Sharing session data between Rails and Nodejs

In a previous post I wrote about securing my NodeJS service by enforcing authentication using a session token. Now there was another problem: the node service was vulnerable to identity spoofing because the client tells the service who he is, and the service will always trust him. This is bad.

Fortunately, the Rails app uses Redis as its session store and it already stores the user id in there. So the only thing that left to be done is for Node to read the session data out of Redis.

After a few hours of experimentation and looking around, I learned a few things:

  • Rails serializes the session data before storing it
  • Rails uses the Marshal module to serialize session data
  • The result of serialization is not exactly plain text, which explains some gibberish characters I saw when I print it out in redis-cli / nodejs
  • Marshal is version sensitive
  • There is a nodejs library node-marshal to parse the Ruby Marshal output
  • There is a monkey patch to change the default from marshal to JSON
  • There is another nodejs library called marsha, but for whatever reasons it didn’t work for me

So with node-marshal I was able to deserialize the Rails session data and read it in nodejs, closing the door on spoofing attacks.




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s