Quoderat

Life without cookies (or URL rewriting)

Posted on October 13, 2005 by David Megginson

Is it possible (for webapps, that is)? Is it desirable? Current practice is to set up a session on the server side, then use the cookie (or a GET parameter or URL substring) as a key to associate individual HTTP requests with sessions.

There are some alternatives to cookies and URL rewriting — and even to server-side sessions themselves — that will work under many conditions:

With HTTP authentication, the browser will resend credentials for each page, at the cost of a bit of extra HTTP overhead (the first time a page is viewed, there will be an extra exchange with the server, at least for Firefox). The user id can make an effective session key, and, in the case of authentication alone, can eliminate the need for sessions altogether.
For multi-stage, choreographed processes, using a separate URL for each stage — in the best spirit of REST — eliminates the need to track the user’s progress as part of the session information, and also makes it easier for the user to bookmark a step halfway through the process and return to it later.
It is also possible to stash temporary information in POST parameters: though some toolkits might balk, it is possible to have both GET and POST parameters to the same POST request, where the POST parameters won’t mess up the URL (though they will cause browser complaints with page reloading).

None of these is a perfect substitute for sessions, but I wonder if we haven’t used sessions and session variables a bit too much, just because toolkits have made them so easy to use. There’s also the philosophical problem that using any extra-URL technique (cookies, HTTP authentication, etc.) to customize a page violates the REST principle that n requests with the same URL should return the same object.

Who reading this has implemented a reasonably-complex webapp without using cookies or URL rewriting? What about a webapp that doesn’t use sessions at all?

Tagged programming, web | 11 Comments

Oracle vs MySQL AB

Posted on October 11, 2005 by David Megginson

Tim O’Reilly reprinted a note from Andy Oram about Oracle’s recent purchase of InnoDB, the company that produces the best of the MySQL backends.

Assuming that Oracle knows what they’re doing (generally a safe assumption), the purchase is not an attempt to attack MySQL as an Open Source product, and it certainly shows no weakness in the Open Source model or the choice to use Open Source in the enterprise. Oracle’s lawyers are smart enough to understand that since InnoDB was released under the GPL, they cannot prevent others from forking the code and continuing development. Anyone — from private users to LAMP websites to large enterprises — can continue to use MySQL with the InnoDB backend under the GPL no matter what Oracle says or does.

What Oracle can now prevent, however, is dual licensing of InnoDB itself and any future forked version. Unless Oracle gives permission, InnoDB can be licensed only under the GPL, which means that it can be used as the backend only for a GPL-licensed database. MySQL AB, the company that produces MySQL, earns a chunk of its revenue from dual licensing, and when their contract with InnoDB runs out in a year and a half, they will no longer be able to distribute a non-GPL version of MySQL that uses InnoDB. So here are Oracle’s next two likely moves:

Oracle continues to develop and improve InnoDB, releasing its changes under the GPL, winning kudos from the Open Source community, and encouraging even more users to switch MySQL and InnoDB.
Oracle does not allow MySQL AB to renew its contract for dual-licensing InnoDB, weaking a potential competitor even while it helps an Open Source product.

In other words, MySQL extends its lead as the predominant Open Source database, but MySQL AB loses its dual-licensing revenue source and becomes a less effective commercial competitor to Oracle. Nice move. Looking over the pieces on the board, I can see two ways for MySQL to respond to this threat:

create a new backend to replace InnoDB in the 1+ year remaining of MySQL AB’s InnoDB contract; or
forget about dual-licensing, make MySQL exclusively Open Source, and concentrate on support revenue.

The first move isn’t as good an idea, since Oracle will be able to use its own code and expertise to keep improving InnoDB to be faster, more conformant, etc., giving it effective control of the game while MySQL AB is constantly reacting. Heck, Oracle can even fork its own version of MySQL, as long as it stays GPL. The second move, on the other hand, will give MySQL AB back the initiative by allowing it to benefit from any work Oracle puts into InnoDB — the better Oracle (or anyone else) makes InnoDB, the more revenue MySQL AB can pull in for supporting a pure-Open Source MySQL.

