Zotonic
zotonic@conference.zotonic.com
Thursday, 7 February 2013
arjan has set the subject to: Zotonic - the Erlang Content Management Framework

GMT+1
[05:39:35] Protagores joins the room
[07:53:14] Protagores leaves the room
[08:21:01] Arjan joins the room
[09:00:48] maas.maarten.zeeman joins the room
[09:09:52] basvanrijen joins the room
[09:40:53] Arjan leaves the room
[09:40:55] Arjan joins the room
[09:47:00] Arjan leaves the room
[09:47:22] Arjan joins the room
[09:50:09] Arjan leaves the room
[09:50:29] Arjan joins the room
[09:52:14] Arjan leaves the room
[09:53:29] Arjan joins the room
[09:54:09] Arjan leaves the room
[09:54:16] Arjan joins the room
[09:54:24] Arjan leaves the room
[09:54:30] Arjan joins the room
[10:10:10] Arjan leaves the room
[10:10:26] Arjan joins the room
[11:23:40] <maas.maarten.zeeman> Here is how they do that at twitter.
[11:31:45] Arjan leaves the room
[11:57:06] Andreas Stenius joins the room
[12:22:06] maas.maarten.zeeman21530 joins the room
[12:22:06] maas.maarten.zeeman21530 is now known as maas.maarten.zeeman22862
[12:22:06] maas.maarten.zeeman22862 leaves the room
[12:22:06] maas.maarten.zeeman22862 joins the room
[12:22:06] maas.maarten.zeeman22862 is now known as maas.maarten.zeeman65123
[12:22:06] maas.maarten.zeeman65123 leaves the room
[12:22:06] maas.maarten.zeeman65123 joins the room
[12:26:28] <maas.maarten.zeeman65123> http://engineering.twitter.com/2013/01/braindump.html
[12:37:50] basvanrijen leaves the room
[13:18:12] maas.maarten.zeeman65123 leaves the room
[13:47:31] basvanrijen joins the room
[14:45:32] maas.maarten.zeeman leaves the room
[14:45:38] maas.maarten.zeeman joins the room
[15:51:25] Jeff Bell leaves the room
[15:51:52] Jeff Bell joins the room
[16:08:18] Andreas Stenius leaves the room
[16:30:03] basvanrijen leaves the room
[16:51:59] Andreas Stenius joins the room
[19:00:47] <Andreas Stenius> Why do I get a new session for each request?...!?
[19:03:21] <Andreas Stenius> Hmm... seems like z_auth:logon/2 results in a new z_sid cookie... ? *digging*
[19:05:00] <Andreas Stenius> aha... z_session_manager:rename_session/1 is a suspect...
[19:08:35] <Andreas Stenius> aahhaaa!!!
[19:09:22] <Andreas Stenius> I logon from a websocket context, and that is not the way it used to go, right? Usually done from a standard browser request socket...
[19:09:32] <Andreas Stenius> got to go..
[20:03:58] <maas.maarten.zeeman> There is something in the js to prevent logons to travel as postback over websocket.
[20:05:20] <maas.maarten.zeeman> maybe that doesn't work as advertized...
[20:05:25] <Andreas Stenius> well, I managed to go around that
[20:05:33] <Andreas Stenius> unknowingly
[20:05:40] <maas.maarten.zeeman> zotonic-1.0.js line 264
[20:05:54] Andreas Stenius looking it up.. :)
[20:06:01] <maas.maarten.zeeman> Otherwise you will not get a cookie.
[20:06:24] <maas.maarten.zeeman> The id has to be "logon_form"
[20:06:39] <Andreas Stenius> yeah, that's the thing. I don't get the new cookie, so the next request uses the old one, which results in a new session being created
[20:07:27] <maas.maarten.zeeman> Hmmm, didn't we have a problem with chrome not remembering username and password...
[20:07:31] <maas.maarten.zeeman> I wonder...
[20:07:33] <Andreas Stenius> but it seems a bit limiting that we can't logon from a websocket connection... and in my case, the fix would be real easy, just set the set_session_id in the session instead of the context props
[20:07:45] <Andreas Stenius> yeah, but this is not it
[20:07:59] <Andreas Stenius> I logon using persona, not username/pw ;)
[20:08:25] <maas.maarten.zeeman> aha... a lot of stuff breaks if you slightly change the context...
[20:08:43] <Andreas Stenius> all is well, apart from that the logon renames my session so the next page request gets a new, not logged on, session.
