Skip to content

Instantly share code, notes, and snippets.

@mscdex mscdex/test.js
Last active Apr 30, 2020

What would you like to do?
sharing sessions between node.js and php using redis
var express = require('express'),
app = express(),
cookieParser = require('cookie-parser'),
session = require('express-session'),
RedisStore = require('connect-redis')(session);
app.use(express.static(__dirname + '/public'));
app.use(function(req, res, next) {
if (~req.url.indexOf('favicon'))
return res.send(404);
store: new RedisStore({
// this is the default prefix used by redis-session-php
prefix: 'session:php:'
// use the default PHP session cookie name
name: 'PHPSESSID',
secret: 'node.js rules',
resave: false,
saveUninitialized: false
app.use(function(req, res, next) {
req.session.nodejs = 'Hello from node.js!';
res.send('<pre>' + JSON.stringify(req.session, null, ' ') + '</pre>');
// this must match the express-session `secret` in your Express app
define('EXPRESS_SECRET', 'node.js rules');
// this id mutator function helps ensure we look up
// the session using the right id
define('REDIS_SESSION_ID_MUTATOR', 'express_mutator');
function express_mutator($id) {
if (substr($id, 0, 2) === "s:")
$id = substr($id, 2);
$dot_pos = strpos($id, ".");
if ($dot_pos !== false) {
$hmac_in = substr($id, $dot_pos + 1);
$id = substr($id, 0, $dot_pos);
return $id;
// check for existing express-session cookie ...
$sess_name = session_name();
if (isset($_COOKIE[$sess_name])) {
// here we have to manipulate the cookie data in order for
// the lookup in redis to work correctly
// since express-session forces signed cookies now, we have
// to deal with that here ...
if (substr($_COOKIE[$sess_name], 0, 2) === "s:")
$_COOKIE[$sess_name] = substr($_COOKIE[$sess_name], 2);
$dot_pos = strpos($_COOKIE[$sess_name], ".");
if ($dot_pos !== false) {
$hmac_in = substr($_COOKIE[$sess_name], $dot_pos + 1);
$_COOKIE[$sess_name] = substr($_COOKIE[$sess_name], 0, $dot_pos);
$hmac_calc = str_replace("=", "", base64_encode(hash_hmac('sha256', $_COOKIE[$sess_name], EXPRESS_SECRET, true)));
if ($hmac_calc !== $hmac_in) {
// the cookie data has been tampered with, you can decide
// how you want to handle this. for this example we will
// just ignore the cookie and generate a new session ...
} else {
// let PHP generate us a new id
$sess_id = session_id();
$hmac = str_replace("=", "", base64_encode(hash_hmac('sha256', $sess_id, EXPRESS_SECRET, true)));
// format it according to the express-session signed cookie format
$_SESSION["php"] = "Hello from PHP";
if (!isset($_SESSION["cookie"]))
$_SESSION["cookie"] = array();
echo "<pre>";
echo json_encode($_COOKIE, JSON_PRETTY_PRINT);
echo json_encode($_SESSION, JSON_PRETTY_PRINT);
echo "</pre>";

This comment has been minimized.

Copy link

pharsi commented Jul 4, 2015

Hi Brian, thanks for sharing this with us 😄 I want to see this code in action, I'll be grateful if you could help me run this code and see for myself :)


This comment has been minimized.

Copy link

bensontung commented Jul 29, 2015



This comment has been minimized.

Copy link

josuedor commented Aug 18, 2015

Beautiful! Thank you.


This comment has been minimized.

Copy link

ZeSoft commented Aug 23, 2015

hello brian , i have a problem when i try to set session id to be compatible with express session format i got this error in php :Warning: session_start() [function.session-start]: The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' it's understandable because the session id we set contains : and . and other caracters that are not alphanumeric, second question is how can i get the phpsessid from redis in node ,
i will really appreciate it if u help me ,thanks in advance


This comment has been minimized.

Copy link

ramin-git commented Nov 15, 2015

I have different problem. When first execute "php file" then execute "node js server page" - "node js server page" have not seen session creation from "php file". When vice versa (first execute "node js server page" then execute "php file") session variables have seen in both page


This comment has been minimized.

Copy link

tuxbotix commented Jan 19, 2016

Just as @ramin-git mentioned, I also experienced the issue of express-session not accepting cookie by PHP but other way works.

The issue happens when a new session start, the calls for session_regenerate_id(); (line 45) to (re)generate a new ID for the new session (and cookie). But the next call for session_id() returns empty since both these functions should be called after session_start().


if you are 100% sure that regenerate_id() will not work before session_start() (I'm not completely sure :P), then just replace line 45 and 46 with the following, that way executing regenerate and asking for a session id is avoided. This method should work definitely but I have to do further testing.

$sessHandlerInst=new SessionHandler();

or append the following instead, between line 46 and line 47 (after $sess_id = session_id();, before $hmac = str_replace.... - this will generate a new ID if $sess_id turns out empty (which will be*).

            $sessHandlerInst=new SessionHandler();

Explanation :

Since the expectation for calling

 $sess_id = session_id();

is to generate a new ID which the script modify to match express-session format, calling SessionHandler::create_sid() can be used. Yes the session_regenerate() internally calls create_sid() but will only work if the session has been started (which is not* otherwise setting session ID is not possible).


This comment has been minimized.

Copy link

rustigano commented Jul 17, 2019

what is the best approach for using this with multiple domains?
Example of the domains that need to be aware of the session:


I have tried adding the domain to the cookie (prefixed with and without a dot) but no success yet.

Same problem is in this thread: expressjs/session#633

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.