I am developing a website with a private messaging system built on PHP + socket.io.
From the beginning I passed the `sender_id`, `recipient_id` and `text` to socket.io using `socket.emit`, but later realized that this could easily be tampered with, and I wanted to use my PHP sessions in some way to be sure that the `sender_id` really is the sender's id.
I have the following setup right now, but I don't really understand how to pass the session from index.php to app.js and then connect to redis-server in app.js to read the PHPSESSID entry which holds the user_id.
My code currently looks like the following but is obviously missing the Redis part, which I would really appreciate some help with.
Thanks!
index.php
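<?php
// Gate the chat page on a logged-in PHP session. empty() covers the
// "key not set" case without raising a notice and rejects the same
// falsy values (null, "", "0", 0) the original loose comparison did.
session_start();
if (empty($_SESSION['user_id'])) {
    header("Location:login.php");
    exit;
}
?>
<script>
// The socket server must establish the sender's identity from the
// server-side session (the PHPSESSID lookup the author plans), never
// from anything this page sends: every field of the emitted payload is
// under the browser's control and can be altered by the user.
var socket = io('https://app01.dev.domain.com:8895');
socket.on('connect', function () {
    console.log("Connected to websockets");
});
socket.on('event', function (data) {});
socket.on('disconnect', function () {});
$('.chat-message').keypress(function (e) {
    // Only the Enter key sends; any other key is left to the input.
    if (e.which !== 13) {
        return;
    }
    console.log("send message");
    // The recipient is the 4th dash-separated part of the input's id
    // (e.g. "x-y-z-<friend_id>"). Bail out if the id does not have that
    // shape instead of emitting recipient_id: undefined.
    var idParts = ($(this).attr('id') || '').split("-");
    var friend_id = idParts[3];
    if (friend_id === undefined || friend_id === '') {
        return false;
    }
    var obj = {
        recipient_id: friend_id,
        text: $(this).val()
    };
    socket.emit('chat_message', obj);
    $(this).val('');
    return false;
});
</script>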
app.js
// Bootstrap: TLS server (Let's Encrypt material for this deployment),
// socket.io bound to it, and the redis client the session lookup will use.
var https = require("https");
var fs = require("fs");
var redis = require("redis");
var options = {
  key: fs.readFileSync('/etc/letsencrypt/live/domain/privkey.pem'),
  cert: fs.readFileSync('/etc/letsencrypt/live/domain/cert.pem'),
  ca: fs.readFileSync('/etc/letsencrypt/live/domain/chain.pem')
};
var app = https.createServer(options);
var io = require("socket.io")(app);
// Intended to map user_id (resolved from the PHP session stored in Redis)
// to client.id, so the server rather than the browser decides who sent
// a message.
// var all_clients = {};
io.set("transports", ["websocket", "polling"]);
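io.on("connection", function (client) {
  console.log("Client connected");
  // The sender has to be resolved here from the server-side session (the
  // Redis/PHPSESSID lookup the author plans). The payload of any client
  // event is chosen by the browser, so it must never name the sender.
  //all_clients[USER_ID_FROM_REDIS] = client.id;
  //var user_id = USER_ID_FROM_REDIS;
  client.on("chat_message", function (data) {
    // Check the payload shape before reading fields: index.php sends only
    // recipient_id and text, and socket.io delivers whatever the client
    // chose to emit (not necessarily an object).
    if (data === null || typeof data !== "object") {
      console.log("Dropping malformed chat_message from socket: " + client.id);
      return;
    }
    if (typeof data.text !== "string" || data.recipient_id === undefined) {
      console.log("Dropping chat_message with missing fields from socket: " + client.id);
      return;
    }
    var obj = {
      to: String(data.recipient_id),
      text: data.text
    };
    // The old log printed data.user_id, which index.php never sends (and
    // which would be spoofable if it did); the sender is added once the
    // session lookup above exists.
    console.log("Message inbound from socket: " + client.id + " to: " + obj.to + " with text: " + obj.text);
  });
  client.on("disconnect", function () {
    console.log("Client disconnected ");
    //delete all_clients[USER_ID_FROM_REDIS];
  });
});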
// Start serving on the port index.php connects to.
function onListening() {
  console.log("listening on *:8895");
}
app.listen(8895, onListening);
// Debug heartbeat that re-arms itself every 2 s. Its body is commented
// out, but the timer keeps the process alive and is where the connected
// client map would be printed.
function recursive() {
  //console.log("Connected clients: "+Object.keys(all_clients).length);
  //console.log(JSON.stringify(all_clients));
  setTimeout(recursive, 2000);
}
recursive();
HTTP in itself does not protect against MITM attacks; to protect against MITM the server certificate needs to be pinned.
To protect against a user being spoofed you need authentication, such as logging in or a secret token like Dropbox uses.
Add certificate pinning; that is just jargon for validating that you are connecting to the correct server and not a MITM, by verifying the certificate that is sent by the server. MITM used to be harder, but WiFi has made it easy to connect to the wrong end-point at hotspots; even at home I have seen this.