HttpOnly Session Cookies using ActiveRecordStore in Rails 2.2

If you’re using CookieStore to manage sessions in your Ruby on Rails application, Rails 2.2 provides the great feature that you’re now able to use HTTPOnly cookies. These are a great benefit because, for compatible web browsers, they dramatically reduce the risk that a Cross Site Scripting (XSS) attack could be used to hijack your users’ sessions (the browser withholds an HTTPOnly cookie from script, so injected JavaScript can’t read it out of document.cookie), which is particularly important on sites displaying user-generated content. You simply have to adjust your environment.rb file with something like:

  config.action_controller.session = {
    :session_key       => '_session_id',
    :session_http_only => true,
    :secret            => 'your-secret'
  }
  config.action_controller.session_store = :cookie_store

Unfortunately, the Rails developers didn’t see fit to extend HTTPOnly cookies to those of us using ActiveRecordStore, where the XSS risk is still just as real. To fill this gap, I’ve produced a very simple and only slightly-hackish plugin which overrides the functionality of Rails’ CGI::Cookie to force all cookies produced by Rails to be HTTPOnly, regardless of the session store being used.

To use it, download this file and extract it into your application’s vendor/plugins directory, and restart your application server. You can test that it’s working using Tamper Data, FireCookie, or whatever your favourite cookie sniffing tool is.
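As an added illustration (not the plugin from this post, and not Rails’ own CGI::Cookie), here is the same idea in miniature: a stand-in cookie class with the attributes the plugin cares about, an override that forces the HttpOnly flag onto every cookie it serialises regardless of what the caller asked for, and a small checker that does what you would otherwise do by eye in Tamper Data or FireCookie, namely list which Set-Cookie headers still reach the browser without HttpOnly. The class, module and sample headers are all constructed for the example.

```ruby
# Stand-in for a cookie object (constructed for this example; not Rails' CGI::Cookie).
class SimpleCookie
  attr_accessor :name, :value, :path, :secure, :httponly

  def initialize(name, value, path: "/", secure: false, httponly: false)
    @name, @value, @path, @secure, @httponly = name, value, path, secure, httponly
  end

  # Render as the value of a Set-Cookie header.
  def to_s
    header = "#{name}=#{value}; path=#{path}"
    header += "; secure" if secure
    header += "; HttpOnly" if httponly
    header
  end
end

# The plugin approach described above: hook the serialiser so the flag is
# always emitted, whichever session store (or other caller) built the cookie.
module ForceHttpOnly
  def to_s
    self.httponly = true
    super
  end
end
SimpleCookie.prepend(ForceHttpOnly)

# Verification: given raw Set-Cookie header values, return the names of the
# cookies that are still sent without the HttpOnly attribute.
def cookies_missing_httponly(set_cookie_headers)
  set_cookie_headers
    .reject { |h| h.split(";").map(&:strip).any? { |attr| attr.casecmp?("httponly") } }
    .map { |h| h.split("=", 2).first.strip }
end

# Constructed sample headers, in the form a cookie-sniffing tool would show them.
SAMPLE_HEADERS = [
  "_session_id=a1b2c3; path=/",
  "_session_id=a1b2c3; path=/; HttpOnly",
  "remember_token=xyz; path=/; secure",
]

if __FILE__ == $PROGRAM_NAME
  puts SimpleCookie.new("_session_id", "abc").to_s
  puts "Missing HttpOnly: #{cookies_missing_httponly(SAMPLE_HEADERS).inspect}"
end
```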

The Fife Diet from Kamikaze Cookery

I’ve been following Kamikaze Cookery (three geeks doing cookery… with science!) for a while now, and it’s got some real potential, but what really sold me on it was their recent series on the Fife diet (yeah, I know, it’s been out for ages, but I’ve been busy so my RSS reader’s been brim-full and I only just got around to watching it).

If you haven’t come across Kamikaze Cookery before, The Fife Diet videos are a great place to start.

Kissing At Midnight

In a fleeting thought, as I passed the greengrocer hanging our mistletoe outside his shop this morning, I found myself thinking about the unusual situation I’m in, in that I’ll this year be spending New Year’s Eve with both of my girlfriends.

Who do I kiss at midnight?

Thankfully, the solution is clear – this year at least – thanks to the fact that midnight will happen twice this year (there’s a leap second). With some careful orchestration of who kisses whom when, they can have a midnight each, and use each of their other midnights to kiss their respective other partners.

Like I said: a fleeting thought – I don’t lie awake worrying about this kind of thing. That would just be weird.

‘Nena’ – Christmas Comes Early For Dan

I thought I’d say a little bit about my new home desktop computer, because it occurs to me that I hadn’t said anything about it yet.

Dualitoo, my PC of the last few years, kicked the bucket on Friday a few weeks back, at a most inopportune time – I was due to write heaps of code over the weekend as part of a dangerously-close-to-overrunning project. But, as Rory said, ’tis the season of hardware failure, and with Ruth’s laptop dying a death and Paul’s overheating problems, I should have expected that maybe my turn would be next.

It’s probably no coincidence that it died the very next day after the storage heaters in The Cottage came on for the winter, one of which was directly behind the poor box. When it failed to turn on (fans spun, but no keyboard lights, monitor output, or even beep-codes), I started swapping out components for spares (many of them not “spares” so much as “parts of Claire’s PC”). Power supply was the first thing to try, because in always-on boxes in a dusty environment, they’re usually the first thing to go. After it turned out that the PSU was fine, it was on to the expansion cards, then the RAM, and so on (I’d already disconnected all the IDE/SATA devices just to free up room in the case in which to wave my huge hands around).

Sadly, it turned out that malfunction was in pretty much the worst place it could be: either the processor or the motherboard, and – not having a spare of either that would be compatible with the other, I had to write off both. This left me with a defective computer requiring significant repair right before what was supposed to be a busy weekend of code.

On Saturday morning, I resolved to fix the problem – I couldn’t afford the downtime not to! – and so, not wishing to lose further time waiting for delivery of mail-order components, I decided to see what Aberystwyth could supply me with “over the counter.”

I dropped into Crosswood Computers, on Chalybeate Street, first, and stated my unusual requirements. I needed, as economically as possible:

  • An ATX motherboard and a processor at least as powerful as that which had died (Intel Core 2 Duo, 2.4GHz) – I didn’t want to feel like I was paying for a downgrade
  • With two IDE ports: my old board had four IDE devices attached to it, as well as one SATA hard drive – unless I was to ditch some of these I’d need two IDE ports on the motherboard, which is getting hard to find in this age of SATA
  • And a stack of features that are commonplace: 4 DDR2 slots, PCI-E (don’t require SLI or CrossFire-compatibility, I guess: I never got round to using the SLI on my old board so I probably wouldn’t on my new one), onboard LAN, etc. – I still had perfectly good RAM, an aging-but-still-workable graphics card and so on that I’d like to still be able to use!

Crosswood were able to find me one – yes, just one – board and processor that fit the bill: that dual-IDE request is hard to meet. It’d have cost me about £140, which is more than I was comfortable paying for the hardware in question, which was – in the end – pretty much identical to that which had broken. I wouldn’t mind paying that kind of money if I felt like I was getting an upgrade, but to pay that just to “get running again” (plus, of course, all the hassle of un-mounting and re-mounting a motherboard, moving around all those stupid little brass screws, etc.) felt like a bad move.

Before having to rethink things, I thought I’d try what is Aberystwyth’s just-about-only-other computer shop, Daton (can’t link to their actual domain name because they’ve let it expire and it’s now an ad farm). I’ve always had mixed experiences with Daton – they’ve surprised me with bargain computer bits before, but they’ve also managed to unimpress me: for example, with the network cabling they half-heartedly lay at my old workplace. My conversation there on this day could be summarised thusly:

Dan: Hi, I wonder if you can help me. I’m looking to buy a motherboard and a processor for it: ATX form factor… either Intel or AMD – I’m architecture-agnostic these days… but crucially, it must have two IDE ports.

Daton Woman: Uh. Hang on. /goes into back and repeats everything I’ve said to Daton Man, then returns/ You’ll probably have to bring your computer in.

Dan: No, there’s really no need. I just need to buy a motherboard and processor from you. What do you have in stock?

Daton Woman: Well, we’d really need to be able to see your PC to know what’s wrong with it…

Dan: I don’t need you to tell me what’s wrong with it. I know what’s wrong with it. That’s why I’m asking for a motherboard and processor. Now can you sell me some, or should I shop elsewhere?

Daton Woman: …and we’ll have to order the parts in to repair it.

Dan: /sighs and leaves/

I trekked back to Crosswood, and on the way, I spoke to my mum on the phone – it’s come to that time of year when I call her up to hunt for tips on what my sisters are “into” these days, so I have a clue as to what they might like for Christmas. While talking to her, I mentioned the fun and games I was having with my computer problems. “Would you like some computer parts as an early Christmas present?” she asked. Suddenly my options were expanded.

By the end of Saturday, I’d built Nena, my new desktop PC. She carries on the hard drives from Dualitoo, alongside the RAM and – of course – the peripherals, but the rest is all new. She’s running an amazingly cool-running Intel Core 2 Quad Q6660 (2.4GHz quad-core) on an Intel-chipset motherboard from ECS. I got myself a new graphics card (a sexy-as-fuck Nvidia GeForce 9800 GT), too, replaced my two IDE optical drives with a shiny new high-speed SATA dual-layer DVD rewriter, and gave myself an extra 750GB of hard drive space (taking me up to 1.25TB – plenty for films and games and whatnot) with an extra hard drive. She makes light work of Far Cry 2, Left 4 Dead, Fallout 3 and Call of Duty: World at War, which is nice, because I might find time for more than a half-hour game of one of these ace games someday when I’m less busy… although by that time, my system’ll probably be out of date again.

Nena, of course, fits in with my current home computer naming scheme of “female one-hit wonders,” joining Tiffany in our living room.

What have I learned from the whole experience? Well, I’ve learned that:

  • It’s perfectly possible to get hold of all kinds of great computer components at short notice, even in Aberystwyth, and doing so only cost me about 3% more than I’d have expected to have paid online, and got me the goods instantly.
  • However, amazingly, nowhere in town could supply me with a case, so I had to loot one from my employer, SmartData, who had a spare (I couldn’t be bothered stripping down Dualitoo’s case only to have to spend the next half hour removing and moving all those annoying brass screws: plus; her power button was dodgy).
  • I should have ditched my aging IDE optical devices long ago.
  • There’s a huge difference between an Nvidia 7-series and an Nvidia 9-series, and it blows your socks off.
  • Daton Computers don’t trust their customers enough to sell them what they’re asking for.
  • Crosswood Computers provide sound, helpful advice, and – if you’re friendly and buy enough stuff from them – are more than happy to “throw in” cables and adapters as freebies (I realised that I’d need SATA power adapters and data cables, one of those PSU 6-pin adapters you need for powered graphics cards if your PSU doesn’t already have one, and so on), which the chap at Crosswood was happy to just give me without charge, even though I didn’t buy the PSU from him in the first case.
  • The quad-core Intel processors actually seem to run colder than the dual-core ones.
  • My mum is ace.

OMG Child Pr0n (or is it?)

What a mess this is turning into! I am of course referring to the UK-wide internet censorship of a Wikipedia page (the one about the Scorpions album, Virgin Killer – if that last link doesn’t work, you’re among those affected).

The thinking is, according to the Internet Watch Foundation, that the cover of the 1976 album constitutes child pornography and therefore we all need to be protected from it. It’s all a little controversial, though, because they’re not suggesting that Amazon US be blocked, for example.

But the worst of it is the amount of news exposure it’s generating is actually drawing traffic to the banned content. I wouldn’t ever have seen the album cover if it weren’t for the ban, for example, after which I realised how trivial it is to see the offending Wikipedia page. And that without the offending content appearing in a Wikinews article about the ban!

It’s hard to justify this kind of policing. In accordance with Wikipedia’s own policies, it is not a creator of content so much as a distributor: it takes content that is already “out there” and, in theory at least, legal, and disseminates it in an approachable form.

I’ll be interested to see how this plays out.

Environmental Awareness and Yes, I’m Still Busy

The Technium’s just hosted a seminar on environmental awareness. Walking past the conference room a few minutes ago, I noticed that the folks running the event had managed to leave running the projector and all of the lights, despite the fact that it had ended some time ago. Ah, the irony.

Went to a céilidh at the Morlan Centre last night with Ruth (as my date and – generally – dancing partner) and Sarah (who had a few words of her own to say about the event), and had a fabulous time: lots of dancing around in complex and silly ways, forgetting which partner I’m supposed to link arms with next at any given time and eating lots of cake. Also, lots of failing to win at the tombola. I can’t remember how to make binomial theorem work, but I’m pretty sure my odds of winning at least one prize when one in five tickets is a winner, if I buy ten tickets, should be reasonable, right? If anybody else can work out the odds and explain it in a way that I’d understand, bearing in mind that I haven’t done any real maths in years, that’d be cool. I could re-learn, but I don’t have time (nor a calculator with a “P” button!).

What else? Matt P, Ele and Helen visited town, which was nice; my main desktop PC, Dualitoo, broke down in a horrible way, which wasn’t so nice; and I built a new desktop PC, Nena. All of this has been responsible for putting me back a few days further in my already cramped schedule of volunteer coding for the next month, but a meeting I had last week has re-filled me with faith that Things Will Get Less Hectic [TM]. That’s my mantra right now: I’m seriously looking forward to having more time in my life for the important stuff like video games and hanging out with people. Someday, someday.