Databases
StackOverflow2013
Postsdbo
POPHP + socket.io (session, authorizing and security problems)
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POPHP + socket.io (session, authorizing and security problems)
    primarykey
    data
    text
    <p>I have a working php application in which I want to add real-time support. I would like to use nodejs/socket.io to add that kind of functionality. <br/><br/> First problem I found was how to properly authorize user on nodejs side (user is already authenticated on php backend through PHP session). Using <strong>socket.handshake.header.cookie</strong> on nodejs side i can parse and get PHP session id, which I can authenticate through redis/memcache/database (depending on what have I used to save session information).<br/> Everything looks cool when user has only one tab/window of the site opened - when having more and using <strong>session_regenerate_id()</strong>, in nodejs the user authenticates with another sessionid key, so I cannot distinguish two tabs by anything other than the socket id they connected with. When user logouts he shouldn't be getting any messages on any tab (because he already logged out on every tab/window from that browser). So on logout message (sent from browser just before the logout PHP things) I should remove all the socket connections connected to the authorized user id. But what if user logges in on two devices (fe. pc browser and an ipad safaris). After logout on one device, he shouldn't be getting any messages on the device he logged out, not on every device. <strong>How can i distinguish connections from different devices/browsers in socket.io?</strong> Of course not using <strong>session_regenerate_id()</strong> would be efficent here, but what can I do if I really want to use this feature? <br/><br/> Another problem I have is rather a security issue (or even question). Let's assume that authorized user in application can see page <strong>example.com/user1</strong> (which is a news feed for user1) and cannot see <strong>example.com/user2</strong> (fe. he doesn't have rights to see it). I'd like socket.io to send update messages to browser when user is on <strong>example.com/user1</strong>, and of course not to send when user is on <strong>example.com/user2</strong> site. On socket.io side I can read the referer address (so presumably, when user is on user2 site he does not get any socket.io connection). The question is: <strong>should I compare the referer address with the rights of authenticated user on node.js side? Or maybe the referer value is <em>safe</em> on the node.js side?</strong> Adding another db check on node.js side would slow it down (because almost every request there should be same database check on two sides - PHP and node.js). <br/><br/> Or maybe the whole concept of socket.io + PHP application working the way I presented is wrong? </p> <p><strong>UPDATE</strong> <br/><br/> I think I found a way to omit problems with the first question - basically I just add another cookie (besides PHPSESSID) fe. named NODESESSID, which I generate (fe. using uniqid()) when user is authorized. Now authorization on node.js side is comparing PHPSESSID and NODESESSID (both must match). Now, when user logges out he delivers the message <em>logout</em> to socket.io and socket.io disconnects all the sockets with NODESESSID. This is like connecting the benefits of regenerating session id and not regenerating session id (but is not vulnerable to session fixation, isn't it?). </p>
    singulars
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PTQuestion
    1. USpatryk
    1. USpatryk
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PO
      singulars
      1. PTAnswer
    2. PO
      singulars
      1. PTAnswer
    1. VO
      singulars
      1. POPHP + socket.io (session, authorizing and security problems)
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. POPHP + socket.io (session, authorizing and security problems)
      1. USDan
      1. VTFavorite
    3. VO
      singulars
      1. POPHP + socket.io (session, authorizing and security problems)
      1. This table or related slice is empty.
      1. VTUpMod
    1. COwell my guess is that the referer is taken from the http headers, so i wouldn't consider it safe.
      singulars
      1. POPHP + socket.io (session, authorizing and security problems)
      1. USsupernova
    2. COI am having the exact same issue on your second question, did you by chance find a way around this?
      singulars
      1. POPHP + socket.io (session, authorizing and security problems)
      1. USVincent Cohen
    3. COwhy not control by a session variable the access rights to the pages ? for example user1 can see his profile, but not user2 profile that the user2 choosed not to make public .. `$_SESSION["current_page"]="http://www.example.com/user1"; $_SESSION["canview"]=check_user_rights($_SESSION["userid"],$_SESSION["current_page"]` on nodejs `if(user1.canview){ // do stuff }else{ // do other studff }`
      singulars
      1. POPHP + socket.io (session, authorizing and security problems)
      1. USGntem
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload