Building Web Scripts with Lua


CGILua uses Lua as a server-side scripting language for creating dynamic Web pages. Both pure Lua Scripts and Lua Pages (LP) are supported by CGILua. A Lua Script is essentially a Lua program that creates the whole contents of a web page and returns it to the client. A Lua Page is a conventional markup text (HTML, XML etc) file that embeds Lua code using some special tags. Those tags are processed by CGILua and resulting page is returned to the client.

Lua Scripts and Lua Pages are equally easy to use, and choosing one of them basically depends on the characteristics of the resulting page. While Lua Pages are more convenient for the separation of logic and format, Lua Scripts are more adequate for creating pages that are simpler in terms of its structure, but require a more significative amount of internal processing.

Allowing these two methods to be intermixed, CGILua provides Web applications developers with great flexibility when both requirements are present. For a detailed description of both scripting methods and some examples of their use see Lua Scripts and Lua Pages.


CGILua architecture is divided in two layers. The lower level is represented by the Server API (SAPI) and the higher level is represented by the CGILua API itself. SAPI is the interface between the web server and the CGILua API, so it needs to be implemented for each Web server and launching method used.

A launcher is responsible for the interaction of CGILua and the Web server, implementing SAPI for example using ISAPI on IIS or mod_lua on Apache. The reference implementation of CGILua launchers is Kepler.

The CGILua API is implemented using only SAPI and is totally portable over different launchers and their supporting Web servers. This way any Lua Script or Lua Page can be used by any launcher.

Request life cycle

CGILua processes requests using a CGI metaphor (even if the launcher is not based on CGI) and requests have a life cycle that can be customized by the programmer. The CGILua request life cycle consists in the following sequence of steps for each request:

  1. Add default handlers such as LuaScripts and Lua Pages and commom file formats.
  2. Execute the config.lua file, allowing the customization of the next steps.
  3. Build the cgilua.POST and cgilua.QUERY tables (processing POST and QUERY data).
  4. Change to user script directory.
  5. Execute the registered open functions.
  6. Execute the requested script with the correct environment.
  7. Execute the registered close functions.
  8. Change back to the original directory

Editing the config.lua file one can customize the CGILua behaviour. One typical use would be registering the open and close functions in order to change the request processing behavior. With this customization it is possible to implement new features like session management and private library directories as shown in section Configuration, or even to implement new abstractions over the whole CGILua way of live, like MVC-frameworks such as Orbit.


CGILua follows the package model for Lua 5.1, therefore it should be "installed" in your package.path.

You can also install CGILua using LuaRocks:

luarocks install cgilua


The Kepler distribution of CGILua 5.1 offers a single configuration file, called config.lua. This file can be used to alter the default CGILua behaviour and is located in the Kepler configuration directory.

Some of the uses of config.lua customization are:

Script Handlers
A handler is responsible for the response of a request. You can add new CGILua handlers using cgilua.addscripthandler (see also cgilua.buildplainhandler and cgilua.buildprocesshandler for functions that build simple handlers).
POST Data Sizes
You can change the POST data size limits using cgilua.setmaxinput and cgilua.setmaxfilesize.
Opening and Closing Functions
You can add your functions to the life cycle of CGILua using cgilua.addopenfunction and cgilua.addclosefunction. These functions are executed just before and just after the script execution, even when an error occurs in the script processing.

In particular, the opening and closing functions are useful for different things. Some examples of the use of such functions in config.lua are shown next.

Previous versions of CGILua loaded a env.lua file from the script directory before processing it. To emulate this with CGILua 5.1 you can use something like:

cgilua.addopenfunction (function ()
	cgilua.doif ("env.lua")

If every script needs to load a module (such as the sessions library), you can do:

cgilua.addopenfunction (
cgilua.addclosefunction (cgilua.session.close)

Note that the function cgilua.addopenfunction must be used to call because this function needs to change the cgi table (see section Receiving parameters for more information on this special table) which is not yet available during the execution of the config.lua file (see the Request life cycle).

