<p>The generic-sessions protocol plugin provides cookie-based login authentication for lws web and ws connections.</p>
<p>The plugin handles everything about generic account registration, email verification, lost password, account deletion, and other generic account management.</p>
<p>Other code, in another eg, ws protocol handler, only needs very high-level state information from generic-sessions, ie, which user the client is authenticated as. Everything underneath is managed in generic-sessions.</p>
<ul>
<li>random 20-byte session id managed in a cookie</li>
<li>all information related to the session held at the server, nothing managed clientside</li>
<li>sqlite3 used at the server to manage active sessions and users</li>
<li>defaults to creating anonymous sessions with no user associated</li>
<li>admin account (with user-selectable username) is defined in config with a SHA-1 of the password; rest of the accounts are in sqlite3</li>
<li>user account passwords stored as salted SHA-1 with additional confounder only stored in the JSON config, not the database</li>
<li>login, logout, register account + email verification built-in with examples</li>
<li>in a mount, some file suffixes (ie, .js) can be associated with a protocol for the purposes of rewriting symbolnames. These are read-only copies of logged-in server state.</li>
<li>When your page fetches .js or other rewritten files from that mount, "$lwsgs_user" and so on are rewritten on the fly using chunked transfer encoding</li>
<li>Eliminates server-side scripting with a few rewritten symbols and javascript on client side</li>
<li>32-bit bitfield for authentication sectoring, mounts can provide a mask on the loggin-in session's associated server-side bitfield that must be set for access.</li>
<li>No code (just config) required for, eg, private URL namespace that requires login to access.</li>
<p>When the protocol is initialized, it gets per-vhost information from the config, such as where the sqlite3 databases are to be stored. The admin username and sha-1 of the admin password are also taken from here.</p>
<p>In the mounts using protocol-generic-sessions, a cookie is maintained against any requests; if no cookie was active on the initial request a new session is created with no attached user.</p>
<p>So there should always be an active session after any transactions with the server.</p>
<p>In the example html going to the mount /lwsgs loads a login / register page as the default.</p>
<p>The <form> in the login page contains 'next url' hidden inputs that let the html 'program' where the form handler will go after a successful admin login, a successful user login and a failed login.</p>
<p>After a successful login, the sqlite record at the server for the current session is updated to have the logged-in username associated with it.</p>
<li>b0 is set if you are logged in as a user at all.</li>
<li>b1 is set if you are logged in with the user configured to be admin</li>
<li>b2 is set if the account has been verified (the account configured for admin is always verified)</li>
<li>b3 is set if your session just did the forgot password flow successfully</li>
</ul>
<divclass="fragment"><divclass="line"><aname="l00001"></a><spanclass="lineno"> 1</span> {</div><divclass="line"><aname="l00002"></a><spanclass="lineno"> 2</span>  # things in here can always be served</div><divclass="line"><aname="l00003"></a><spanclass="lineno"> 3</span> "mountpoint": "/lwsgs",</div><divclass="line"><aname="l00004"></a><spanclass="lineno"> 4</span> "origin": "file:///usr/share/libwebsockets-test-server/generic-sessions",</div><divclass="line"><aname="l00005"></a><spanclass="lineno"> 5</span> "origin": "callback://protocol-lws-messageboard",</div><divclass="line"><aname="l00006"></a><spanclass="lineno"> 6</span> "default": "generic-sessions-login-example.html",</div><divclass="line"><aname="l00007"></a><spanclass="lineno"> 7</span> "auth-mask": "0",</div><divclass="line"><aname="l00008"></a><spanclass="lineno"> 8</span> "interpret": {</div><divclass="line"><aname="l00009"></a><spanclass="lineno"> 