[Libwebsockets] RFC: lightweight sessions
andy at warmcat.com
Mon May 23 13:44:37 CEST 2016
I am partway through making a plugin called "generic-sessions", intended
to provide lightweight persistent http sessions without a server-side
The overall ideas are:
- random 20-byte session id managed in a cookie
- all information related to the session held at the server, nothing
- sqlite3 used at the server to manage active sessions and users
- defaults to creating anonymous sessions with no user associated
- admin account (with user-selectable username) is defined in config
with a SHA-1 of the password; rest of the accounts are in sqlite3
- login, logout, register account + email verification built-in with
- in a mount, some file suffixes (e.g., .js) can be associated with a
protocol for the purposes of rewriting symbol names. These are read-only
copies of logged-in server state.
- When your page fetches .js or other rewritten files from that mount,
"$lwsgs_user" and so on are rewritten on the fly using chunked transfer
- Eliminates server-side scripting with a few rewritten symbols and
- 32-bit bitfield for authentication sectoring, mounts can provide a
mask on the logging-in session's associated server-side bitfield that
must be set for access.
- No code (just config) required for, e.g., private URL namespace that
requires login to access.
Login, logout, cookies, rewriting are already done, I am curious about
any comments or suggestions to make it more useful (especially if anyone
is motivated to contribute).
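
An added example, not part of the original post or the plugin's code: a C illustration of two items from the list above, the random 20-byte session id carried in a cookie and the 32-bit mount mask check. The struct and function names are hypothetical; hex encoding of the cookie value, /dev/urandom as the random source, and reading "must be set" as "every mask bit is set" are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_BYTES 20                 /* session id size named in the post */
#define SID_HEX_LEN (SID_BYTES * 2)  /* cookie value length (hex is assumed) */

/* Hypothetical server-side session record; field names are illustrative. */
struct session {
	char sid_hex[SID_HEX_LEN + 1];
	uint32_t auth_bits;          /* 0 for a new anonymous session */
};

/* Fill s->sid_hex with 20 bytes from the OS CSPRNG; returns 0 on success. */
int session_new_id(struct session *s)
{
	static const char hex[] = "0123456789abcdef";
	unsigned char raw[SID_BYTES];
	FILE *f = fopen("/dev/urandom", "rb");
	size_t n, i;

	if (!f)
		return -1;
	n = fread(raw, 1, sizeof(raw), f);
	fclose(f);
	if (n != sizeof(raw))
		return -1;           /* never fall back to a weaker source */
	for (i = 0; i < SID_BYTES; i++) {
		s->sid_hex[2 * i] = hex[raw[i] >> 4];
		s->sid_hex[2 * i + 1] = hex[raw[i] & 15];
	}
	s->sid_hex[SID_HEX_LEN] = '\0';
	s->auth_bits = 0;
	return 0;
}

/* Only look a cookie up if it is exactly 40 lowercase hex characters. */
int session_cookie_wellformed(const char *v)
{
	return strlen(v) == SID_HEX_LEN &&
	       strspn(v, "0123456789abcdef") == SID_HEX_LEN;
}

/* Assumed reading: every bit in the mount's mask must be set on the
 * session's server-side bitfield; a mask of 0 leaves the mount public. */
int mount_allows(const struct session *s, uint32_t mount_mask)
{
	return (s->auth_bits & mount_mask) == mount_mask;
}
```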