31 באוגוסט 2009
30 באוגוסט 2009
29 באוגוסט 2009
26 באוגוסט 2009
#jogging. 7.5Km. 55m
25 באוגוסט 2009
Total Eclipse of the Heart, flowchart style
Does this 80s hit confuse you with its cunning lyrical twists? Luckily, there’s a handy flowchart for that.
24 באוגוסט 2009
How to Create Totally Secure Cookies
24 August 2009
How to Create Totally Secure Cookies
-->
0
Securing cookies and sessions is vital to keeping an application secure. Many tutorials have been written on the subject, but as the internet (and browsers loading it) evolve so do the methods you can use to keep your application secure.
In this article we’re going to break down the various components of a cookie and what they mean for security. This will include limiting the cookie to certain domains and paths on those domains, choosing what information to store, and protecting the cookie from cross site scripting exploits. In a second article we will go into more depth in how to protect everyone’s favorite cookie, the session ID.
How Cookies Work
Cookies are simply key/value pairs that let us get around HTTP being a stateless protocol. When a developer has data they wish to last for more than one connection they can use cookies to store that data on the client side. While this tends to get handled by the programming language being used it is accomplished using HTTP headers.
When the server wants to set a cookie it passes back a header named “Set-Cookie” with the key-value pair and some options.
On subsequent requests the client will send along its own header to let the server know the name and value of its stored cookies. The server will not continue to send back the cookies, it will only send them if there is a change.
You can see all the headers for yourself using the LiveHeaders plugin for Firefox.
The Problem
This data is completely in control of the client- it is trivial to change the values of a cookie. That means that, just like post and get data, all cookie data must be validated in some way. At the same time you’ll want to avoid storing sensitive information, such as passwords, as cookies are stored in cleartext and anyone with access to the computer later can easily pick those up (I know of at least one security forum that was hacked in this way). It is also important to note that HTTP does not encrypt the headers in any way. If the connection isn’t over SSL then it will not be protected from snooping eyes.
Session cookies are no different than any other cookie- their value is just a simple ID. Those IDs are susceptible to all of the same limitations as other cookies. The real power behind sessions happens server side, where the ID is used to pull out data stored on the server. This has many benefits over storing data directly into the cookie itself- data can’t be manipulated by the user, large amount of data can be stored without having to send it back and forth with each request, and you can store data you otherwise wouldn’t want the client to have access to.
Getting Started
The first step towards securing your cookie is to restrict that cookie to only your application. This is especially important in environments that support multiple sites or applications (the type of shared hosting you often see on corporate or university domains). By restricting the cookie to only the applications that need it you reduce the chances of it being sniffed while also keeping the cookie namespaces clear for other applications that use them.
There are three options that can be sent along when creating a cookie that, when used properly, will keep the cookie limited to only your application. Before setting these options you will need to ask yourself a few questions-
- What parts of the website need access to the cookie?
- Will the cookie need to work across sub domains?
- Will the cookie need to persist if the user leaves an SSL portion of the site?
There is also a forth option used by newer browsers to restrict access to cookies by javascript.
As you will see, how exactly to restrict the cookie really does depend on the exact purpose for that cookie. A banking or ecommerce site may restrict their cookies to only SSL, while a blog or news aggregator may want to leave things more open.
Cookie Options
Send The Cookie To Only Your Application
The Path argument specifies what paths on the site to send the cookie. The default value of “/” means every request will get the cookie, while “/forums/” would limit the cookie to just that path. This path is going to be based on the actual URL the browser uses, before any mod_rewrite or other URL mapping.
Don’t Share With Sub Domains
The Domain option allows you to specify whether or not to send the cookie to subdomains. Setting “www.example.com” will mean only the exact domain “www.example.com” will be matched, while “.example.com” will also match again any subdomaim (forums.example.com, blog.example.com).
Require a Secure Connection
Using the Secure option you can tell the browser (or other http clients) to only send the cookie over SSL connections. This means the cookie will not be available to any part of the site that is not secure will not have access to the cookie, but it also makes it much less likely that you’ll accidentally send the cookie across as cleartext.
Protect Against XSS Exploits
This HttpOnly flag is used to tell the browser that it should not allow javascript to access the contents of the cookie. This is primarily a defense against cross site scripting, as it will prevent hackers from being able to retrieve and use the session through such an attack.
The HttpOnly option is not by any means full proof. As a client-side defense mechanism it relies on browser support to work, but is only supported by a few browsers (Firefox 3+ and IE 7+, with partial support from Opera 9.5, IE6 and Chrome).
