diff --git a/.gitignore b/.gitignore
index 25a2816b..527f3261 100644
--- a/.gitignore
+++ b/.gitignore
@@ -367,3 +367,4 @@ FodyWeavers.xsd
 /zefie_wtvp_minisrv/UserServiceVault/*-*/
 /zefie_wtvp_minisrv/ServiceLogPost/*.log
 /zefie_wtvp_minisrv/SessionStore/*.json
+/zefie_wtvp_minisrv/SessionStore/*/
diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-1800/preregister.js b/zefie_wtvp_minisrv/ServiceVault/wtv-1800/preregister.js
index 1c063b1e..8548ff59 100644
--- a/zefie_wtvp_minisrv/ServiceVault/wtv-1800/preregister.js
+++ b/zefie_wtvp_minisrv/ServiceVault/wtv-1800/preregister.js
@@ -2,7 +2,7 @@
 
 	if (socket.ssid) {
 		if (ssid_sessions[socket.ssid].loadSessionData() == true) {
-			console.log(" * Loaded session data from disk for", filterSSID(socket.ssid))
+			console.log(" * Loaded session data from disk for", wtvshared.filterSSID(socket.ssid))
 			ssid_sessions[socket.ssid].setSessionData("registered", (ssid_sessions[socket.ssid].getSessionData("registered") == true) ? true : false);
 		} else {
 			ssid_sessions[socket.ssid].session_data = {};
@@ -20,11 +20,11 @@
 						}
 					}
 				});
-				if (i > 0 && zdebug) console.log(" # Closed", i, "previous sockets for", filterSSID(socket.ssid));
+				if (i > 0 && zdebug) console.log(" # Closed", i, "previous sockets for", wtvshared.filterSSID(socket.ssid));
 			}
 		}
 		if (ssid_sessions[socket.ssid].data_store.wtvsec_login) {
-			if (zdebug) console.log(" # Recreating primary WTVSec login instance for", filterSSID(socket.ssid));
+			if (zdebug) console.log(" # Recreating primary WTVSec login instance for", wtvshared.filterSSID(socket.ssid));
 			delete ssid_sessions[socket.ssid].data_store.wtvsec_login;
 		}
 
diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-disk/sync.js b/zefie_wtvp_minisrv/ServiceVault/wtv-disk/sync.js
index 7e39e784..7352e28f 100644
--- a/zefie_wtvp_minisrv/ServiceVault/wtv-disk/sync.js
+++ b/zefie_wtvp_minisrv/ServiceVault/wtv-disk/sync.js
@@ -1,10 +1,8 @@
-// todo: async
+const WTVDownloadList = require("./WTVDownloadList.js");
+var wtvdl = new WTVDownloadList(minisrv_config, service_name);
 
 var force_update = (request_headers.query.force == "true") ? true : false;
 if (request_headers['wtv-request-type'] == 'download') {
-    const WTVDownloadList = require("./WTVDownloadList.js");
-    var wtvdl = new WTVDownloadList();
-
     var content_dir = "content/"
     var diskmap_dir = content_dir + "diskmaps/";
 
@@ -272,58 +270,6 @@ if (request_headers['wtv-request-type'] == 'download') {
 } else if (request_headers.query.group && request_headers.query.diskmap) {
     var message = request_headers.query.message || "Retrieving files...";
     var main_message = request_headers.query.main_message || "Your receiver is downloading files.";
-    headers = `200 OK
-Content-Type: text/html`;
-
-    data = `
-<html>
-<head>
-        <meta
-                http-equiv=refresh
-                    content="0;url=client:Fetch?group=${escape(request_headers.query.group)}&source=${service_name}:/sync%3Fdiskmap%3D${escape(escape(request_headers.query.diskmap))}%26force%3D${force_update}&message=${escape(message)}"
-        >
-        <display downloadsuccess="client:ShowAlert?message=Download%20successful%21&buttonlabel1=Okay&buttonaction1=client:goback&image=${minisrv_config.config.service_logo}&noback=true" downloadfail="client:ShowAlert?message=Download%20failed...&buttonlabel1=Okay...&buttonaction1=client:goback&image=${minisrv_config.config.service_logo}&noback=true">
-        <title>Retrieving files...</title>
-</head>
-<body bgcolor=#0 text=#42CC55 fontsize=large hspace=0 vspace=0>
-<table cellspacing=0 cellpadding=0>
-        <tr>
-                <td width=104 height=74 valign=middle align=center bgcolor=3B3A4D>
-                        <img src="${minisrv_config.config.service_logo}" width=86 height=64>
-                <td width=20 valign=top align=left bgcolor=3B3A4D>
-                        <spacer>
-                <td colspan=2 width=436 valign=middle align=left bgcolor=3B3A4D>
-                        <font color=D6DFD0 size=+2><blackface><shadow>
-                                <spacer type=block width=1 height=4>
-                                <br>
-                                        ${message}
-                                </shadow>
-                                </blackface>
-                        </font>
-        <tr>
-                <td width=104 height=20>
-                <td width=20>
-                <td width=416>
-                <td width=20>
-        <tr>
-                <td colspan=2>
-                <td>
-                        <font size=+1>
-                               ${main_message}
-                                <p>This may take a while.
-                        </font>
-        <tr>
-                <td colspan=2>
-                <td>
-                        <br><br>
-                        <font color=white>
-                        <progressindicator name="downloadprogress"
-                           message="Preparing..."
-                           height=40 width=250>
-                        </font>
-</table>
-</body>
-</html>
-`;
-
+    headers = "200 OK\nContent-Type: text/html";
+    data = wtvdl.getSyncPage(message, request_headers.query.group, request_headers.query.diskmap, main_message, message, force_update)
 }
\ No newline at end of file
diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-disk/uptest.js b/zefie_wtvp_minisrv/ServiceVault/wtv-disk/uptest.js
new file mode 100644
index 00000000..b015f7a8
--- /dev/null
+++ b/zefie_wtvp_minisrv/ServiceVault/wtv-disk/uptest.js
@@ -0,0 +1,57 @@
+const WTVDownloadList = require("./WTVDownloadList.js");
+var wtvdl = new WTVDownloadList(minisrv_config);
+if (request_headers['wtv-request-type'] == 'download') {
+    console.log(request_headers.post_data.toString(CryptoJS.enc.Latin1));
+    wtvdl.reset();
+    var froot = "file://disk/Demo/";
+    var fget = [
+        "attract.mpg",
+        "can-you-hear.mpg",
+        "explore.mpg",
+        "hear.html",
+        "index.html",
+        "menu1.html",
+        "menu2.html",
+        "menu3.html",
+        "menu4.html",
+        "service.html",
+        "splash-mits.mpg",
+        "splash-phil.mpg",
+        "splash-sony.mpg",
+        "splash1.html",
+        "splash2.html",
+        "splash3.html",
+        "what-is-it.html",
+        "what-is-it.mpg",
+        "what-others.html",
+        "what-others.mpg",
+        "whats-in-it.html",
+        "whats-in-it.mpg",
+        "whats-in-it.mpg.old"
+    ];
+
+    Object.keys(fget).forEach(function (k) {
+        wtvdl.putUserStore(froot + fget[k]);
+    });
+    headers = "200 OK\nContent-type: " + wtvdl.content_type;
+    data = wtvdl.getDownloadList();
+    console.log(data);
+} else {
+    headers = "200 OK\nContent-type: text/html";
+    var success_url = new clientShowAlert({
+        'image': minisrv_config.config.service_logo,
+        'message': "Upload successful!",
+        'buttonlabel1': "Okay",
+        'buttonaction1': "client:goback",
+        'noback': true,
+    }).getURL();
+
+    var fail_url = new clientShowAlert({
+        'image': minisrv_config.config.service_logo,
+        'message': "Upload failed...",
+        'buttonlabel1': "Okay...",
+        'buttonaction1': "client:goback",
+        'noback': true,
+    }).getURL();
+    data = wtvdl.getSyncPage("Testing", "UploadTest", null, "Your receiver is uploading files.", "Sending files", null, success_url, fail_url, "wtv-disk:/uptest");
+}
\ No newline at end of file
diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-disk/userbrowser.js b/zefie_wtvp_minisrv/ServiceVault/wtv-disk/userbrowser.js
new file mode 100644
index 00000000..72804117
--- /dev/null
+++ b/zefie_wtvp_minisrv/ServiceVault/wtv-disk/userbrowser.js
@@ -0,0 +1,23 @@
+// todo some fancy ass file manager or something
+
+
+if (socket.ssid) {
+    if (ssid_sessions[socket.ssid]) {
+        if (ssid_sessions[socket.ssid].isRegistered()) {
+            data = ssid_sessions[socket.ssid].getUserStoreFileByURL("file://Disk/Demo/allyouneed.html");
+            //data = ssid_sessions[socket.ssid].getUserStoreFile("Disk/Demo/allyouneed.html");
+            var contype = ssid_sessions[socket.ssid].getUserStoreContentType("file://Disk/Demo/allyouneed.html");
+
+            if (data) {
+                headers = "200 OK\n";
+                headers += "Content-Type: " + contype;
+            }
+        }
+    }
+}
+
+if (!headers) {
+    var errpage = doErrorPage(400)
+    headers = errpage[0];
+    data = errpage[1];
+}
\ No newline at end of file
diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-disk/userstore.js b/zefie_wtvp_minisrv/ServiceVault/wtv-disk/userstore.js
new file mode 100644
index 00000000..2ca7c442
--- /dev/null
+++ b/zefie_wtvp_minisrv/ServiceVault/wtv-disk/userstore.js
@@ -0,0 +1,21 @@
+if (request_headers.post_data) {
+    if (request_headers.query.partialPath) {
+        if (socket.ssid) {
+            if (ssid_sessions[socket.ssid]) {
+                if (ssid_sessions[socket.ssid].isRegistered()) {
+                    var result = ssid_sessions[socket.ssid].storeUserStoreFile(request_headers.query.partialPath, new Buffer.from(request_headers.post_data.toString(CryptoJS.enc.Hex), 'hex'), request_headers.query['last-modified-seconds'] || null, (request_headers.query.no_overwrite) ? false : true);
+                    if (result) {
+                        headers = "200 OK\n";
+                        headers += "Content-Type: text/plain";
+                    } 
+                }
+            }
+        }
+    }
+}
+
+if (!headers) {
+    var errpage = doErrorPage(400)
+    headers = errpage[0];
+    data = errpage[1];
+}
\ No newline at end of file
diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/login-stage-two.js b/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/login-stage-two.js
index aaff9e62..40281814 100644
--- a/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/login-stage-two.js
+++ b/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/login-stage-two.js
@@ -16,11 +16,11 @@ if (socket.ssid !== null) {
 		var client_challenge_response = request_headers["wtv-challenge-response"] || null;
 		if (challenge_response && client_challenge_response) {
 			if (challenge_response.toString(CryptoJS.enc.Base64) == client_challenge_response) {
-				console.log(" * wtv-challenge-response success for " + filterSSID(socket.ssid));
+				console.log(" * wtv-challenge-response success for " + wtvshared.filterSSID(socket.ssid));
 				wtvsec_login.PrepareTicket();
 