If there’s any lesson in this, it’s that the dual-licensing business model has some serious flaws. Stick with selling support and professional services.

Posted in General | 5 Comments

A good Zachman question

Posted on September 13, 2005 by David Megginson

The Zachman Framework (link to a full Wikipedia article) has been around for almost two decades now. It is an approach to enterprise system architecture that involves asking a series of questions (who, what, when, where, why, and how) for stage/aspect of a project. Because the framework is usually displayed as a table with the questions along the top and the stages/aspects down the left side, the Zachman-heads generally refer to the project stages/aspects as rows:

scope;
business model;
system model;
technology model;
components; and
working system.

An enterprise system architect will toss around the phrase “that’s a row-four question” just as easily as a network specialist will toss around the phrase “that’s a layer-four protocol”. The framework requires asking 6 questions 6 times to 5 stakeholder groups, for a total of 180 questions.

Not very agile, and maybe anglo-centric

This mountain of paperwork is pretty-much the antithesis of the agile software design that many of us are now practicing with great success — as the current version of the Wikipedia article linked at the top of this posting wrying notes, Zachman “is popular within IT architecture departments but has little hold of either the developer or user communities.” In other words, we tend not to use the stuff even if someone shoves it in our faces. I’m not going to bother rehashing the standard agile arguments against this kind of heavily formalized design, because most of you already know them (and those who do not can follow the link to the Wikipedia article at the start of this paragraph).

Today, I stumbled upon a different kind of criticism of Zachman: Graeme Simsion, writing from inside the system architecture community, notes that language bias has likely severely restricted the framework’s usefulness. He points out that, while who, what, when, where, why, and how are the six common single-word interrogative English pronouns, a French speaker would almost certainly have added “combien”. There are two common translations of combien — “how much?” and “how many?”. Obviously, these are critical questions to ask about any project. “How much will it cost?” “How many users will it support?” “How much bandwidth will it need?” “How many services will it offer?” Why are these questions missing from Zachman? Simsion suggests that Zachman left them out because they require two words in English, making them seem less natural, and because they’re missing from Kipling’s little poem:

I keep six honest serving-men
  (They taught me all I knew)
Their names are What and Why and When
  And How and Where and Who

He goes on to write, half tongue-in-cheek, that if Zachman had been Zachhomme, the framework would have had eight columns rather than six. Nice catch!

Tagged programming | 3 Comments

Six Degrees of Wikipedia

Posted on September 11, 2005 by David Megginson

[Update: automated search: see below] My kids have independently come up with something very similar to the old Six Degrees of Kevin Bacon game — they choose two arbitrary Wikipedia topics (say, feces and Paris Hilton) and then figure out the shortest link path between the two articles — they can generally manage in four hops or fewer, by using hub articles for countries, musical genres, etc. I’m sure that there’s a more elaborate version of this somewhere on the web, with formal rules.

Update: Tim has left a comment pointing to Six Degrees of Wikipedia, a simple web app that looks for the shortest path between two articles.

Tagged web | 3 Comments

How SSL/TLS is broken, socially

Posted on August 20, 2005 by David Megginson

SSL/TLS works pretty well on the technical side, but on the social side, it’s broken, because so many sites (especially small ones) don’t use it, requiring users to send passwords and other private information in the clear. The problem is trying to do two things at once with a single standard:

authentication of the server’s (and sometimes the client’s) identity; and
encryption of communications.

There is no question that these are both important goals, but combining them into an all-or-nothing package in browser support for HTTPS has arguably made the web less secure. Generating a local server key for encryption is easy; getting a certificate from a certificate authority is a major hassle (both in time and money) for a questionable benefit (how much verification do CAs really do for ~$100? not much).

If we had separate standards for encryption and authentication, even the smallest sites could encrypt their sensitive browser-server communications as a matter of course, making the web much safer,. especially in the era of public WiFi networks.

