javascript - How to organize authentication in websockets

Question

I have project on php and websocket server, written on C using libwebsockets.

And i have to organize some authentication logic between client side js code and server side.

On php i use sessions with PHPSESSID cookie set on client side after successfull login.

I can access that cookie on websocket server but,

how to compare it with session_id() on server's php side?

question from:https://stackoverflow.com/questions/65883573/how-to-organize-authentication-in-websockets

Answer 1

You will need to create an API endpoint for your js on the client side to call and provide the cookie ID to a PHP function. The PHP function with then do the comparison and provided a response to the API call of either validate pass or fail.

i.e

JS calls > https://example.com/api/varifyuser with JSON

{ 
  user_id: 321, 
  session_id: [ENTER PHPSESSID]
}

PHP does comparison and returns

{response:   
  {
    valid_session: true, 
    session_token: 123ad12dasf312af3123, 
    user_id: 321, 
    session_id: 123ABC
  }
}

All comparisons should be handled on the server side to maintain security. Anything done on the client side is exposed to easy interception and vulnerabilities

---

Basic example of processing the sent key from cookie on PHP server

    if(preg_match("/Sec-WebSocket-Key: (.*)
/", $headers, $match))
        $key = $match[1];

    $comparedKey = $key.'2642975-A114-47DA-95CA-342345685B11';
    $comparedKey = base64_encode(sha1($comparedKey, true));

    $upgrade = "HTTP/1.1 101 Switching Protocols
".
               "Upgrade: websocket
".
               "Connection: Upgrade
".
               "Sec-WebSocket-Accept: $comparedKey".
               "

";

    socket_write($client->getSocket(), $upgrade);
    $client->setHandshake(true);
    return true;