HTTP Server custom client authorization and session

sazanof
Posts: 22
Joined: Wed Sep 13, 2023 10:22 am

HTTP Server custom client authorization and session

Postby sazanof » Sun Nov 19, 2023 2:29 pm

Hello!
Now I'm doing authorization on ESP32 and I ran into a problem.
I know there are built-in basic and digest authorization, but as the frontend I use the Vue.js framework and I want to make a separate page for authorization.

The solutions I am currently using:
1) when loading the page / I'm initializing the authenticated = false variable. Later, in the code, when authorization is successful, it changes the value. One of the disadvantages of this approach is that if I refresh the page, I will have to re-enter the login password.

2) I tried using `user_ctx`, but if I open the site address in another browser, then I will be authorized there too! This is fundamentally not what I wanted.

Some code from 2):

In the header:

```c
typedef struct rest_server_context
{
    char base_path[ESP_VFS_PATH_MAX + 1];
    char scratch[SCRATCH_BUFSIZE];
    bool authenticated;
} rest_server_context_t;
```

In login_handler:

```c
// here is auth = OK, continue
if (!req->sess_ctx)
{
    req->sess_ctx = malloc(sizeof(rest_server_context_t)); /*!< Pointer to context data */
    req->free_ctx = free_ctx_func;                         /*!< Function to free context data */
    ((rest_server_context_t *)(req->user_ctx))->authenticated = true;
}
```

The method that checks whether the user is authenticated or not:

```c
bool is_authenticated(httpd_req_t *req)
{
    rest_server_context_t *context = (rest_server_context_t *)req->user_ctx;
    if (req->user_ctx)
    {
        bool auth = context->authenticated;
        ESP_LOGW("AUTH TAG", "Authenticated is %d", auth);
        if (auth)
        {
            return true;
        }
    }
    return false;
}
```

So, if I log in to my ESP32 on PC1, then I will be authorized on PC2 as well.

The main question is:

How to split client sessions on the server and check exactly a specific client session? Is it possible to access exactly the current user session and change its data?

Thank you!

sazanof
Posts: 22
Joined: Wed Sep 13, 2023 10:22 am

Re: HTTP Server custom client authorization and session

Postby sazanof » Sun Nov 19, 2023 3:02 pm

I think I found an answer, but it needs testing.

```c
int sockfd = httpd_req_to_sockfd(req); // get socket fd
if (server != NULL)
{
    // (void *)sockfd, or some other struct, I think
    httpd_sess_set_ctx(server, sockfd, (void *)sockfd, free_ctx_func); // set session context
    // get session
    int context = (int)httpd_sess_get_ctx(server, sockfd);

    ESP_LOGW(REST_TAG, "Authenticated is %d, sockfd is %d, context %d", is_authenticated(req), sockfd, context);
}
```

UPD: no, the session resets after opening another URL.
Any comments are welcome :D

MicroController
Posts: 1706
Joined: Mon Oct 17, 2022 7:38 pm
Location: Europe, Germany

Re: HTTP Server custom client authorization and session

Postby MicroController » Sun Nov 19, 2023 9:51 pm

You'll want to send a cookie to the client after a successful login. After that, the client will send you the cookie back with every HTTP request and you can decide if the cookie is still valid or if you want the user to authenticate again.
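
The cookie approach suggested above, as an added example that is not part of the thread or of ESP-IDF: the server keeps a small table of random session IDs, sends one in `Set-Cookie` after login, and checks the `Cookie` header on every request, so a second browser without the cookie is not logged in. The names `session_issue` and `session_check`, the `sid` cookie name, the table size and the lifetime are assumptions; in a handler the header would be read with `httpd_req_get_hdr_value_str` and set with `httpd_resp_set_hdr`, with random bytes from `esp_fill_random`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#define SID_BYTES 16              /* 128-bit random session id */
#define SID_HEX   (SID_BYTES * 2)
#define MAX_SESS  4               /* assumed: concurrent logins allowed */
#define SESS_TTL  600             /* assumed: session lifetime in seconds */
typedef struct { char sid[SID_HEX + 1]; time_t expires; } session_t;
static session_t sessions[MAX_SESS];   /* server-side state, one slot per login */

/* After a successful login: store a new session and write the Set-Cookie value.
 * rnd must come from a CSPRNG (on ESP32: esp_fill_random() with Wi-Fi or BT on). */
int session_issue(const uint8_t rnd[SID_BYTES], time_t now, char *cookie, size_t n)
{
    session_t *slot = &sessions[0];
    for (int i = 1; i < MAX_SESS; i++)          /* empty, expired or oldest slot */
        if (sessions[i].expires < slot->expires) slot = &sessions[i];
    for (int i = 0; i < SID_BYTES; i++)
        snprintf(slot->sid + 2 * i, 3, "%02x", rnd[i]);
    slot->expires = now + SESS_TTL;
    return snprintf(cookie, n, "sid=%s; Path=/; Max-Age=%d; HttpOnly; SameSite=Strict",
                    slot->sid, SESS_TTL);
}

/* Compare without an early exit so timing does not reveal a matching prefix. */
static int ct_equal(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* On every protected request: hdr is the raw Cookie header value, e.g.
 * "theme=dark; sid=<32 hex chars>". Returns 1 only for a live session. */
int session_check(const char *hdr, time_t now)
{
    for (const char *p = hdr; p && *p; ) {
        while (*p == ' ' || *p == ';') p++;
        size_t len = strcspn(p, ";");
        if (len == 4 + SID_HEX && strncmp(p, "sid=", 4) == 0) {
            int ok = 0;
            for (int i = 0; i < MAX_SESS; i++)
                ok |= sessions[i].expires > now && ct_equal(p + 4, sessions[i].sid, SID_HEX);
            return ok;
        }
        p += len;
    }
    return 0;
}
```

Add the `Secure` attribute to the cookie only when the device serves HTTPS, since browsers do not send `Secure` cookies back over plain HTTP.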

sazanof
Posts: 22
Joined: Wed Sep 13, 2023 10:22 am

Re: HTTP Server custom client authorization and session

Postby sazanof » Tue Nov 21, 2023 8:55 am

Thank you, I will add a solution later
