Safety between rails and nodes

Question

Safety between rails and nodes

I have an application that is mainly used on rails, but also uses nodejs for some real-time functions like chat. Users log in through Rails and receive a scheduled session, etc., as usual. However, what is the best way to authenticate with nodejs as the same user? For example, I would like to prevent users from personalizing each other, but login is now done on rails, and messaging is done on nodes. Rails and nodejs have access to the same database.

I use devosis and socketio if that matters.

+6

security node.js ruby-on-rails ruby-on-rails-3

jhchen 01 Oct '11 at 23:38

source share

2 answers

You can always generate a one-time token for any user transferred between the rails and node. Much easier than repeating (and supporting) the cryptographic strategy used in development and rails.

However, sharing sessions between servers creates a lot of additional work for you and effectively doubles the error surface area (layout, checks, etc.).

Faye is a terrific project that handles this exact use case, so it's probably worth a look :) http://faye.jcoglan.com/

+3

Ed mcmanus Oct 20 '11 at 9:32

source share

Gavin miller · Accepted Answer · 2011-10-01T23:50:59+0000

There are several implementation methods that can help you deal with this. The one that comes to mind is sharing a session cookie that is being developed using nodejs through a database.

IIRC dev creates an encrypted session cookie during authentication; temporarily store this value in your database and let nodejs pull it out of the database to authenticate it. There are probably some difficulties in doing this (porting some of the encryption methods to nodejs, etc.), but if you are making a rails / nodejs application, I'm sure you can handle it .: D

The advantage here is that the user cannot get between the distribution in order to perform the impersonation.

Safety between rails and nodes

More articles: