0

Edit

A simple and effective answer, as pointed out by 04FS and Magnus Eriksson, is to send a crypted token through the IFrame, identifying the user.

Here is what I did :

  1. Create a crypted token with PHP's random_bytes() for each user and store them in the database.
  2. When a user logs in, query the database for the token and place it a $_SESSION variable.
  3. Send the token as a parameter to the url in the IFrame.

<iframe src="http://localhost:3381/?token=(some hashed string)"></iframe>

(note : it may be better not to use the easily recognizable word "token" but something else)

  1. Query the same database from the Node.js server, looking for the token, and log in the correponding user.

End edit

I am pretty new to web developpment.

I am working on a PHP/Node.js hybrid web app. I am using PHP to build the page, and Node.js with Express.js and Socket.io to build a real-time chatbox.

At the moment, I am using an IFrame in my PHP Page to display the chatbox from the Node.js server. It seems to be the best solution, as I cannot use php functions such as file_get_content() to query the Node.js server, because I need the real-time display.

Here is what works :

index.php on localhost:8080 (Apache)

<iframe src="http://localhost:3381/?userid=1"></iframe>

The Node.js server on localhost:3381 (routing done with Express.js)

app.get('/', function (req, res) {
  res.sendfile(__dirname + '/template-chat.html');
  console.log(req.query.userid);
});

The template-chat.html file contains the chat interface.

So everything works as I desire : the chatbox is updated in real time while the user navigates the website.

My problem is : I want to identify the user that is typing messages in the chatbox. I want to be sure it is the same that navigates the PHP website (I already did a PHP/Mysql login form). I obviously cannot do what I did here, sending the user id in the url, as someone simply has to manually change this id to be identifyed as someone else.

I do not think I can make an http.get request from Node.js to Apache, because PHP does not keep the user's data in memory.

I read here : PHP, nodeJS and sessions that I can use memcached to get the content of a PHP session inside my Node.js server.

This is what I am trying to achieve right now, but it seems that it needs extensions / drivers I am unfamiliar with, so I am asking if there is a better or simpler or more secure solution than memcached to identify the user on the chatbox, maybe by sending login credentials (or even a simple user_id) from PHP to Node.js.

Thank you !

Improve this question
4
  • if you are using express then you can manage view pages using express/nodejs, no need of php when you are using one backend technology, because with only one technology it would be easy integration. Commented Oct 23, 2019 at 12:35
  • 1
    Send the user id, and a hash of (user id + some secret value). On the receiving end, calculate the hash from the passed user id value and the same secret again, and check if it matches the hash value that was send … if yes, the user id can be considered genuine. Commented Oct 23, 2019 at 12:46
  • 1
    You could generate a random token for each user that you pass to the iframe. If you use random_bytes() with a decent length to generate the token, it's not very probable that someone manage to guess someone elses token. Commented Oct 23, 2019 at 12:51
  • Thanks a lot, it is simple indeed. I'm editing my answer. Commented Oct 23, 2019 at 13:10
Related questions
2
Writing a login in node.js using express
1
Passing Username and Password with IFrame
2
Node.js username and password authentication
Load 7 more related questions Show fewer related questions

0

Reset to default

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.