I recently wrote a socket server in PHP that will handle the connection between an Android phone and my PHP web server. Due to the fact that Android does not support push style alerts, we will use our web server as an intermediate layer to handle our “clicks”.
The socket server is stable, works well, and seems beautiful. While I would eventually like to rewrite this in C, I don't have the skill necessary for this, so I'm going to stay in PHP for at least a short time. From now on, our Android emulator can communicate through the server, receive clicks, etc., so that part is covered.
I am worried that right now anyone can open a socket on my server and get a client connection. Although we will not transfer sensitive data back and forth, I do not want to allow anyone to connect and receive broadcast information, eat my resources and clog up my server as a whole.
The question is, how can I protect such a server? Suppose I work on 25,000 ports - can I configure some kind of SSL level on this port and expect devices such as Android to communicate through this port without any special protocols or jump through hoops?
I decided to ask the connecting clients to authenticate their user against our user database before you are provided with a client connection, but this will require the transfer of credentials in plain text over the network, which I am NOT going to do.
Any suggestions on this subject will be very useful - I am pretty new to direct exchange of TCP with PHP and I feel that I can just skip something simple, which allows authentication at this level.
Additional information: if I can reliably get the correct username and password, I would use MySQL to verify the user, and then accept / reject their connection based on the results of the request.
Thanks in advance.