is my problems:
First problem I need to get the $_SESSION['user'] in the NodeJS, for make this i need to "pull" from PHP TO NodeJS, send a message like "update-this-user-auth" with the $_SESSION['user'] data, but the problem is, first HOW is the best way to pull from PHP Server to NodeJS Server runing in the same (or not..) machine.
And second problem HOW identify the user in NodeJS, because the user have $_SESSSIOn in PHP but i dont know if the request is from user nº1, nº32 or nº 999999.
For the problem of the comunicate from PHP to NodeJS I read some posts, and get 2 ways:
CURL User, usin PHP Curl to "call" a NodeJS service, and send-read data from PHP to NodeJS
Sending messages from PHP to Node.js
DNODE, i found this googling, have good look, but require some extra librarys, and i like to make the code clear and preferably simple.
http://bergie.iki.fi/blog/dnode-make_php_and_node-js_talk_to_each_other/
I thanks to all ideas and comments for the best solution to this two problem.
With PHP:
You can save a random generated key in the database, associated with user's ip, user id and any other session information (time created, last active, expiration date...). Also, save that key in a cookie too.
With Node.js:
Read the cookie, find the key in the DB and check if the session is valid or not.
So, basically, instead of storing all info in PHP, use a shared storage like for example a DB.
Related
This may be a question someone has already asked. (If it is I'm sorry, I could not find another question like this.)
I designed a webapp on PHP-NODEJS-Static HTML. I send a form from the static HTML to the NODEJS app to get approved. If approved I want the nodejs application to redirect to a php page. I already have the nodejs application up on heroku, and it is designed so if it is approved, it automatically redirects to a php page. The problem is that I only want the redirects from the server to be able to display the php page if that makes any sense. How do I go around doing this.
You'll need to have your nodejs, before redirecting, create a secure one-time token. The token should be embedded into the URL pointing to the PHP server (the one that the browsers will follow for redirect), and stored in a database (probably associated with an expiration, umm, say 5 minutes?).
When PHP page receives the request, it should extract the token from the URL, and validate whether the token exists, and only proceed further then. PHP page should also remove the token once used. You will need some sort of a database to store the token, I would recommend Redis, as it has an automatic expiration of keys, so you don't have to worry about clean up, or clogged database.
I have a working php application in which I want to add real-time support. I would like to use nodejs/socket.io to add that kind of functionality.
First problem I found was how to properly authorize user on nodejs side (user is already authenticated on php backend through PHP session). Using socket.handshake.header.cookie on nodejs side i can parse and get PHP session id, which I can authenticate through redis/memcache/database (depending on what have I used to save session information). Everything looks cool when user has only one tab/window of the site opened - when having more and using session_regenerate_id(), in nodejs the user authenticates with another sessionid key, so I cannot distinguish two tabs by anything other than the socket id they connected with. When user logouts he shouldn't be getting any messages on any tab (because he already logged out on every tab/window from that browser). So on logout message (sent from browser just before the logout PHP things) I should remove all the socket connections connected to the authorized user id. But what if user logges in on two devices (fe. pc browser and an ipad safaris). After logout on one device, he shouldn't be getting any messages on the device he logged out, not on every device. How can i distinguish connections from different devices/browsers in socket.io? Of course not using session_regenerate_id() would be efficent here, but what can I do if I really want to use this feature?
Another problem I have is rather a security issue (or even question). Let's assume that authorized user in application can see page example.com/user1 (which is a news feed for user1) and cannot see example.com/user2 (fe. he doesn't have rights to see it). I'd like socket.io to send update messages to browser when user is on example.com/user1, and of course not to send when user is on example.com/user2 site. On socket.io side I can read the referer address (so presumably, when user is on user2 site he does not get any socket.io connection). The question is: should I compare the referer address with the rights of authenticated user on node.js side? Or maybe the referer value is safe on the node.js side? Adding another db check on node.js side would slow it down (because almost every request there should be same database check on two sides - PHP and node.js).
Or maybe the whole concept of socket.io + PHP application working the way I presented is wrong?
UPDATE
I think I found a way to omit problems with the first question - basically I just add another cookie (besides PHPSESSID) fe. named NODESESSID, which I generate (fe. using uniqid()) when user is authorized. Now authorization on node.js side is comparing PHPSESSID and NODESESSID (both must match). Now, when user logges out he delivers the message logout to socket.io and socket.io disconnects all the sockets with NODESESSID. This is like connecting the benefits of regenerating session id and not regenerating session id (but is not vulnerable to session fixation, isn't it?).
For your second questions:
the Referer is not secure, as mentioned in the comments.
I hava a similar problem in my application and this is how it works for me.
first, i hava a single-page app where all traffic goes through the socket, but thats not necessary. it should work with sessions the way you managed it, too.
in nodejs onConnect I ask the backend if the user is authenticated and then store the userid into the socket object (socket.data) and also populate a hashmap to lookup sockets from userids directly.
second, i use Redis and subscribe to a redis list from nodejs (see redis pub/sub). the php backend pushes messages in this list with a userid to address the message. nodejs takes this message (e.g. a new news feed item), looks up the userid in the mentioned hashmap and sends it to the client. so, a user only gets what he is authorized for. the client then decides what to do with the message. if the user is on his feed page, it could add the item. if the user is on someone elses feed, it could simply add a notification somewhere else on the page. it might also discard it.
on the php backend site, this messages are send to redis everytime an event occurs which needs to be shown live on some connected client. if user1 posts on user2's feed, the new item is stored in the database and in the same time is send as message into the redis queue.
this system also helps to reduce DB load since nodejs just need to query a database to make sure the connected user is already authenticated.