Tagged web | 6 Comments

SSL/TLS RSS Challenge

Posted on August 20, 2005 by David Megginson

[Update: more results]

[Update: some results left as comments; and more.]

Thanks to everyone who posted comments on my Password-Protected RSS challenge three weeks ago. It turned out that the vast majority of feed readers can handle HTTP basic authentication for feeds.

Of course, if a feed holds important, confidential information, basic authentication over HTTP won’t be enough — you need to be able to use HTTPS to encrypt your password and data in transit. I do not have an SSL/TLS certificate for megginson.com, so I moved my test over to a different site, newmatica.com. Here’s the URL for the same RSS file, this time over HTTPS (the user id and password are still “guest”):

https://www.newmatica.com/test/blog.rss

Will your feed reader allow you to subscribe to a password-protected RSS 2.0 feed when SSL/TLS is involved? Here’s what I’ve tested:

Liferea: Prompts for a username and password, and stores the password on disk as clear text.
Bloglines: Reports no feed found. However, will read the RSS file if the username and password are encoded in the URL, i.e. http://guest:guest@www.megginson.com/test/blog.rss
Straw: Fails: HTTPS not yet supported.
FeedValidator: Reports a 401 HTTP error (authorization required). Strips the username and password from the URL if they are provided.

Once again, I’ll be grateful for comments about other RSS readers.

Update: reports from readers

Once again, thanks to readers who have left reports in comments. Here are the results so far:

Sage: John Cowan and Tim Howland report success.
NewsFire: Peter Lacey reports success.
NetNewsWire: Brent Simmons reports success.
RSS Bandit: Dare Obasanjo reports success.
Opera (8.0.2): Tony Coates reports success.
KDE Akregator: Douglas reports success.
FeedDemon: Brian R. Barker reports success.
Safari: Silas Hundt reports success, with username and password saved to the keychain.

Tagged blogging, web | 14 Comments

Patents and screwdrivers

Posted on August 8, 2005 by David Megginson

A Robertson screw

The Wikipedia article on the Robertson screwdriver gives an excellent example of how clumsy use of a patent hurts innovation. The Robertson screw (square hole, slightly tapered) is the best general-purpose screw drive ever designed, and accounts for about 85% of all screws sold in Canada — if you’ve ever worked with a Robertson screw, you immediately feel the urge to kick anyone who tries to make you use anything else, especially the Phillips screw with its easy-to-strip head.

Henry Ford realized that Robertson screws would save him considerable time and expense on the assembly line, but unfortunately, after a bad experience in the U.K., P.L. Robertson was so fierce about protecting his intellectual property rights that he wouldn’t sell Ford a license to make them. Ford was too smart to bet his company on a single monopoly supplier — even if the product was vastly superior to its competitors — and to this day, more than 40 years after the last patent expired in 1964, Robertson screws are barely used at all outside of Canada. By being too inflexible about his IP, Robertson ended with up only one tiny market (Canada) and missed his chance to change to world.

Posted in General | 10 Comments

Something for nothing

Posted on July 31, 2005 by David Megginson

I’ve noticed that Slashdot has started to include text ads in their RSS feed much more frequently, and I’m considering unsubscribing. I have no moral or ethical objection to text ads in RSS feeds, but this is the first time I’ve run up against that many text ads all in a row, and I find them ugly and rather annoying (on web pages, there’s more going on, and text ads don’t get in the way so much).

So, am I one of those people, often flamed in Slashdot comments, who expects something for nothing? How is Slashdot supposed to make money from providing an RSS feed to freeloaders like me? There are two reasonable answers to these challenges:

Slashdot strips links from their RSS feed, so if I want to follow a source or read comments, I have to visit the Slashdot site (and see their ads) anyway; and
in business, it’s OK to be selfish — I look for what I want, the other side looks for what they want, and if we cannot find any common ground we just wish each other luck and walk away. If I want an RSS feed without text ads, it’s OK for me to go looking for one; if Slashdot wants to put ads in their feed, it’s OK for them to do so. If there’s no common ground, then I simply stop reading Slashdot.

