[Libwebsockets] generic-sessions update

Andy Green andy at warmcat.com
Tue May 31 03:42:24 CEST 2016

Hi -

A big update to the generic-sessions stuff, it's still not quite 
complete but almost at "0.1" state now.  (You'll need to nuke the old 
lws.sqlite3 if you have one due to schema changes).

   - user db working, self-registration from the web with email 
verification, login / logout as user or admin

   - registration and forgot password emails sent using SMTP on localhost

   - JS dynamic serverside username and email validation in the 
registration form, also password length and both the same checks on client

   - restrict to one account per registered email

   - removed LWS_WITH_GENERIC_SESSIONS from automatically being applied 
at cmake.

   - User registration and login as the registered user, logout is working

   - Added a per-vhost confounder that goes in the per-vhost config for 

           "confounder": "Change to <=31 chars of junk";

     When the password is accepted, a 20-byte random salt is generated, 
and an aggregation formed


which is then hashed and stored in the user db along with the salt.

The confounder isn't stored in the db, and if your config dir is 
root:root 0700, this makes it harder for a non-root attacker to get the 
info he needs to try to reverse the hashed passwords even against a 

   - Unified login, logout and registration into a single div in the 
example html, the main part of that is in 
/usr/share/libwebsockets-test-server/generic-sessions/index.html now 
(from ./plugins/index.html)

The missing pieces now before it's "complete enough" AFAIK are:

  - a change user settings form, which will double as where you go after 
completing the "forgot password" flow (it sends you by email a link that 
will log you in, and processes it correctly giving you a cookie, but 
takes you to a blank page right now).

  - an api to expose the logged-in user to other plugins cleanly
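As an added illustration of the per-vhost confounder scheme described above (example code, not libwebsockets' own): the mail elides the exact aggregation, so this assumes salt || confounder || password hashed with SHA-256, a 20-byte random per-user salt stored beside the hash, and a `UserDb` stand-in for the sqlite table. The confounder is never written to the store, so a copy of the db alone does not let anyone check password guesses against the stored hashes.

```python
"""Salted, peppered password storage in the style of the generic-sessions post.

Added example, not libwebsockets code. Assumptions (the post does not show
the exact layout): aggregation = salt || confounder || password, hash = SHA-256,
salt = 20 random bytes (the post gives only the 20-byte length).
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

SALT_LEN = 20  # "a 20-byte random salt is generated"


def aggregate(salt: bytes, confounder: str, password: str) -> bytes:
    # Assumed ordering; only the ingredients come from the original post.
    return salt + confounder.encode("utf-8") + password.encode("utf-8")


def hash_password(password: str, confounder: str,
                  salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Return (salt, hex digest). A fresh salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha256(aggregate(salt, confounder, password)).hexdigest()
    return salt, digest


class UserDb:
    """Stand-in for the user table: rows hold (salt, hash) only, never the confounder."""

    def __init__(self) -> None:
        self.rows: Dict[str, Tuple[bytes, str]] = {}

    def register(self, username: str, password: str, confounder: str) -> None:
        # The confounder comes from the vhost config at call time; it is not persisted.
        self.rows[username] = hash_password(password, confounder)

    def verify(self, username: str, password: str, confounder: str) -> bool:
        row = self.rows.get(username)
        if row is None:
            # Burn a hash anyway so unknown users are not distinguishable by timing.
            hash_password(password, confounder)
            return False
        salt, stored = row
        _, candidate = hash_password(password, confounder, salt)
        # Constant-time comparison of the two hex digests.
        return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    """Constructed scenario: one vhost confounder, one registered user."""
    confounder = "Change to <=31 chars of junk"  # the example value from the vhost config
    db = UserDb()
    db.register("alice", "correct horse battery", confounder)
    return {
        "right_password": db.verify("alice", "correct horse battery", confounder),
        "wrong_password": db.verify("alice", "tr0ub4dor", confounder),
        # A copy of the db (salt + hash) without the config-dir confounder: no match.
        "wrong_confounder": db.verify("alice", "correct horse battery", "guessed-pepper"),
        "unknown_user": db.verify("bob", "anything", confounder),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the salt defeats precomputed tables while the confounder, kept only in the root-owned config directory, is a pepper that the db copy lacks. For a production store a slow, memory-hard KDF (for instance `hashlib.scrypt`) in place of a single SHA-256 would be the usual choice; the single hash here follows the post's wording, not a recommendation.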
