[Libwebsockets] generic-sessions update

Andy Green andy at warmcat.com
Tue May 31 03:42:24 CEST 2016


Hi -

A big update to the generic-sessions stuff; it's still not quite 
complete but almost at "0.1" state now.  (You'll need to nuke the old 
lws.sqlite3 if you have one, due to schema changes.)

   - user db working, self-registration from the web with email 
verification, login / logout as user or admin

   - registration and forgot password emails sent using SMTP on localhost

   - JS dynamic serverside username and email validation in the 
registration form, plus password length and matching-password checks on the client

   - restrict to one account per registered email

   - removed LWS_WITH_GENERIC_SESSIONS from automatically being applied 
with LWS_WITH_LWSWS.  You now need to give -DLWS_WITH_GENERIC_SESSIONS 
at cmake.

   - User registration and login as the registered user, logout is working

   - Added a per-vhost confounder that goes in the per-vhost config for 
generic-sessions

           "confounder": "Change to <=31 chars of junk";

     When the password is accepted, a 20-byte random salt is generated 
and an aggregation is formed

    password-confounder-salt

which is then hashed and stored in the user db along with the salt.

The confounder isn't stored in the db, so if your config dir is 
root:root 0700, a non-root attacker who gets the db still lacks the 
info he needs to try to reverse the hashed passwords, even against a 
dictionary.

   - Unified login, logout and registration into a single div in the 
example html, the main part of that is in 
/usr/share/libwebsockets-test-server/generic-sessions/index.html now 
(from ./plugins/index.html)
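An added illustration of the salt + confounder scheme described above. This is example code written for this mail, not libwebsockets' own implementation: it assumes SHA-256 as the hash (the mail does not name one), hex-encodes the 20-byte salt, joins the three parts with '-', and stands in for the lws.sqlite3 users table with a dict. The function names (hash_password, verify_password, register_user, login) are mine.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SALT_BYTES = 20          # the mail: a 20-byte random salt per accepted password
MAX_CONFOUNDER_LEN = 31  # the mail: confounder is "<=31 chars of junk"


def aggregate(password: str, confounder: str, salt_hex: str) -> bytes:
    """Build the 'password-confounder-salt' aggregation described in the mail.

    Hex-encoding the salt and joining with ASCII '-' are assumptions of this
    example; the mail only gives the ordering of the three parts.
    """
    return f"{password}-{confounder}-{salt_hex}".encode("utf-8")


def hash_password(password: str, confounder: str, salt: Optional[bytes] = None):
    """Return (salt_hex, digest_hex).

    Only these two values go into the user db; the confounder lives in the
    per-vhost config and is never written to the db.
    """
    if len(confounder) > MAX_CONFOUNDER_LEN:
        raise ValueError("confounder must be <= 31 characters")
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    salt_hex = salt.hex()
    # SHA-256 is an assumption here; the mail does not say which hash lws uses.
    digest = hashlib.sha256(aggregate(password, confounder, salt_hex)).hexdigest()
    return salt_hex, digest


def verify_password(password: str, confounder: str,
                    salt_hex: str, stored_digest: str) -> bool:
    """Recompute the digest from the stored salt and the configured confounder."""
    _, candidate = hash_password(password, confounder, bytes.fromhex(salt_hex))
    # constant-time comparison so timing does not leak how much of the digest matched
    return hmac.compare_digest(candidate, stored_digest)


def register_user(db: dict, username: str, password: str, confounder: str) -> None:
    """Insert a row holding only salt and hash (db is a dict standing in for lws.sqlite3)."""
    salt_hex, digest = hash_password(password, confounder)
    db[username] = {"salt": salt_hex, "hash": digest}


def login(db: dict, username: str, password: str, confounder: str) -> bool:
    """Look up the user's row and verify the offered password against it."""
    row = db.get(username)
    if row is None:
        return False
    return verify_password(password, confounder, row["salt"], row["hash"])


if __name__ == "__main__":
    users = {}
    vhost_confounder = "example-vhost-junk"   # read from the vhost config, not the db
    register_user(users, "alice", "correct horse battery", vhost_confounder)
    print(login(users, "alice", "correct horse battery", vhost_confounder))  # True
    print(login(users, "alice", "wrong password", vhost_confounder))         # False
    # Holding only the db rows is not enough to check a guess: with the wrong
    # confounder the recomputed digest never matches, which is the point of
    # keeping the confounder in a root:root 0700 config dir.
    print(login(users, "alice", "correct horse battery", "other-confounder"))  # False
```

The db row and the config value are deliberately separate inputs to verify_password, which is what makes the 0700 config dir matter: an attacker needs both halves before a dictionary run can even confirm a hit. The example follows the mail's single-hash construction; in a production deployment the same confounder could equally be fed into a deliberately slow password hash.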


The missing pieces now before it's "complete enough" AFAIK are:

  - a change user settings form, which will double as where you go after 
completing the "forgot password" flow (it sends you by email a link that 
will log you in, and processes it correctly giving you a cookie, but 
takes you to a blank page right now).

  - an api to expose the logged-in user to other plugins cleanly

-Andy