Actually, you can avoid using node.js, and use phpdaemon, its written with php and work very good.
I need to add in a survey form to an old asp.net application. I tried using creating another asp.net application but the server doesn't allow.
the survey form will get the user's particulars from a database, after everything is filled up and validation is done, a submit will create an excel spreadsheet, send a email to the user and update the database.
However the web server is not running the page of the new application, error says that a virtual directory is not created for the application and i do not have the access to the IIS manager, i only have the ftp access.
I am thinking of using php to do the job instead. My plan is to pass the session("userid") of the apsx page and call a response.redirect(survey.php). From there the php must know which user had done the survey, so i need to pass a session variable from aspx to php so that i only who is doing the survey.
Is this method possible? If so, how can i pass that session variable?
This seems like a hacky solution. If you are modifying the ASPX to do the response.Redirect, surely you and put your logic there instead of creating a PHP solution alongside?
If you really want to do this (which I don't recommend), just pass it in the QueryString.
response.redirect("survey.php?userid=" + Session["UserId"]).
You could store the session information in the database, to be shared, which would avoid showing the values in the querystring (unless you encrypted it). ASP.Net has a SQLServer mode for session which you might be able to use by querying the DB from PHP. Otherwise just a custom table with the usual expiry date, user id etc. could work.
I have been asked to write to save the data in some secure place after certain task is completed by a client.
Here my client has alot of staffs who makes data entry in online forms provided by some different vendors. After some steps the entered data generates some results. i.e after submitting the web form. Now he wants the generated results to be saved either in local computer or in some online server.
Can it be done by:
1.) Creating a local web server which sits in between the users and the online main third party server and record all the generated results?
2.) Creating a browser extension [m thinking about firefox] and forcing users to navigate via the specific browser and record all the generated results?
**I am pretty sure that second method can work as firebug is doing that only need to add some functionality to save the data.
any idea will be appreciated.
Sorry for mis-leading guys. To make more clear here are some more explanation.
a.) I am writing application to one of my client who has many staffs who enters data in abc.com website.
b.) User submits the data to abc.com.
c.) the website abc.com produces or generates some result as per input data and sends back to user.
d.) Now I need a system which will be inbetween the staffs/user and abc.com website and track the responses of abc.com and save it to some location automatically.
e.) Currently the data entry user will manually save the result to his local computer and if he/she forgets to save then we miss the result so want to do it automatically so that we wont be missing any single result.
A local webserver wouldn't really help so much because of crossdomain issues, unless you wanna go with something as JSONP. In that case, you might wanna use a signed java applet, which (assuming the user accepts the certificate) has any access an installed Java app would have, so it could potentially bind a port and server as HTTP server (I'm not sure how well this works on linux or unix).
Another idea would be to use Flash's local shared objects. Depends on how much data you want to save. You may need to make the Flash visible, so the user can see the dialog for allowing the data to be saved. You can communicate from JavaScript to Flash using ExternalInterface.
Yet the most simple thing is to give the user a permanent cookie, and save the data associated with that cookie on a web server.
greetz
back2dos
Take a look at HTML5 local storage if you don't need a lot of data to be stored or you can use local databases, see http://blog.darkcrimson.com/2010/05/local-databases/ .
You can also sync it with a server once the client is online again..
Almost everything is in the title :
Here's what I'd like to do :
A nice html page with a php authentication process (http first then https & so on)
Launch a flex app which knows (I don't know how (this is the actual question !)) the user has already been authenticated and display his/her stuff he/she has to do for the day (or whatever...).
Of course if someone try to call directly the flex app I would display an "authentication error" message and then redirect to the authentication page.
I'm sorry for my English which is perfectible.
I was thinking about the session cookie : first authenticate then ass a variable on the server side, something like :
$_SESSION['authenticate']=true
Then, on the flex side, just send the cookie and ask if the user is properly authenticated, something like calling a php web page like :
https://is_authenticated.php?php_session=xxxx
Thank you
Olivier
What are you using on the server side? Remember that you shouldn't do anything in the flex application other then send the SESSION ID along with any requests. Any time where the client checks security, you have a bug. The server must validate the session and determine if the request is allowed.
It sounded in your last comment that you are worried about people manually calling a web page. Each page must check to see if the user is authenticated. I don't know your specific application, but you may try looking at AMFPHP and see how they do session authentication. Good luck!
Your on the right track!
You could use session-authentication, these links might help you out:
http://www.zend.com/zend/spotlight/sessionauth7may.php
http://www.tizag.com/phpT/phpsessions.php
There is also the possibility to use http-authentication
http://se2.php.net/features.http-auth
however http-authentication is not as flexible as session-authentication, and also means some more configuration on the serverside.I would therefore recommend you to stick with sessions.
This is exactly what I would do.. A few things to consider from a security standpoint:
If your php service (from flex) gets an unknown session token, always generate a new one. This also applies to your PHP application and is often overlooked.
I would generate the swf with javascript, and manually insert the session cookie using javascript. This way people won't download and safe (or cache) your php pages with sessions that are invalid in the future.
Even better would be to use a separate token other than the session, and on the server figure out what the session id was based on this flex token.