[20:09:46] Andreas Stenius leaves the room
[20:09:51] andreas.stenius joins the room
[20:10:04] <andreas.stenius> ok, but set_session_id is only used by rename_session, so it should be safe to move it, I think (have to try it)
[20:10:54] <maas.maarten.zeeman> It can probably be done over a websocket if you send a js set cookie script maybe. But I don't think you can make a session cookie out of it.
[20:11:28] <andreas.stenius> I already have the cookie, I just need to NOT rename the session
[20:11:45] <maas.maarten.zeeman> K sorry I misunderstood.
[20:11:54] <andreas.stenius> :)
[20:12:24] <andreas.stenius> I appreciate having someone to bounce ideas with :)
[20:13:57] <maas.maarten.zeeman> Have to check the rename code though. It did some other things as well.
[20:18:39] andreas.stenius leaves the room
[20:18:44] andreas.stenius joins the room
[20:18:46] <maas.maarten.zeeman> Maybe you can skip the logon and just set auth_user_id and auth timestamp
[20:19:24] <maas.maarten.zeeman> z_auth:logon then you skip the rename...
[20:19:27] <andreas.stenius> nah, I moved the set_session_id flag to the session's props instead, and now it works!! :)
[20:19:37] <andreas.stenius> just need to check that standard logins work too.. ;)
[20:19:44] <maas.maarten.zeeman> hehe
[20:20:17] <maas.maarten.zeeman> You can make your own logon.. did that for a custom module which logs on users with a secret url.
[20:20:52] <andreas.stenius> bugger, I can't logout (nyi :p )
[20:21:39] <andreas.stenius> well, I get autologged on using my persona id (browserid.org)
[20:22:53] <maas.maarten.zeeman> Then make sure the logon is posted via a normal post too, just like logons
[20:23:01] <maas.maarten.zeeman> the persona logon
[20:23:31] <maas.maarten.zeeman> Then you will get a cookie and stuff
[20:23:37] <andreas.stenius> ah, that would work too...
[20:23:38] <maas.maarten.zeeman> and rename works
[20:23:42] <andreas.stenius> but I don't need a cookie
[20:23:48] <andreas.stenius> already have one
[20:24:31] maas.maarten.zeeman leaves the room
[20:24:36] maas.maarten.zeeman joins the room
[20:24:37] <andreas.stenius> It doesn't rename the session if a cookie has already been sent, and it has been sent, it's just that it wasn't sent in the same context as the websocket one..
[20:25:45] <andreas.stenius> and it doesn't need renaming as long as the requests go to the same session as the websocket session, which it does, so I don't see an issue with logon over websocket (ok, the standard one might, since there's the rememberme cookie, but I don't have that)
[20:26:39] <andreas.stenius> I'll make a PR for that change, see what Marc and Arjan think of it too.. ;)
[20:27:01] <maas.maarten.zeeman> Logons are tricky
[20:27:26] <andreas.stenius> the persona stuff makes it real easy, actually :)
[20:27:46] <maas.maarten.zeeman> A single sign on solution
[20:27:51] <andreas.stenius> indeed
[20:28:06] <andreas.stenius> and you keep your password in one place only
[20:28:31] <andreas.stenius> and can logon to any number of sites that support it without them having any sensitive data about your login creds
[20:29:21] <andreas.stenius> and, being opensource, you can keep your own server with the sensitive stuff, if you're being paranoid enough to set it up ;)
[20:29:38] <maas.maarten.zeeman> Sigh, i just don't like single signon solutions.
[20:30:46] <andreas.stenius> This one feels slimmer than oauth or what it is facebook et al are using where you have to grant each site permission to use your account for authentication
[20:30:49] <maas.maarten.zeeman> The whole signing on is nonsense anyway. But that is for another chatroom :-p
[20:30:58] <andreas.stenius> heh :)
[20:31:32] <andreas.stenius> yeah, I'd like to not need them, but I have a positive feeling for this one.
[20:31:57] <maas.maarten.zeeman> Former job... after rolling out a big certificate program inside a big company....
[20:32:05] <maas.maarten.zeeman> Now we know who somebody is....
[20:32:14] <maas.maarten.zeeman> but not what that person is allowed to do.
[20:32:47] <maas.maarten.zeeman> They couldn't do anything with it. The hard problem was still there.
[20:33:21] <maas.maarten.zeeman> Authorization...... instead of authentication....
[20:33:40] <maas.maarten.zeeman> Wrong problem solved.
[20:34:21] <andreas.stenius> lol...