9</span> ".js": "protocol-lws-messageboard"</div><divclass="line"><aname="l00010"></a><spanclass="lineno"> 10</span>  }</div><divclass="line"><aname="l00011"></a><spanclass="lineno"> 11</span>  }, {</div><divclass="line"><aname="l00012"></a><spanclass="lineno"> 12</span>  # things in here can only be served if logged in as a user</div><divclass="line"><aname="l00013"></a><spanclass="lineno"> 13</span> "mountpoint": "/lwsgs/needauth",</div><divclass="line"><aname="l00014"></a><spanclass="lineno"> 14</span> "origin": "file:///usr/share/libwebsockets-test-server/generic-sessions/needauth",</div><divclass="line"><aname="l00015"></a><spanclass="lineno"> 15</span> "origin": "callback://protocol-lws-messageboard",</div><divclass="line"><aname="l00016"></a><spanclass="lineno"> 16</span> "default": "generic-sessions-login-example.html",</div><divclass="line"><aname="l00017"></a><spanclass="lineno"> 17</span> "auth-mask": "5", # logged in as a verified user</div><divclass="line"><aname="l00018"></a><spanclass="lineno"> 18</span> "interpret": {</div><divclass="line"><aname="l00019"></a><spanclass="lineno"> 19</span> ".js": "protocol-lws-messageboard"</div><divclass="line"><aname="l00020"></a><spanclass="lineno"> 20</span>  }</div><divclass="line"><aname="l00021"></a><spanclass="lineno"> 21</span>  }, {</div><divclass="line"><aname="l00022"></a><spanclass="lineno"> 22</span>  # things in here can only be served if logged in as admin</div><divclass="line"><aname="l00023"></a><spanclass="lineno"> 23</span> "mountpoint": "/lwsgs/needadmin",</div><divclass="line"><aname="l00024"></a><spanclass="lineno"> 24</span> "origin": "file:///usr/share/libwebsockets-test-server/generic-sessions/needadmin",</div><divclass="line"><aname="l00025"></a><spanclass="lineno"> 25</span> "origin": "callback://protocol-lws-messageboard",</div><divclass="line"><aname="l00026"></a><spanclass="lineno"> 26</span> "default": "generic-sessions-login-example.html",</div><divclass="line"><aname="l00027"></a><spanclass="lineno"> 27</span> "auth-mask": "7", # b2 = verified (by email / or admin), b1 = admin, b0 = logged in with any user name</div><divclass="line"><aname="l00028"></a><spanclass="lineno"> 28</span> "interpret": {</div><divclass="line"><aname="l00029"></a><spanclass="lineno"> 29</span> ".js": "protocol-lws-messageboard"</div><divclass="line"><aname="l00030"></a><spanclass="lineno"> 30</span>
<p>The vhost configures the storage dir, admin credentials and session cookie lifetimes:</p>
<divclass="fragment"><divclass="line"><aname="l00001"></a><spanclass="lineno"> 1</span> "ws-protocols": [{</div><divclass="line"><aname="l00002"></a><spanclass="lineno"> 2</span> "protocol-generic-sessions": {</div><divclass="line"><aname="l00003"></a><spanclass="lineno"> 3</span> "status": "ok",</div><divclass="line"><aname="l00004"></a><spanclass="lineno"> 4</span> "admin-user": "admin",</div><divclass="line"><aname="l00005"></a><spanclass="lineno"> 5</span> </div><divclass="line"><aname="l00006"></a><spanclass="lineno"> 6</span> # create the pw hash like this (for the example pw, "jipdocesExunt" )</div><divclass="line"><aname="l00007"></a><spanclass="lineno"> 7</span> # $ echo -n "jipdocesExunt" | sha1sum</div><divclass="line"><aname="l00008"></a><spanclass="lineno"> 8</span> # 046ce9a9cca769e85798133be06ef30c9c0122c9 -</div><divclass="line"><aname="l00009"></a><spanclass="lineno"> 9</span> #</div><divclass="line"><aname="l00010"></a><spanclass="lineno"> 10</span> # Obviously ** change this password hash to a secret one before deploying **</div><divclass="line"><aname="l00011"></a><spanclass="lineno"> 11</span> #</div><divclass="line"><aname="l00012"></a><spanclass="lineno"> 12</span> "admin-password-sha1": "046ce9a9cca769e85798133be06ef30c9c0122c9",</div><divclass="line"><aname="l00013"></a><spanclass="lineno"> 13</span> "session-db": "/var/www/sessions/lws.sqlite3",</div><divclass="line"><aname="l00014"></a><spanclass="lineno"> 14</span> "timeout-idle-secs": "600",</div><divclass="line"><aname="l00015"></a><spanclass="lineno"> 15</span> "timeout-anon-idle-secs": "1200",</div><divclass="line"><aname="l00016"></a><spanclass="lineno"> 16</span> "timeout-absolute-secs": "6000",</div><divclass="line"><aname="l00017"></a><spanclass="lineno"> 17</span> # the confounder is part of the salted password hashes. If this config</div><divclass="line"><aname="l00018"></a><spanclass="lineno"> 18</span> # file is in a 0700 root:root dir, an attacker with apache credentials</div><divclass="line"><aname="l00019"></a><spanclass="lineno"> 19</span> # will have to get the confounder out of the process image to even try</div><divclass="line"><aname="l00020"></a><spanclass="lineno"> 20</span> # to guess the password hashes.