When some scripts may use the library but others may not, you could define an "enabling" function (which should be called at the very beginning of each script that needs to use sessions):

cgilua.enablesession = function () ()
	cgilua.addclosefunction (cgilua.session.close)

Sometimes you need to configure a private libraries directory for each application hosted in the server. This configuration allows the function require to find packages installed in the private directory and in the system directory but not in other application's private directory. To implement this you could do:

local app_lib_dir = {
	["/virtual/path/"] = "/absolute/path/lib/",
local package = package
cgilua.addopenfunction (function ()
	local app = app_lib_dir[cgilua.script_vdir]
	if app then
		package.path = app..'/?.lua'..';'..package.path

Lua Scripts

Lua Scripts are text files containing valid Lua code. This style of usage adopts a more "raw" form of web programming, where a program is responsible for the entire generation of the resulting page. Lua Scripts have a default .lua extension.

To generate a valid web document (HTML, XML, WML, CSS etc) the Lua Script must follow the expected HTTP order to produce its output, first sending the correct headers and then sending the actual document contents.

CGILua offers some functions to ease these tasks, such as cgilua.htmlheader to produce the header for a HTML document and cgilua.put to send the document contents (or part of it).

For example, a HTML document which displays the sentence "Hello World!" can be generated with the following Lua Script:

  <title>Hello World</title>
  <strong>Hello World!</strong>

It should be noted that the above example generates a "fixed" page: even though the page is generated at execution time there is no "variable" information. That means that the very same document could be generated directly with a simple static HTML file. However, Lua Scripts become especially useful when the document contains information which is not known beforehand or changes according to passed parameters, and it is necessary to generate a "dynamic" page.

Another easy example can be shown, this time using a Lua control structure, variables, and the concatenation operator:


if cgilua.QUERY.language == 'english' then
  greeting = 'Hello World!'
elseif cgilua.QUERY.language == 'portuguese' then
  greeting = 'Olá Mundo!'
  greeting = '[unknown language]'

cgilua.put('  <title>'..greeting..'</title>')
cgilua.put('  <strong>'..greeting..'</strong>')

In the above example the use of cgilua.QUERY.language indicates that language was passed to the Lua Script as a CGILua parameter, coming from the URL used to activate it (via GET). If you were using a form, the parameter would be available in cgilua.POST.language. CGILua automatically decodes such QUERY and POST parameters so you can use them at will on your Lua Scripts and Lua Pages.

Lua Pages

A Lua Page is a text template file which will be processed by CGILua before the HTTP server sends it to the client. CGILua does not process the text itself but look for some special markups that include Lua code into the file. After all those markups are processed and merged with the template file, the results are sent to the client.

Lua Pages have a default .lp extension. They are a simpler way to make a dynamic page because there is no need to send the HTTP headers. Usually Lua Pages are HTML pages so CGILua sends the HTML header automatically.

Since there are some restrictions on the uses of HTTP headers sometimes a Lua Script will have to be used instead of a Lua Page.

The fundamental Lua Page markups are:

<?lua chunk ?>
Processes and merges the Lua chunk execution results where the markup is located in the template. The alternative form <% chunk %> can also be used.
<?lua= expression ?>
Processes and merges the Lua expression evaluation where the markup is located in the template. The alternative form <%= expression %> can also be used.

Note that the ending mark could not appear inside a Lua chunk or Lua expression even inside quotes. The Lua Pages pre-processor just makes global substitutions on the template, searching for a matching pair of markups and generating the corresponding Lua code to achieve the same result as the equivalent Lua Script.

The second example on the previous section could be written using a Lua Page like:

if cgilua.QUERY.language == 'english' then
  greeting = 'Hello World!'
elseif cgilua.QUERY.language == 'portuguese' then
  greeting = 'Olá Mundo!'
  greeting = '[unknown language]'
  <title><%= greeting %></title>
  <strong><%= greeting %></strong>

HTML tags and Lua Page tags can be freely intermixed. However, as on other template languages, it's considered a best practice to not use explicit Lua logic on templates. The recommended aproach is to use only function calls that returns content chunks, so in this example, assuming that function getGreeting was definied in file functions.lua as follows:

function getGreeting()
  local greeting
  if cgilua.QUERY.language == 'english' then
    greeting = 'Hello World!'
  elseif cgilua.QUERY.language == 'portuguese' then
    greeting = 'Olá Mundo!'
    greeting = '[unknown language]'
  return greeting

the Lua Page could be rewriten as:

assert (loadfile"functions.lua")()
  <title><%= getGreeting() %></title>
  <strong><%= getGreeting() %></strong>

Another interesting feature of Lua Pages is the intermixing of Lua and HTML. It is very usual to have a list of values in a table, iterate over the list and show the items on the page.

