My question is simple. How do I securely share laravel session information with my socket.io nodejs app. I've tried many different methods, none of them worked so I'm hoping a expert will pull through. I already know I don’t want to use JWT Tokens. So I guess that just leaves the session cookie data itself. I cannot figure out how to authenticate socket.io with the cookie so that’s what I need help with. I am storing sessions using redis, and using the default authentication system with laravel.
I’ve tried using this library which is great for parsing the session. But it does not authenticate with my socket.io server.
https://www.npmjs.com/package/node-laravel-session
If anyone knows how to fix this problem I would greatly appreciate some help.
I think, you have problem with authentication problem inside socket.io, idea is that you can't share the session from application to application easily, why? because this data is processed between the client's browser (cookie) and the server ( session ), if you want to connect Laravel and Socket.io, first you have to make some kind of flow like:
When user authenticates on website, to set cookie for socket.io as
well (if host is different).
In background you have to share the session data trough database (memcached, redis etc), and with cookie. As you know, if you set laravel session param to work with database, instead of using files, laravel will automatically start saving session data into DB, so it's easy to read the session params from database.
I think you are using node-laravel-session by wrong, I mean if you have node.js application on other server and you use getSessionFromFile, it will not work. make sure you are using it correctly and it'll work. It's easy process itself to make thing like that, but mostly problem is security when you have cross-project sessions.
Related
we are in the process of building a new app in node.js with express that connects to our parse server backend. We have built native apps that already connect to our backend on iOS, Android and PHP. All of them have the ability to log in the user and store the session data securely.
I'ts my understanding that node.js doesn't really store sessions like for example in PHP you can store them as a file on the server or to memcache or redis and test against parse->currentUser() to check if its valid.
How does one do this with node.js? We cant store any session data in a cookie since thats not secure.
Is using express-sessions and redis a good way to handle this?
I'ts my understanding that node.js doesn't really store sessions like for example in PHP...
That's not a totally accurate understanding... it's more that Node.js doesn't really know or care how you handle your sessions. That's where frameworks like Express, and their modules express-session, come into play.
Is using express-sessions and redis a good way to handle this?
If you're using Express, yes. And, with that, you can use whatever session store you want, including Redis, Memcached, files, just like you're used to with PHP.
An approach that I've used in the past is to store your session ID in a cookie, but none of the session content. That will allow you to reconnect with a prior session, as long as it's still valid. You can also use LocalStorage if you want something a little more persistent than SessionStorage. If you want something really persistent, you can manually save your session data to your database, and have the user request it if their browser data has been cleared.
Here I will describe the requirement for my project.
Basically I want to build a chat application which I can embed to different websites for example , site build using wordpress, magento, drupal, custom frameworks ... etc . What I actually need is to embed JavaScript for handling socket chat using (socket.io) on some of the website(wordpress, magento, drupal ....), so what I finally have is a set of javascript code (client side), and a server running in nodejs (with socket.io)
The problem I faced is to manage session for registered users after login. Since my code is embedded on different websites and the node server resides on other server , On each page refresh I faced difficult to validate user session session. Could you please help me how I can manage session in a best way for this application.
If you feel difficulty to understand my need , I can explain in detail with examples
Thanking You
If I understand your problem, you just need to handle user sessions? More specifically on the client side?
Based on the information you give, I will just assume you either return a unique string representing the session on the server to the client. The format of this can either be a cookie, a normal string/token, etc.
For cookies, you shouldn't have much problems, since the browser deals with this. Although you might need to set it up correctly on the server.
For tokens/strings that needs to be returned to the server for each request requiring authentication, you should store it in the session-storage/local storage of the browser, depending on your need. Then you should embed it in every requests back to the server and authenticate it.
I am trying to setup a user login system with Node.js (Express), Socket.io, and Redux/ReactJS. This is the approach I'm taking:
The user connects through Socket.io as soon as he/she gets to the web app.
Through socketio-auth the user is required to authenticate and passes their username and password to the server.
Then, using socket.io-express-session, like in this example, I set a cookie with the user's username and password, so that every time they come back to the website they can be re-authenticated through socketio-auth. (I realize I could probably save a unique token in the cookie instead, would this be better?)
On the server, upon authentication, I just save their details with their socketId to the Redux store for use with every Socket.io request while the session lasts.
Assuming this is all done over SSL, is this safe? What changes would you suggest? I'm trying to make it as simple as possible yet still very safe.
It seems like point 3, with Local Storage, is the best way to go for now.
See someone else interrogation: https://github.com/hueniverse/hawk/issues/138#issuecomment-196989520
I have two sailsjs applications running on the same machine (locally), with the first providing REST endpoints for the second. I use the same browser to interact with both the applications. The apps run on different ports.
The problem is, each time I access one application from the browser, the session for the other gets lost, requiring me to login every time I use the browser for testing the REST endpoints. I tried setting the same session secret for both application as a wild guess but it didn't work.
Is there a way to get around this?
I'm using Firefox and the applications are hosted on localhost:9999 and localhost:1337.
Thanks in advance.
You can store your session in your database, that's what connect-mongo does, for instance. I'm sure you can find something like that for sails too.
The issue was that Sails uses the same cookie name/key ('sails.sid') for each application by default. Accessing different Sails applications made the browser override the same session cookie, leading to the described condition.
Changing the key for every application fixed the problem.
In config/session.js, include a key attribute and set it to something application-specific to avoid using sails.sid.
I have two different applications running on the same server, one is Java-based running in Tomcat with spring-social and spring-security, and the other is a NodeJS application using PassportJS as security framework.
Both apps are configured to access using Google OAuth2 with the same clientId/secret, so I can login with my google account in each of them. But if I change from one of them to another, I need to login again, because the session doesn't exist on the other app.
I'm looking at the session cookies, the Java app creates the JSESSIONID cookie whereas the Node app creates a "connect.sid" cookie. Maybe I could create a session in each app everytime a user do a login? Or I have to deal with OAuth tokens?
Please, could you point me in the right direction? Should I use another library/framework?
Thank you in advance.
This might be of help; it looks like it's relatively easy to change the name of the cookie for Express/Connect. The question then just becomes whether the contents of JSESSIONID and connect.sid are in fact the same.