Configuring the Cookie
In PHP, setting the arguments for cookies is done through some optional arguments on the “setcookie” function:
setcookie( name, value, expire, path, domain, secure, httponly); // Open setcookie( 'UserName', 'Bob', 0, '/', '.example', false, false); // Locked Down setcookie( 'UserName', 'Bob', 0, '/forums', 'www.example.com', isset($_SERVER["HTTPS"]), true);To change the cookie values for the session cookie requires the “session_set_cookie_params” function, which needs to be called before the session is started.
session_set_cookie_params($expire, $path, $domain, $secure, true); // Open session_set_cookie_params(0, '/', '.example', false, false); // Locked Down session_set_cookie_params('o, /forums', 'www.example.com', isset($_SERVER["HTTPS"]), true)Summary
Cookies remain the basic method of identify tracking on most websites and keeping them secure is a vital part to keeping applications as a whole locked down and secure. In this article we went over four methods for protecting cookies on a general level.
When using cookies its important to remember to:
- Limit the amount of sensitive information stored in the cookie.
- Limit the subdomains and paths to prevent interception by another application.
- Enforce SSL so the cookie isn’t sent in cleartext.
- Make the cookie HttpOnly so its not accessible to javascript.
Please check out the second half of this series, where we’re going to take the next step with an in depth guide to securing sessions.
Enjoy this article?
If you liked this article, feel free to re-tweet it to let others know. Thanks, we appreciate it :)
This post was written by
Robert Hafner
Robert is the cofounder of SolunaNet, a web development firm in Massachusetts. His most recent projects include application and server development for Malwarebytes and the open source project Mortar. You can follow him on Twitter at @tedivm.
Related Articles
We love .net Magazine
We're big fans of .net so they've hooked us up with a rad deal: Save 50 percent on your subscription.
A Black Day for the English Language as U.K. Officially Bans common Phrases
Dozens of public organizations in the U.K. have imposed bans on common words and phrases used by their workers and in their correspondence in an effort to be more politically correct.
Rather than write a scathing opinion piece on how appallingly stupid we think it is to ban such phrases, and how overly sensitive governments and people have become, we’ll just list a few of those banned phrases with the reasoning behind why they were banned and let you decide for yourselves.
Whiter than white - A phrase used to describe someone who would never do something bad, has been banned because it is believed to be racial and infer that black is bad or criminal.
Black Day - Used to describe a time of disappointment or shame in a situation, has been dropped from publically funded agency language because it is believed to have racial undertones.
Ethnic Minority - Because in that context the word minority implies that ethnicity may be looked upon as small, unimportand or insignificant.
Gentleman’s Agreement - Because it can be construed as sexist and exclusive of women.
Black sheep of the family - Since it implies an outcast or an unappreciated person, and uses the word black in a negative way.
And here’s my all time favourite…
Master Bedroom - Because it implies subservience of women and dominance of males in relationships!
You be the judge, dear readers.
The article with more information is at the Times Online site here.
The word “Cracker,” or the term “Typical Male,” do not seem to be on the list, despite their obvious stereotypical meanings.
22 באוגוסט 2009
Wow, so that is how memes happen – #songsincode
I am quite amazed just how much the #songsincode thing is mushrooming right now on twitter. Some months ago I had posted this one:
{ 'name':'Lola', 'occupation':'showgirl', 'fashion':['music','passion'], 'location':[-22.970834, -43.191665] }To me this retweet by Adam Hepton kicked the thing off but other people have disputed that. It would be interesting to see if mine was really the first and if Adam was the first to use the hashtag.
In any case, this is more geeky fun than I had ever imagined and it is interesting to see just how many people are utterly confused by it. It is also sad to see how spammers work Twitter hard.
