Re: Installing encrypted-session-nginx-module with openresty

fc23229

Hello agentzh,

Thank you so much for answering my newbie question in great details. That's very helpful. I discovered openresty only recently and is very impressed by its performance and especially the nice connectivity with memcached and redis.

I asked about the encrypted session module because I am considering migrating my PHP app to openresty. In php it is quite easy to store user specific data at server side like

session_start();

$_SESSION['nickname']= "Dave";

May I ask what would be the best way achieve similar function in openresty? I suppose it is somewhat like authenticate first with the encrypted session module and then get from redis/memcached/mysql, but I am still studying the documentation so your expert advice would be much helpful.

BTW I guess that is unlikely, but is that a way for PHP and openresty-lua to share the same session?

Thanks again and keep up on the good work!

Best Regards,

Arthur

fc2...@gmail.com於 2013年6月11日星期二UTC+8下午4時56分36秒寫道：

The instruction on https://github.com/agentzh/encrypted-session-nginx-module is about installing with native nginx. Is there a easy way to install it with openresty? Would something like ./configure --with-encrypted-session-nginx-module work?

agentzh

Hello!

On Thu, Jun 13, 2013 at 12:40 PM,  <fc2...@gmail.com> wrote:
>
> I asked about the encrypted session module because I am considering
> migrating my PHP app to openresty. In php it is quite easy to store user
> specific data at server side like
> session_start();
> $_SESSION['nickname']= "Dave";
>
> May I ask what would be the best way achieve similar function in openresty?

Just do something like below in Lua for user login:

    local expires = 3600 * 24  -- 1 day
    local nickname = "Dave"
    local binary = ndk.set_var.set_encrypt_session(nickname)
    local base32 = ndk.set_var.set_encode_base32(binary)
    ngx.header["Set-Cookie"] = "session=" .. base32
               .. "; Expires=" .. ngx.cookie_time(ngx.time() + expires)

And then for subsequent authenticated requests:

    local base32 = ngx.var.cookie_session
    local binary = ndk.set_var.set_decode_base32(base32)
    local nickname = ndk.set_var.set_decrypt_session(binary)
    if nickname and nickname ~= "" then
        -- great! successfully authenticated!
        -- go ahead with the nickname...
    else
        -- go to the login page with an error message...
    end

assuming you've also configured encrypted_session_expires as 1 day in
your nginx.conf:

    encrypted_session_expires 1d;

And never never store passwords or other sensitive information in
encrypted sessions! Storing the user ID (and user IP address) only in
the session is recommended.

> I suppose it is somewhat like authenticate first with the encrypted session
> module and then get from redis/memcached/mysql, but I am still studying the
> documentation so your expert advice would be much helpful.
>

The beauty of encrypted sessions is that you do not have to store the
sessions on the server side.

> BTW I guess that is unlikely, but is that a way for PHP and openresty-lua to
> share the same session?
>

As long as you implement exactly the same encryption and decryption
and related verification logic in PHP.

Best regards,
-agentzh