[20:34:32] andreas.stenius is working on mod_rbac too ;)
[20:35:38] <maas.maarten.zeeman> Rbac is nice yes. I sort of like persona too btw, but single signon.. donno. It is built on the browser id extension
[20:36:01] <maas.maarten.zeeman> The really hard part is letting the end users understand what they are doing.
[20:36:29] <maas.maarten.zeeman> They just hand over passwords when they go on holiday and stuff.
[20:37:08] <maas.maarten.zeeman> Somehow they should be able to give away temp access in an easy understandable way.
[20:37:16] <andreas.stenius> well, single sign on... you still need to press "login" for each site, choosing which of your id's to use..
[20:37:50] <maas.maarten.zeeman> K, i'll have to try it. And see if my wife understands ;-)
[20:37:51] <andreas.stenius> and if you logout from one site, doesn't log you out from all
[20:38:01] <andreas.stenius> that's a good test, I guess ;)
[20:38:16] <maas.maarten.zeeman> Nobody understands the ssl lock
[20:38:35] <maas.maarten.zeeman> Well yeah, the lock closes.... so I'm safe...
[20:38:37] <andreas.stenius> what's not to understand with that?
[20:39:11] <maas.maarten.zeeman> It is just a secure pipe.. you also have to check what is on the other end.
[20:39:35] <maas.maarten.zeeman> man in the middle is really easy.
[20:40:16] <maas.maarten.zeeman> You will get a closed lock in your browser, the site looks exactly the same, but you are not talking to your bank
[20:40:29] <andreas.stenius> well, yes. It's just so you only have to worry about who you're talking to, and not everybody in between..
[20:42:16] <maas.maarten.zeeman> MITM is done in practice btw.
[20:42:25] <maas.maarten.zeeman> By inhouse firewalls and such.
[20:42:48] <maas.maarten.zeeman> site has ssl to firewall and then from firewall to browser...
[20:43:13] <maas.maarten.zeeman> you will get a closed lock from your firewall for sure... :-)
[20:43:35] <maas.maarten.zeeman> Wrong layer to apply the security on.
[20:45:02] <maas.maarten.zeeman> Chrome is also getting more strict with mixed content... a lot of sites are removing it.
[20:45:46] <maas.maarten.zeeman> After logon to flickr you now have a http connection. That used to be https.
[20:48:27] <andreas.stenius> do you know why flickr has dropped https? seems less secure even with the weaknesses in ssl..
[20:48:59] <maas.maarten.zeeman> Otherwise chrome will stop displaying the insecure content... no images
[20:49:28] <maas.maarten.zeeman> So main page https = everything should be https
[20:50:24] <maas.maarten.zeeman> FF and IE are more relaxed here.
[20:50:25] <andreas.stenius> oh.. and they don't want to serve the images over https, then? (why not?)
[20:51:21] <maas.maarten.zeeman> If all you have is the transport layer to secure stuff you have to do a lot of real time processing... no caching and stuff.
[20:54:03] <andreas.stenius> ah, I get it.
[20:54:11] <maas.maarten.zeeman> All the images are served from farms... even from different hostnames I think
[20:54:59] <maas.maarten.zeeman> But now I can make a webshot of my walled garden content. :-)
[20:56:44] <maas.maarten.zeeman> Hmm, not posting the link here. via a PM..
[20:57:48] <andreas.stenius> about to go watch person of interest with my wife in two minutes..
[20:57:56] <maas.maarten.zeeman> :-)
[20:58:11] <maas.maarten.zeeman> Better do that :-) I go tinker on the stats.
[20:58:22] <andreas.stenius> nice :)
[20:58:50] <maas.maarten.zeeman> I'll save the webshot for later... the link will only work for one hour.
[20:59:04] <andreas.stenius> k
[21:58:08] Jeff Bell leaves the room
[21:58:09] <maas.maarten.zeeman> > statman_counter:get_all().
[{{out,zotonic_status,webzmachine},0},
{{requests,channelwww,core},1986},
{{requests,zotonic,db},2474},
{{requests,zotonic,core},2050},
{{out,channelwww,webzmachine},24876636},
{{requests,channelwww,db},2474},
{{requests,zotonic_status,core},64},
{{out,zotonic,webzmachine},24876636}]
[21:58:12] <maas.maarten.zeeman> hehe
[21:58:43] <maas.maarten.zeeman> statman_histogram:summary(statman_histogram:get_data({duration, zotonic, webzmachine})).
