PHP
LeonidPokrovskiy, 2019-12-17 13:01:02

How to protect PHPSESSID from theft and leave access to the token for "your" JS? Am I thinking right?

What we are dealing with:
I have a chat server written in Ratchet. The problem is that to access the user's session, I can't just look in $_SESSION and find out what I need, for example, if the user is logged in at all.
Therefore, in order to fix this, I simply take PHPSESSID from document.cookie, send it to the server, there I find a file that belongs to this session and I have all the information about the user's session.
The Heart of the Problem
One way to protect the PHPSESSID cookie is to store the cookie as httponly. Thus, a hacker will not be able to receive this cookie through malicious JS and send it to his server.
But in this case, I will not be able to get this cookie to send it to my WS server.
What am I missing?

1 answer(s)
Alexander Shokhrov, 2019-12-17
@LeonidPokrovskiy

You can request a temporary token via HTTP(S) (the server understands from the cookie which user it gave it to), send a message like "I am such and such, here is a confirmation token, authenticate me" via the socket; the server checks it and, after the check completes successfully, starts treating the given channel as associated with the specified user.
You can also safely use HTTP(S) for anything that isn't directly related to realtime roundtrip (chat messages).
upd: GitHub: how to check if user is authorized
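
The temporary-token exchange described in the answer above, as an added example that is not part of the original answer or of Ratchet: the HTTP endpoint (where the HttpOnly PHPSESSID cookie still identifies the user) issues a short-lived, single-use ticket, and the WebSocket server verifies it on the first message. The function names, the HMAC-signed ticket format, the 30-second lifetime and the shared key are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: issueTicket, verifyTicket and TICKET_TTL are hypothetical names.
const TICKET_TTL = 30; // seconds a ticket stays valid (assumed value)

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// HTTP side: called from an ordinary PHP endpoint after session_start(),
// once the HttpOnly session cookie has identified the logged-in user.
function issueTicket(int $userId, string $key, int $now): string {
    $payload = b64url(json_encode([
        'uid' => $userId,
        'exp' => $now + TICKET_TTL,
        'jti' => bin2hex(random_bytes(16)), // unique id, makes single use possible
    ]));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, $key, true));
}

// WebSocket side: called on the first message of a new connection.
// Returns the user id, or null if the ticket is forged, expired or replayed.
function verifyTicket(string $ticket, string $key, int $now, array &$usedJti): ?int {
    $parts = explode('.', $ticket);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, $key, true));
    if (!hash_equals($expected, $mac)) {
        return null; // signature mismatch, compared in constant time
    }
    $data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($data) || !isset($data['uid'], $data['exp'], $data['jti'])) return null;
    if ($data['exp'] < $now || isset($usedJti[$data['jti']])) return null;
    $usedJti[$data['jti']] = $data['exp']; // remember the id until the ticket expires
    return (int) $data['uid'];
}

// Constructed demo values; in practice the key is a secret shared by both processes.
$key  = random_bytes(32);
$used = [];
$ticket = issueTicket(42, $key, time());
var_dump(verifyTicket($ticket, $key, time(), $used)); // first presentation
var_dump(verifyTicket($ticket, $key, time(), $used)); // same ticket presented again
```

The session cookie never has to be readable from JavaScript: the page script only ever sees the ticket, which is useless after one use or after it expires. The in-memory `$usedJti` array is enough when the WebSocket server is a single long-running process; entries past their `exp` can be pruned periodically.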