 			} else {
-				console.log(" * wtv-challenge-response FAILED for " + filterSSID(socket.ssid));
+				console.log(" * wtv-challenge-response FAILED for " + wtvshared.filterSSID(socket.ssid));
 				if (zdebug) console.log("Response Expected:", challenge_response.toString(CryptoJS.enc.Base64));
 				if (zdebug) console.log("Response Received:", client_challenge_response)
 				gourl = "wtv-head-waiter:/login?reissue_challenge=true";
diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-home/home.js b/zefie_wtvp_minisrv/ServiceVault/wtv-home/home.js
index 9d4473fb..6b804319 100644
--- a/zefie_wtvp_minisrv/ServiceVault/wtv-home/home.js
+++ b/zefie_wtvp_minisrv/ServiceVault/wtv-home/home.js
@@ -5,14 +5,9 @@ wtv-expire-all: wtv-flashrom:
 Content-type: text/html`
 
 if (request_headers.query.url) headers += "\nwtv-visit: " + request_headers.query.url;
+var cryptstatus = ((socket_sessions[socket.id].secure === true) ? "Encrypted" : "Not Encrypted")
 
-if (ssid_sessions[socket.ssid].get('box-does-psuedo-encryption')) {
-	var cryptstatus = "<a href='client:showalert?message=Your%20WebTV%20Unit%20sent%20us%20a%20request%20for%20SECURE%20ON%2C%20but%20did%20not%20encrypt%20any%20data%2C%20nor%20will%20accept%20it.%20However%2C%20we%20send%20the%20wtv-encryption%20flag%20to%20roll%20with%20it%2C%20enabling%20%27psuedo-encryption%27.%20Nothing%20is%20encrypted%2C%20but%20the%20box%20trusts%20us.%20This%20will%20probably%20go%20away%20if%20you%20reload%20or%20change%20pages.&buttonaction1=client:donothing&buttonlabel1=Oh%2C%20okay...'>Psuedo-encrypted</a>";
-} else {
-	var cryptstatus = ((socket_sessions[socket.id].secure === true) ? "Encrypted" : "Not Encrypted")
-}
-
-var comp_type = shouldWeCompress(socket.ssid,'text/html');
+var comp_type = wtvmime.shouldWeCompress(ssid_sessions[socket.ssid],'text/html');
 var compstatus = "uncompressed";
 switch (comp_type) {
 	case 1:
diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-log/log.js b/zefie_wtvp_minisrv/ServiceVault/wtv-log/log.js
index 47fa7299..84c43d47 100644
--- a/zefie_wtvp_minisrv/ServiceVault/wtv-log/log.js
+++ b/zefie_wtvp_minisrv/ServiceVault/wtv-log/log.js
@@ -22,7 +22,7 @@ Content-length: 0`;
     logdata_outstring_hex += request_headers.post_data.toString(CryptoJS.enc.Hex);
     if (minisrv_config.services[service_name].write_logs_to_disk) {
         fs.writeFile(fullpath, logdata_outstring_hex, "Hex", function () {
-            if (!zquiet) console.log(" * Wrote POST log data from", filterSSID(socket.ssid), "for", socket.id);
+            if (!zquiet) console.log(" * Wrote POST log data from", wtvshared.filterSSID(socket.ssid), "for", socket.id);
             sendToClient(socket, headers, data);
         });
     } else {
@@ -41,7 +41,7 @@ Content-length: 0`;
     var logdata_outstring_hex = Buffer.from(logdata_outstring, 'utf8').toString('hex');
     if (minisrv_config.services[service_name].write_logs_to_disk) {
         fs.writeFile(fullpath, logdata_outstring_hex, "Hex", function () {
-            if (!zquiet) console.log(" * Wrote GET log data from", filterSSID(socket.ssid), "for", socket.id);
+            if (!zquiet) console.log(" * Wrote GET log data from", wtvshared.filterSSID(socket.ssid), "for", socket.id);
             sendToClient(socket, headers, data);
         });
     } else {
diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/info.js b/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/info.js
index 06550461..bc3d6111 100644
--- a/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/info.js
+++ b/zefie_wtvp_minisrv/ServiceVault/wtv-tricks/info.js
@@ -18,7 +18,7 @@ Content-Type: text/html`
 
 	var wtv_system_version = ssid_sessions[socket.ssid].get("wtv-system-version");
 	var wtv_client_bootrom_version = ssid_sessions[socket.ssid].get("wtv-client-bootrom-version");
-	var wtv_client_serial_number = filterSSID(ssid_sessions[socket.ssid].get("wtv-client-serial-number"));
+	var wtv_client_serial_number = wtvshared.filterSSID(ssid_sessions[socket.ssid].get("wtv-client-serial-number"));
 	var wtv_client_rom_type = ssid_sessions[socket.ssid].get("wtv-client-rom-type");
 	var wtv_system_chipversion_str = ssid_sessions[socket.ssid].get("wtv-system-chipversion");
 	var wtv_system_sysconfig_hex = parseInt(ssid_sessions[socket.ssid].get("wtv-system-sysconfig")).toString(16);
diff --git a/zefie_wtvp_minisrv/WTVClientSessionData.js b/zefie_wtvp_minisrv/WTVClientSessionData.js
index d8bd9e70..48adda55 100644
--- a/zefie_wtvp_minisrv/WTVClientSessionData.js
+++ b/zefie_wtvp_minisrv/WTVClientSessionData.js
@@ -4,55 +4,118 @@ class WTVClientSessionData {
 
     fs = require('fs');
     path = require('path');
+
     ssid = null;
     data_store = null;
     session_store = null;
     login_security = null;
     capabilities = null;
     session_storage = "";
-    hide_ssid_in_logs = true;
+    minisrv_config = [];
+    wtvshared = null;
+    wtvmime = null;
 
-    filterSSID(obj) {
-        if (this.hide_ssid_in_logs === true) {
-            if (typeof (obj) == "string") {
-                if (obj.substr(0, 8) == "MSTVSIMU") {
-                    return obj.substr(0, 10) + ('*').repeat(10) + obj.substr(20);
-                } else if (obj.substr(0, 5) == "1SEGA") {
-                    return obj.substr(0, 6) + ('*').repeat(6) + obj.substr(13);
-                } else {
-                    return obj.substr(0, 6) + ('*').repeat(9);
-                }
-            } else {
-                if (obj["wtv-client-serial-number"]) {
-                    var ssid = obj["wtv-client-serial-number"];
-                    if (ssid.substr(0, 8) == "MSTVSIMU") {
-                        obj["wtv-client-serial-number"] = ssid.substr(0, 10) + ('*').repeat(10) + ssid.substr(20);
-                    } else if (ssid.substr(0, 5) == "1SEGA") {
-                        obj["wtv-client-serial-number"] = ssid.substr(0, 6) + ('*').repeat(6) + ssid.substr(13);
-                    } else {
-                        obj["wtv-client-serial-number"] = ssid.substr(0, 6) + ('*').repeat(9);
-                    }
-                }
-                return obj;
-            }
-        } else {
-            return obj;
-        }
-    }
+    constructor(minisrv_config, ssid) {
+        if (!minisrv_config) throw ("minisrv_config required");
+        var WTVShared = require('./WTVShared.js')['WTVShared'];
+        var WTVMime = require('./WTVMime.js');
+        this.minisrv_config = minisrv_config;
+        this.wtvshared = new WTVShared(minisrv_config);
+        this.wtvmime = new WTVMime(minisrv_config);
 
-    constructor(ssid, hide_ssid_in_logs, session_storage_directory) {
         this.ssid = ssid;
-        if (hide_ssid_in_logs) this.hide_ssid_in_logs = hide_ssid_in_logs;
-        if (!session_storage_directory) session_storage_directory = __dirname + "/SessionStore";
-        this.session_storage = session_storage_directory;
         this.data_store = new Array();
         this.session_store = {};
     }
 
+    /**
+     * Returns the absolute path to the user's file store, or false if unregistered
+     * @returns {string|boolean} Absolute path to the user's file store, or false if unregistered
+     */
+    getUserStoreDirectory() {
+        if (!this.isRegistered()) return false;
+        return this.minisrv_config.config.SessionStore + this.path.sep + this.ssid + this.path.sep;
+    }
+
+    /**
+     * Store a file in the user's file store
+     * @param {string} path Relative path to User's file store
+     * @param {Buffer} data File data
+     * @param {number|null} last_modified Unix timestamp to set last modified date to
+     * @param {boolean} overwrite Overwrite if file exists
+     * @returns {boolean} Whether or not the file was written
+     */
+    storeUserStoreFile(path, data, last_modified = null, overwrite = true) {
+        var store_dir = this.getUserStoreDirectory();
+        if (!store_dir) return false; // unregistered
+        var result = false;        
+        var path_split = path.split('/');
+        var file_name = path_split.pop();
+        var store_dir_path = this.wtvshared.makeSafePath(store_dir, path_split.join('/').replace('/', this.path.sep));
+        var store_full_path = this.wtvshared.makeSafePath(store_dir_path, file_name);
+
+        try {
+            if (!this.fs.existsSync(store_dir_path)) this.fs.mkdirSync(store_dir_path, { recursive: true });
+            var file_exists = this.fs.existsSync(store_full_path);
+            if (!file_exists || (file_exists && overwrite)) result = this.fs.writeFileSync(store_full_path, data);
+            if (result !== false && last_modified) {
+                var file_timestamp = new Date(last_modified * 1000);
+                fs.utimesSync(store_full_path, Date.now(), file_timestamp)
+            }
+        } catch (e) {
+            console.error(" # User File Store failed", e);
+        }
+        return (result === false) ? false : true;
+    }
+
+    /**
+     * Retrieves a file from the user store
+     * @param {string} path Path relative to the User File Store
+     * @returns {Buffer|false} Buffer data, or false if could not open file
+     */
+    getUserStoreFile(path) {
+        var store_dir = this.getUserStoreDirectory();
+        if (!store_dir) return false; // unregistered
+        var store_dir_path = this.wtvshared.makeSafePath(store_dir, path.replace('/', this.path.sep));
+        if (this.fs.existsSync(store_dir_path)) return this.fs.readFileSync(store_dir_path);
+        else return false;
+    }
+
+    /**
+     * Retrieves a file from the user store with a file://Disk/ url
+     * @param {string} url file://Disk/ base url
+     * @returns {Buffer|false} Buffer data, or false if could not open file
+     */
+    getUserStoreFileByURL(url) {
+        var path_split = url.split('/');
+        path_split.shift();
+        path_split.shift();
+        var store_dir_path = path_split.join('/').replace('/', this.path.sep);
+        return this.getUserStoreFile(store_dir_path);
+    }
+
+    /**
+    * Retrieves the Content-Type of a User Store File
+    * @param {string} path Path relative to the User File Store
+    * @returns {string|false} Content-Type, or false if could not open file
+    */
+    getUserStoreContentType(path) {
+        return this.wtvmime.getSimpleContentType(path);
+    }
+
+    /**
+     * Returns a RFC7231 compliant UTC Date String from the current time
+     * @param {Number} offset Offset from current time (+/-)
+     * @returns {string} A RFC7231 compliant UTC Date String from the current time
+     */
     getUTCTime(offset = 0) {
         return new Date((new Date).getTime() + offset).toUTCString();
     }
 