[{observations,1989},
{min,370692},
{median,955608},
{mean,1018195.1025641026},
{max,55001792},
{sd,2100892.282188172},
{sum,2025190059},
{sum2,10836570381974663},
{p25,916619},
{p75,989714},
{p95,1053517},
{p99,1117408},
{p999,55001180}]
[22:00:15] Arjan joins the room
[22:02:31] <andreas.stenius> stats +1 :)
[22:06:20] <maas.maarten.zeeman> Immediately pointed out the homepage used the wrong controller/
[22:06:33] <maas.maarten.zeeman> swapped it out for controller template...
[22:06:36] <maas.maarten.zeeman> pfff
[22:08:18] <maas.maarten.zeeman> way too many db hits...
[22:08:47] <maas.maarten.zeeman> This is really nice... :-)
[22:14:50] <maas.maarten.zeeman> Time for something different...
[22:14:58] <maas.maarten.zeeman> Good night.
[22:16:02] <Arjan> trying to build phantomjs on freebsd
[22:16:05] <Arjan> dont ask me why
[22:16:06] <Arjan> :P
[22:16:48] <maas.maarten.zeeman> what is that?
[22:17:19] <Arjan> phantomjs?
[22:17:38] <Arjan> offscreen browser rendering
[22:17:46] <maas.maarten.zeeman> That is cool
[22:18:02] <maas.maarten.zeeman> in a canvas or?
[22:18:24] <Arjan> no in a headless webkit
[22:18:33] <Arjan> it has a shitload of dependencies
[22:18:36] <Arjan> like, x11
[22:18:37] <Arjan> :P
[22:18:56] <maas.maarten.zeeman> ow boy. do you want to make screenshots of something
[22:19:40] <Arjan> creating a PDF from a webpage automatically
[22:20:17] <Arjan> im not sure this is the right approach
[22:20:27] <maas.maarten.zeeman> Is there no html -> pdf lib :-) just get the dom tree strip it of scripts and...
[22:20:52] <Arjan> http://code.google.com/p/wkhtmltopdf/
[22:21:41] <Arjan> maybe that one has less dependencies
[22:21:49] <maas.maarten.zeeman> We wanted to make small thumbnails a while ago. Looked at all that stuff. Cost too much time at that point
[22:22:11] <maas.maarten.zeeman> http://code.google.com/p/dompdf/
[22:22:17] <maas.maarten.zeeman> New for me
[22:22:37] <maas.maarten.zeeman> php for ...
[22:23:29] <maas.maarten.zeeman> Also fun. Compiling chromium from scratch...
[22:23:38] <maas.maarten.zeeman> on a windows machine...
[22:23:44] <maas.maarten.zeeman> :-p
[22:23:48] <Arjan> heheh
[22:23:54] <Arjan> im currently compiling libX11
[22:23:55] <Arjan> :-/
[22:24:44] <maas.maarten.zeeman> X is still pretty cool running single windows on a different screen.
[22:24:59] <maas.maarten.zeeman> Nothing else can do that still
[22:25:12] <maas.maarten.zeeman> and vnc is not the same.
[22:26:51] <maas.maarten.zeeman> We can now make html based screenshot of another person's browser.
[22:28:36] <maas.maarten.zeeman> For helpdesk stuff, phone support... Otherwise these people don't have a clue what the person is seeing and talking about.
[22:33:04] <maas.maarten.zeeman> They get email with texts like this: Is this vacation also suited for young children. Without a pointer to what the this is.
[22:34:30] <Arjan> nice
[22:34:38] <Arjan> thats a bit what usabilla does
[22:34:49] <Arjan> http://discover.usabilla.com/
[22:34:56] <Arjan> friend of mine wrote that
[22:37:08] <maas.maarten.zeeman> That is pretty cool.
[22:37:34] <maas.maarten.zeeman> Lot of quirks in that area.
[22:38:56] <maas.maarten.zeeman> We do it without making pngs... plain html
[22:44:40] Jeff Bell joins the room
[22:48:46] <maas.maarten.zeeman> They do something very similar to what we do.. Funny to see.
[22:59:21] maas.maarten.zeeman leaves the room
[23:15:36] <andreas.stenius> just tossing in some perhaps completely irrelevant projects before going to bed: https://mozillalabs.com/en-US/pdfjs/ http://jspdf.com/ :p g'night
[23:15:55] andreas.stenius leaves the room
[23:25:31] maas.maarten.zeeman joins the room
[23:31:19] Arjan leaves the room
[23:32:51] maas.maarten.zeeman leaves the room