</div><divclass="line"><aname="l00021"></a><spanclass="lineno"> 21</span> "confounder": "Change to <=31 chars of junk",</div><divclass="line"><aname="l00022"></a><spanclass="lineno"> 22</span> </div><divclass="line"><aname="l00023"></a><spanclass="lineno"> 23</span> "email-from": "noreply@example.com",</div><divclass="line"><aname="l00024"></a><spanclass="lineno"> 24</span> "email-smtp-ip": "127.0.0.1",</div><divclass="line"><aname="l00025"></a><spanclass="lineno"> 25</span> "email-expire": "3600",</div><divclass="line"><aname="l00026"></a><spanclass="lineno"> 26</span> "email-helo": "myhost.com",</div><divclass="line"><aname="l00027"></a><spanclass="lineno"> 27</span> "email-contact-person": "Set Me <real-person@email.com>",</div><divclass="line"><aname="l00028"></a><spanclass="lineno"> 28</span> "email-confirm-url-base": "http://localhost:7681/lwsgs"</div><divclass="line"><aname="l00029"></a><spanclass="lineno"> 29</span>  }</div></div><!-- fragment --><p>The email- related settings control generation of automatic emails for registration and forgotten passwor
<ul>
<li><code>email-from</code>: The email address automatic emails are sent from</li>
<li><code>email-smtp-ip</code>: Normally 127.0.0.1, if you have a suitable server on port 25 on your lan you can use this instead here.</li>
<li><code>email-expire</code>: Seconds that links sent in email will work before being deleted</li>
<li><code>email-helo</code>: HELO to use when communicating with your SMTP server</li>
<li><code>email-contact-person</code>: mentioned in the automatic emails as a human who can answer questions</li>
<li><code>email-confirm-url-base</code>: the URL to start links with in the emails, so the recipient can get back to the web server</li>
</ul>
<p>The real protocol that makes use of generic-sessions must also be listed and any configuration it needs given</p>
<divclass="fragment"><divclass="line"><aname="l00001"></a><spanclass="lineno"> 1</span> "protocol-lws-messageboard": {</div><divclass="line"><aname="l00002"></a><spanclass="lineno"> 2</span> "status": "ok",</div><divclass="line"><aname="l00003"></a><spanclass="lineno"> 3</span> "message-db": "/var/www/sessions/messageboard.sqlite3"</div><divclass="line"><aname="l00004"></a><spanclass="lineno"> 4</span> },</div></div><!-- fragment --><p>Notice the real application uses his own sqlite db, no details about how generic-sessions works or how it stores data are available to it.</p>
<p>You can also define a per-vhost confounder shown in the example above, used when aggregating the password with the salt when it is hashed. Any attacker will also need to get the confounder along with the database, which you can make harder by making the config dir only eneterable / readable by root.</p>
<p>lwsgs will can send emails by talking to an SMTP server on localhost:25. That will usually be sendmail or postfix, you should confirm that works first by itself using the <code>mail</code> application to send on it.</p>
<p>lwsgs has been tested on stock Fedora sendmail and postfix.</p>
<p>The basic approach is the 'real' protocol handler (usually a plugin itself) subclasses the generic-sessions plugin and calls through to it by default.</p>
<p>The "real" protocol handler entirely deals with ws-related stuff itself, since generic-sessions does not use ws. But for</p>
<ul>
<li>LWS_CALLBACK_HTTP</li>
<li>LWS_CALLBACK_HTTP_BODY</li>
<li>LWS_CALLBACK_HTTP_BODY_COMPLETION</li>
<li>LWS_CALLBACK_HTTP_DROP_PROTOCOL</li>
</ul>