+    /**
+     * Returns the number of user cookies
+     * @returns {number} Number of cookies
+     */
     countCookies() {
         return Object.keys(this.session_store.cookies).length || 0;
     }
@@ -174,8 +237,8 @@ class WTVClientSessionData {
 
     loadSessionData(raw_data = false) {
         try {
-            if (this.fs.lstatSync(this.session_storage + this.path.sep + this.ssid + ".json")) {
-                var json_data = this.fs.readFileSync(this.session_storage + this.path.sep + this.ssid + ".json", 'Utf8')
+            if (this.fs.lstatSync(this.minisrv_config.config.SessionStore + this.path.sep + this.ssid + ".json")) {
+                var json_data = this.fs.readFileSync(this.minisrv_config.config.SessionStore + this.path.sep + this.ssid + ".json", 'Utf8')
                 if (raw_data) return json_data;
 
                 var session_data = JSON.parse(json_data);
@@ -184,7 +247,7 @@ class WTVClientSessionData {
             }
         } catch (e) {
             // Don't log error 'file not found', it just means the client isn't registered yet
-            if (e.code != "ENOENT") console.error(" # Error loading session data for", this.filterSSID(this.ssid), e);
+            if (e.code != "ENOENT") console.error(" # Error loading session data for", this.wtvshared.filterSSID(this.ssid), e);
             return false;
         }
     }
@@ -206,10 +269,10 @@ class WTVClientSessionData {
             // only save if file has changed
             var json_save_data = JSON.stringify(this.session_store);
             var json_load_data = this.loadSessionData(true);
-            if (json_save_data != json_load_data) this.fs.writeFileSync(this.session_storage + this.path.sep + this.ssid + ".json", JSON.stringify(this.session_store), "Utf8");
+            if (json_save_data != json_load_data) this.fs.writeFileSync(this.minisrv_config.config.SessionStore + this.path.sep + this.ssid + ".json", JSON.stringify(this.session_store), "Utf8");
             return true;
         } catch (e) {            
-            console.error(" # Error saving session data for", this.filterSSID(this.ssid), e);
+            console.error(" # Error saving session data for", this.wtvshared.filterSSID(this.ssid), e);
             return false;
         }
     }
@@ -232,7 +295,7 @@ class WTVClientSessionData {
     isRegistered() {
         var self = this;
         var ssid_match = false;
-        this.fs.readdirSync(this.session_storage).forEach(file => {
+        this.fs.readdirSync(this.minisrv_config.config.SessionStore).forEach(file => {
             if (!file.match(/.*\.json/ig)) return;
             if (ssid_match) return;
             if (file.split('.')[0] == self.ssid) ssid_match = true;
@@ -242,14 +305,14 @@ class WTVClientSessionData {
 
     unregisterBox() {
         try {
-            if (this.fs.lstatSync(this.session_storage + this.path.sep + this.ssid + ".json")) {
-                this.fs.unlinkSync(this.session_storage + this.path.sep + this.ssid + ".json");
+            if (this.fs.lstatSync(this.minisrv_config.config.SessionStore + this.path.sep + this.ssid + ".json")) {
+                this.fs.unlinkSync(this.minisrv_config.config.SessionStore + this.path.sep + this.ssid + ".json");
                 this.session_store = {};
                 return true;
             }
         } catch (e) {
             // Don't log error 'file not found', it just means the client isn't registered yet
-            console.error(" # Error deleting session data for", this.filterSSID(this.ssid), e);
+            console.error(" # Error deleting session data for", this.wtvshared.filterSSID(this.ssid), e);
             return false;
         }
     }
diff --git a/zefie_wtvp_minisrv/WTVDownloadList.js b/zefie_wtvp_minisrv/WTVDownloadList.js
index d685ca9d..5e3c60f1 100644
--- a/zefie_wtvp_minisrv/WTVDownloadList.js
+++ b/zefie_wtvp_minisrv/WTVDownloadList.js
@@ -3,10 +3,24 @@
  * By: zefie
  */
 class WTVDownloadList {
-    download_list = "";
-    content_type = "wtv/download-list";
 
-    constructor() {
+    download_list = "";
+    service_name = "";
+    content_type = "wtv/download-list";
+    wtvshared = null;
+    clientShowAlert = null;
+    minisrv_config = [];
+
+    /**
+     * Constructs the WTVDownloadList Class
+     * @param {string} service_name Service name to use in wtv-urls
+     */
+    constructor(minisrv_config, service_name = "wtv-disk") {
+        var { WTVShared, clientShowAlert } = require('./WTVShared.js');
+        this.minisrv_config = minisrv_config;
+        this.wtvshared = new WTVShared(minisrv_config);
+        this.clientShowAlert = clientShowAlert;
+        this.service_name = service_name
         this.clear();
     }
 
@@ -98,13 +112,31 @@ class WTVDownloadList {
      * Adds a PUT command to the download list
      * @param {string} path Absolute file://Disk/ path of a file to upload to the service
      * @param {string} destination Destination address (wtv url on service) in which to POST upload the file to
-     * @param {string} display Message to display while working on this file
      */
     put(path, destination) {
         this.download_list += "PUT " + path + "\n";
         this.download_list += "location: " + destination + "\n";
     }
 
+    /**
+    * Alias to put() for User Store
+    * @param {string} path Absolute file://Disk/ path of a file to upload to the service
+    * @param {string} destination Destination file path in the User Store
+    */
+    putUserStoreDest(path, destination) {
+        this.download_list += "PUT " + path + "\n";
+        this.download_list += "location: " + this.service_name + ":/userstore?partialPath="+escape(destination) + "\n";
+    }
+
+    /**
+     * Alias to putUserStoreDest() that generates the destination
+     * @param {any} path
+     */
+    putUserStore(path) {
+        var destination = path.replace("file://", "");
+        this.download_list += "PUT " + path + "\n";
+        this.download_list += "location: " + this.service_name + ":/userstore?partialPath=" + escape(destination) + "\n\n";
+    }
     /**
      * Adds a GET command to the download list
      * @param {string} file Non-absolute path of client destination file (relative to group base)
@@ -169,6 +201,99 @@ class WTVDownloadList {
         this.deleteGroup(group + "-UPDATE");
         this.delete(path + ".GROUP-UPDATE/");
     }
+
+   /**
+    * Generates the Download page
+    * @param {object} minisrv_config minisrv config object
+    * @param {string} title Page title
+    * @param {string} group
+    * @param {string|null} diskmap
+    * @param {string|null} main_message Message displayed in the center of the page
+    * @param {string|null} message Initial progress bar message
+    * @param {boolean|null} force_update Force this update even if the client reports the files are synced
+    * @param {string|null} success_url Where the client goes when the process succeeds
+    * @param {string|null} fail_url  Where the client goes when the process fails.
+    * @param {string|null} url Use your own URL for client:fetch?source= instead of our generated one
+    * @returns {string} HTML Download Page
+    */
+    getSyncPage(title, group, diskmap = null, main_message = null, message = null, force_update = null, success_url = null, fail_url = null, url = null) {
+        // Begin Set defaults
+        if (main_message === null) main_message = "Your receiver is downloading files.";
+
+        if (message === null) message = "Retrieving files";
+
+        if (force_update === null) force_update = false;
+
+        if (url === null) url = this.service_name + ":/sync?diskmap=" + escape(diskmap) + "&force=" + force_update;
+
+        if (success_url === null) success_url = new this.clientShowAlert({
+            'image': this.minisrv_config.config.service_logo,
+            'message': "Download successful!",
+            'buttonlabel1': "Okay",
+            'buttonaction1': "client:goback",
+            'noback': true,
+        }).getURL();
+
+        if (fail_url === null) fail_url = new this.clientShowAlert({
+            'image': this.minisrv_config.config.service_logo,
+            'message': "Download failed...",
+            'buttonlabel1': "Okay...",
+            'buttonaction1': "client:goback",
+            'noback': true,
+        }).getURL();
+        // End set defaults
+        return `<html>
+<head>
+        <meta
+                http-equiv=refresh
+                    content="0;url=client:Fetch?group=${escape(group)}&source=${escape(url)}&message=${escape(message)}"
+        >
+        <display downloadsuccess="${success_url}" downloadfail="${fail_url}">
+        <title>${title}</title>
+</head>
+<body bgcolor=#0 text=#42CC55 fontsize=large hspace=0 vspace=0>
+<table cellspacing=0 cellpadding=0>
+        <tr>
+                <td width=104 height=74 valign=middle align=center bgcolor=3B3A4D>
+                        <img src="${this.minisrv_config.config.service_logo}" width=86 height=64>
+                <td width=20 valign=top align=left bgcolor=3B3A4D>
+                        <spacer>
+                <td colspan=2 width=436 valign=middle align=left bgcolor=3B3A4D>
+                        <font color=D6DFD0 size=+2><blackface><shadow>
+                                <spacer type=block width=1 height=4>
+                                <br>
+                                        ${message}
+                                </shadow>
+                                </blackface>
+                        </font>
+        <tr>
+                <td width=104 height=20>
+                <td width=20>
+                <td width=416>
+                <td width=20>
+        <tr>
+                <td colspan=2>
+                <td>
+                        <font size=+1>
+                               ${main_message}
+                                <p>This may take a while.
+                        </font>
+        <tr>
+                <td colspan=2>
+                <td>
+                        <br><br>
+                        <font color=white>
+                        <progressindicator name="downloadprogress"
+                           message="Preparing..."
+                           height=40 width=250>
+                        </font>
+</table>
+</body>
+</html>
+
+`
+    }
+
 }
 
