[Libwebsockets] RFC: lightweight sessions

Andy Green andy at warmcat.com
Mon May 23 13:44:37 CEST 2016

Hi -

I am partway through making a plugin called "generic-sessions", intended 
to provide lightweight persistent http sessions without a server-side 

The overall ideas are:

  - random 20-byte session id managed in a cookie

  - all information related to the session held at the server, nothing 
managed clientside

  - sqlite3 used at the server to manage active sessions and users

  - defaults to creating anonymous sessions with no user associated

  - admin account (with user-selectable username) is defined in config 
with a SHA-1 of the password; rest of the accounts are in sqlite3

  - login, logout, register account + email verification built-in with 

  - in a mount, some file suffixes (i.e., .js) can be associated with a 
protocol for the purposes of rewriting symbol names.  These are read-only 
copies of logged-in server state.

  - When your page fetches .js or other rewritten files from that mount, 
"$lwsgs_user" and so on are rewritten on the fly using chunked transfer 

  - Eliminates server-side scripting with a few rewritten symbols and 
javascript on client side

  - 32-bit bitfield for authentication sectoring, mounts can provide a 
mask on the logged-in session's associated server-side bitfield that 
must be set for access.

  - No code (just config) required for, eg, private URL namespace that 
requires login to access.

Login, logout, cookies, rewriting are already done, I am curious about 
any comments or suggestions to make it more useful (especially if anyone 
is motivated to contribute).
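Added illustration (not part of the mail, and not the generic-sessions plugin's or libwebsockets' own code) of three of the pieces listed above: the random 20-byte session id, the 32-bit sector mask check a mount applies to the session's bitfield, and the on-the-fly "$lwsgs_user" rewrite of a served .js file. The function names, the hex encoding of the id, the /dev/urandom source and the JS-string escaping applied to the user name during the rewrite are all assumptions; the mail does not say how the plugin encodes the id or whether it escapes rewritten values. The escaping is included because a rewritten symbol lands inside script text, where an unescaped quote or "</script>" in a self-registered username would otherwise break out of the literal.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical helpers sketching the design described in the mail. */

#define SID_BYTES 20
#define SID_HEX   (SID_BYTES * 2)

/* Fill out[] with 20 random bytes from /dev/urandom, hex-encoded
 * (40 chars + NUL). Returns 0 on success, -1 if the RNG could not be read.
 * The hex encoding is an assumption; the mail only says "random 20-byte". */
int gen_session_id(char out[SID_HEX + 1])
{
    unsigned char raw[SID_BYTES];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t n = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (n != sizeof raw)
        return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

/* Authentication sectoring: the mount supplies a mask; every bit in the
 * mask must be set in the session's server-side bitfield to get access.
 * A zero mask (anonymous session, public mount) always passes. */
int mount_allows(uint32_t session_bits, uint32_t mount_mask)
{
    return (session_bits & mount_mask) == mount_mask;
}

/* Append one byte of user-controlled data as it may appear inside a JS
 * string literal: backslash-escape quotes/backslash, hex-escape '<', '>',
 * '&' and control bytes so the value can neither close the literal nor
 * inject a "</script>" into the served file. Returns -1 if out[] is full. */
static int put_escaped(char *out, size_t outlen, size_t *pos, unsigned char c)
{
    char buf[8];
    int n;

    if (c == '\\' || c == '"' || c == '\'')
        n = snprintf(buf, sizeof buf, "\\%c", c);
    else if (c == '<' || c == '>' || c == '&' || c < 0x20 || c == 0x7f)
        n = snprintf(buf, sizeof buf, "\\x%02x", c);
    else {
        buf[0] = (char)c;
        n = 1;
    }
    if (*pos + (size_t)n >= outlen)
        return -1;
    memcpy(out + *pos, buf, (size_t)n);
    *pos += (size_t)n;
    return 0;
}

/* Rewrite every "$lwsgs_user" in a served .js body with the logged-in
 * user's (escaped) name. Returns the output length, or -1 if out[] is
 * too small; out[] is always NUL-terminated on success. */
int rewrite_symbols(const char *in, const char *user, char *out, size_t outlen)
{
    static const char sym[] = "$lwsgs_user";
    const size_t symlen = sizeof sym - 1;
    size_t pos = 0;

    while (*in) {
        if (strncmp(in, sym, symlen) == 0) {
            for (const char *u = user; *u; u++)
                if (put_escaped(out, outlen, &pos, (unsigned char)*u))
                    return -1;
            in += symlen;
        } else {
            if (pos + 1 >= outlen)
                return -1;
            out[pos++] = *in++;
        }
    }
    out[pos] = 0;
    return (int)pos;
}
```

The rewrite deliberately works on the served bytes rather than on a parsed script, which matches the "rewritten on the fly" description; it therefore has to escape for the narrowest context the symbol can appear in (a string literal inside a script), which is why '<' and '>' are hex-escaped even though JS itself would not require it.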

