Sharing a rails session with an erlang server
I'm planning a multiplayer web turn-based game. The entry point will be a normal rails application, but the backend will be written in erlang. I will probably use socket.io for communication.
The thing is, how should I approach sessions sharing between rails and erlang? I can think of several options, you can provide more if you want :D
- Setting the rails session cookie httpOnly value to false, and deserializing it on the erlang side. I have already tried this with a custom websocket server in erlang. It works but it's a bit less secure and I am tied to ruby 1.8 because I haven't found a library to unmarshal ruby 1.9 stuff from erlang. Apart from that, socket.io in erlang does not provide a way to get the request headers yet.
- Token based approach. Ideally, the client would send some token and erlang should be able to certify that the user is who they are supposed to be. I'm not sure about how this should be done.
- HTTP API. The rails application can provide some API that the erlang server can use to check the user credentials.
Please tell me about your experiences with similar problems and how you handled them. Thanks in advance!
I have used the second approach, to have one app generate a token that you can then later authenticate and authorize in an erlang app. This works out very well, as the two systems are completely independent from each other except for creating the token in the same way.
With this approach, however, you have to take special care that the token cannot be recreated by users. For example, if a user were to discover how to create a valid token for a different user, he could access any user account in your system. Please understand that crypto is hard and even the professional crypto guys get it wrong from time to time. I would suggest asking an expert in the area for help on how to create the token.
The third option of asking the first app for authenticating and authorizing the token could also be a viable solution. The problem I see with this is that you would only like to call the first app once per token and authenticate and authorize the token in the following requests inside the erlang app. Another problem is that your erlang app is now depending on your rails app.
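An added example, not part of the original answer and not the answerer's own scheme: one common way to build a token that users cannot recreate is to have the Rails side sign the user id and an expiry time with HMAC-SHA256 under a key known only to the two servers. The `SessionToken` module, the `uid`/`exp` field names and the demo key are assumptions made for illustration; the Erlang server would repeat the `verify` steps with the same key.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed demo key; a real deployment shares a long random key out of band.
SECRET = "constructed-demo-key-not-for-production"

module SessionToken
  module_function

  def b64(data)
    Base64.urlsafe_encode64(data, padding: false)
  end

  # Constant-time comparison so the check does not leak how many bytes matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Issuer side (the Rails app): bind the user id to an expiry time and sign both.
  def issue(secret, user_id, ttl: 300, now: Time.now.to_i)
    payload = b64(JSON.generate({ "uid" => user_id, "exp" => now + ttl }))
    mac = b64(OpenSSL::HMAC.digest("SHA256", secret, payload))
    "#{payload}.#{mac}"
  end

  # Verifier side (the steps the Erlang server would mirror).
  # The MAC is checked before the payload is parsed.
  # Returns the user id, or nil for a malformed, forged or expired token.
  def verify(secret, token, now: Time.now.to_i)
    payload, mac, extra = token.to_s.split(".", 3)
    return nil if payload.nil? || mac.nil? || extra
    expected = b64(OpenSSL::HMAC.digest("SHA256", secret, payload))
    return nil unless secure_equal?(mac, expected)
    claims = JSON.parse(Base64.urlsafe_decode64(payload))
    return nil unless claims.is_a?(Hash) && claims["exp"].is_a?(Integer) && claims["exp"] > now
    claims["uid"]
  rescue ArgumentError, JSON::ParserError
    nil
  end
end
```

A token built this way stays valid until its expiry, so the lifetime (`ttl`) should be short and the key must never reach the browser.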
Take a look at this: Panmind