 module.exports = WTVDownloadList;
\ No newline at end of file
diff --git a/zefie_wtvp_minisrv/WTVMime.js b/zefie_wtvp_minisrv/WTVMime.js
new file mode 100644
index 00000000..ac9e1eaf
--- /dev/null
+++ b/zefie_wtvp_minisrv/WTVMime.js
@@ -0,0 +1,198 @@
+/**
+ * Simple class for WebTV Mime Types and overrides
+ */
+
+
+class WTVMime {
+
+    mime = require('mime-types');
+    wtvshared = null;
+    minisrv_config = [];
+
+
+    constructor(minisrv_config) {
+        var WTVShared = require('./WTVShared.js')['WTVShared'];
+        this.minisrv_config = minisrv_config;
+        this.wtvshared = new WTVShared(minisrv_config);
+        if (!String.prototype.reverse) {
+            String.prototype.reverse = function () {
+                var splitString = this.split("");
+                var reverseArray = splitString.reverse();
+                var joinArray = reverseArray.join("");
+                return joinArray;
+            }
+        }
+    }
+
+
+    shouldWeCompress(ssid_session, headers_obj) {
+        var compress_data = false;
+        var compression_type = 0; // no compression
+        if (ssid_session) {
+            if (ssid_session.capabilities) {
+                if (ssid_session.capabilities['client-can-receive-compressed-data']) {
+
+                    if (this.minisrv_config.config.enable_lzpf_compression || this.minisrv_config.config.force_compression_type) {
+                        compression_type = 1; // lzpf
+                    }
+
+                    if (ssid_session) {
+                        // if gzip is enabled...
+                        if (this.minisrv_config.config.enable_gzip_compression || this.minisrv_config.config.force_compression_type) {
+                            var is_bf0app = ssid_session.get("wtv-client-rom-type") == "bf0app";
+                            var is_minibrowser = (ssid_session.get("wtv-needs-upgrade") || ssid_session.get("wtv-used-8675309"));
+                            var is_softmodem = ssid_session.get("wtv-client-rom-type").match(/softmodem/);
+                            if (!is_bf0app && ((!is_softmodem && !is_minibrowser) || (is_softmodem && !is_minibrowser))) {
+                                // softmodem boxes do not appear to support gzip in the minibrowser
+                                // LC2 appears to support gzip even in the MiniBrowser
+                                // LC2 and newer approms appear to support gzip
+                                // bf0app does not appear to support gzip
+                                compression_type = 2; // gzip
+                            }
+                        }
+                    }
+
+
+
+                    // mostly for debugging
+                    if (this.minisrv_config.config.force_compression_type == "lzpf") compression_type = 1;
+                    if (this.minisrv_config.config.force_compression_type == "gzip") compression_type = 2;
+
+                    // do not compress if already encoded
+                    if (headers_obj["Content-Encoding"]) return 0;
+
+                    // should we bother to compress?
+                    var content_type = "";
+                    if (typeof (headers_obj) == 'string') content_type = headers_obj;
+                    else content_type = (typeof (headers_obj["wtv-modern-content-type"]) != 'undefined') ? headers_obj["wtv-modern-content-type"] : headers_obj["Content-Type"];
+
+                    if (content_type) {
+                        // both lzpf and gzip
+                        if (content_type.match(/^text\//) && content_type != "text/tellyscript") compress_data = true;
+                        else if (content_type.match(/^application\/(x-?)javascript$/)) compress_data = true;
+                        else if (content_type == "application/json") compress_data = true;
+                        if (compression_type == 2) {
+                            // gzip only
+                            if (content_type.match(/^audio\/(x-)?[s3m|mod|xm]$/)) compress_data = true; // s3m, mod, xm
+                            if (content_type.match(/^audio\/(x-)?[midi|wav|wave]$/)) compress_data = true; // midi & wav
+                            if (content_type.match(/^binary\/x-wtv-approm$/)) compress_data = true; // approms    
+                            if (content_type.match(/^binary\/doom-data$/)) compress_data = true; // DOOM WADs
+                        }
+                    }
+                }
+            }
+        }
+
+        // return compression_type if compress_data = true
+        return (compress_data) ? compression_type : 0;
+    }
+
+    /**
+     * Gets the WebTV Content-Type
+     * @param {string} path Path to a file
+     * @returns {string} Content-Type
+     */
+    getSimpleContentType(path) {
+        return this.getContentType(path)[0];
+    }
+
+    /**
+     * Gets both the WebTV Content-Type and the Modern Content-Type
+     * @param {string} path Path to a file
+     * @returns {Array} (WebTV Content-Type, Modern Content-Type)
+     */
+    getContentType(path) {
+        var file_ext = this.wtvshared.getFileExt(path).toLowerCase();
+        var wtv_mime_type = "";
+        var modern_mime_type = "";
+        // process WebTV overrides, fall back to generic mime lookup
+        switch (file_ext) {
+            case "aif":
+                wtv_mime_type = "audio/x-aif";
+                break;
+            case "aifc":
+                wtv_mime_type = "audio/x-aifc";
+                break;
+            case "aiff":
+                wtv_mime_type = "audio/x-aiff";
+                break;
+            case "ani":
+                wtv_mime_type = "x-wtv-animation";
+                break;
+            case "brom":
+                wtv_mime_type = "binary/x-wtv-bootrom";
+                break;
+            case "cdf":
+                wtv_mime_type = "application/netcdf";
+                break;
+            case "dat":
+                wtv_mime_type = "binary/cache-data";
+                break;
+            case "dl":
+                wtv_mime_type = "wtv/download-list";
+                break;
+            case "gsm":
+                wtv_mime_type = "audio/x-gsm";
+                break;
+            case "gz":
+                wtv_mime_type = "application/gzip";
+                break;
+            case "ini":
+                wtv_mime_type = "wtv/jack-configuration";
+                break;
+            case "mips-code":
+                wtv_mime_type = "code/x-wtv-code-mips";
+                break;
+            case "o":
+                wtv_mime_type = "binary/x-wtv-approm";
+                break;
+            case "ram":
+                wtv_mime_type = "audio/x-pn-realaudio";
+                break;
+            case "rom":
+                wtv_mime_type = "binary/x-wtv-flashblock";
+                break;
+            case "rsp":
+                wtv_mime_type = "wtv/jack-response";
+                break;
+            case "swa":
+            case "swf":
+                wtv_mime_type = "application/x-shockwave-flash";
+                break;
+            case "srf":
+            case "spl":
+                wtv_mime_type = "wtv/jack-data";
+                break;
+            case "ttf":
+                wtv_mime_type = "wtv/jack-fonts";
+                break;
+            case "tvch":
+                wtv_mime_type = "wtv/tv-channels";
+                break;
+            case "tvl":
+                wtv_mime_type = "wtv/tv-listings";
+                break;
+            case "tvsl":
+                wtv_mime_type = "wtv/tv-smartlinks";
+                break;
+            case "wad":
+                wtv_mime_type = "binary/doom-data";
+                break;
+            case "mp2":
+            case "hsb":
+            case "rmf":
+            case "s3m":
+            case "mod":
+            case "xm":
+                wtv_mime_type = "application/Music";
+                break;
+        }
+
+        modern_mime_type = this.mime.lookup(path);
+        if (wtv_mime_type == "") wtv_mime_type = modern_mime_type;
+        return new Array(wtv_mime_type, modern_mime_type);
+    }
+
+}
+
+module.exports = WTVMime;
diff --git a/zefie_wtvp_minisrv/WTVShared.js b/zefie_wtvp_minisrv/WTVShared.js
new file mode 100644
index 00000000..eb744aff
--- /dev/null
+++ b/zefie_wtvp_minisrv/WTVShared.js
@@ -0,0 +1,143 @@
+/**
+ * Shared functions across all classes and apps
+ */
+
+class WTVShared {
+
+    path = require('path');
+    minisrv_config = [];
+
+    constructor(minisrv_config) {
+        this.minisrv_config = minisrv_config;
+        if (!String.prototype.reverse) {
+            String.prototype.reverse = function () {
+                var splitString = this.split("");
+                var reverseArray = splitString.reverse();
+                var joinArray = reverseArray.join("");
+                return joinArray;
+            }
+        }
+    }
+
+    /**
+    * Returns a censored SSID
+    * @param {string|Array} obj SSID String or Headers Object
+    */
+    filterSSID(obj) {
+        if (this.minisrv_config.config.hide_ssid_in_logs === true) {
+            if (typeof (obj) == "string") {
+                if (obj.substr(0, 8) == "MSTVSIMU") {
+                    return obj.substr(0, 10) + ('*').repeat(10) + obj.substr(20);
+                } else if (obj.substr(0, 5) == "1SEGA") {
+                    return obj.substr(0, 6) + ('*').repeat(6) + obj.substr(13);
+                } else {
+                    return obj.substr(0, 6) + ('*').repeat(9);
+                }
+            } else {
+                if (obj["wtv-client-serial-number"]) {
+                    var ssid = obj["wtv-client-serial-number"];
+                    if (ssid.substr(0, 8) == "MSTVSIMU") {
+                        obj["wtv-client-serial-number"] = ssid.substr(0, 10) + ('*').repeat(10) + ssid.substr(20);
+                    } else if (ssid.substr(0, 5) == "1SEGA") {
+                        obj["wtv-client-serial-number"] = ssid.substr(0, 6) + ('*').repeat(6) + ssid.substr(13);
+                    } else {
+                        obj["wtv-client-serial-number"] = ssid.substr(0, 6) + ('*').repeat(9);
+                    }
+                }
+                return obj;
+            }
+        } else {
+            return obj;
+        }
+    }
+
+    /**
+    * Returns an absolute path
+    * @param {string} path 
+    * @param {string} directory Root directory
+    */
+    getAbsolutePath(path, directory = __dirname) {
+        if (path.substring(0, 1) != this.path.sep && path.substring(1, 1) != ":") {
+            // non-absolute path, so use current directory as base
+            path = (directory + this.path.sep + path);
+        } else {
+            // already absolute path
+        }
+        return path;
+    }
+
+    /**
+     * Gets the file extension from a path
+     * @param {string} path
+     * @returns {String} File Extension (without dot)
+     */
+    getFileExt(path) {
+        return path.reverse().split(".")[0].reverse();
+    }
+
+    /**
+     * Strips bad things from paths
+     * @param {string} base Base path
+     * @param {string} target Sub path
+     */
+    makeSafePath(base, target) {
+        target.replace(/[\|\&\;\$\%\@\"\<\>\+\,\\]/g, "");
+        if (this.path.sep != "/") target = target.replace(/\//g, this.path.sep);
+        var targetPath = this.path.posix.normalize(target)
+        return base + this.path.sep + targetPath;
+    }
+
+    /**
+     * Makes sure an SSID is clean, and doesn't contain any exploitable characters
+     * @param {string} ssid
+     * @returns {string} Sanitized SSID
+     */
+    makeSafeSSID(ssid = "") {
+        ssid = ssid.replace(/[^a-zA-Z0-9]/g, "");
+        if (ssid.length == 0) ssid = null;
+        return ssid;
+    }
+}
+
+class clientShowAlert {
+    message = null;
+    buttonlabel1 = null;
+    buttonlabel2 = null;
+    buttonaction1 = null;
+    buttonaction2 = null;
+    noback = null;
+    image = null;
+
+    constructor(image = null, message = null, buttonlabel1 = null, buttonaction1 = null, buttonlabel2 = null, buttonaction2 = null, noback = null) {
+        this.message = message;
+        this.buttonlabel1 = buttonlabel1;
+        this.buttonlabel2 = buttonlabel2;
+        this.buttonaction1 = buttonaction1;
+        this.buttonaction2 = buttonaction2;
+        this.message = message;
+        this.noback = noback;
+        if (typeof image === 'object') {
+            this.image = null;
+            Object.keys(image).forEach(function (k) {
+                if (this[k] === null) this[k] = image[k];
+            }, this);
+        } else {
+            this.image = image;
+        }
+    }
+
+    getURL() {
+        var url = "client:ShowAlert?";
+        if (this.message) url += "message=" + escape(this.message) + "&";
+        if (this.buttonlabel1) url += "buttonlabel1=" + escape(this.buttonlabel1) + "&";
+        if (this.buttonaction1) url += "buttonaction1=" + escape(this.buttonaction1) + "&";
+        if (this.buttonlabel2) url += "buttonlabel2=" + escape(this.buttonlabel2) + "&";
+        if (this.buttonaction2) url += "buttonaction2=" + escape(this.buttonaction2) + "&";
+        if (this.image) url += "image=" + escape(this.image) + "&";
+        if (this.noback) url += "noback=true&";
+        return url.substring(0, url.length - 1);
+    }
+}
+
+module.exports.WTVShared = WTVShared;
+module.exports.clientShowAlert = clientShowAlert;
\ No newline at end of file
diff --git a/zefie_wtvp_minisrv/app.js b/zefie_wtvp_minisrv/app.js
index 039445ae..fa4463a7 100644
--- a/zefie_wtvp_minisrv/app.js
+++ b/zefie_wtvp_minisrv/app.js
@@ -8,13 +8,14 @@ const https = require('https');
 const strftime = require('strftime'); // used externally by service scripts
 const net = require('net');
 const CryptoJS = require('crypto-js');
-const mime = require('mime-types');
 const { crc16 } = require('easy-crc');
 const process = require('process');
 var WTVSec = require('./WTVSec.js');
 var WTVLzpf = require('./WTVLzpf.js');
 var WTVClientCapabilities = require('./WTVClientCapabilities.js');
 var WTVClientSessionData = require('./WTVClientSessionData.js');
+var WTVMime = require("./WTVMime.js");
+var { WTVShared, clientShowAlert } = require("./WTVShared.js");
 
 process
     .on('SIGTERM', shutdown('SIGTERM'))
@@ -70,10 +71,6 @@ function getServiceString(service, overrides = {}) {
     }
 }
 
