I don't understand how to use Node.js + socket.io with my PHP engine.
Or how do I use this? If this is not PHP, how do I get the userid/username/images?
All the scripts I see on the internet are without security, and anyone can use a username or userid that is not his own (just by changing the JS), and nobody says how to protect against this.
Maybe you can help me and tell me how to do this, with example code :)
Regarding the Security Layer, you should implement your own algorithm. I can't show you an example since it depends on your architecture.
IMHO, I suggest using STOMP over PHP & Node.js. It is simple enough and can handle a great variety of messages (the most common are JSON-body messages).
To scale this solution, I would also suggest using ActiveMQ. ActiveMQ is a message broker, and it can help you implement your security layer since it provides SSL support over STOMP and a username/password option.
This solution has been tested in real life to handle ~6k TPS.
Cheers!
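
An added example, not part of the original answer and not the answerer's code: a minimal STOMP 1.2 text-frame codec in Node.js, showing the broker username/password in the CONNECT frame and a JSON-body message whose user id is filled in by the publishing backend rather than by the browser. The host, credentials, queue name and the `chatFrame` helper are assumptions made for illustration.

```javascript
// Added example: minimal STOMP 1.2 text-frame codec. All values below are constructed.
const NUL = '\0';
const ESC = { '\\': '\\\\', '\r': '\\r', '\n': '\\n', ':': '\\c' };
const UNESC = { '\\': '\\', r: '\r', n: '\n', c: ':' };

// Header escaping keeps a user-supplied value from injecting extra header lines.
const esc = (s) => String(s).replace(/[\\\r\n:]/g, (ch) => ESC[ch]);
const unesc = (s) => s.replace(/\\([\s\S]?)/g, (_, c) => {
  if (!(c in UNESC)) throw new Error('invalid escape in header');
  return UNESC[c];
});
// STOMP 1.2 does not escape CONNECT/CONNECTED headers (1.0 compatibility).
const isRaw = (cmd) => cmd === 'CONNECT' || cmd === 'CONNECTED';

function buildFrame(command, headers = {}, body = '') {
  const all = body ? { ...headers, 'content-length': Buffer.byteLength(body) } : headers;
  const lines = Object.entries(all).map(([k, v]) =>
    isRaw(command) ? `${k}:${v}` : `${esc(k)}:${esc(v)}`);
  return [command, ...lines, '', body].join('\n') + NUL;
}

// Parses one text frame (body is taken as everything up to the final NUL).
function parseFrame(frame) {
  const split = frame.indexOf('\n\n');
  if (split < 0 || !frame.endsWith(NUL)) throw new Error('malformed frame');
  const [command, ...lines] = frame.slice(0, split).split('\n');
  const headers = Object.create(null);
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i < 0) throw new Error('malformed header line');
    const [k, v] = [line.slice(0, i), line.slice(i + 1)]
      .map((s) => (isRaw(command) ? s : unesc(s)));
    if (!(k in headers)) headers[k] = v; // repeated header: first value wins
  }
  return { command, headers, body: frame.slice(split + 2, -1) };
}

// Broker login (placeholder credentials), assumed to be held by the backend only.
const connectFrame = buildFrame('CONNECT', {
  'accept-version': '1.2', host: 'broker.example',
  login: 'chat-backend', passcode: 'REPLACE_ME',
});

// Assumption: the publisher fills userId from its own session, not from browser input.
function chatFrame(sessionUser, text) {
  return buildFrame('SEND',
    { destination: '/queue/chat', 'content-type': 'application/json' },
    JSON.stringify({ userId: sessionUser.id, username: sessionUser.name, text }));
}
```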