Reputation: 307
I have a small question about the possibility of changing authentication on my C# server from Login\Password to a PHP session. I am using PHP, HTML5, and JavaScript on the client side, and a C# server with a WebSockets lib on the server side. I already have authorization code, but it works only with login and password.
Well, I have the same authentication code that checks login & password via PHP. But how can I authorize a client on the C# server using WebSockets with a PHP session instead of the account login & password?
Is this possible? And is there any piece of code, demo, etc. for it?
Upvotes: 4
Views: 438
Reputation: 365
Generate an access token that your C# server can validate. This is how I would implement it:
Share a secret between your PHP and C# server (e.g. 64 random bytes).
When PHP validates the user/login, generate a token: it contains random characters, the user ID and a signature that was created using the shared secret. E.g. something like this:
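// 32 bytes from the CSPRNG; random_bytes() replaces mcrypt_create_iv(), which was removed in PHP 7.2
$random = base64_encode(random_bytes(32));
// token = random _ userID _ HMAC-SHA256(random _ userID), keyed with the shared secret
$token = $random . '_' . $userID . '_' . hash_hmac('sha256', $random . '_' . $userID, SHARED_SECRET);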
The C# server can then verify this token by calculating the HMAC signature from $random and $token with the shared secret. If correct, the C# server can work with the $userID and the MySQL database.
As long as you pass the token to your JS code via https, you should be secure.
P.S.: You can improve the security of this scheme by adding an expiration date to the token and making your JS code request a new token in time. Don't forget to include the expiry in the signature.
Upvotes: 2
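The C# side of the check described in the answer above, as an added example that is not part of the original answer: it splits the token, recomputes the HMAC-SHA256 over random_userID and compares in constant time. It assumes .NET 6 or later, a user ID without underscores, and a secret whose bytes match PHP's SHARED_SECRET; the names SessionToken, TryVerify and Demo are hypothetical, and it covers the base token format without the expiry from the P.S.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SessionToken
{
    // Token layout from the answer: random '_' userID '_' hex(HMAC-SHA256(random '_' userID)).
    public static bool TryVerify(string token, byte[] sharedSecret, out string userId)
    {
        userId = string.Empty;
        string[] parts = (token ?? string.Empty).Split('_');
        if (parts.Length != 3 || parts[1].Length == 0) return false;

        byte[] expected;
        using (var hmac = new HMACSHA256(sharedSecret))
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(parts[0] + "_" + parts[1]));

        byte[] presented;
        try { presented = Convert.FromHexString(parts[2]); } // hash_hmac() emits hex
        catch (FormatException) { return false; }

        // Constant-time compare; also returns false when the lengths differ.
        if (!CryptographicOperations.FixedTimeEquals(expected, presented)) return false;

        userId = parts[1]; // trust the ID only after the signature checked out
        return true;
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample values; the real secret must match the bytes of PHP's SHARED_SECRET.
        byte[] secret = Encoding.UTF8.GetBytes("constructed-demo-secret");
        string body = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32)) + "_42";
        string sig;
        using (var hmac = new HMACSHA256(secret))
            sig = Convert.ToHexString(hmac.ComputeHash(Encoding.UTF8.GetBytes(body))).ToLowerInvariant();

        Console.WriteLine(SessionToken.TryVerify(body + "_" + sig, secret, out string id) + " " + id);
        // Same signature, different user ID: must be rejected.
        string forged = body.Replace("_42", "_43") + "_" + sig;
        Console.WriteLine(SessionToken.TryVerify(forged, secret, out _));
    }
}
```

The WebSocket handler would call TryVerify on the token the client sends first and close the connection when it returns false.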