<p>the "real" protocol handler checks if it recognizes the activity (eg, his own POST form URL) and if not, passes stuff through to the generic-sessions protocol callback to handle it. To simplify matters the real protocol can just pass through any unhandled messages to generic-sessions.</p>
<p>The "real" protocol can get a pointer to generic-sessions protocol on the same vhost using</p>
<divclass="fragment"><divclass="line"><aname="l00001"></a><spanclass="lineno"> 1</span> vhd->gsp = lws_vhost_name_to_protocol(vhd->vh, "protocol-generic-sessions");</div></div><!-- fragment --><p>The "real" protocol must also arrange generic-sessions per_session_data in his own per-session allocation. To allow keeping generic-sessions opaque, the real protocol must allocate that space at runtime, using the pss size the generic-sessions protocol struct exposes</p>
<divclass="fragment"><divclass="line"><aname="l00001"></a><spanclass="lineno"> 1</span> struct per_session_data__myapp {</div><divclass="line"><aname="l00002"></a><spanclass="lineno"> 2</span>  void *pss_gs;</div><divclass="line"><aname="l00003"></a><spanclass="lineno"> 3</span> ...</div><divclass="line"><aname="l00004"></a><spanclass="lineno"> 4</span> </div><divclass="line"><aname="l00005"></a><spanclass="lineno"> 5</span>  pss->pss_gs = malloc(vhd->gsp->per_session_data_size);</div></div><!-- fragment --><p>The allocation reserved for generic-sessions is then used as user_space when the real protocol calls through to the generic-sessions callback</p>
<divclass="fragment"><divclass="line"><aname="l00001"></a><spanclass="lineno"> 1</span> vhd->gsp->callback(wsi, reason, &pss->pss_gs, in, len);</div></div><!-- fragment --><p>In that way the "real" protocol can subclass generic-sessions functionality.</p>
<p>To ease management of these secondary allocations, there are callbacks that occur when a wsi binds to a protocol and when the binding is dropped. These should be used to malloc and free and kind of per-connection secondary allocations.</p>
<p>At least at the time when someone tries to upgrade an http(s) connection to ws(s) with your real protocol, it is necessary to confirm the cookie the http(s) connection has with generic-sessions and find out his username and other info.</p>
<p>Generic sessions lets another protocol check it again by calling his callback, and lws itself provides a generic session info struct to pass the related data</p>
<divclass="fragment"><divclass="line"><aname="l00001"></a><spanclass="lineno"> 1</span> struct lws_session_info {</div><divclass="line"><aname="l00002"></a><spanclass="lineno"> 2</span>  char username[32];</div><divclass="line"><aname="l00003"></a><spanclass="lineno"> 3</span>  char email[100];</div><divclass="line"><aname="l00004"></a><spanclass="lineno"> 4</span>  char ip[72];</div><divclass="line"><aname="l00005"></a><spanclass="lineno"> 5</span>  unsigned int mask;</div><divclass="line"><aname="l00006"></a><spanclass="lineno"> 6</span>  char session[42];</div><divclass="line"><aname="l00007"></a><spanclass="lineno"> 7</span> };</div><divclass="line"><aname="l00008"></a><spanclass="lineno"> 8</span> </div><divclass="line"><aname="l00009"></a><spanclass="lineno"> 9</span> struct lws_session_info sinfo;</div><divclass="line"><aname="l00010"></a><spanclass="lineno"> 10</span> ...</div><divclass="line"><aname="l00011"></a><spanclass="lineno"> 11</span> vhd->gsp->callback(wsi, LWS_CALLBACK_SESSION_INFO,</div><divclass="line"><aname="l00012"></a><spanclass="lineno"> 12</span> &pss->pss_gs, &sinfo, 0);</div></div><!-- fragment --><p>After the call to generic-sessions, the results can be</p>
<ul>
<li>all the strings will be zero-length and .mask zero, there is no usable cookie<ul>
<li>only .ip and .session are set: the cookie is OK but no user logged in</li>
<li>all the strings contain information about the logged-in user</li>
</ul>
</li>
</ul>
<p>the real protocol can use this to reject attempts to open ws connections from http connections that are not authenticated; afterwards there's no need to check the ws connection auth status again. </p>
</div></div><!-- contents -->
</div><!-- doc-content -->
<!-- start footer part -->
<divid="nav-path"class="navpath"><!-- id is needed for treeview function! -->
