Sharing data between php and node.js via cookie securely

Question

I have a PHP site, and for real time updates and chat I have installed Node.js and its running fine.

Both PHP and Node.js have access to the same MySQL database.

Answer 1

Another approach would be to use node.js as a the PHP session store itself. Gonzalo Ayuso has an interesting article on it:

http://gonzalo123.wordpress.com/2011/07/25/using-node-js-to-store-php-sessions/

Answer 2

The best approach here (imho) would be to store the session information in the database, and then make sure that Node can read the session cookie set by the PHP app.

Then it can just check the session cookie against the database to make sure the user is logged in.

Encryption example

If you really really want to use encryption, be aware that this'll probably be less secure and take more time to do than simply changing PHPs session backend, but here's an example that could probably work:

In PHP, encrypt the data:

<?php
$encryption_key = 'somethingverysecretandpreferrablylong';
$vector = 'anotherlongwindedstring';
mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $encryption_key, 'My secret message', MCRYPT_MODE_CBC, $vector);
?>

And to decrypt in Node.js;

var crypto = require('crypto');
var decipher = crypto.createDecipher('aes-256-cbc','InmbuvP6Z8');
decipher.update(crypted_string_from_cookie,'hex','utf8');
decipher.final('utf8');

And please, please be careful with this code. I am by no means a security expert, so if you want to encrypt anything sensitive, you should get peer review from someone who is :)