-function getFileExt(path) {
-    return path.reverse().split(".")[0].reverse();
-}
-
 function doErrorPage(code, data = null, pc_mode = false) {
     var headers = null;
     switch (code) {
@@ -105,99 +102,6 @@ function doErrorPage(code, data = null, pc_mode = false) {
     return new Array(headers, data);
 }
 
-
-function getConType(path) {
-    var file_ext = getFileExt(path).toLowerCase();
-    var wtv_mime_type = "";
-    var modern_mime_type = "";
-    // process WebTV overrides, fall back to generic mime lookup
-    switch (file_ext) {
-        case "aif":
-            wtv_mime_type = "audio/x-aif";
-            break;
-        case "aifc":
-            wtv_mime_type = "audio/x-aifc";
-            break;
-        case "aiff":
-            wtv_mime_type = "audio/x-aiff";
-            break;
-        case "ani":
-            wtv_mime_type = "x-wtv-animation";
-            break;
-        case "brom":
-            wtv_mime_type = "binary/x-wtv-bootrom";
-            break;
-        case "cdf":
-            wtv_mime_type = "application/netcdf";
-            break;
-        case "dat":
-            wtv_mime_type = "binary/cache-data";
-            break;
-        case "dl":
-            wtv_mime_type = "wtv/download-list";
-            break;
-        case "gsm":
-            wtv_mime_type = "audio/x-gsm";
-            break;
-        case "gz":
-            wtv_mime_type = "application/gzip";
-            break;
-        case "ini":
-            wtv_mime_type = "wtv/jack-configuration";
-            break;
-        case "mips-code":
-            wtv_mime_type = "code/x-wtv-code-mips";
-            break;
-        case "o":
-            wtv_mime_type = "binary/x-wtv-approm";
-            break;
-        case "ram":
-            wtv_mime_type = "audio/x-pn-realaudio";
-            break;
-        case "rom":
-            wtv_mime_type = "binary/x-wtv-flashblock";
-            break;
-        case "rsp":
-            wtv_mime_type = "wtv/jack-response";
-            break;
-        case "swa":
-        case "swf":
-            wtv_mime_type = "application/x-shockwave-flash";
-            break;
-        case "srf":
-        case "spl":
-            wtv_mime_type = "wtv/jack-data";
-            break;
-        case "ttf":
-            wtv_mime_type = "wtv/jack-fonts";
-            break;
-        case "tvch":
-            wtv_mime_type = "wtv/tv-channels";
-            break;
-        case "tvl":
-            wtv_mime_type = "wtv/tv-listings";
-            break;
-        case "tvsl":
-            wtv_mime_type = "wtv/tv-smartlinks";
-            break;
-        case "wad":
-            wtv_mime_type = "binary/doom-data";
-            break;
-        case "mp2":
-        case "hsb":
-        case "rmf":
-        case "s3m":
-        case "mod":
-        case "xm":
-            wtv_mime_type = "application/Music";
-            break;
-    }
-
-    modern_mime_type = mime.lookup(path);
-    if (wtv_mime_type == "") wtv_mime_type = modern_mime_type;
-    return new Array(wtv_mime_type, modern_mime_type);
-}
-
 async function processPath(socket, service_vault_file_path, request_headers = new Array(), service_name) {
     var headers, data = null;
     var request_is_async = false;
@@ -206,7 +110,7 @@ async function processPath(socket, service_vault_file_path, request_headers = ne
     try {
         service_vaults.forEach(function (service_vault_dir) {
             if (service_vault_found) return;
-            service_vault_file_path = makeSafePath(service_vault_dir, service_path);
+            service_vault_file_path = wtvshared.makeSafePath(service_vault_dir, service_path);
 
             // deny access to catchall file name directly
             var service_path_split = service_path.split("/");
@@ -231,7 +135,7 @@ async function processPath(socket, service_vault_file_path, request_headers = ne
                 service_vault_found = true;
                 request_is_async = true;
                 if (!zquiet) console.log(" * Found " + service_vault_file_path + " to handle request (Direct File Mode) [Socket " + socket.id + "]");
-                var contypes = getConType(service_vault_file_path);
+                var contypes = wtvmime.getContentType(service_vault_file_path);
                 headers = "200 OK\n"
                 headers += "Content-Type: " + contypes[0] + "\n";
                 headers += "wtv-modern-content-type" + contypes[1];
@@ -345,47 +249,6 @@ async function processPath(socket, service_vault_file_path, request_headers = ne
     }
 }
 
-function filterSSID(obj) {
-    if (minisrv_config.config.hide_ssid_in_logs === true) {
-        if (typeof (obj) == "string") {
-            if (obj.substr(0, 8) == "MSTVSIMU") {
-                return obj.substr(0, 10) + ('*').repeat(10) + obj.substr(20);
-            } else if (obj.substr(0, 5) == "1SEGA") {
-                return obj.substr(0, 6) + ('*').repeat(6) + obj.substr(13);
-            } else {
-                return obj.substr(0, 6) + ('*').repeat(9);
-            }
-        } else {
-            if (makeSafeSSID(obj["wtv-client-serial-number"])) {
-                var ssid = makeSafeSSID(obj["wtv-client-serial-number"]);
-                if (ssid.substr(0, 8) == "MSTVSIMU") {
-                    obj["wtv-client-serial-number"] = ssid.substr(0, 10) + ('*').repeat(10) + ssid.substr(20);
-                } else if (ssid.substr(0, 5) == "1SEGA") {
-                    obj["wtv-client-serial-number"] = ssid.substr(0, 6) + ('*').repeat(6) + ssid.substr(13);
-                } else {
-                    obj["wtv-client-serial-number"] = ssid.substr(0, 6) + ('*').repeat(9);
-                }
-            }
-            return obj;
-        }
-    } else {
-        return obj;
-    }
-}
-
-function makeSafeSSID(ssid = "") {
-    ssid = ssid.replace(/[^a-zA-Z0-9]/g, "");
-    if (ssid.length == 0) ssid = null;
-    return ssid;
-}
-
-function makeSafePath(base, target) {
-    target.replace(/[\|\&\;\$\%\@\"\<\>\+\,\\]/g, "");
-    if (path.sep != "/") target = target.replace(/\//g, path.sep);
-    var targetPath = path.posix.normalize(target)
-    return base + path.sep + targetPath;
-}
-
 async function processURL(socket, request_headers) {
     var shortURL, headers, data = "";
     request_headers.query = new Array();
@@ -408,28 +271,33 @@ async function processURL(socket, request_headers) {
         }
 
         if (request_headers.post_data) {
-            var post_data_string = request_headers.post_data.toString(CryptoJS.enc.Utf8).replace("\0", "");
-            if (isUnencryptedString(post_data_string)) {
-                if (post_data_string.indexOf('=')) {
-                    if (post_data_string.indexOf('&')) {
-                        var qraw = post_data_string.split('&');
-                        if (qraw.length > 0) {
-                            for (let i = 0; i < qraw.length; i++) {
-                                var qraw_split = qraw[i].split("=");
-                                if (qraw_split.length == 2) {
-                                    var k = qraw_split[0];
-                                    request_headers.query[k] = unescape(qraw[i].split("=")[1].replace(/\+/g, "%20"));
+            var post_data_string = '';
+            try {
+                post_data_string = request_headers.post_data.toString(CryptoJS.enc.Utf8).replace("\0", ""); // if not text this will probably throw an exception
+                if (isUnencryptedString(post_data_string)) {
+                    if (post_data_string.indexOf('=')) {
+                        if (post_data_string.indexOf('&')) {
+                            var qraw = post_data_string.split('&');
+                            if (qraw.length > 0) {
+                                for (let i = 0; i < qraw.length; i++) {
+                                    var qraw_split = qraw[i].split("=");
+                                    if (qraw_split.length == 2) {
+                                        var k = qraw_split[0];
+                                        request_headers.query[k] = unescape(qraw[i].split("=")[1].replace(/\+/g, "%20"));
+                                    }
                                 }
                             }
-                        }
-                    } else {
-                        var qraw_split = post_data_string.split("=");
-                        if (qraw_split.length == 2) {
-                            var k = qraw_split[0];
-                            request_headers.query[k] = unescape(qraw_split[1].replace(/\+/g, "%20"));
+                        } else {
+                            var qraw_split = post_data_string.split("=");
+                            if (qraw_split.length == 2) {
+                                var k = qraw_split[0];
+                                request_headers.query[k] = unescape(qraw_split[1].replace(/\+/g, "%20"));
+                            }
                         }
                     }
                 }
+            } catch (e) {
+                // do nothing
             }
         }
 
@@ -469,26 +337,21 @@ async function processURL(socket, request_headers) {
             var ssid = socket.ssid;
             if (ssid == null) {
                 // prevent possible injection attacks via SSID and filesystem SessionStore
-                ssid = makeSafeSSID(request_headers["wtv-client-serial-number"]);
+                ssid = wtvshared.makeSafeSSID(request_headers["wtv-client-serial-number"]);
                 if (ssid == "") ssid = null;
             }
 
             var reqverb = "Request";
-            if (request_headers.encrypted || request_headers.secure) {
-                reqverb = "Encrypted " + reqverb;
-            }
-            if (request_headers.psuedo_encryption) {
-                reqverb = "Psuedo-encrypted " + reqverb;
-            }
+            if (request_headers.encrypted || request_headers.secure) reqverb = "Encrypted " + reqverb;
             if (ssid != null) {
-                console.log(" * " + reqverb + " for " + request_headers.request_url + " from WebTV SSID " + (await filterSSID(ssid)), 'on', socket.id);
+                console.log(" * " + reqverb + " for " + request_headers.request_url + " from WebTV SSID " + (await wtvshared.filterSSID(ssid)), 'on', socket.id);
             } else {
                 console.log(" * " + reqverb + " for " + request_headers.request_url, 'on', socket.id);
             }
             // assume webtv since there is a :/ in the GET
             var service_name = shortURL.split(':/')[0];
             var urlToPath = service_name + path.sep + shortURL.split(':/')[1];
-            if (zshowheaders) console.log(" * Incoming headers on socket ID", socket.id, (await filterSSID(request_headers)));
+            if (zshowheaders) console.log(" * Incoming headers on socket ID", socket.id, (await wtvshared.filterSSID(request_headers)));
             processPath(socket, urlToPath, request_headers, service_name);
         } else if (shortURL.indexOf('http://') >= 0 || shortURL.indexOf('https://') >= 0) {
             doHTTPProxy(socket, request_headers);
@@ -505,7 +368,7 @@ async function processURL(socket, request_headers) {
 
 async function doHTTPProxy(socket, request_headers) {
     var request_type = (request_headers.request_url.substring(0, 5) == "https") ? "https" : "http";
-    if (zshowheaders) console.log(request_type.toUpperCase() +" Proxy: Client Request Headers on socket ID", socket.id, (await filterSSID(request_headers)));
+    if (zshowheaders) console.log(request_type.toUpperCase() +" Proxy: Client Request Headers on socket ID", socket.id, (await wtvshared.filterSSID(request_headers)));
     switch (request_type) {
         case "https":
             var proxy_agent = https;
@@ -670,67 +533,6 @@ function headerStringToObj(headers, response = false) {
     return headers_obj;
 }
 
