Geek Answers Handbook

How to share a Laravel session using node?

I am setting up a socket.io server to handle, well, socket requests. This runs on port 1234. This runs in parallel with laravel 5.1. Laravel uses redis to handle sessions.

I have a lot of tutorials on connecting laravel with socket.io, all this is pretty straight forward. I can connect, reply, and forward messages back to the socket and to the laravel application.

However, each tutorial avoids authenticating this setting. After the message is received on the socket: space 1234, how do I pass this message to laravel, making sure the request is authenticated.

Ideally, I would just share the session and check the XSRF token. Since the two applications are on different ports, I cannot directly pick up the session.

I am currently using an alternative approach, which includes the following:

  • After connecting the socket (in node), I decrypt the cookie sent on connection using the node Crypto library and the node PHPUnserialise library.
  • This gives me the laravel session id (from the cookie).
  • I use this to access a redis laravel session
  • Then I decrypt this session, which in turn gives me access to the user ID

This works, but I feel that it could potentially be a security hole, because I don't actually use _token to verify the origin.

+8
php laravel
source share
2 answers

I think your code is correct, and perhaps the only way to do this. Session_id is usually stored in a cookie and at some point should be sent to the server. Since node and php are different languages, they cannot directly transmit the session. You always need intermediate storage like redis, mysql or the file system. And of course, a way to get a session. The key to session extraction is, of course, session_id.

An interesting post about protecting web cards:

https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html

He suggests adding a random generated key to your session, which you can check when establishing a connection to a web socket.

Session_id itself is already random, but these session_id are usually durable, so a short-lived random identifier can increase security. The short-term should be as short as possible: let php add it to the database, and as soon as the connection is checked in node, remove it from the database so that you cannot use it again.

There are many additional methods for checking the session, such as checking the browser line or fixing the session to one ip address:

http://phpsec.org/projects/guide/4.html

I would not recommend these types of checks, since they actually do not add additional security, only annoyance with the end user.

Most importantly, I think that:

  • You are using a secure session_id communication method, etc. This means that HTTPS
  • Sessions should end when the user closes their browser
  • The user should be notified if he connects from another place or must have access to his "logbook"
+7
source share

I found a good solution for this about a year ago. I decided to make it a module, it is very easy to use. helps you get cookies without hard coding. help you get this session id and get it from mysql and redis

https://www.npmjs.com/package/node-laravel-session

0
source share

More articles:


All Articles