安全地通过cookie在php和node.js之间共享数据 [英] Sharing data between php and node.js via cookie securely
问题描述
我有一个PHP网站,并为实时更新和聊天我安装了Node.js及其运行良好。
I have a PHP site, and for real time updates and chat I have installed Node.js and its running fine.
PHP和Node.js都有访问权限到同一个MySQL数据库。
Both PHP and Node.js have access to the same MySQL database.
但问题是验证用户的身份,谁已经登录到PHP网站。
But the problem is to verify the identity of an user, who is already logged in to the PHP site.
我不想通过任何方式谈论PHP应用程序,REST或不。因为,对我来说,这将击败使用Node.js的相同目的,因为每个Node.js请求,将发出一个新的PHP页面请求。
I don't want to talk to the PHP app via any means, REST or not. As, to me this will defeat the same purpose of using Node.js, as then each Node.js request, a new PHP page request would be made.
我想要的是PHP和node.js都能理解的加密和解密方法。
What I want is, a encryption and decryption method which is understood by both PHP and node.js
所以我可以设置一个cookie加上Node.js请求的加密值,它将在updates.mydomain.com子域。通过阅读cookie,Node.js可以解密它的值并验证用户的身份。
So that I can set a cookie with the encrypted value for Node.js request, which will be at updates.mydomain.com subdomain. By reading the cookie, Node.js can decrypt its value and verify the user's identity.
所以,我的问题:有什么加密和相应的解密方法, PHP和Node.js,使用相同的加密密钥?
So, my question: is there any encrypt and corresponding decrypt method that is supported via both PHP and Node.js, using same encryption key?
更新
实际上我不期望在客户端解密它:D因为整个解密点是无意义的。我想做的是 -
Actually i m not looking forward to decrypt it on client side :D as then the whole point of decryption is pointless. What i want to do is-
1)PHP生成一个cookie加密的用户信息,并使用该cookie为特定的域,如updates.mydomain.com
1) PHP to generate a cookie encrypted user info and use that cookie for a specific domain like updates.mydomain.com
2)然后node.js将获取每个后续请求的cookie,并使用相同的加密密钥解密服务器端的数据。
2) Then node.js will get the cookie for each subsequent request, and decrypt the data on server side, using the same encryption key.
可以看到,这就是为什么我想知道,如果PHP和node.js之间有一个通用的加密/解密系统,所以加密的数据可以由其他人解密,反之亦然。
As u can see, that is why i wanted to know, if there is a common encryption/decryption system between PHP and node.js, so that encrypted data by one can be decrypted by the other and vice versa.
这样我就可以将当前登录的用户身份从PHP转移到node.js,而不必担心其他类型的会话管理:)
This way i can securly transfer the current logged in users identity from PHP to node.js and i don't have to worry about session management of other kinds :)
简而言之,PHP加密 - > Node.js解密 - >获取相同的数据。可能?
So in short, Encrypt by PHP -> Decrypt by Node.js -> get back same data. Possible?
感谢,
Anjan
Thanks,
Anjan
推荐答案
这里的最佳方法(imho)是存储会话在数据库中的信息,然后确保Node可以读取PHP应用程序设置的会话cookie。
The best approach here (imho) would be to store the session information in the database, and then make sure that Node can read the session cookie set by the PHP app.
然后它可以检查会话cookie
Then it can just check the session cookie against the database to make sure the user is logged in.
如果您确实 希望使用加密,请注意,这可能会不那么安全,需要更多的时间来做,而不是简单地更改PHP会话后端,但这里是一个可能工作的示例:
If you really really want to use encryption, be aware that this'll probably be less secure and take more time to do than simply changing PHPs session backend, but here's an example that could probably work:
在PHP中,加密数据:
In PHP, encrypt the data:
<?php
$encryption_key = 'somethingverysecretandpreferrablylong';
$vector = 'anotherlongwindedstring';
mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $encryption_key, 'My secret message', MCRYPT_MODE_CBC, $vector);
?>
并在Node.js中解密;
And to decrypt in Node.js;
var crypto = require('crypto');
var decipher = crypto.createDecipher('aes-256-cbc','InmbuvP6Z8');
decipher.update(crypted_string_from_cookie,'hex','utf8');
decipher.final('utf8');
请注意这段代码。我绝不是一个安全专家,所以如果你想加密任何敏感,你应该得到同行评审的人是:)
And please, please be careful with this code. I am by no means a security expert, so if you want to encrypt anything sensitive, you should get peer review from someone who is :)
这篇关于安全地通过cookie在php和node.js之间共享数据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