If you don’t get it: songsincode tries to display either a title of a song or part of its lyrics (as some songs are more known by the refrain than their title – for example there is no such thing as “all the lonely people” by The Beatles) in code. This could be PHP, JavaScript or any other language. For this,
sad geeksclever people use code constructs like if statements and loops to describe conditions and repetition. If you don’t get it, don’t feel left behind, it is hard core geek.Here are some more #songsincode from me:
Bob Marley: I shot the sheriff:
var i = {shot:{sheriff:true,deputy:false}}The Ramones: Sheena is a punk rocker
while(Sheena.type=='punk rocker'){Riff.repeat();}Reel2Reel: I like to move it
x=0;while(x<100){it.style.left=x+'px';x++};i.likeTo=true;Procol Harum: A whiter shade of Pale
for(i in dance){if(i=='light fandango'){continue;}};cartwheels.turn({floor);me.feeling='seasick';crowd.call('more');Queen: Bohemian Rhapsody
if(man.silhouetto.size=='small'){scaramouche.do(fandango);if(thunderbolt&&lightning){me.frightened=true}}Sisters of Mercy: If you don’t see me
if(!u.see('me')||u.loc!=me.loc){me.exist=false;you.makeBelieve=1;}if(eye.see==0){heart.break=0};if(you.leave){me.disappear()}Blood Hound Gang: The bad touch
do{if(!(you+me) >= mammals){ doit('like they do on the discovery channel') }while(theTouch == 'bad')}Leonard Cohen: Everybody Knows
{'everybodyKnows':true,'facts':{'boat':'sinking','captain':'lied'},'co':'hen'}Simon and Garfunkel: Sound of Silence
oldfriend='#000';talk++;while(vision<100){vision++;};sleep.seed();brain.vision=vision;r.mains='still;volume=0; #songsincodeAnd of course the rick roll:
if(we!=strangersToLove){u.knowRules=1;i.knowRules=1;me.think{committment:'full'};otherGuy:{type:'any',delivery:'false'};}Keep them coming!
This entry was posted on Friday, August 21st, 2009 at 10:11 am and is filed under General. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.
A story from calcalist has been sent to you
| אבנר קשתן 20.08.09, 15:00 |
למרות הרעש התקשורתי סביב האייפון וחנות האפסטור, רוב חברות הסטארט-אפ הנהנות ממימון של קרנות הון סיכון מעדיפות לפתח יישומים לכמה מערכות הפעלה סלולריות, ואינן מסתפקות בתמיכה באייפון בלבד. כך מתברר מסקר שהביא אתר חדשות הטכנולוגיה cnet.
מהסקר, שערכה חברת המחקר Chubby Brain, עולה ש-67% מבתי התוכנה מפתחים יישומים לשתי פלטפורמות או יותר, ו-76% מהם תומכים בכל שש מערכות ההפעלה הסלולריות הנפוצות - סימביאן של נוקיה, בלקברי של RIM, אנדרואיד של גוגל, WebOS של פאלם, Windows Mobile והאייפון של אפל.
מיעוט החברות מפתחות גרסאות נפרדות של האפליקציות שלהן לכל פלטפורמה בנפרד. מהנתון עולה כי אין אף פלטפורמה ששולטת בצורה מוחלטת בשוק, והמשקיעים מעדיפים שלא להשקיע בחברות השמפתחות יישומים שנתמכים במערכת הפעלה אחת, כדי לא לחסום חלק ניכר מהמשתמשים הפוטנציאליים.
עם זאת, בקרב 33% מהמפתחים שבחרו להתמקד בפלטפורמה אחת בלבד, האייפון מוביל עם 49% מהחברות שנסקרו, וזאת למרות התלונות הרבות מצד מפתחים רבים על יחסה של אפל ועל מדיניות התמחור של האפסטור, המקשים על אפשרויות הרווח מהפלטפורמה. הנתון מרשים במיוחד לאור כך שאפל מחזיקה רק ב-13% משוק הסמארטפונים.
הולכים על בטוח
במקום השני עם 20% מהחברות עומדת פלטפורמת הבלקברי של RIM, אשר מצליחה מאוד בשוק העסקי הרווחי, שם לקוחות מוכנים לשלם יותר מאשר 99 סנט לאפליקציה כפי שנהוג באפסטור. במקום השלישי, למרות קצב העדכונים האיטי ואובדן נתח השוק, עומדת פלטפורמת Windows Mobile הוותיקה של מיקרוסופט עם 15% מהחברות אשר מפתחות אליו. נתוני המכירות החלשים של ה-Palm Pre הולידו חוסר עניין בפלטפורמה. רק 3% מהחברות שנבדקו מפתחות אפליקציות המיועדות למערכת הפעלה ה-WebOS של פאלם, פחות אפילו מאשר לאנדרואיד של גוגל, אשר לו מפתחות 5% מהחברות.
פלטפורמת סימביאן של נוקיה - המחזיקה ב-45% משוק הסלולר - מפתיעה לרעה: רק 8% מהחברות מפתחות אפילקציות בלעדיות לסימביאן. אחוז נמוך זה מוסבר בכך שהמחקר התמקד בחברות אמריקאיות ולא אירופיות, שם לסימביאן הצלחה גדולה יותר.