-function shouldWeCompress(ssid, headers_obj) {
-    var compress_data = false;
-    var compression_type = 0; // no compression
-    if (ssid_sessions[ssid]) {
-        if (ssid_sessions[ssid].capabilities) {
-            if (ssid_sessions[ssid].capabilities['client-can-receive-compressed-data']) {
-
-                if (minisrv_config.config.enable_lzpf_compression || minisrv_config.config.force_compression_type) {
-                    compression_type = 1; // lzpf
-                }
-
-                if (ssid_sessions[ssid]) {
-                    // if gzip is enabled...
-                    if (minisrv_config.config.enable_gzip_compression || minisrv_config.config.force_compression_type) {
-                        var is_bf0app = ssid_sessions[ssid].get("wtv-client-rom-type") == "bf0app";
-                        var is_minibrowser = (ssid_sessions[ssid].get("wtv-needs-upgrade") || ssid_sessions[ssid].get("wtv-used-8675309"));
-                        var is_softmodem = ssid_sessions[ssid].get("wtv-client-rom-type").match(/softmodem/);
-                        if (!is_bf0app && ((!is_softmodem && !is_minibrowser) || (is_softmodem && !is_minibrowser))) {
-                            // softmodem boxes do not appear to support gzip in the minibrowser
-                            // LC2 appears to support gzip even in the MiniBrowser
-                            // LC2 and newer approms appear to support gzip
-                            // bf0app does not appear to support gzip
-                            compression_type = 2; // gzip
-                        }
-                    }
-                }
-
-
-
-                // mostly for debugging
-                if (minisrv_config.config.force_compression_type == "lzpf") compression_type = 1;
-                if (minisrv_config.config.force_compression_type == "gzip") compression_type = 2;
-
-                // do not compress if already encoded
-                if (headers_obj["Content-Encoding"]) return 0;
-
-                // should we bother to compress?
-                var content_type = "";
-                if (typeof (headers_obj) == 'string') content_type = headers_obj;
-                else content_type = (typeof (headers_obj["wtv-modern-content-type"]) != 'undefined') ? headers_obj["wtv-modern-content-type"] : headers_obj["Content-Type"];
-
-                if (content_type) {
-                    // both lzpf and gzip
-                    if (content_type.match(/^text\//) && content_type != "text/tellyscript") compress_data = true;
-                    else if (content_type.match(/^application\/(x-?)javascript$/)) compress_data = true;
-                    else if (content_type == "application/json") compress_data = true;
-                    if (compression_type == 2) {
-                        // gzip only
-                        if (content_type.match(/^audio\/(x-)?[s3m|mod|xm]$/)) compress_data = true; // s3m, mod, xm
-                        if (content_type.match(/^audio\/(x-)?[midi|wav|wave]$/)) compress_data = true; // midi & wav
-                        if (content_type.match(/^binary\/x-wtv-approm$/)) compress_data = true; // approms                        
-                    }
-                }
-            }
-        }
-    }
-
-    // return compression_type if compress_data = true
-    return (compress_data) ? compression_type : 0;
-}
-
 async function sendToClient(socket, headers_obj, data) {
     var headers = "";
     var content_length = 0;
@@ -768,7 +570,7 @@ async function sendToClient(socket, headers_obj, data) {
     // if box can do compression, see if its worth enabling
     // small files actually get larger, so don't compress them
     var compression_type = 0;
-    if (content_length >= 256) compression_type = shouldWeCompress(socket.ssid, headers_obj);
+    if (content_length >= 256) compression_type = wtvmime.shouldWeCompress(ssid_sessions[socket.ssid], headers_obj);
 
     // compress if needed
     if (compression_type > 0 && content_length > 0 && headers_obj['http_response'].substring(0,3) == "200") {
@@ -841,7 +643,7 @@ async function sendToClient(socket, headers_obj, data) {
     }
 
     // header object to string
-    if (zshowheaders) console.log(" * Outgoing headers on socket ID", socket.id, (await filterSSID(headers_obj)));
+    if (zshowheaders) console.log(" * Outgoing headers on socket ID", socket.id, (await wtvshared.filterSSID(headers_obj)));
     Object.keys(headers_obj).forEach(function (k) {
         if (k == "http_response") {
             headers += headers_obj[k] + end_of_line;
@@ -882,7 +684,7 @@ async function sendToClient(socket, headers_obj, data) {
     if (socket_sessions[socket.id].post_data) delete socket_sessions[socket.id].post_data;
     if (socket_sessions[socket.id].post_data_length) delete socket_sessions[socket.id].post_data_length;
     if (socket_sessions[socket.id].post_data_percents_shown) delete socket_sessions[socket.id].post_data_percents_shown;
-
+    socket.setTimeout(minisrv_config.config.socket_timeout * 1000);
     if (socket_sessions[socket.id].close_me) socket.end();
     if (headers_obj["Connection"]) {
         if (headers_obj["Connection"].toLowerCase() == "close" && wtv_connection_close == "true") {
@@ -921,6 +723,89 @@ function moveObjectElement(currentKey, afterKey, obj) {
     if (next !== -1) return result; else return obj;
 }
 
+function checkSecurity(socket) {
+    var out = null;
+    var ip2long = function (ip) {
+        var components;
+
+        if (components = ip.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/)) {
+            var iplong = 0;
+            var power = 1;
+            for (var i = 4; i >= 1; i -= 1) {
+                iplong += power * parseInt(components[i]);
+                power *= 256;
+            }
+            return iplong;
+        }
+        else return -1;
+    };
+
+    var isInSubnet = function (ip, subnet) {
+        var mask, base_ip, long_ip = ip2long(ip);
+        if ((mask = subnet.match(/^(.*?)\/(\d{1,2})$/)) && ((base_ip = ip2long(mask[1])) >= 0)) {
+            var freedom = Math.pow(2, 32 - parseInt(mask[2]));
+            return (long_ip > base_ip) && (long_ip < base_ip + freedom - 1);
+        }
+        else return false;
+    };
+
+    var rejectSSIDConnection = function (ssid, blacklist) {
+        if (blacklist) console.log(" * Request from SSID", wtvshared.filterSSID(ssid), "(" + socket.remoteAddr + "), but that SSID is in the blacklist, rejecting.");
+        else console.log(" * Request from SSID", wtvshared.filterSSID(socket.ssid), "(" + socket.remoteAddress + "), but that SSID is not in the whitelist, rejecting.");
+
+        var errpage = doErrorPage(401, "Access to this service is denied.");
+        out = errpage;
+    }
+
+    var checkSSIDIPWhitelist = function (ssid, blacklist) {
+        var ssid_access_list_ip_override = false;
+        if (minisrv_config.config.ssid_ip_allow_list) {
+            if (minisrv_config.config.ssid_ip_allow_list[socket.ssid]) {
+                Object.keys(minisrv_config.config.ssid_ip_allow_list[socket.ssid]).forEach(function (k) {
+                    if (minisrv_config.config.ssid_ip_allow_list[socket.ssid][k].indexOf('/') > 0) {
+                        if (isInSubnet(socket.remoteAddress, minisrv_config.config.ssid_ip_allow_list[socket.ssid][k])) {
+                            // remoteAddr is in allowed subnet
+                            ssid_access_list_ip_override = true;
+                        }
+                    } else {
+                        if (socket.remoteAddress == minisrv_config.config.ssid_ip_allow_list[socket.ssid][k]) {
+                            // remoteAddr directly matches IP
+                            ssid_access_list_ip_override = true;
+                        }
+                    }
+                });
+                if (!ssid_access_list_ip_override) rejectSSIDConnection(socket.ssid, blacklist);
+            } else {
+                rejectSSIDConnection(socket.ssid, blacklist);
+            }
+        } else {
+            rejectSSIDConnection(socket.ssid, blacklist);
+        }
+        if (ssid_access_list_ip_override && zdebug) console.log(" * Request from disallowed SSID", wtvshared.filterSSID(ssid), "was allowed due to IP address whitelist");
+    }
+
+    // process whitelist first
+    if (socket.ssid && minisrv_config.config.ssid_allow_list) {
+        var ssid_is_in_whitelist = minisrv_config.config.ssid_allow_list.findIndex(element => element == socket.ssid);
+        if (ssid_is_in_whitelist == -1) {
+            // no whitelist match, but lets see if the remoteAddress is allowed
+            checkSSIDIPWhitelist(socket.ssid, false);
+        }
+    }
+
+    // now check blacklist
+    if (socket.ssid && minisrv_config.config.ssid_block_list) {
+        var ssid_is_in_blacklist = minisrv_config.config.ssid_block_list.findIndex(element => element == socket.ssid);
+        if (ssid_is_in_blacklist != -1) {
+            // blacklist match, but lets see if the remoteAddress is allowed
+            checkSSIDIPWhitelist(socket.ssid, true);
+        }
+    }
+
+    // Passed Security
+    return out;
+}
+
 function isUnencryptedString(string, verbose = false) {
     // a generic "isAscii" check is not sufficient, as the test will see the binary 
     // compressed / encrypted data as ASCII. This function checks for characters expected 
@@ -930,11 +815,6 @@ function isUnencryptedString(string, verbose = false) {
     return /^([A-Za-z0-9\+\/\=\-\.\,\ \"\;\:\?\&\r\n\(\)\%\<\>\_\~\*\@\#\\]{8,})$/.test(string);
 }
 
-function filterSSID(ssid) {
-    var WTVCSD = new WTVClientSessionData(null,minisrv_config.config.hide_ssid_in_logs);
-    return WTVCSD.filterSSID(ssid);
-}
-
 async function processRequest(socket, data_hex, skipSecure = false, encryptedRequest = false) {
 