A Lua Script could do that using a loop like:

for i, item in ipairs(list) do

The equivalent loop in Lua Page would be:

    <% for i, item in ipairs(list) do %>
    <li><%= item %></li>
    <% end %>

Receiving parameters: the QUERY and POST tables

CGILua offers both types of request parameters (QUERY strings and POST data) in the cgilua.QUERY and cgilua.POST tables.

Usually all types of parameters will be available as strings. If the value of a parameter is a number, it will be converted to its string representation.

There are only two exceptions where the value will be a Lua table. The first case occurs on file uploads, where the corresponding table will have the following fields:

the file name as given by the client.
the file size in bytes.
the temporary file handle. The file must be copied because CGILua will remove it after the script ends.

The other case that uses Lua tables occurs when there is more than one value associated with the same parameter name. This happens in the case of a selection list with multiple values; but it also occurs when the form (of the referrer) had two or more elements with the same name attribute (maybe because one was on a form and another was in the query string). All values will be inserted in an indexed table in the order in which they are handled.


If you want to use more sophisticated URLs, the Kepler distribution includes a dispatching script called app.lua that can be used to handle URLs in the format .../app.lua/app_name/path_info in a standard way. URLs in this format are said to refer to CGILua spplications, which consists in a standard loading sequence for web applications using CGILua and app.lua as their dispatcher:

  • there is an app_name as the start of path_info
  • there is an init.lua file in CGILUA_APPS/app_name
  • changes the current directory to CGILUA_APPS/app_name
  • sets cgilua.app_name to app_name
  • adds CGILUA_APPS/app_name/lua to the start of package.path
  • executes init.lua

CGILua applications usually need to dispatch their actions using the remaining path_info and for that they can use cgilua.dispatcher as a helper library. The example below uses it to dispatch URLs that follow a convention similar to Rails. Let's assume that this is a init.lua file in the CGILUA_APPS/blog directory:

return cgilua.dispatcher.route{"/$controller/$action/$ID", handle, "rails"}

In this example URLs like .../app.lua/blog/post/edit/2 would result in the function handle being called as

handle({controller="post", action="edit", ID="2"})

the handle function would then decide how to proceed depending on the parameters received and generate the corresponding response using CGILua functions or a template engine like Lua Pages or Cosmo.

Note that this example does not include error handling for invalid URLs or default values.


CGILua offers a simple but useful authentication mechanism that can be shared by different CGILua applications or even applications developed in other platforms. The authentication mechanism is based on HTTP redirections and assumes three different participants.

The first one is the controller script, which is responsible for centralizing the user authentication control and deciding if the application should continue depending on a user being logged in or not. An example of such controller would be the app.lua dispatcher script distributed with Kepler. As most of the controllers would do, it checks for the presence of an authenticated user and redirects to the checking script when that fails:

-- checks for authenticated users
if not cgilua.authentication.username() then
    -- continues with the application flow

If your application is not handled by a single script like one using app.lua then you would need to repeat this check in every script that requires authenticated users.

The second participant in the authentication mechanism is the checking script. This script should ask for user credentials, check them using the adequate method and redirect back to the original URL if the user was succesfully authenticated.

