This is a working specification for a new interface JSON interface for CoovaChilli. Please note that this is different from the existing XML based interface used for WISPr messages, and extended as a previous attempt for browser based clients.

Architecture of a Browser Based Smart Client

To communicate with the CoovaChilli Controller, the application uses the methods exposed by the chilliController javascript object. This object sends commands as HTTP GET requests to CoovaChilli and receives JSON formatted replies from CoovaChilli. This chilliController object can issue three main commands to the Controller:

  • logon, attempt a CHAP login. The reply will contain the session data and initial accounting data.
  • logoff, ends the current session.
  • status, provide the latest accounting data

A Browser Based Smart Client Application downloads the ChilliLibrary.js javascript library and is then be able to use the global chilliController object with three methods:

  • logon
  • logoff
  • refresh

When a client is authorized, the chilliController object will periodically update accounting data by issuing periodic status commands to refresh the data (autorefresh).

Only CHAP authentication supported method. The password will never leave the browser executing the BBSC application.

The security model of both Web browsers and the Flash player will not allow programmatic HTTP request to URLs residing on a different host/domain/port, after the containing page/movie is loaded. However, there are workarounds:

Javascript: Use DOM API to dynamically create a tag. This will load a JavaScript file from any destination, without security restrictions. This file contains a JSON object passed to a callback function. This callback must already exist in the JS contect of the containing page. See here

Flash we can override the default security policy with cross domain policy files as described here Using these two workarounds, any HTML page (Flash movie), from any domain, can include a single ChilliLibrary.js file (ChilliLibrary.swf) to create a Controller object that will allow communication from the client application to CoovaChilli.

BBSCs could also be implemented as FireFox extensions or IE add-ons.

chilliController interface

JavaScript pseudo code

<script src="http&#58;//"></script>
// The included script creates a global chilliController object
// If you use non standard configuration, define your configuration = "";  // Default is
chilliController.port  = 4003     ; //  Default is 3990
chilliController.interval = 60    ; // Default is 30 seconds
// then define event handler functions
chilliController.onError  = handleErrors;
chilliController.onUpdate = updateUI ;

// when the reply is ready, this handler function is called
function updateUI( cmd ) {
  alert ( ‘You called the method' + cmd +
    '\n Your current state is =’ + chilliController.clientState ) ;
// If an error occurs, this handler will be called instead
function handleErrors ( code ) {
  alert ( 'The last contact with the Controller failed. Error code =' + code );
//  finally, get current state


The chilliController is a global object created by the included script. By default, it is configured to contact the CoovaChilli gateway at every 30 seconds. If required, you must modify these values to match your specific configuration before calling a method.

After the chilliController object is configured, you must explicitly call the refresh method to determine the current state of the client.


logon ( username , password )

CHAP login attempt.


Logoff the current session.


Refresh the accounting and session data immediately, i.e. without waiting for the next scheduled autorefresh.


host ip address of the CoovaChilli access controller
port HTTP port for the JSON requests
interval in seconds. While the user is authenticated, session/accounting data is refreshed by polling CoovaChilli at this rate,
language Preferred language for the Reply-Message (Two letter ISO language code, eg. ‘en’).
clientState State of the terminal. UNKNOWN means that no information has been received from CoovaChilli yet. <ul><li>UNKNOWN (-1)</li><li>NOT_AUTHORIZED (0)</li><li>AUTHORIZED (1)</li><li>AUTH_PENDING (2)</li></ul>
command last command send to CoovaChilli (may still be pending): logon, logoff, refresh, autorefresh
terminateCause Same value as the Acct-Terminate-Cause attribute + UNKOWN value when no information from CoovaChilli has been received yet (-1). Not yet implemented. <ul><li>User-Request (1)</li><li>Lost-Carrier (2)</li><li>Idle-Timeout (4)</li><li>Session-Timeout (5)</li><li>NAS-Reboot (11)</li><li>UNKOWN (-1)</li></ul>
sessionId unique identifier of the session as generated by CoovaChilli (Acct-Session-Id). This is used to make sure the properties found in the session member and the accounting member do belong to the same session.
message Message to be displayed to the user (Can be the radius Reply-Message or a CoovaChilli generated message)
redir this member exposes data read on the URL of the initial redirection to uamhomepage. This member will exist only if the uamhomepage is including chilliController.js…. (Alternative: Chilli could memorize it during a session, and always return it in the JSON reply… this would avoid using cookies to store this data to survive the browser being closed )
originalURL URL originally requested by the client (before the redirection)
redirectionURL URL to redirecto to next, WISPr-Redirection-URL or otherwise
macAddress Calling-Station-Id - mac address of the client device
ipAddress Framed-IP-Address (not yet implemented)
location this member object contains basic information about the location
name WISPr-Location-Name - name of the location (chilli.conf locationname or radiuslocationname)
session this member exposes the radius attributes received in the radius access-accept packet. These attributes are fixed during a session (unless the option to update the properties of a live session is implemented in CoovaChilli)
userName User-Name (not yet implemented)
startTime CoovaChilli time session start time. ECMAScript Date object. This one is not a radius attribute, but useful in the BBSC user interface.
terminateTime WISPr-Session-Terminate-Time. ECMAScript Date object. (not yet implemented)
sessionTimeout Session-Timeout
idleTimeout Idle-Timeout
maxInputOctets ChilliSpot-Max-Input-Octets (not yet)
maxOutputOctets ChilliSpot-Max-Output-Octets (not yet)
maxTotalOctets ChilliSpot-Max-Total-Octets (not yet)
bandwidthMaxDown WISPr-Bandwidth-Max-Down (not yet)
bandwidthMaxUp WISPr-Bandwidth-Max-Up (not yet)
accounting Volume/Time accounting attributes. These attributes will change during a session.
sessionTime Acct-Session-Time - session duration
idleTime Idle time calculated by CoovaChilli (traffic to/from CoovaChilli is ignored). This one is not a radius attribute, but the Controller object will use it to schedule the next refresh just after a likely IdleTimeout disconnection. It’s also exposed in the API, to be comprehensive.
inputOctets Acct-Input-Octets
outputOctets Acct-Output-Octets
inputGigawords Acct-Input-Gigawords
outputGigawords Acct-Output-Gigawords

