Cookie encryption

#1
I'm trying to mix the CI3 framework with a node.js server (socket.io) to make real-time chat rooms depending on CI's user groups.

I'm using the Redis driver and I need to pass data from the PHP server to the node server.

As I'm using Redis for session management, I suppose that I could just pass the session_id of the logged-in user to node (reading the cookie generated by CI), and from this ID retrieve the Redis session data with node. (Basically I need to know the group of the logged-in user.)

I don't understand how cookie encryption works in CI. I just get a hash. I don't know how to decrypt it, and I don't know how CI can retrieve its own data inside.
Reply

#2
There's nothing to decrypt - the hash is the data, i.e. the session ID.
Reply

#3
Then how does CI store session userdata with Redis? Because when I browse the Redis table, I just see
ci_session:127.0.0.1:7dbef53e55bc194e8fbc4a00ad729bd9a9a7c25a
__ci_last_regenerate|i:1458519122;
Where is my data?

In addition, after some reading in the session library, I found that cookies set by CI are flagged httponly. That's why I misunderstood the reaction of my get_session_id JS function. It seems that I just can't get the session_id from local node without setting the httponly param to false (which is not a good idea for security reasons). So I just wonder how I could pass data from the PHP server to node.
Reply

#4
(03-21-2016, 09:22 AM)saturnales Wrote: Then how does CI store session userdata with Redis? Because when I browse the Redis table, I just see
ci_session:127.0.0.1:7dbef53e55bc194e8fbc4a00ad729bd9a9a7c25a
__ci_last_regenerate|i:1458519122;
Where is my data?

In addition, after some reading in the session library, I found that cookies set by CI are flagged httponly. That's why I misunderstood the reaction of my get_session_id JS function. It seems that I just can't get the session_id from local node without setting the httponly param to false (which is not a good idea for security reasons). So I just wonder how I could pass data from the PHP server to node.

The session ID stored in the cookie tells CI which particular Redis cache item to read/write.
Or if you're using file-based sessions (which PHP also does by default) - which file to use; for databases - which database row to look for.

Most session implementations work like this.

But I can't answer your other question ... it's too broad.
Reply

#5
OK, thanks for the answer. I'm really trying to get to know CodeIgniter better; I'm still a beginner.

I'll try to be more precise. I have 2 web servers: the PHP/CodeIgniter web server, and a node.js server.

All I want is to let the node.js server know some data present in the CI session userdata (the user group, mainly).

I could just display it in a view with PHP, take it with JavaScript, and send it with socket.io to the node.js server, but I don't want to: the node.js server will use this group name to instantiate a socket used to join group chat rooms. If I let the client side know the real name of the socket/room, it would be easy to join any socket, connected or not. So I have to share session data between node.js and Apache. That's fine: Redis is made for that!

I had the idea to read the session_id locally from the user cookie, then send this ID to the node server, and retrieve the Redis session from the Redis server side. It was possible with CI2, but now CodeIgniter 3 flags the cookie as "httponly": I can't read userdata from the user's active cookie locally with JavaScript. I suppose there are good reasons for this.

Then I decided to make a small function inside a controller:


Code:
public function get_sessionid() {
    // Echo the Redis key of the current session, or 'disconnected' if not logged in
    if ($this->session->userdata('logged_in')) {
        echo "ci_session:".$this->input->ip_address().':'.$this->session->session_id;
    } else {
        echo 'disconnected';
    }
}


I call this function from an AJAX query locally ($.get), and I send the result to my node server.

Now my node.js server can retrieve the right session with Redis.

My first question: is this a bad way to do it? I'm not really confident.

My second question: I read that CI2 used to store session userdata in JSON. Now I get a strange format that I don't understand:

For example:
Quote: __ci_last_regenerate|i:1458680030;id|s:2:"17";name|s:1:" ";email|s:26:"[email protected]";isAdmin|s:1:"0";logged_in|b:1;

How is it parsed?
Reply

#6
Have you tried using WebSocket? There are several PHP WebSocket libraries on GitHub you can try. Or you can search NPM for a package to parse the PHP session. Read more at http://stackoverflow.com/questions/32266...javascript
Keep calm.
Reply

#7
That's not a good solution, and it probably can't work ... if you're trying to read the serialized session data, you're doing something very wrong.

People with similar ideas have asked the same questions in other threads - use the search function to find them.

(03-22-2016, 05:10 PM)saturnales Wrote: My second question: I read that CI2 used to store session userdata in JSON. Now I get a strange format that I don't understand:

For example:
Quote: __ci_last_regenerate|i:1458680030;id|s:2:"17";name|s:1:" ";email|s:26:"[email protected]";isAdmin|s:1:"0";logged_in|b:1;

How is it parsed?

CI2 didn't use JSON, and you can't parse this.
Reply

#8
(03-22-2016, 08:16 PM)arma7x Wrote: Have you tried using WebSocket? There are several PHP WebSocket libraries on GitHub you can try. Or you can search NPM for a package to parse the PHP session. Read more at http://stackoverflow.com/questions/32266...javascript

Thanks, I found php-unserialize on npm. Exactly what I was looking for.
Reply
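
The `key|value;` text quoted in this thread is what PHP's default `php` session serialize handler writes: each key, a `|`, then a `serialize()`d value. The decoder below is an added example, not code from the thread, from CodeIgniter or from the php-unserialize package; `decodePhpSession` and `SAMPLE` are hypothetical names and the sample data is constructed. It handles scalars and arrays, counts string lengths in bytes, and refuses object types.

```javascript
// Constructed sample in the thread's format (not real session data).
// "\u00eb" is 2 bytes in UTF-8, so the 5-character name has length 6.
const SAMPLE = '__ci_last_regenerate|i:1458680030;id|s:2:"17";' +
  'name|s:6:"Zo\u00eb;|";prefs|a:1:{s:4:"lang";s:2:"fr";}logged_in|b:1;';

function decodePhpSession(raw) {
  const buf = Buffer.from(raw, 'utf8'); // s:<n> counts bytes, not characters
  let pos = 0;
  const until = (ch) => { // read up to the next delimiter and step past it
    const end = buf.indexOf(ch, pos);
    if (end === -1) throw new Error(`missing "${ch}" after offset ${pos}`);
    const text = buf.toString('utf8', pos, end);
    pos = end + 1;
    return text;
  };
  const expect = (ch) => {
    if (buf[pos] !== ch.charCodeAt(0)) throw new Error(`expected "${ch}" at offset ${pos}`);
    pos += 1;
  };
  const value = () => {
    const type = String.fromCharCode(buf[pos++]);
    if (type === 'N') { expect(';'); return null; }
    expect(':');
    if (type === 'i') return parseInt(until(';'), 10);
    if (type === 'd') return parseFloat(until(';'));
    if (type === 'b') return until(';') === '1';
    if (type === 's') {
      const len = parseInt(until(':'), 10);
      expect('"');
      if (!(len >= 0) || pos + len > buf.length) throw new Error('bad string length');
      const str = buf.toString('utf8', pos, pos + len);
      pos += len;
      expect('"'); expect(';');
      return str;
    }
    if (type === 'a') {
      const count = parseInt(until(':'), 10);
      expect('{');
      const out = Object.create(null); // no prototype: keys like __proto__ stay inert
      for (let i = 0; i < count; i++) { const k = value(); out[k] = value(); }
      expect('}');
      return out;
    }
    throw new Error(`unsupported type "${type}"`); // objects (O:, C:) are refused
  };
  const session = Object.create(null);
  while (pos < buf.length) { const key = until('|'); session[key] = value(); }
  return session;
}
```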

#9
Quote:if you're trying to read the serialized session data, you're doing something very wrong.

The fact is that I don't see any other solution. Why is it wrong?

For example, if I create a controller function which generates a key with a unique hash and a value equal to the session userdata values, and insert that key:value into Redis, it would be the same result as reading the Redis session directly, but I have to make that entry be destroyed automatically... that is exactly what the PHP session does.

I found some explanations on other forums which don't concern my particular case, but I can't find any related subject on this forum.
Reply
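
The separate key:value entry described in post #9, sketched as a short-lived, single-use ticket so that neither the session ID nor the room name reaches browser JavaScript. This is an added example, not code from the thread or from CodeIgniter: `TicketStore`, `issueTicket`, `redeemTicket`, the `chat_ticket:` prefix and the 30-second lifetime are assumptions, the in-memory map stands in for Redis, and the issuing side (the PHP controller's role) is written in JavaScript only to keep one runnable file.

```javascript
const { randomBytes } = require('node:crypto');

// In-memory stand-in for Redis so the example runs offline (assumption).
// With real Redis: SET key value EX ttl NX to issue, GETDEL key to redeem.
class TicketStore {
  constructor(now = () => Date.now()) { this.now = now; this.items = new Map(); }
  setEx(key, value, ttlMs) {
    this.items.set(key, { value, expires: this.now() + ttlMs });
  }
  getDel(key) {
    const hit = this.items.get(key);
    this.items.delete(key); // single use: gone after the first lookup
    return hit && hit.expires > this.now() ? hit.value : null;
  }
}

const TICKET_TTL_MS = 30000; // hypothetical lifetime

// Role of the CodeIgniter controller: called only for a logged-in user.
// Stores just the fields the chat server needs, never the session ID.
function issueTicket(store, user) {
  const ticket = randomBytes(32).toString('hex'); // 256 bits, unguessable
  const payload = JSON.stringify({ id: user.id, group: user.group });
  store.setEx(`chat_ticket:${ticket}`, payload, TICKET_TTL_MS);
  return ticket; // returned to the browser, which forwards it over socket.io
}

// Role of the node.js server: redeem the ticket and choose the room itself.
function redeemTicket(store, ticket) {
  if (typeof ticket !== 'string' || !/^[0-9a-f]{64}$/.test(ticket)) return null;
  const raw = store.getDel(`chat_ticket:${ticket}`);
  if (raw === null) return null; // unknown, expired or already used
  const { id, group } = JSON.parse(raw);
  return { id, room: `group:${group}` }; // room name is derived server-side
}
```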

#10
It's a very, very, very, VERY broad topic - a whole book could be written on it. You simply can't reasonably expect anybody to answer all your "why" questions on a forum board ...
I hate to put it this way but: I wrote that whole library, just take my word for it when I say you're doing something wrong with it.

Also, I told you to search within this forum, because I've given other solutions to other people on this forum.
Reply