One simple example of such a checking script is the one found in /examples/check.lua in CGILua CVS, but usually a checking script implemented in CGILua would do the following:

-- Checking script example
-- Assumes that the login form will use two fields called username and pass

local username = cgilua.POST.username
local pass = cgilua.POST.pass
local logged, err, logoutURL

if cgilua.authentication then
    logged, err = cgilua.authentication.check(username, pass)
    username = cgilua.authentication.username() or ""
    logoutURL = cgilua.authentication.logoutURL()
    logged = false
    err = "No authentication configured!"
    username = ""

if logged and username then
    -- goes back to the application
    err = err or ""
    -- displays the login form which submits to this same script
	cgilua.lp.include ("login.lp", {
        logged = logged, errorMsg = err, username = username,
        cgilua = cgilua, logoutURL = logoutURL})

The login form for this example can be fount at /examples/login.lp in CGILua CVS and consists of:

<% if logged then %>
<p>User <%= username %> logged in</p>
<a href="<%= logoutURL %>">Logout</a>
<% else %>
<p style="color:#ff0000"><%= errorMsg %> </p>
<form method="post" action="" >
    User name: <input name="username" maxlength="20" size="20" value="<%= username %>" ><br />
    Password: <input name="pass" type="password" maxlength="20" size="20"><br />
    <input type="submit" value="Login">
    <input type="reset" value="Reset">
<% end %>

Finally the third participant in the authentication process is the configuration file. This file is used to set the authentication method and other details. Each method has it's set of parameters and defines a check callback used by CGILua during the authentication process. See /examples/authentication_conf.lua for configuration examples using database, LDAP and Web server authentication methods.

Error Handling

There are three functions for error handling in CGILua:

The function cgilua.seterrorhandler defines the error handler, a function called by Lua when an error has just occurred. The error handler has access to the execution stack before the error is thrown so it can build an error message using stack information. Lua also provides a function to do that: debug.traceback.

The function cgilua.seterroroutput defines the function that decides what to do with the error message. It could be sent to the client's browser, written to a log file or sent to an e-mail address (with the help of LuaSocket or LuaLogging for example).

The function cgilua.errorlog is provided to write directly to the http server error log file.

An useful example of its use could be handling unexpected errors. Customizing unexpected error messages to the end user but giving all the information to the application's developers is the goal of the following piece of code:

local ip = cgilua.servervariable"REMOTE_ADDR"
local developers_machines = {
	[""] = true,
	[""] = true,
	[""] = true,
local function mail (s)
	-- Build the message
	local msg = {}
	table.insert (msg, tostring(s))
	-- Tries to obtain the REFERER URL
	table.insert (msg, tostring (cgilua.servervariable"HTTP_REFERER"))
	table.insert (msg, cgilua.servervariable"SERVER_NAME"..
	-- CGI parameters
	table.insert (msg, "CGI")
	cgilua.serialize(cgi, function (s) table.insert (msg, s) end)
	table.insert (msg, tostring (
	table.insert (msg, tostring (ip))
	table.insert (msg, "Cookies:")
	table.insert (msg, tostring (cgilua.servervariable"HTTP_COOKIE" or "no cookies"))
	-- Formats message according to LuaSocket-2.0b3
	local source = socket.smtp.message {
		headers = { subject = "Script Error", },
		body = table.concat (msg, '\n'),
	-- Sends the message
	local r, e = socket.smtp.send {
		from = "",
		rcpt = "",
		source = source,
if developers_machines[ip] then
	-- Developer's error treatment: write to the display
	cgilua.seterroroutput (function (msg)
		cgilua.errorlog (msg)
		cgilua.errorlog (cgilua.servervariable"REMOTE_ADDR")
		cgilua.errorlog (
		cgilua.htmlheader ()
		msg = string.gsub (string.gsub (msg, "\n", "<br>\n"), "\t", "  ")
		cgilua.put (msg)
	-- User's error treatment: shows a standard page and sends an e-mail to
	-- the developer
	cgilua.seterroroutput (function (s)
		cgilua.htmlheader ()
		cgilua.put"<h1>An error occurred</h1>\n"
		cgilua.put"The responsible is being informed."
		mail (s)

The message is written to the browser if the request comes from one of the developer's machines. If it is not the case, a simple polite message is given to the user and a message is sent to the developer's e-mail account containing all possible information to help reproduce the situation.

Valid XHTML 1.0!

$Id: manual.html,v 1.27 2008/05/19 18:13:36 carregal Exp $