המסקנה מהמחקר היא שהאפסטור של אפל, על 1.5 מיליארד ההורדות ממנו, עדיין נתפס כערוץ השקעה רווחי, אך הקרנות לא מסתכנות בהשלכת יהבם על פלטפורמה אחת בלבד. רוב החברות משקיעות את מרצן באפליקציות מבוססות דפדפן אשר לא מוגבלות לפלטפורמה אחת בלבד - וגם לא לסמארטפונים בלבד.
21 באוגוסט 2009
20 באוגוסט 2009
Just got my KOZO3 la
Entertainer Dudu Topaz commits suicide
Veteran TV personality, held while undergoing trial for multiple charges of conspiracy to commit a crime, hangs himself in detention cell; pronounced dead at the scene. IPS, police launch investigations
Didn't thought he will do it. Was sure he loved himself too much.
19 באוגוסט 2009
Case Study: Can You Launch a New Site With Twitter Alone?
Just over a week ago I launched a new site, I thought I would tell you how I did it and what the results were so you could learn from my experience. The small twist with this launch was I planned to use only Twitter …
Day after launch
After a week
As you can see, after I week the site had received 8,000 page views, from nearly 5,000 visitors. In fact, the reason why I didn’t post this case study earlier is that it is still getting visits and I didn’t want to draw conclusions too early. As well as visits, it also gained over 200 email sign ups, and was retweeted over 300 times.
Of course I have launched lots of new sites over the years. My friend Gareth and I launched a Fantasy Formula 1 site using Twitter earlier, but that was just a bit of fun. I wanted to see what would happen if I gave it a little more of a push.
The site I was launching is Social Media Work book – the site is for a forthcoming product I am working on, with a view right now to gain feedback about what people want to know about social media. This launch was purely to put it on the map, get some visibility and links. A secondary goal was to gain some opt-ins, but because it was not a priority I worked a plan that involved more of a viral element than to drive opt-ins.
So what did I do?
- First I built the site in WordPress using the DIYThemes Thesis Theme and the openhook plugin and sent small trickles of traffic to it to test response. In the lead up to the launch I achieved over a 50% opt-in conversion rate on the home page, which was higher than my expectations so I did not spend any more time on it, hence it is not the most elegant of designs but it works! Once the launch was under way and people were sent to my content page, opt-ins dropped to 6% at best, and 4.5% on average, but this is not surprising when you think the landing page people were sent to was not focused on gaining subscribers but on delivering content.
Conversion Rates in Testing
- As mentioned above, the goal of the site right now is to get people to submit social media questions in return for free goodies. There is a kind of catch-22 there as I need to know what people are struggling with before I can create the goodies, but I can’t get people to submit questions without that ethical bribe. Thankfully enough people submitted questions through the test phase that I had a challenge I knew I could answer right away.
- Consistently people were saying they struggled with issues around content, visibility, traffic, and getting clicks. I knew in my Authority Blogger Course materials I had a nice little report that I could repurpose quickly, and the launch was on.
- I grabbed my 102 Proven Headline Formulas report and created an e-cover graphic for it, slapped up a page.
102 Proven Social Media Headline Formulas
- As my goal was a viral effect leading to visibility and links, I added the TweetMeme and Tell-a-friend WordPress plugins. TweetMeme worked very well, the tell a friend not so much. The benefit of a Tell-a-friend script though is that you can see what people are saying about your content, which is a very valuable insight!
- All what was left was to seed out into Twitter and ask people to retweet … which thankfully my followers did, over 300 times
Traffic Sources
I have to confess that while the experiment was to use Twitter, and Twitter did drive the majority of the results, other traffic sources did naturally come into play!
Traffic Sources
Had I got onto the Digg front page the traffic would have been far higher, but I wanted to see how Twitter would work out and that is what I focused on. You can see that Twitter was the main traffic driver, we can say that the majority of the “Direct” traffic was desktop Twitter application users as few to no people knew of the domain before launch, and Ow.ly is the Hootsuite URL shortener.
Limiting myself to Twitter did constrain how much I could do, and a multiple channel approach is always better, but it does allow me to hone my approach for future campaigns. I am a testing freak
Search traffic
Recall one of the aims was to get links to prime the site for search? With essentially this one free report I had met that goal already, which I did not fully expect to happen so quickly.
At the time of writing the site has gained around 80 links with around 5o to the report landing page. Not bad going so far.
Of course now I need to keep following up so that I do not lose the momentum, and I need to work towards creating and launching my product which is the whole point of the exercise!
