通过cookie在php和node.js之间安全地共享数据
我有一个 PHP 网站,为了实时更新和聊天,我安装了 Node.js 并且它运行良好。
PHP 和 Node.js 都可以访问相同的 MySQL 数据库。
但问题是验证已经登录 PHP 站点的用户的身份。
我不想通过任何方式与 PHP 应用程序交谈,无论是否 REST。因为,对我来说,这将违背使用 Node.js 的相同目的,因为每个 Node.js 请求都会发出一个新的 PHP 页面请求。
我想要的是 PHP 和 node.js 都能理解的加密和解密方法,
这样我就可以为 Node.js 请求设置一个带有加密值的 cookie,该请求将位于 update.mydomain.com 子域。通过读取 cookie,Node.js 可以解密其值并验证用户的身份。
所以,我的问题:是否有 PHP 和 Node.js 支持使用相同加密密钥的加密和相应的解密方法?
更新
实际上我并不期待在客户端解密它:D,因为那样整个解密就没有意义了。我想要做的是-
1) PHP 生成一个 cookie 加密的用户信息,并将该 cookie 用于特定域,如 update.mydomain.com
2) 然后,node.js 将为每个后续请求获取 cookie,并解密数据在服务器端,使用相同的加密密钥。
正如你所看到的,这就是为什么我想知道 PHP 和 Node.js 之间是否存在通用的加密/解密系统,以便其中一个加密的数据可以被另一个解密,反之亦然。
这样我就可以安全地将当前登录的用户身份从 PHP 传输到 Node.js,并且我不必担心其他类型的会话管理:)
简而言之,Encrypt by PHP ->通过 Node.js 解密 ->取回相同的数据。可能的?
谢谢,
安坚
I have a PHP site, and for real time updates and chat I have installed Node.js and its running fine.
Both PHP and Node.js have access to the same MySQL database.
But the problem is to verify the identity of an user, who is already logged in to the PHP site.
I don't want to talk to the PHP app via any means, REST or not. As, to me this will defeat the same purpose of using Node.js, as then each Node.js request, a new PHP page request would be made.
What I want is, a encryption and decryption method which is understood by both PHP and node.js
So that I can set a cookie with the encrypted value for Node.js request, which will be at updates.mydomain.com subdomain. By reading the cookie, Node.js can decrypt its value and verify the user's identity.
So, my question: is there any encrypt and corresponding decrypt method that is supported via both PHP and Node.js, using same encryption key?
Updates
Actually i m not looking forward to decrypt it on client side :D as then the whole point of decryption is pointless. What i want to do is-
1) PHP to generate a cookie encrypted user info and use that cookie for a specific domain like updates.mydomain.com
2) Then node.js will get the cookie for each subsequent request, and decrypt the data on server side, using the same encryption key.
As u can see, that is why i wanted to know, if there is a common encryption/decryption system between PHP and node.js, so that encrypted data by one can be decrypted by the other and vice versa.
This way i can securly transfer the current logged in users identity from PHP to node.js and i don't have to worry about session management of other kinds :)
So in short, Encrypt by PHP -> Decrypt by Node.js -> get back same data. Possible?
Thanks,
Anjan
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
这里最好的方法(恕我直言)是将 将会话信息存储在数据库,然后确保 Node 可以读取 PHP 应用程序设置的会话 cookie。
然后它可以根据数据库检查会话 cookie,以确保用户已登录。
加密示例
如果您真的确实想要使用加密,请注意这可能不太安全,并采取比简单地更改 PHP 会话后端需要更多时间,但这里有一个可能有效的示例:
在 PHP 中,加密数据:
并在 Node.js 中解密;
请注意这段代码。我绝不是安全专家,所以如果您想加密任何敏感内容,您应该得到安全专家的同行评审:)
The best approach here (imho) would be to store the session information in the database, and then make sure that Node can read the session cookie set by the PHP app.
Then it can just check the session cookie against the database to make sure the user is logged in.
Encryption example
If you really really want to use encryption, be aware that this'll probably be less secure and take more time to do than simply changing PHPs session backend, but here's an example that could probably work:
In PHP, encrypt the data:
And to decrypt in Node.js;
And please, please be careful with this code. I am by no means a security expert, so if you want to encrypt anything sensitive, you should get peer review from someone who is :)
另一种方法是使用 node.js 作为 PHP 会话存储本身。 Gonzalo Ayuso 有一篇有趣的文章:
http://gonzalo123.wordpress.com/2011/07/25/using-node-js-to-store-php-sessions/
Another approach would be to use node.js as a the PHP session store itself. Gonzalo Ayuso has an interesting article on it:
http://gonzalo123.wordpress.com/2011/07/25/using-node-js-to-store-php-sessions/