Of course, from an entrepreneurial point of view, that still leaves a problem: how can people make money directly from fulltext RSS feeds? Indirectly, of course, you can use them to promote yourself or your business, but what if the feeds are your business?

Tagged blogging | 2 Comments

Password-Protected RSS Challenge

Posted on July 29, 2005 by David Megginson

[More updates from comments.]

[Update: many more results, collected from comments. It looks like nearly every feed reader can handle at least HTTP basic authentication, which is good news for people planning to use RSS and Atom in government or enterprise.]

I’ve uploaded a small, static RSS file at http://www.megginson.com/test/blog.rss. The file is valid RSS 2.0 (or 2.01, if you prefer), and is served with the MIME type application/xml.

Here’s the kicker — it’s password-protected, using HTTP basic authentication. The username and password are both “guest”. Can your RSS software or webapp read this feed? Here’s what I’ve tested so far:

Liferea: Prompts for a username and password, and stores the password on disk as clear text.
Bloglines: Reports no feed found. However, will read the RSS file if the username and password are encoded in the URL, i.e. http://guest:guest@www.megginson.com/test/blog.rss
FeedValidator: Reports a 401 HTTP error (authorization required). Strips the username and password from the URL if they are provided.

Here are results gathered by others and left as comments for this posting:

CaRP: Antone Roundy reports success when the configuration line CarpConf(’basicauth’,'guest:guest’); is included. I am not certain if that line would apply to all feeds, or just to this one.
FeedDemon: Bill de hOra reports success both with this sample and with password-protected https feeds at his workplace.
RSSBandit: Dan Sholler reports success.
Sage: Tim Howland and John Cowan both report success, since Sage uses the browser’s built-in authentication support. M. David Peterson points out that anything built on top of Mozilla/Firefox or MSIE should work.
NewsFire: Peter Lacey reports success.
Thunderbird: Christof Hoeke reports success.
NetNewsWire: Ryan King reports success.
SharpReader: Roland Kaufmann reports partial success (with the username and password embedded in the URL).
iTunes: Robert Sharl reports success (though iTunes reports an error due to the lack of an audio enclosure).
Opera: Rijk van Geijtenbeek reports success.
KDE Akregator: Douglas reports success.

Tagged blogging, web | 27 Comments

Aspects

Posted on July 29, 2005 by David Megginson

I’ve decided it’s time to figure out if aspect-oriented programming is worth, well, figuring out.

So far, nearly everything Google can find for me about AOP is positive — glowing, even — and that makes me nervous. Real change is supposed to be painful: even today, when object-oriented programming has become dominant, it is easy to find critics; XML had, and still has, many detractors; and any self-proclaimed guru standing in a Starbucks line can tell you what’s wrong with HTML and the web before the barista has time to finish making a cappuccino.

Does the lack of criticism mean that AOP is practically perfect in every way, or simply that people don’t care enough to pick it apart? After reading some online introductions and studying the AspectJ syntax and tutorials (with their seemingly endless trace and log examples), I can see how the approach might have some benefits, but I’m not convinced that the benefits outweigh the potential code obfuscation.

In fact, one of the few critical pieces I did find, a two-page University of Passau paper entitled AOP considered harmful (the paper later spawned a $250 business research paper), compares AOP with the notorious GOTO statement from early procedural programming languages, attacked by Dijkstra in his classic 1968 letter Go To Statement Considered Harmful. In addition to GOTO, AOP also reminds me a bit of C macros, another cause of confusing, hard-to-maintain code.

I’d be interested in comments from people using AOP (AspectJ or otherwise), as well as pointers to other sources that are not simply hyping the movement. Does AOP work for you? I’m skeptical, but I’m not willing to dismiss it yet.

Tagged programming | 7 Comments