Zotonic
zotonic@conference.zotonic.com
Tuesday, 26 February 2013
arjan has set the subject to: Zotonic - the Erlang Content Management Framework

GMT+1
[01:06:44] Maas leaves the room
[07:02:52] arcusfelis joins the room
[07:03:20] <Marc Worrell> @Arjan - that is a security consideration - it prevents a session-fixing attack.
[07:27:57] Arjan joins the room
[08:43:06] Arjan leaves the room
[08:53:20] Arjan joins the room
[08:53:48] <Arjan> ok
[08:54:13] <Arjan> so is there a way to do logons without the page having to hard-reload?
[08:54:17] <Arjan> I'd like that
[09:02:56] Maas joins the room
[09:05:50] <Marc Worrell> Yes, you can do a post to a frame
[09:05:57] <Marc Worrell> iframe, for example.
[09:06:33] <Marc Worrell> We do exactly that when we post a file as part of a postback
[09:13:16] <Marc Worrell> I think I added something for exactly this purpose - let me check.
[09:13:43] <Arjan> cool
[09:14:07] <Arjan> I can log in now with a regular postback but the consequent postbacks still think I am not logged in
[09:14:10] <Arjan> only after reload
[09:14:45] <Marc Worrell> // logon_form and .setcookie forms are always posted, as they will set cookies.
if ( z_ws
     && z_ws.readyState == 1
     && triggerID != "logon_form"
     && (triggerID == '' || !$('#'+triggerID).hasClass("setcookie")))
{
    z_ws.send(params);
}
[09:14:57] <Marc Worrell> else
{
    z_ajax(triggerID, params);
}
[09:15:19] <Marc Worrell> Can your browser set cookies using xhr?
[09:15:20] <Arjan> ah!
[09:15:30] <Marc Worrell> so, add class 'setcookie' :p
[09:15:57] <Marc Worrell> that condition looks a bit like a hack - maybe clean it up?
[09:18:23] <Arjan> hm
[09:18:30] <Arjan> still,
[09:18:40] <Arjan> the rest of the page thinks I am not logged in
[09:18:48] <Arjan> although the form now uses a post
[09:19:29] <Arjan> I see the setcookie in the XHR response
[09:20:27] <Arjan> the "resources" tab shows that the cookie changed
[09:20:30] <Arjan> z_sid
[09:20:50] <Marc Worrell> http://stackoverflow.com/questions/10977058/xmlhttprequest-and-set-cookie-cookie
[09:22:23] <Arjan> ill first try to make it work over XHR, disabling WS
[09:22:25] <Arjan> WS is hard to debug
[09:22:34] <Marc Worrell> http://stackoverflow.com/questions/2289002/can-headers-be-sent-in-an-ajax-request
[09:22:50] <Marc Worrell> In WS it won't work - you really need XHR
[09:23:24] <Marc Worrell> maybe, after setting the cookie, you need to restart the ws connection
[09:23:40] <Marc Worrell> that one has state on the server, and that state is now incorrect
[09:23:49] <Maas> chrome now shows the ws frames... it doesn't update though.
[09:23:56] <Arjan> ah, indeed
[09:24:01] <Arjan> with plain XHR it works
[09:24:32] <Marc Worrell> maybe we need to signal any ws connection that the session data has been changed, so that it can update the used context with the new state.
[09:25:20] <Marc Worrell> when you log on - didn't we send a reload to all open tabs? Or only when you log off?
[09:25:34] <Arjan> also on logon
[09:25:38] <Arjan> but not for the current tab
[09:25:45] <Marc Worrell> Then your page should reload
[09:25:54] <Marc Worrell> and get the new cookie / ws connection
[09:26:00] <Arjan> I don't wanna reload
[09:26:07] <Marc Worrell> :p
[09:26:13] <Arjan> it is in the middle of a UI flow
[09:26:22] <Arjan> opening a dialog to do a certain action
[09:26:26] <Marc Worrell> then you just might need to re-establish the ws connection
[09:26:34] <Arjan> yep, that's what I'm trying now :)
[09:27:11] <Marc Worrell> sorry about the security measures - they are really needed when using public terminals
[09:27:55] <Marc Worrell> instead of a reload we can also signal that the user has been changed, the tabs can then decide to reload or to fetch the new session cookie
[09:28:31] <Marc Worrell> which they only can when they are running in the same browser - which is perfectly fine :-)
[09:29:23] <Marc Worrell> I was thinking to extend the notifier to the browser - so that the browser can be an inherent part of some notifications
[09:29:34] <Marc Worrell> (not all - that is too insecure)
[09:30:03] <Marc Worrell> maybe something like "ua_observe_xxxxxx"
[09:32:25] <Marc Worrell> and then we can have observe/notify on the ua and the server - all working in the same way
[09:32:47] <Arjan> restarting the stream works
[09:32:59] <Marc Worrell> (also thinking of distributed pubsub in Zynamo - I have some ideas, will write them down for you all to shoot holes)
[09:33:05] <Marc Worrell> @Arjan: yeah!
[09:33:06] <Marc Worrell> :)
[09:33:11] <Arjan> :D
[09:33:29] <Marc Worrell> I want to replace the services in Zynamo with pubsub
[09:33:41] <Marc Worrell> so we will have pubsub over a consistent hash ring :p
[09:33:56] <Marc Worrell> (how is that for some keywords)
[09:33:57] <Maas> have you seen poldercast paper?
[09:34:08] <Marc Worrell> I have to find it again
[09:34:17] <Marc Worrell> You had a link, didn't you?
[09:34:24] <Maas> yeah wait...
[09:34:25] <Arjan> https://www.google.nl/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CDAQFjAA&url=http%3A%2F%2Fwww.cs.vu.nl%2F~spyros%2Fpapers%2FPolderCast.pdf&ei=fXMsUbb9CaHU0QW39IHoCg&usg=AFQjCNFxNwsCO_kmXzGMqfRIqQWiNOAnoA&sig2=D6N-bWsT9nOgPKSW5kZc_w&bvm=bv.42965579,d.d2k
[09:34:33] <Marc Worrell> http://www.cs.vu.nl/~spyros/papers/PolderCast.pdf
[09:34:33] <Arjan> http://www.cs.vu.nl/~spyros/papers/PolderCast.pdf
[09:34:34] <Arjan> I mean
[09:34:37] <Marc Worrell> :p
[09:34:37] <Maas> that is the one
[09:35:00] <Maas> they mention another one which is also interesting...
[09:35:05] <Marc Worrell> Google's search is better in finding stuff than the ACM digital library search….
[09:35:17] <Maas> http://soda.swedish-ict.se/4145/1/Vitis.pdf
[09:35:25] <Maas> From sweden so it must be good
[09:35:39] <Marc Worrell> Like their horse-meat-balls! Yummy!
[09:36:07] <Arjan> I added a z_stream_restart() function to zotonic-1.0.js
[09:36:20] <Arjan> it only restarts it for WS
[09:36:39] <Marc Worrell> Are you sure it isn't this poldercast? http://www.youtube.com/watch?v=Gd-t7rJURCU
[09:36:42] <Arjan> I save the current stream host in (yet another) global variable
[09:37:02] <Arjan> +var z_stream_host = undefined;
[09:37:04] <Marc Worrell> (what a terrible youtube movie)
[09:37:10] <Arjan> function z_stream_start(host)
{
+ z_stream_host = host;
if (!z_ws && !z_comet_is_running)
[09:37:17] <Marc Worrell> @Arjan - is good
[09:37:20] <Arjan> +function z_websocket_restart()
+{
+ if (z_ws) {
+ console.log('restarting stream');
+
+ z_ws.close();
+ z_ws_opened = false;
+ setTimeout(function() { z_websocket_start(z_stream_host); }, 100);
+ }
+}
+
+
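Review bot: in `z_websocket_restart` the reopen is driven by a fixed `setTimeout(..., 100)` after `z_ws.close()` rather than by the socket's close event, and `z_ws` is left pointing at the closed socket. If the start path guards on `z_ws` being unset (as the `if (!z_ws && !z_comet_is_running)` line in the `z_stream_start` fragment above does), the restart can be skipped, or the new connection can overlap the one that is still closing. Suggest clearing `z_ws` before scheduling the restart, or better, reconnecting from the old socket's `onclose` handler instead of a timer; and drop the `console.log('restarting stream')` before this lands, as already noted in the thread.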
[09:37:34] <Arjan> without the log of course :p
[09:37:42] <Marc Worrell> (and remove console.log - I think IE doesn't like that one :p)
[09:38:16] <Marc Worrell> yep - those ws stuff etc needs some cleanup
[09:38:24] <Arjan> :)
[09:38:29] <Arjan> the whole of zotonic-1.0.js
[09:38:31] <Marc Worrell> an ua-pubsub should be great
[09:38:32] <Arjan> is in need of a 2.0 ;)
[09:38:34] <Arjan> :P
[09:38:36] <Marc Worrell> :p
[09:38:43] <Maas> have one in z_bus
[09:38:48] <Maas> branch...
[09:38:55] <Maas> very simple thingy
[09:39:14] <Maas> allows you to broadcast things on the page
[09:39:18] <Marc Worrell> yeah - we need to check that - I want to make it similar to the normal notifier
[09:39:23] <Marc Worrell> so that we can have similar actions
[09:39:38] <Marc Worrell> but as it is stuff from "outside" and untrusted it should be different channels
[09:39:46] <Maas> not finished or anything... needs work.. have
[09:40:28] <Maas> working on it for channel 2.0
[09:43:20] <Arjan> does #dispatch_rewrite have access to the request hostname?
[09:43:29] <Marc Worrell> Maas/Andreas - sent you an invite to my dropbox paper collection
[09:43:38] <Arjan> not the hostname of the site, but the hostname in the request (when redirect = false)
[09:43:58] <Marc Worrell> Didn't #dispatch_rewrite have access to the whole request? Then there is also the Host header in there
[09:45:45] <Arjan> ah yes of course
[09:45:47] <Arjan> :p
[09:47:50] <Marc Worrell> Just a crazy idea: we know that Zotonic is very fast on simple hardware - in fact fast enough for most web sites. And zynamo is mainly for failure handling, making the thing more robust. Maybe we could make elastic more abstract and make it really a global P2P PubSub system….
[09:51:28] <Arjan> hmm in dispatch_rewrite, wm_reqdata is still undefined
[09:52:02] <Marc Worrell> maybe add the Req data? is quite interesting for a rewrite
[09:52:11] <Marc Worrell> and it is called inline anyway - no data copying
[09:52:39] <Arjan> does not have access it seems
[09:52:46] <Arjan> I can add the host, though
[09:52:54] <Marc Worrell> then do that
[09:52:58] <Arjan> wm_dispatch(Protocol, HostAsString, Host, PathAsString, DispatchList) ->
    Context = z_context:new(Host),
    Path = string:tokens(PathAsString, [?SEPARATOR]),
    IsDir = lists:last(PathAsString) == ?SEPARATOR,
    lager:warning("HostAsString: ~p", [HostAsString]),
    {Path1, Bindings} = z_notifier:foldl(#dispatch_rewrite{is_dir=IsDir, path=PathAsString}, {Path, []}, Context),
    try_path_binding(Protocol, HostAsString, Host, DispatchList, Path1, Bindings, extra_depth(Path1, IsDir), Context).
[09:53:01] <Arjan> thats how it is now
[09:53:07] <Arjan> I will add host=HostAsString
[09:53:17] <Marc Worrell> yeah - good
[09:53:43] <Marc Worrell> will be a nice exercise when we switch to binaries for all headers and qs vals
[09:55:12] <Maas> @marc your crazy idea is not so crazy... had the same thought yesterday.
[09:56:46] <Marc Worrell> :-) it might be very handy
[09:56:50] <Maas> There are already a couple of those systems...
[09:57:00] <Maas> apache hedwig
[09:57:01] <Marc Worrell> and then have a copy of all (or certain class of) data from one machine to another
[09:57:38] <Maas> have been looking around for something like that... it is an integral part of yahoo's pnuts paper, but not documented anywhere.
[09:58:04] <Arjan> woot
[09:58:10] <Arjan> domain-based language selection
[09:58:10] <Arjan> https://github.com/zotonic/zotonic/issues/523#issuecomment-14101698
[09:58:28] <Marc Worrell> Cool
[09:58:46] <Marc Worrell> I have a customer request to use domains for certain content items.
[09:58:54] <Maas> nice :-)
[09:59:11] <Marc Worrell> like in maxclass - a domain for a certain class - and switch domain when switching class
[09:59:50] Andreas Stenius joins the room
[09:59:57] <Arjan> yep; how did you do that?
[10:00:06] <Arjan> not with dispatch rewrite I guess?
[10:00:11] <Andreas Stenius> Hey, arjan, I saw your stream restart fix..
[10:00:18] <Arjan> :)
[10:00:44] <Andreas Stenius> did you see this one: https://github.com/zotonic/zotonic/pull/519 ?
[10:01:12] <Andreas Stenius> I didn't quite get your fix, btw... ;)
[10:01:17] <Andreas Stenius> how does it work?
[10:01:52] <Arjan> hmm
[10:02:06] <Arjan> well, the issue is, that a logon request does send a new session cookie
[10:02:19] <Arjan> step 1 - you need to do the logon postback over XHR, not over the socket
[10:02:24] <Arjan> that requires class="setcookie" on the form
[10:02:28] <Arjan> (weird but hey)
[10:02:35] <Andreas Stenius> yeah, but my fix prevents the new cookie, as we already have one
[10:02:52] <Arjan> yes but might that be a security risk?
[10:02:55] <Arjan> maybe marc knows
[10:03:16] <Arjan> step 2 - the WS stream needs to be restarted after the logon to push the new cookie
[10:04:08] <Andreas Stenius> I get that restarting the stream fixes the cookie issue... but I don't see how the stream /is/ restarted on login from you commit..
[10:04:28] <Andreas Stenius> unless you call restart_stream explicitly...
[10:05:06] <Andreas Stenius> I don't think it's a risk with keeping the existing cookie, it's communicated the same way as the new cookie...
[10:05:47] <Arjan> I do call it explicitly, yes
[10:05:49] <Andreas Stenius> and, as you're anonymous before logging in, the cookie was just created for you along with your session
[10:06:00] <Arjan> Marc Worrell: ^---
[10:06:29] <Andreas Stenius> so, my fix needs no explicit action on the client end, causes no disruption on the ws connection, and... well, let's see what Marc thinks :)
[10:09:45] <Arjan> I agree that that might be a better way to fix this
[10:11:05] <Andreas Stenius> I did have some other issues with the ws connection while developing the mod_persona stuff, though...
[10:11:17] <Andreas Stenius> about page reloads and navigation
[10:11:22] <Arjan> oh?
[10:11:34] <Andreas Stenius> lets see if I can recall..
[10:11:53] <Andreas Stenius> uh, best dig in the chatlogs, I had a conversation with Maas about it..
[10:11:59] <Arjan> pushing the "host" field in the dispatch_rewrite notification
[10:12:02] <Arjan> + docs
[10:12:58] <Andreas Stenius> nice, was thinking it would be good to document that nifty trick you came up with :p
[10:13:36] <Arjan> just did that :)
[10:13:38] <Andreas Stenius> as I commented, I can see this taken a step further and made generic so it can be turned on/off by some config option
[10:13:45] <Andreas Stenius> I noticed :)
[10:13:56] <Arjan> :P
[10:14:09] <Arjan> I agree with making it more generic
[10:14:11] <Andreas Stenius> that was the "was" part, as in, no longer (as it was already done) :p
[10:14:19] <Arjan> maybe {hostalias, {"domain.nl", nl}}
[10:14:21] <Arjan> :P
[10:14:42] <Andreas Stenius> exactly
[10:15:19] <Andreas Stenius> or, for that particular case, {hostalias, "domain.nl"} should do it (defaulting to nl)
[10:16:06] <Andreas Stenius> should only need the verbose mode for top-level domains that don't match the desired lang, such as: {hostalias, "example.eu", de} or some such..
[10:16:38] <Andreas Stenius> bah, or: {hostalias, {"example.eu", de}} as you wrote..
[10:17:38] <Andreas Stenius> or, if we want to make hostalias really flexible (with regard to future ideas): {hostalias, [{domain, "example.com"}, {lang, en}, ...]}
[10:17:49] <Andreas Stenius> while still supporting the current form of course..
[10:18:11] <Arjan> yah
[10:18:21] <Andreas Stenius> which actually is the same format as we use when interacting with templates...
[10:18:22] <Arjan> http://zotonic.com/docs/0.9/manuals/dispatch.html#domain-dependent-language-selection
[10:18:47] <Arjan> for now this seems OK
[10:19:00] <Andreas Stenius> indeed, it is a workable solution :)
[10:19:01] <Arjan> lets improve it when it is requested more
[10:24:10] <Andreas Stenius> Ah, here it was: http://zotonic.com/chatlogs/2013/02/08.html
[10:24:38] <Maas> moving from page to page are you? :p
[10:24:46] <Andreas Stenius> it was when I logoff and all /other/ session are meant to be reloaded, but it also causes the current page to reload
[10:24:57] <Andreas Stenius> effectively leaving the logoff page, even when it shouldn't..
[10:25:24] <Andreas Stenius> hehe, multithreading.. :p
[10:25:29] <Maas> navigation from page to page is totally messed up.. :)
[10:26:09] <Andreas Stenius> well, that's messed up. that it is messed up. is messed up, that is. bah :p
[10:27:12] <Maas> I remember when I found out that session meant the entire browser, and not just the viewing window.... so a new window is not a new session.
[10:28:08] <Andreas Stenius> yeah, I think I got that. As there are two kinds of sessions.. user session and page session... and the latter is linked to the former..
[10:28:40] <Maas> Also funny.. in incognito mode the ws is shared with the non-incognito frame.
[10:28:42] <Andreas Stenius> or, that's how I think of them, don't think there's anything called user session
[10:28:53] <Arjan> the names are confusing
[10:28:53] <Andreas Stenius> that's not really good, now is it..
[10:29:07] <Arjan> I think of them as the page process and the session process
[10:29:08] <Maas> not very incognito
[10:29:12] <Andreas Stenius> Arjan: did you catch my link and comment few minutes ago?
[10:29:59] <Arjan> the chat log?
[10:30:07] <Andreas Stenius> yeah
[10:30:16] <Andreas Stenius> and: (10:24:46 AM) Andreas Stenius: it was when I logoff and all /other/ session are meant to be reloaded, but it also causes the current page to reload
(10:24:58 AM) Andreas Stenius: effectively leaving the logoff page, even when it shouldn't..
[10:30:49] <Andreas Stenius> is the executive summary for the logs
[10:32:38] <Maas> back to "on the fly" adaption of js...
[11:31:47] <Marc Worrell> and back to maxclass adaptations: groups, roles, e-mails, invite codes....
[11:35:22] Arjan leaves the room
[11:35:50] Arjan joins the room
[12:01:40] <Maas> @marc Have you seen this one? http://faye.jcoglan.com
[12:02:04] <Maas> Others seem to think it is a good idea too.
[12:03:02] <Marc Worrell> :)
[12:03:28] <Maas> just add global and distributed...
[12:03:34] <Maas> :p
[12:03:37] <Marc Worrell> "just" - but indeed
[12:03:56] <Marc Worrell> pubsub is great − really makes your whole architecture more robust
[12:04:15] <Maas> It decouples at two levels. Time and space.
[12:04:43] <Marc Worrell> http://www.youtube.com/watch?v=km8o3ickQkM&feature=youtube_gdata_player
[12:05:19] <Maas> ow no
[12:05:23] <Maas> poor kid
[12:05:37] <Andreas Stenius> lol!
[12:05:39] <Maas> those eyes...
[12:38:22] Arjan leaves the room
[12:43:23] Jeff Bell joins the room
[13:01:52] Arjan joins the room
[13:06:36] <Maas> Cool to see that a project I let go continues to be used and improved upon... http://le-gall.net/sylvain+violaine/blog/index.php?post/2013/02/23/OUnit-2.0-progress
[13:08:18] <Maas> Ocaml....
[16:02:58] Andreas Stenius leaves the room
[16:55:36] Maas leaves the room
[17:17:32] Jeff Bell leaves the room
[17:49:11] Arjan leaves the room
[19:06:44] Arjan joins the room
[19:27:14] simon.smithies joins the room
[19:28:11] <Marc Worrell> hola
[19:28:11] jeff.5nines leaves the room
[19:28:35] <Marc Worrell> anybody here? :p
[19:28:54] <simon.smithies> Hi Marc
[19:29:02] <simon.smithies> I'm only here briefly
[19:30:09] simon.smithies leaves the room
[19:30:52] <Arjan> hi
[19:30:54] <Arjan> wassup
[19:33:32] Jeff Bell joins the room
[19:49:04] Arjan leaves the room
[20:04:07] <Marc Worrell> Just checking :p
[20:04:35] <Marc Worrell> Am jotting down all kinds of notes about the direction of Zotonic - what might be useful from a pragmatic standpoint.
[20:05:21] <Marc Worrell> Was wondering if anyone has hit a performance wall - where more nodes were needed to process the amount of incoming requests.
[20:05:46] <Marc Worrell> And for Arjan: could we do Kroonappels on a single server? (performance wise)
[20:06:40] <Marc Worrell> For our peace of mind it is nice that we have multiple servers :p
[20:25:04] <Marc Worrell> I am wondering, that if we go distributed with Dynamo like storage, what the best strategy is for all tables that are not a rsc/edge. Like mailinglist stuff, data connected to an e-mail address etc etc
[20:25:04] Jeff Bell leaves the room
[20:25:35] <Marc Worrell> And data connected to models, supplied by site builders.
[20:27:22] Jeff Bell joins the room
[20:38:17] arcusfelis leaves the room
[22:35:57] Andreas Stenius joins the room