Event handlers


Handler function called when the chilliController object has been updated. Updates are triggered when new data has been received from the controller. This is the case:

  • after a method is explicitly called (logon,logoff,refresh)
  • automatically every interval seconds, when the client is authorized (autorefresh)

The handler function receives the name of the command that triggered the update as an argument (logon,logoff,refresh,autorefresh).


Handler function called when a correct JSON response cannot be obtained from the controller. (e.g. wireless link down, wrong JSON syntax,….). The handler function receives an error code as an argument.

Interface to CoovaChilli

Commands are send to CoovaChilli with HTTP requests. The lang GET parameter is used on all URLs to pass the preferred language (only used in logon for the time being).

The version field is used to track different versions of the CoovaChilli JSON protocol.

If a callback parameter (callback=function) is present, then CoovaChilli will wrap the JSON output text in parentheses and prepend it with the callback function. The output will look like a function call with a JSON object passed as parameter. This will allow cross domain access to the JSON feed from JavaScript.


When the logon() method of the Controller object is called, the Controller object:

  • generates a random CHAP-challenge (hex string)
  • requests

CoovaChilli replies with a JSON formated object like this

  "version" : "1.0",
  "clientState" : 1 ,
  "sessionId" : "4662e92b0000000e" ,
  "message" : "You’re now connected" ,
  "location" : {
     "name":  "Coova labs"
  "redir" : {
    "macAddress" : "00-30-1B-B5-03-6B",
    "originalURL" : "",
    "redirectionURL" : "",
    "ipAddress" : ""
  "session" : {
    "startTime" : 137550720,
    "terminateTime" : 13756072,
    "sessionTimeout" : 3600,
    "idleTimeout" : 240,
    "maxInputOctets" : 100000000,
    "maxOutputOctets" : 100000000,
    "maxTotalOctets" : 100000000,
    "bandwidthMaxDown" : 1000000,
    "bandwidthMaxUp" : 1000000
  "accounting": {
     "sessionTime" : 2,
     "idleTime" : 0,
     "inputOctets" : 0,
     "outputOctets" : 0,
     "inputGigawords" : 0,
     "outputGigawords" : 0

If the authorization, does not succeed. The JSON reply will look like this

  "version": "1.0",
  "clientState": 0,
  "message": "This username does not exist",
  "location" : { "name":"My HotSpot" }


Request to

The JSON reply will look like this:

 myfunc ( { "version": "1.0", "clientState": 0 } )

Status refresh

Request to

The JSON reply will look like this:

 "version" : "1.0",
 "clientState" : 1 ,
 "sessionId" : "4662e92b0000000e" ,
 "accounting": {
     "sessionTime" : 1230,
     "idleTime" : 240,
     "inputOctets" : 2912981 ,
     "outputOctets" : 51498511,
     "inputGigawords" : 0,
     "outputGigawords" : 0

It’s not necessary to repeat the fixed session properties here. The sessionId is used to associate the newly received accounting values with the session values received with the initial logon command.

Problem: What if a someone uses the HTML form to connect and then uses a BBSC for status display?

If the client is not authorized:

 "version" : "1.0",
 "clientState" : 0