
Zobar's Journal


10/26/2007 16:21 #41821

something more interesting
Category: blagosphere
"Winter in Blogville" by Jennifer ("14221") Wutz-Lopes (Buffalo Spree, Nov 2007, p26)

Someone (everyone!) over at Estrip.org has their panties in a bunch about something to do with the fact that they are not taken seriously as bloggers. Take a number and get in line, I say.



But estrip is by far the most colorful screenshot in the bunch.

- Z
dragonlady7 - 10/27/07 07:31
I think (e:strip)'s panties were more in a bunch about being treated like a bunch of chumps in that all the other bloggers seem to think that because they live in the suburbs and offer opinions on things, they're Important, but we don't actually deserve to be told if an event is cancelled or not, because we use the Internet for social networking.

It's possible she's trying to start a flamewar because our blogs get more pageviews than hers...
mrmike - 10/26/07 17:01
My panties were fine before, but now they chafe.

Go Josh!
joshua - 10/26/07 16:51
You have to be fucking kidding me. Who the hell is Jennifer Wutz-Lopes, anyway? Maybe I should rush out to a Starbucks in the 'burbs to meet her and find out if I care!

Nobody reads Buffalo Spree anyway. It's trite and self-aggrandizing, much like Jenny's own blog. God knows this is too laughable to pontificate about. If there wasn't a tinge of doubt in my head about the nature of (e:strip) and how much she actually knows about it, it would be my absolute pleasure to rip her a new ass for saying something so foolish.

10/26/2007 15:09 #41820

code
Because I know everyone's been holding their breath for this, here's the HTTP auth Javascript, server-side script, and database layout.

Notes:
- does not require any hooks in your HTML code; just make sure your form has fields named 'username' and 'password' and import the Javascript
- can be attached to any form with an access-restricted target; script will pre-authenticate and, if successful, send the rest of the form as usual.
- You're not going to be able to use the server script as-is because it's kind of dependent on other parts of the project. You're not going to be able to read the server script as-is because it's Python. [Also in the full version you can change your authentication realm, and users in the special '_administrator' realm can log in to anyone's site.]
- no backwards Internet Explorer compatibility code in the Javascript
- on successful authentication, 'validate' returns 204 No Content. on unsuccessful authentication, server returns 400 Bad Request.

- Z
dragonlady7 - 10/27/07 07:34
Jesus you're hot when you geek out.
*fans self*

10/26/2007 00:42 #41808

picking a scab
You know, I just can't fucking leave well enough alone. This morning (e:paul) mailed me a short Surebert script to do logins, which works, yet I'm still hacking this HTTP auth problem. Stay The Course, right?

But I got it solved. 1: Never send 401 Unauthorized without a WWW-Authenticate header. It's not allowed, and you'll get what you deserve. RFC 2617 briefly mentions using 400 Bad Request to report miscellaneous failures to the browser, and sure enough, that resets Safari. 2: If the script detects a failure, send another request to the same URL using a bogus username. This will of course fail, resetting Firefox in the process [thanks (e:kookcity2000)]. I think that's a gruesome hack, but if it works it works.

Why do I care about HTTP authentication? Most importantly, I want to support authenticated, noninteractive web services [specifically an authenticated RSS feed]. Since this code will have to live in my server somewhere, I might as well get some mileage out of it. HTTP Digest is often overlooked but it's a nice middle ground between static hashes [which are plaintext-equivalent] and full-blown encryption [CPU load].

Source code available upon request.

- Z

news - 10/26/07 09:34
You could easily implement that with my javascript method. It is using javascript to md5 the data before sending. If you sent some salt from the server you could easily mix that in too and have a total custom blend.

Are you getting Leopard jitters yet!!
zobar - 10/26/07 08:29
The problem with cleartext and Basic is well-known: you can recover the password. md5 is better because you can't recover the original password. But the server never asks for the original password. It asks for md5(password), which is passed around in cleartext on the wire.

With HTTP Digest, the server sends a random session nonce to the client. The client adds its own random request nonce and sends back (r-nonce, md5(password, s-nonce, r-nonce)). The effect is that the hash that's sent to the server is different for every request. There's actually more that goes into it that also prevents someone from using an old hash.

Will clean up code & post this afternoon.

- Z
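The Digest exchange described in the comment above, together with the 204/400 'validate' behaviour from the "code" post, as an added example that is not zobar's script. It goes beyond the comment's short formula by using the full RFC 2617 qop=auth calculation; `Validator`, `validate` and `demo` are hypothetical names, and the credentials are the sample values from RFC 2617 section 3.5.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 section 3.2.2 request-digest for qop=auth."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")  # what the server stores
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class Validator:
    """Hypothetical server-side check (assumption, not the project's code)."""
    def __init__(self, ha1_by_user, issued_nonces):
        self.ha1_by_user = ha1_by_user      # username -> stored HA1
        self.issued = set(issued_nonces)    # nonces this server handed out
        self.last_nc = {}                   # nonce -> highest nc accepted

    def validate(self, method, uri, f):
        ha1 = self.ha1_by_user.get(f["username"])
        if ha1 is None or f["nonce"] not in self.issued:
            return 400                      # 400, never a bare 401
        nc = int(f["nc"], 16)
        if nc <= self.last_nc.get(f["nonce"], 0):
            return 400                      # old hash replayed
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(
            f"{ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:auth:{ha2}")
        if not hmac.compare_digest(expected, f["response"]):
            return 400
        self.last_nc[f["nonce"]] = nc
        return 204                          # No Content: credentials are good

# Sample values from RFC 2617 section 3.5
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
URI, NONCE, CNONCE = "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"

def request(password, nc):
    resp = digest_response(USER, REALM, password, "GET", URI, NONCE, nc, CNONCE)
    return {"username": USER, "nonce": NONCE, "nc": nc,
            "cnonce": CNONCE, "response": resp}

def demo():
    v = Validator({USER: md5_hex(f"{USER}:{REALM}:{PASSWORD}")}, [NONCE])
    first = request(PASSWORD, "00000001")
    return [v.validate("GET", URI, first),                      # fresh request
            v.validate("GET", URI, first),                      # same bytes replayed
            v.validate("GET", URI, request("bogus", "00000002")),
            v.validate("GET", URI, request(PASSWORD, "00000002"))]
```

The replayed request fails even though its hash is correct, because the nonce count has already been used; a wrong password leaves the counter untouched, so the next correct attempt still succeeds.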
news - 10/26/07 00:49
HTTP digest is essentially md5 encryption. :::link:::

Can you post the source so we can see it or send it to me.

10/24/2007 22:18 #41787

dorky geek question
Don't bother reading unless you give at least a quarter of a shit about XMLHttpRequest and HTTP authentication.

Here's a stupid geek trick. The correct login information for this is user="user", password="password". Give it the wrong password [it will say something like 401 Unauthorized, user="user", password="bogus"]. Then give it the right password and try again - it will keep sending the wrong password. This happens in both Firefox and IE; Safari has a slightly different bug.

Here's the sitch: I have an XMLHttpRequest going out to a password-protected resource. The credentials are supplied by the user and thus they are likely to be wrong some of the time. The script is designed to gracefully handle authentication failure - specifically, I want to avoid the crappy infinite HTTP authentication dialog box loop. I'd think that this issue would come up from time to time, but I guess it doesn't because this is really hairy:

XMLHttpRequest states "If authentication fails, user agents SHOULD prompt the users for credentials."

To work around this, Paul James suggests returning 401 Unauthorized without the mandatory WWW-Authenticate header. In theory, this tells the browser to stop trying and forget the password. The browser does, in fact, stop trying, but it also goes into a weird undefined state where it continues to issue the old [incorrect] password despite instruction to the contrary. [Safari instead puts up the dialog on the next request, even if credentials are provided.]

HTTP/1.1 states "If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information." - ie, reissue the same challenge to indicate to the browser that it should give up. As near as I can tell, not a single browser has ever done that.

HTTP/1.1 also gives us 403 Forbidden: "Authorization will not help and the request SHOULD NOT be repeated." This response has the same bizarre effects as 401 without WWW-Authenticate.

I'm actually kind of an AJAX newb, so ... does anyone have any recommendations?

- Z

paul - 10/25/07 00:12
I sent you an example of a surebert based ajax login that uses md5 to send the password and has color based feedback red=bad, green=good.

Hope it helps.
zobar - 10/24/07 22:56
Oh, the server-side source code is at :::link:::

- Z
james - 10/24/07 22:47
I recommend whiskey.
kookcity2000 - 10/24/07 22:26
in FF reloading the page doesn't help but changing the username (to say, 'dude') and then back works

10/17/2007 13:00 #41688

more halloween fun
Category: fun
OK I admit it, I'm too cool for school. I don't like getting dressed up for Halloween. I think costume parties are lame. One year we sat at home with all the lights out so nobody would try to trickortreat us. And secretly I always thought that people who professed to like Halloween better than Christmas were just trying to fit in with the kids who don't fit in.

But this year it seems like there's a lot of fun stuff happening. Consider this, first off, a bump for "Nosferatu," below.

At the other end of the film spectrum, Regal Transit is going to be screening The Nightmare Before Christmas in 3-D this year. [I was initially surprised that they'd taken the expense of shooting in 3-D if they weren't going to distribute as 3-D ... but alas, this is yet another film digitally altered by ILM. Thank you George Lucas!]


[Woah, rerecompression. I hear Flash 9 is going to have native support for H.264?]

Is everyone familiar with fundamentalist Christian haunted houses? Alleyway Theatre bought a copy of the 'official' script and is presenting "Hell House Buffalo" upstairs of the costume store/bike shop at 745 Main. Todd Warfield (Reefer Madness), director: "I've changed very, very little of it. The challenge for us is to perform it sincerely." I've always been sort of morbidly curious of the spectacle, and now that I know the money is going to a good cause and I won't get evangelized at too much, I think we're going to go check it out. With local celebrities as Guest Satans, how can you go wrong?



- Z

jenks - 10/17/07 18:22
wow... I want to do all of those! nosferatu, nightmare, rollerderby... hell house maybe except that it will really piss me off... and costumes not so much.
drew - 10/17/07 17:46
One of the quotes was from Landover Baptist church, a satirical website (and a hilarious one at that). I hope they realized that, but the truth is that there is enough bad real stuff out there that they don't need to fake it.
janelle - 10/17/07 15:35
(e:DragonLady7), where am I going to buy my roller derby tickets now that New World Records is on Hertel? Does somewhere else on Elmwood sell them?
joshua - 10/17/07 15:30
What's this?
dragonlady7 - 10/17/07 15:28
Hey man don't forget the rollergirls' goth prom on the 27th at Rainbow Rink. !!!!!
There will be hot girls in stupid revealing slut costumes and also rollerskating. HOW CAN YOU GO WRONG YOU CAN NOT GO WRONG.
janelle - 10/17/07 14:36
I will so be at the Hell Haunted House. I've heard it too and I'm a little curious. Although I'm not sure if I should support an interpretation of my faith that I thoroughly disagree with.
joshua - 10/17/07 14:28
That's ok man. At the halloween party I don't plan on dressing up. I think my saudi prince idea is cool though.