28     "Cache: no-cache\r\n"
29     "Content-Type: application/x-javascript\r\n"
32 // Describes single message sent to a chat. If user is empty (0 length),
36     char user[MAX_USER_LEN];     // User that have sent the message  member
44     char random[20];          // Random data used for extra user validation
45     char user[MAX_USER_LEN];  // Authenticated user  member
77     const char *qs = request_info->query_string;  in get_qsvar()
91     // Read-lock the ringbuffer. Loop over all messages, making a JSON string.  in messages_to_json()
96     if (last_message_id - last_id > max_msgs) {  in messages_to_json()
97         last_id = last_message_id - max_msgs;  in messages_to_json()
101         if (message->timestamp == 0) {  in messages_to_json()
107         len += snprintf(buf + len, sizeof(buf) - len,  in messages_to_json()
108                         "{user: '%s', text: '%s', timestamp: %lu, id: %ld},",  in messages_to_json()
109                         message->user, message->text, message->timestamp, message->id);  in messages_to_json()
161     message->id = last_message_id++;  in new_message()
162     message->timestamp = time(0);  in new_message()
169     dst[len - 1] = '\0';  in my_strlcpy()
178     char text[sizeof(message->text) - 1];  in ajax_send_message()
186         // We have a message to store. Write-lock the ringbuffer,  in ajax_send_message()
190         // TODO(lsm): JSON-encode all text strings  in ajax_send_message()
193         my_strlcpy(message->text, text, sizeof(text));  in ajax_send_message()
194         my_strlcpy(message->user, session->user, sizeof(message->user));  in ajax_send_message()
205 // Redirect user to the login form. In the cookie, store the original URL
211               "Set-Cookie: original_url=%s\r\n"  in redirect_to_login()
213               request_info->uri, login_url);  in redirect_to_login()
217 static int check_password(const char *user, const char *password)  in check_password()  argument
220     // to authenticate the user.  in check_password()
221     // Here however we do trivial check that user and password are not empty  in check_password()
222     return (user[0] && password[0]);  in check_password()
243 // This is why all communication must be SSL-ed.
245                                 const char *user)  in generate_session_id()  argument
247     mg_md5(buf, random, user, NULL);  in generate_session_id()
257     message->user[0] = '\0';  // Empty user indicates server message  in send_server_message()
259     vsnprintf(message->text, sizeof(message->text), fmt, ap);  in send_server_message()
266 // Login page form sends user name and password to this endpoint.
270     char user[MAX_USER_LEN], password[MAX_USER_LEN];  in authorize()  local
273     // Fetch user name and password.  in authorize()
274     get_qsvar(request_info, "user", user, sizeof(user));  in authorize()
277     if (check_password(user, password) && (session = new_session()) != NULL) {  in authorize()
281         //   3. remove original_url from the cookie - not needed anymore  in authorize()
287         // be stolen and an attacker may impersonate the user.  in authorize()
289         my_strlcpy(session->user, user, sizeof(session->user));  in authorize()
290         snprintf(session->random, sizeof(session->random), "%d", rand());  in authorize()
291         generate_session_id(session->session_id, session->random, session->user);  in authorize()
292         send_server_message("<%s> joined", session->user);  in authorize()
294                   "Set-Cookie: session=%s; max-age=3600; http-only\r\n"  // Session ID  in authorize()
295                   "Set-Cookie: user=%s\r\n"  // Set user, needed by Javascript code  in authorize()
296                   "Set-Cookie: original_url=/; max-age=0\r\n"  // Delete original_url  in authorize()
298                   session->session_id, session->user);  in authorize()
314     if (!strcmp(request_info->uri, login_url) ||  in is_authorized()
315         !strcmp(request_info->uri, authorize_url)) {  in is_authorized()
321         generate_session_id(valid_id, session->random, session->user);  in is_authorized()
322         if (strcmp(valid_id, session->session_id) == 0) {  in is_authorized()
323             session->expire = time(0) + SESSION_TTL;  in is_authorized()
339                   (int) (p - host), host, request_info->uri);  in redirect_to_ssl()
350     if (!request_info->is_ssl) {  in begin_request_handler()
354     } else if (strcmp(request_info->uri, authorize_url) == 0) {  in begin_request_handler()
356     } else if (strcmp(request_info->uri, "/ajax/get_messages") == 0) {  in begin_request_handler()
358     } else if (strcmp(request_info->uri, "/ajax/send_message") == 0) {  in begin_request_handler()