     // This function sucks and needs to be rewritten
@@ -1002,10 +882,10 @@ async function processRequest(socket, data_hex, skipSecure = false, encryptedReq
             if (!headers) return;
 
             if (headers["wtv-client-serial-number"] != null && socket.ssid == null) {
-                socket.ssid = makeSafeSSID(headers["wtv-client-serial-number"]);
+                socket.ssid = wtvshared.makeSafeSSID(headers["wtv-client-serial-number"]);
                 if (socket.ssid != null) {
                     if (!ssid_sessions[socket.ssid]) {
-                        ssid_sessions[socket.ssid] = new WTVClientSessionData(socket.ssid,minisrv_config.config.hide_ssid_in_logs);
+                        ssid_sessions[socket.ssid] = new WTVClientSessionData(minisrv_config, socket.ssid);
                         ssid_sessions[socket.ssid].SaveIfRegistered();
                     }
                     if (!ssid_sessions[socket.ssid].data_store.sockets) ssid_sessions[socket.ssid].data_store.sockets = new Set();
@@ -1014,96 +894,21 @@ async function processRequest(socket, data_hex, skipSecure = false, encryptedReq
                 }
             }
 
-            var ip2long = function (ip) {
-                var components;
-
-                if (components = ip.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/)) {
-                    var iplong = 0;
-                    var power = 1;
-                    for (var i = 4; i >= 1; i -= 1) {
-                        iplong += power * parseInt(components[i]);
-                        power *= 256;
-                    }
-                    return iplong;
-                }
-                else return -1;
-            };
-
-            var isInSubnet = function (ip, subnet) {
-                var mask, base_ip, long_ip = ip2long(ip);
-                if ((mask = subnet.match(/^(.*?)\/(\d{1,2})$/)) && ((base_ip = ip2long(mask[1])) >= 0)) {
-                    var freedom = Math.pow(2, 32 - parseInt(mask[2]));
-                    return (long_ip > base_ip) && (long_ip < base_ip + freedom - 1);
-                }
-                else return false;
-            };
-
-            var rejectSSIDConnection = function (ssid, blacklist) {
-                if (blacklist) console.log(" * Request from SSID", filterSSID(ssid), "(" + socket.remoteAddr + "), but that SSID is in the blacklist, rejecting.");
-                else console.log(" * Request from SSID", filterSSID(socket.ssid), "(" + socket.remoteAddress + "), but that SSID is not in the whitelist, rejecting.");
-
-                var errpage = doErrorPage(401, "Access to this service is denied.");
-                headers = errpage[0];
-                data = errpage[1];
+            var failed_security = checkSecurity(socket);
+            if (failed_security) {
                 socket_sessions[socket.id].close_me = true;
+                headers = failed_security[0];
+                data = failed_security[1];
             }
 
-            var checkSSIDIPWhitelist = function (ssid, blacklist) {
-                var ssid_access_list_ip_override = false;
-                if (minisrv_config.config.ssid_ip_allow_list) {
-                    if (minisrv_config.config.ssid_ip_allow_list[socket.ssid]) {
-                        Object.keys(minisrv_config.config.ssid_ip_allow_list[socket.ssid]).forEach(function (k) {
-                            if (minisrv_config.config.ssid_ip_allow_list[socket.ssid][k].indexOf('/') > 0) {
-                                if (isInSubnet(socket.remoteAddress, minisrv_config.config.ssid_ip_allow_list[socket.ssid][k])) {
-                                    // remoteAddr is in allowed subnet
-                                    ssid_access_list_ip_override = true;
-                                }
-                            } else {
-                                if (socket.remoteAddress == minisrv_config.config.ssid_ip_allow_list[socket.ssid][k]) {
-                                    // remoteAddr directly matches IP
-                                    ssid_access_list_ip_override = true;
-                                }
-                            }
-                        });
-                        if (!ssid_access_list_ip_override) rejectSSIDConnection(socket.ssid, blacklist);
-                    } else {
-                        rejectSSIDConnection(socket.ssid, blacklist);
-                    }
-                } else {
-                    rejectSSIDConnection(socket.ssid, blacklist);
-                }
-                if (ssid_access_list_ip_override && zdebug) console.log(" * Request from disallowed SSID", filterSSID(ssid), "was allowed due to IP address whitelist");
-            }
-
-            // process whitelist first
-            if (socket.ssid && minisrv_config.config.ssid_allow_list) {
-                var ssid_is_in_whitelist = minisrv_config.config.ssid_allow_list.findIndex(element => element == socket.ssid);
-                if (ssid_is_in_whitelist == -1) {
-                    // no whitelist match, but lets see if the remoteAddress is allowed
-                    checkSSIDIPWhitelist(socket.ssid, false);
-                }
-            }
-
-            // now check blacklist
-            if (socket.ssid && minisrv_config.config.ssid_block_list) {
-                var ssid_is_in_blacklist = minisrv_config.config.ssid_block_list.findIndex(element => element == socket.ssid);
-                if (ssid_is_in_blacklist != -1) {
-                    // blacklist match, but lets see if the remoteAddress is allowed
-                    checkSSIDIPWhitelist(socket.ssid, true);
-                }
-            }
-
-            // Passed Security
-
             if (headers["wtv-capability-flags"] != null) {
                 if (!ssid_sessions[socket.ssid]) {
-                    ssid_sessions[socket.ssid] = new WTVClientSessionData(socket.ssid,minisrv_config.config.hide_ssid_in_logs);
+                    ssid_sessions[socket.ssid] = new WTVClientSessionData(minisrv_config, socket.ssid);
                     ssid_sessions[socket.ssid].SaveIfRegistered();
                 }
                 if (!ssid_sessions[socket.ssid].capabilities) ssid_sessions[socket.ssid].capabilities = new WTVClientCapabilities(headers["wtv-capability-flags"]);
             }
 
-
             // log all client wtv- headers to the SessionData for that SSID
             // this way we can pull up client info such as wtv-client-rom-type or wtv-system-sysconfig
             if (socket.ssid) {
@@ -1165,46 +970,37 @@ async function processRequest(socket, data_hex, skipSecure = false, encryptedReq
                     }
                     var enc_data = CryptoJS.enc.Hex.parse(data_hex.substring(header_length * 2));
                     if (enc_data.sigBytes > 0) {
-                        if (isUnencryptedString(enc_data.toString(CryptoJS.enc.Latin1), (!skipSecure && !encryptedRequest))) {
-                            // some builds (like our targeted 3833), send SECURE ON but then unencrypted headers
-                            if (zdebug) console.log(" # Psuedo-encrypted Request (SECURE ON)", "on", socket.id);
-                            // don't actually encrypt output
-                            headers.psuedo_encryption = true;
-                            ssid_sessions[socket.ssid].set("box-does-psuedo-encryption", true);
-                            socket_sessions[socket.id].secure = false;
-                            var secure_headers = await processRequest(socket, enc_data.toString(CryptoJS.enc.Hex), true, true);
-                        } else {
-                            // SECURE ON and detected encrypted data
-                            ssid_sessions[socket.ssid].set("box-does-psuedo-encryption", false);
-                            var dec_data = CryptoJS.lib.WordArray.create(socket_sessions[socket.id].wtvsec.Decrypt(0, enc_data))
-                            if (!socket_sessions[socket.id].secure_buffer) socket_sessions[socket.id].secure_buffer = "";
-                            socket_sessions[socket.id].secure_buffer += dec_data.toString(CryptoJS.enc.Hex);
-                            var secure_headers = null;
-                            if (headers['request']) {
-                                if (headers['request'] == "GET") {
-                                    if (socket_sessions[socket.id].secure_buffer.indexOf("0d0a0d0a") || socket_sessions[socket.id].secure_buffer.indexOf("0a0a")) {
-                                        secure_headers = await processRequest(socket, socket_sessions[socket.id].secure_buffer, true, true);
-                                    }
-                                } else {
-                                     secure_headers = await processRequest(socket, socket_sessions[socket.id].secure_buffer, true, true);
+
+                        // SECURE ON and detected encrypted data
+                        var dec_data = CryptoJS.lib.WordArray.create(socket_sessions[socket.id].wtvsec.Decrypt(0, enc_data))
+                        if (!socket_sessions[socket.id].secure_buffer) socket_sessions[socket.id].secure_buffer = "";
+                        socket_sessions[socket.id].secure_buffer += dec_data.toString(CryptoJS.enc.Hex);
+                        var secure_headers = null;
+                        if (headers['request']) {
+                            if (headers['request'] == "GET") {
+                                if (socket_sessions[socket.id].secure_buffer.indexOf("0d0a0d0a") || socket_sessions[socket.id].secure_buffer.indexOf("0a0a")) {
+                                    secure_headers = await processRequest(socket, socket_sessions[socket.id].secure_buffer, true, true);
                                 }
                             } else {
-                                 secure_headers = await processRequest(socket, socket_sessions[socket.id].secure_buffer, true, true);
-                            }                            
-                            if (!secure_headers) return;
-
-                            delete socket_sessions[socket.id].secure_buffer;
-                            if (zdebug) console.log(" # Encrypted Request (SECURE ON)", "on", socket.id);
-                            if (zshowheaders) console.log(secure_headers);
-                            if (!secure_headers.request) {
-                                socket_sessions[socket.id].secure = false;
-                                var errpage = doErrorPage(400);
-                                headers = errpage[0];
-                                data = errpage[1];
-                                sendToClient(socket, headers, data);
-                                return;
+                                secure_headers = await processRequest(socket, socket_sessions[socket.id].secure_buffer, true, true);
                             }
+                        } else {
+                            secure_headers = await processRequest(socket, socket_sessions[socket.id].secure_buffer, true, true);
                         }
+                        if (!secure_headers) return;
+
+                        delete socket_sessions[socket.id].secure_buffer;
+                        if (zdebug) console.log(" # Encrypted Request (SECURE ON)", "on", socket.id);
+                        if (zshowheaders) console.log(secure_headers);
+                        if (!secure_headers.request) {
+                            socket_sessions[socket.id].secure = false;
+                            var errpage = doErrorPage(400);
+                            headers = errpage[0];
+                            data = errpage[1];
+                            sendToClient(socket, headers, data);
+                            return;
+                        }
+
                         // Merge new headers into existing headers object
                         Object.keys(secure_headers).forEach(function (k) {
                             headers[k] = secure_headers[k];
@@ -1231,8 +1027,9 @@ async function processRequest(socket, data_hex, skipSecure = false, encryptedReq
             }
 