If you are interested in what I do next and how that works out, then you need to subscribe now because I will be keeping you updated right here with progress
Related Posts:
Please bookmark or vote!:
Support for Hebrew and Arabic in Google Sites
Google Sites now supports Hebrew and Arabic.Editions included:
Standard, Premier, Education, Team and Partner EditionsLanguages included:
Hebrew and ArabicGet these product update alerts by email
Subscribe to the RSS feed of these updates
18 באוגוסט 2009
Bizarre Hindu Transvestite Cult spreading in India
Traditional religious leaders in India have been left scratching their heads in amazement at new developments in the country.
A cult of sorts is forming in the country, with their beliefs centered around the Godess, Radha. Apparently, men are dressing up and living as women to be more like Radha, the godess lover of Krishna.
One of those men is retired railway worker from New Delhi. V K Saxena, 72, said:
“I can’t put it into words properly but I feel more holy dressed as a woman. The Lord told me he wanted me as his bride.”
When asked what he thought of the new practice of dressing in women’s clothing to be closer to God, Senior priest Mohammad Ahangar replied: “There are many ways to be closer to the Lord without trying to be his girlfriend.”
New media rules! Here's why
If someone needed a solid proof that new media is the king, Econsultancy gathered more statistics about social media services. The fact that facebook is the 4th largest country in the world is already known, but I was blown away from the fact #5:It took radio 38 years to reach 50 million listeners. Terrestrial TV took 13 years to reach 50 million users. The internet took four years to reach 50 million people... In less than nine months, Facebook added 100 million users.
Image via CrunchBase
Just 4 years to reach 50,000,000 users (now there are some 1,200,000,000 global users), and in only 9 months facebook rounded up 100,000,000 new users. Unbelievable numbers!Between those public stats lie some corporate stats as well, that emphasis the importance of new media and the impact it has on businesses, regardless of industry:
80% of companies use, (or are planning to use), LinkedIn as their primary tool to find employees during the course of this year. The site has just celebrated reaching their 45-millionth membership.So yes, if you just landed on Earth, don't waste your time and money buying 50" LCD - get a laptop or netbook and start working the web.Link:
Econsultancy - 20+ more mind-blowing social media statistics
Brian Solis - Everything you never knew about facebookRelated articles by Zemanta
- If Facebook was a country it would be world's fourth largest (financegeek.com)
- Social networking sites lead to disconnect (timesunion.com)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=d6662561-452f-4429-855c-29f715763c34)
Microsoft to Support IE6 Until 2014
Despite numerous online campaigns calling for the death of IE6, Microsoft has confirmed their commitment to the browser until 8 April 2014. A post on the IEBlog states that upgrades are the responsibility of the user and the company will continue to support the 8 year-old browser:
The engineering point of view on IE6 starts as an operating systems supplier. Dropping support for IE6 is not an option because we committed to supporting the IE included with Windows for the lifespan of the product. We keep our commitments. Many people expect what they originally got with their operating system to keep working whatever release cadence particular subsystems have.
As engineers, we want people to upgrade to the latest version. We make it as easy as possible for them to upgrade. Ultimately, the choice to upgrade belongs to the person responsible for the PC.
Like it or not, Microsoft is doing the right thing. Windows XP extended support will continue until 2014 and IE6 was the browser supplied with that OS. IE6 support and updates will therefore continue for at least another 5 years. They can not and will not force users to upgrade.
There are two primary reasons why Microsoft had to extend XP support:
- Vista was delivered 4 years late and has been slammed by the press and users alike. Many private users and corporations continue to use XP and install the free OS downgrade option on new PCs. Although Vista has improved, there is a general perception that it’s a poor OS and only Windows 7 will offer a viable upgrade path.
- The rise of low-specification netbooks. Most of devices would not run Vista effectively so Microsoft offered XP Home as an alternative.
However, the company is committed to promoting IE8. Several of Microsoft’s own web applications, such as the new versions of online Office, do not provide official IE6 support (although they might still work, especially if they are Silverlight-based).
Does Microsoft’s commitment to IE6 matter? Probably not — it’s up to the web community as a whole to encourage browser upgrades.
Related articles:
- Just When You Thought IE6 Would Die…
- Has Microsoft Killed the Linux Netbook?
- Will Microsoft Implement HTML5 in Internet Explorer?
- The Slow Lingering Death of IE6
Share and Enjoy:
This entry was posted on Tuesday, August 18th, 2009 at 1:03 am, contains 362 words, 7 images, and is filed under News & Trends. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed. The views and opinions in this blog post are those of its author.
I hoped 2012 :(