             // handle POST
-            if (headers['request']) {
+            if (headers['request'] && !socket_sessions[socket.id].expecting_post_data) {
                 if (headers['request'].substring(0, 4) == "POST") {
+                    socket.setTimeout(minisrv_config.config.post_data_socket_timeout * 1000);
                     if (typeof socket_sessions[socket.id].post_data == "undefined") {
                         if (socket_sessions[socket.id].post_data_percents_shown) delete socket_sessions[socket.id].post_data_percents_shown;
                         socket_sessions[socket.id].post_data_length = headers['Content-length'] || headers['Content-Length'] || 0;
@@ -1252,14 +1049,23 @@ async function processRequest(socket, data_hex, skipSecure = false, encryptedReq
                     if (socket_sessions[socket.id].post_data.length == (socket_sessions[socket.id].post_data_length * 2)) {
                         // got all expected data
                         if (socket_sessions[socket.id].expecting_post_data) delete socket_sessions[socket.id].expecting_post_data;
-                        console.log(" * Incoming", post_string, "request on", socket.id, "from", filterSSID(socket.ssid), "to", headers['request_url'], "(got all expected", socket_sessions[socket.id].post_data_length, "bytes of data from client already)");
+                        console.log(" * Incoming", post_string, "request on", socket.id, "from", wtvshared.filterSSID(socket.ssid), "to", headers['request_url'], "(got all expected", socket_sessions[socket.id].post_data_length, "bytes of data from client already)");
                         headers.post_data = CryptoJS.enc.Hex.parse(socket_sessions[socket.id].post_data);
                         if (socket_sessions[socket.id].headers) delete socket_sessions[socket.id].headers;
                         processURL(socket, headers);
                     } else {
                         // expecting more data (see below)
                         socket_sessions[socket.id].expecting_post_data = true;
-                        console.log(" * Incoming", post_string, "request on", socket.id, "from", filterSSID(socket.ssid), "to", headers['request_url'], "(expecting", socket_sessions[socket.id].post_data_length, "bytes of data from client...)");
+                        if (!socket_sessions[socket.id].post_data) socket_sessions[socket.id].post_data = '';
+                        if (socket_sessions[socket.id].secure) {
+                            // decrypt if encrypted
+                            socket_sessions[socket.id].post_data = CryptoJS.lib.WordArray.create(socket_sessions[socket.id].wtvsec.Decrypt(0, CryptoJS.enc.Hex.parse(socket_sessions[socket.id].post_data))).toString(CryptoJS.enc.Hex);
+                        } else {
+                            // just pass it over
+                            socket_sessions[socket.id].post_data = socket_sessions[socket.id].post_data;
+                        }
+                        socket_sessions[socket.id].post_data += CryptoJS.enc.Hex.parse(socket_sessions[socket.id].post_data);
+                        console.log(" * Incoming", post_string, "request on", socket.id, "from", wtvshared.filterSSID(socket.ssid), "to", headers['request_url'], "(expecting", socket_sessions[socket.id].post_data_length, "bytes of data from client...)");
                     }
                     if (socket_sessions[socket.id].post_data.length > (socket_sessions[socket.id].post_data_length * 2)) {
                         // got too much data ? ... should not ever reach this code
@@ -1313,7 +1119,7 @@ async function processRequest(socket, data_hex, skipSecure = false, encryptedReq
                             if (minisrv_config.config.post_percentages.includes(postPercent)) {
                                 if (!socket_sessions[socket.id].post_data_percents_shown) socket_sessions[socket.id].post_data_percents_shown = new Array();
                                 if (!socket_sessions[socket.id].post_data_percents_shown[postPercent]) {
-                                    console.log(" * Received", postPercent, "% of", socket_sessions[socket.id].post_data_length, "bytes on", socket.id, "from", filterSSID(socket.ssid));
+                                    console.log(" * Received", postPercent, "% of", socket_sessions[socket.id].post_data_length, "bytes on", socket.id, "from", wtvshared.filterSSID(socket.ssid));
                                     socket_sessions[socket.id].post_data_percents_shown[postPercent] = true;
                                 }
                                 if (postPercent == 100) delete socket_sessions[socket.id].post_data_percents_shown;
@@ -1324,6 +1130,7 @@ async function processRequest(socket, data_hex, skipSecure = false, encryptedReq
                 if (socket_sessions[socket.id].post_data.length == (socket_sessions[socket.id].post_data_length * 2)) {
                     // got all expected data
                     if (socket_sessions[socket.id].expecting_post_data) delete socket_sessions[socket.id].expecting_post_data;
+                    socket.setTimeout(minisrv_config.config.socket_timeout * 1000);
                     headers.post_data = CryptoJS.enc.Hex.parse(socket_sessions[socket.id].post_data);
                     if (socket_sessions[socket.id].secure == true) {
                         if (zdebug) console.log(" # Encrypted POST Content (SECURE ON)", "on", socket.id, "[", headers.post_data.sigBytes, "bytes ]");
@@ -1338,6 +1145,7 @@ async function processRequest(socket, data_hex, skipSecure = false, encryptedReq
                 }
                 if (socket_sessions[socket.id].post_data.length > (socket_sessions[socket.id].post_data_length * 2)) {
                     if (socket_sessions[socket.id].expecting_post_data) delete socket_sessions[socket.id].expecting_post_data;
+                    socket.setTimeout(minisrv_config.config.socket_timeout * 1000);
                     // got too much data ? ... should not ever reach this code
                     var errpage = doErrorPage(400, "Received too much data in POST request<br>Got " + (socket_sessions[socket.id].post_data.length / 2) + ", expected " + socket_sessions[socket.id].post_data_length);
                     headers = errpage[0];
@@ -1433,7 +1241,7 @@ async function cleanupSocket(socket) {
                 // set timeout to check 
                 ssid_sessions[socket.ssid].data_store.socket_check = setTimeout(function (ssid) {
                     if (ssid_sessions[ssid].currentConnections() === 0) {
-                        if (!zquiet) console.log(" * WebTV SSID", filterSSID(ssid), " has not been seen in", (timeout / 1000), "seconds, cleaning up session data for this SSID");
+                        if (!zquiet) console.log(" * WebTV SSID", wtvshared.filterSSID(ssid), " has not been seen in", (timeout / 1000), "seconds, cleaning up session data for this SSID");
                         delete ssid_sessions[ssid];
                     }
                 }, timeout, socket.ssid);
@@ -1452,21 +1260,25 @@ async function handleSocket(socket) {
     socket_sessions[socket.id] = [];
     socket.minisrv_pc_mode = false;
     socket.setEncoding('hex'); //set data encoding (Text: 'ascii', 'utf8' ~ Binary: 'hex', 'base64' (do not trust 'binary' encoding))
-    socket.setTimeout(10800000); // 3 hours
+    socket.setTimeout(minisrv_config.config.socket_timeout * 1000);
     socket.on('data', function (data_hex) {
-        if (!socket_sessions[socket.id].secure && !socket_sessions[socket.id].expecting_post_data) {
-            // buffer unencrypted data until we see the classic double-newline, or get blank
-            if (!socket_sessions[socket.id].header_buffer) socket_sessions[socket.id].header_buffer = "";
-            socket_sessions[socket.id].header_buffer += data_hex;
-            if (socket_sessions[socket.id].header_buffer.indexOf("0d0a0d0a") != -1 || socket_sessions[socket.id].header_buffer.indexOf("0a0a") != -1) {
-                data_hex = socket_sessions[socket.id].header_buffer;
-                delete socket_sessions[socket.id].header_buffer;
+        if (socket_sessions[socket.id]) {
+            if (!socket_sessions[socket.id].secure && !socket_sessions[socket.id].expecting_post_data) {
+                // buffer unencrypted data until we see the classic double-newline, or get blank
+                if (!socket_sessions[socket.id].header_buffer) socket_sessions[socket.id].header_buffer = "";
+                socket_sessions[socket.id].header_buffer += data_hex;
+                if (socket_sessions[socket.id].header_buffer.indexOf("0d0a0d0a") != -1 || socket_sessions[socket.id].header_buffer.indexOf("0a0a") != -1) {
+                    data_hex = socket_sessions[socket.id].header_buffer;
+                    delete socket_sessions[socket.id].header_buffer;
+                    processRequest(this, data_hex);
+                }
+            } else {
+                // stream encrypted requests through the processor
+                if (socket_sessions[socket.id].header_buffer) delete socket_sessions[socket.id].header_buffer;
                 processRequest(this, data_hex);
             }
         } else {
-            // stream encrypted requests through the processor
-            if (socket_sessions[socket.id].header_buffer) delete socket_sessions[socket.id].header_buffer;
-            processRequest(this, data_hex);
+            cleanupSocket(socket);
         }
     });
 
@@ -1701,6 +1513,8 @@ bind_ports.forEach(function (v) {
 initstring = initstring.substring(0, initstring.length - 2);
 
 
+const wtvshared = new WTVShared(minisrv_config);
+const wtvmime = new WTVMime(minisrv_config);
 
 console.log(" * Started server on ports " + initstring + "...")
 var listening_ip_string = (minisrv_config.config.bind_ip != "0.0.0.0") ? "IP: " + minisrv_config.config.bind_ip : "all interfaces";
diff --git a/zefie_wtvp_minisrv/config.json b/zefie_wtvp_minisrv/config.json
index 80bd772d..34e80099 100644
--- a/zefie_wtvp_minisrv/config.json
+++ b/zefie_wtvp_minisrv/config.json
@@ -13,6 +13,8 @@
     "hide_ssid_in_logs": true,
     "post_percentages": [ 0, 25, 50, 100 ],
     "verbosity": 2,
+    "socket_timeout": 10800,
+    "post_data_socket_timeout": 30,
     "error_log_file": "errors.log",
     "catchall_file_name": "catchall.js",
     "enable_lzpf_compression": false,
diff --git a/zefie_wtvp_minisrv/package.json b/zefie_wtvp_minisrv/package.json
index f16d9473..53ecd2aa 100644
--- a/zefie_wtvp_minisrv/package.json
+++ b/zefie_wtvp_minisrv/package.json
@@ -1,6 +1,6 @@
 {
   "name": "zefie_wtvp_minisrv",
-  "version": "0.9.16",
+  "version": "0.9.17",
   "description": "WebTV Service (WTVP) Emulation Server",
   "main": "app.js",
   "homepage": "https://github.com/zefie/zefie_wtvp_minisrv",
diff --git a/zefie_wtvp_minisrv/zefie_wtvp_minisrv.njsproj b/zefie_wtvp_minisrv/zefie_wtvp_minisrv.njsproj
index eea66531..7d786788 100644
--- a/zefie_wtvp_minisrv/zefie_wtvp_minisrv.njsproj
+++ b/zefie_wtvp_minisrv/zefie_wtvp_minisrv.njsproj
@@ -52,6 +52,15 @@
     <Content Include="ServiceVault\wtv-cookie\reset.js">
       <SubType>Code</SubType>
     </Content>
+    <Content Include="ServiceVault\wtv-disk\uptest.js">
+      <SubType>Code</SubType>
+    </Content>
+    <Content Include="ServiceVault\wtv-disk\userbrowser.js">
+      <SubType>Code</SubType>
+    </Content>
+    <Content Include="ServiceVault\wtv-disk\userstore.js">
+      <SubType>Code</SubType>
+    </Content>
     <Content Include="ServiceVault\wtv-flashrom\content\content-serve.js" />
     <Content Include="ServiceVault\wtv-flashrom\current-noflash.js">
       <SubType>Code</SubType>
@@ -283,6 +292,9 @@
     <Content Include="WTVLzpf.js">
       <SubType>Code</SubType>
     </Content>
+    <Content Include="WTVMime.js">
+      <SubType>Code</SubType>
+    </Content>
     <Content Include="WTVRegister.js">
       <SubType>Code</SubType>
     </Content>
@@ -290,6 +302,9 @@
       <SubType>Code</SubType>
     </Content>
     <Content Include="package.json" />
+    <Content Include="WTVShared.js">
+      <SubType>Code</SubType>
+    </Content>
   </ItemGroup>
   <ItemGroup>
     <Folder Include="ServiceVault\" />