Auth Mechanisms for Web Services

Having been involved in quite a few service-related activities in the last year or so, I’ve been having a few thoughts about what I’ve learned from this and what decisions I make when designing a service. Hopefully there will be a few of these posts – but to start with, I’m considering the options for authorising users.

Quite a lot of services don’t require any authentication at all, similar to quite a lot of the web. In either setting, the information is there for users to consume when they want. However the difference comes when services start doing more than making data available. If changes can be effected by the service, then we need to identify who is requesting the change.

Traditional websites use a username and password, and we can do exactly the same thing here. Services work on a series of discrete requests and it's common to require that the username and password be supplied with every request. However, for high-load services or where a particularly fast response time is needed, we can use something similar to sessions, where the user first has to authenticate and is given a token. On subsequent requests they supply the token and we wave them through without requiring their credentials again.

There are a number of considerations involved in deciding whether this setup can work for a particular application:

  • Does it take time to authenticate? For example is there an external system to wait for or lots of user information to retrieve?
  • How guessable is the token? Any kind of reasonable-length hashing will help you here. I tend to use salted md5 tokens*.
  • How long will the token be valid for? If interaction with the service is likely to be a burst of related requests, you might allow validity for 30 minutes for example.
  • Will you require other identifying information as well as the token? For example you might require that the user also supply their username, which would have to match the token. I've also seen systems which only accept tokens from the same user IP address as the user's original authentication call came from.

Also think about storing these tokens. They can go in their own table along with the information you want to use frequently – this is the same idea as storing information about a user in a session, for example. So user id, maybe display name plus the token itself, some information about when it was created or when it expires, and anything else that will be needed to check the token’s validity. With this information being independent and just used to verify the user, there is also the option of storing this in an alternative, faster, mechanism such as memcache.
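An added example, not code from the post, of the issue-then-check cycle described above: a PHP array stands in for the token table or memcache, the user record and IP addresses are constructed, and the check applies the expiry, matching-username and same-IP rules from the list. The token is random bytes rather than a hash of user data, so there is nothing for a client to guess or precompute.

```php
<?php
// Added example, not the post's code: an in-memory token store standing in
// for the token table or memcache the post mentions.

const TOKEN_TTL = 1800; // 30 minutes, the validity window the post uses as an example

function issueToken(array &$store, array $user, string $clientIp): string
{
    // 16 random bytes as 32 hex characters; nothing here is derived from user data.
    $token = bin2hex(random_bytes(16));
    $store[$token] = [
        'user_id'  => $user['id'],
        'username' => $user['username'],
        'display'  => $user['display_name'], // frequently used info, kept with the token
        'ip'       => $clientIp,
        'created'  => time(),
        'expires'  => time() + TOKEN_TTL,
    ];
    return $token;
}

// Returns the stored record on success, null on any failure. $bindIp toggles
// the "same IP as the original authentication call" rule from the post.
function checkToken(array &$store, string $token, string $username, string $clientIp, bool $bindIp = true): ?array
{
    if (!isset($store[$token])) {
        return null;                      // unknown token
    }
    $row = $store[$token];
    if (time() >= $row['expires']) {
        unset($store[$token]);            // expired: remove it rather than leave it lying around
        return null;
    }
    if ($row['username'] !== $username) {
        return null;                      // token belongs to a different user
    }
    if ($bindIp && $row['ip'] !== $clientIp) {
        return null;                      // presented from a different address
    }
    return $row;
}

// Demonstration on constructed data
$store = [];
$alice = ['id' => 7, 'username' => 'alice', 'display_name' => 'Alice'];
$token = issueToken($store, $alice, '10.0.0.5');
var_dump(checkToken($store, $token, 'alice', '10.0.0.5') !== null); // valid
var_dump(checkToken($store, $token, 'bob',   '10.0.0.5') === null); // wrong user
var_dump(checkToken($store, $token, 'alice', '10.0.0.9') === null); // different IP
```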

This isn’t by any means everything there is to think of, but just some ideas of things to consider when designing a service.

* I blogged about salting md5s in PHP recently, if you are interested

Replacement Love-Knot Wrap

A few years ago, when my little sister turned 21, I made her a crochet love-knot wrap. She’s used it (as a warm scarf) since then but recently lost it moving between multiple different places in the French Alps while working as a nanny for a hotel chain. So I made her a new one:
Caitlin Modelling her Scarf
It's the same design as before, using a “love knot” or “Solomon's knot” stitch to create an airy web of a wrap that can be worn either over the shoulders or bundled into a scarf as shown. I used a cotton tape yarn since she's just about to leave again to go and work in Portugal, so woolly wouldn't be a good choice. This yarn used to be a cardigan I bought, but it had daft sleeves so I unravelled them and never did anything better with it.

The scarf laid out and a closeup of the beads:
Scarf; Scarf Closeup
Here’s hoping she hangs onto this one at least as long as she managed for the last – safe travels, little one!

Quiet Diff

I recently saw a problem that we were having difficulty replicating, despite assurances that both the code base we were replicating on and the one that exhibited the error were identical. They are large codebases and when I got copies of them both I tried to check for differences:

diff -ur dirA dirB

The result was large and messy and included a lot of .svn files (long story). So to get an idea of how many files had differences I ran diff with -q for Quiet. This just outputs one line per changed file, and also a line if a file exists only in one directory or the other. I then used grep to ignore any lines with .svn in them, and finally passed the whole lot to wc (for Word Count) to tell me how many lines there are.

diff -urq dirA dirB | grep -v '\.svn' | wc -l

If you get a number greater than zero, your codebases are not identical and you have discovered why your fault is “intermittent”.

Curious Combination of Craft and Code

I’m a software developer, so I like to make things. The fact that some of these things involve yarn, fabric, or wood rather than code doesn’t make any difference to how I feel about building things. For the most part my programmer friends think I’m strange for making woollen things, and my craft friends think I’m strange for working with computers!

Since spending more time online and getting to “meet” (in a virtual sense) more people, both crafters and coders, it's becoming clear that I'm not alone on this one. First I saw this thread about crafts on the phpwomen forum and then I also noticed that on ravelry (a social network for knitters. Yes, really) there's a group for PHP knitters.

Are you a geek who also makes non-code things? Let me know :)

How To Use Salts and md5 in PHP

The MD5 hashing algorithm gets bad press because “it's insecure”. This post is not about that; MD5 is a hashing algorithm and is a good way of generating a representation of something, without actually needing the thing itself. I was asked about its use the other day so I thought I'd blog it.

One problem with MD5 is that a given input always generates the same output. Therefore, it is possible to generate a table of all (likely) values and their resulting MD5s, then be able to use it as a lookup to find out what makes that result – these are “rainbow tables”. A bit like choosing a password, having a commonly available piece of data (like an integer) means that there is probably a rainbow table with it in. Salting makes it less likely that a decode is available, and in PHP you would do something like this:

$salt = 'myrandomstring';
$hashed_value = md5($salt.$value);
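An added example (not the post's code) that takes the idea one step further: alongside the post's single fixed salt, a per-value random salt stored beside the hash, so two identical inputs no longer produce the same stored string, with a matching verify function; the values hashed are constructed. For password storage specifically, PHP 5.5 and later ship password_hash(), which handles the salt for you; this block is about the salting idea the post describes.

```php
<?php
// Added example, not the post's code: fixed-salt hashing as in the post,
// beside a per-value random salt stored with the hash.

// The post's construction: one application-wide salt.
function hashWithFixedSalt(string $value, string $salt = 'myrandomstring'): string
{
    return md5($salt . $value);
}

// Per-value salt: 8 random bytes, stored as "salt:hash" so it can be read
// back at check time. Identical inputs now get different stored strings, so
// one precomputed table cannot cover all of them.
function hashWithRandomSalt(string $value): string
{
    $salt = bin2hex(random_bytes(8));
    return $salt . ':' . md5($salt . $value);
}

function verifySalted(string $value, string $stored): bool
{
    if (strpos($stored, ':') === false) {
        return false;                     // not in the salt:hash form we produce
    }
    [$salt, $hash] = explode(':', $stored, 2);
    return hash_equals($hash, md5($salt . $value));
}

// Demonstration on constructed values
$a = hashWithRandomSalt('12345');
$b = hashWithRandomSalt('12345');
var_dump($a !== $b);                                                   // same input, different stored strings
var_dump(verifySalted('12345', $a));                                   // correct value checks out
var_dump(verifySalted('12346', $a));                                   // wrong value does not
var_dump(hashWithFixedSalt('12345') === hashWithFixedSalt('12345'));   // fixed salt: identical inputs still collide
```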

Speaking at phpGG

Next week I’m passing through the Ibuildings office in Utrecht on business. During the 36 hours or so that I’ll be there, the Dutch PHP User Group, phpGG have kindly extended an invitation to speak at a one-off user group meeting they are arranging. Well, I have a talk that needs some work and it seems like too good an opportunity to miss out on catching up with some Dutch friends that I usually can only virtually “meet”, so I delightedly accepted!

So, I’ll be in Utrecht on Thursday 16th April giving my talk “Linux-Fu for PHP Developers” at Ibuildings’ Utrecht office – let me know if you can be there :)

DPC – Dutch PHP Conference June 2009

I keep getting asked about the Dutch PHP Conference so here’s a quick outline about the event.

The conference is in Amsterdam, on 11th to 13th June 2009. Thursday 11th is the tutorial day, Friday and Saturday are the main conference days. The schedule is entirely in English and it looks excellent to the point that I am wondering how I can clone myself to see multiple sessions. http://www.phpconference.nl/schedule/ – don’t think I’ll be seeing much of the hallway track at this one.

Since this event is organised by my employers, Ibuildings, I get to attend, which I'm very pleased about – and I'll also get to meet up with all my colleagues, which is always great fun. The phpwomen will also be in evidence. The speakers list includes people from all over Europe and also North America, which is nice: there will be some crossover between existing geographical communities, which is always good for swapping ideas (and conference anecdotes of course). It's a varied lineup of talks, but it's all pretty advanced, so I'm looking forward to learning a lot even though I've already attended quite a few PHP conferences.

I notice the early bird pricing is valid through to 30th April, so if you are thinking of coming along then it's worth making your plans sooner rather than later – it's very easy to get to from pretty much all of Europe so no excuses! Hope to see some of you there, do come and say hi :)

Cardboard Laptop Stand

Today my Cardboard Laptop Stand arrived!! I saw a prototype of this a few months ago, and thought it was cool. Well, the company is run by some friends of mine and they've just launched at a time where I'm doing a lot of working from assorted other places with my laptop – so I decided I definitely need one.

At the moment I have a Kensington laptop stand. It's great, does the trick, folds flat, and I take it with me if I'm working elsewhere and use it on my desk when I'm here. But it weighs 688g:

Thinkpad on Kensington stand; Kensington stand: 688g

I have a backpack for my laptop (I had a shoulder bag for about a week but I ended up with my whole skeleton mis-aligned), which I use when I’m travelling and in London that means a lot of walking and usually in heels – so weight is a real issue for these trips. I really like my back the way it is – healthy! I weighed the cardboard one for comparison, and tried my laptop on it.

Cardboard stand: 83g; Thinkpad on cardboard stand

No contest, certainly for when I’m on the road :) OK so it will probably go soft or get wet or something, but for £7.50, I think I can probably afford to replace it. All I need now is some decoration … stickers, perhaps?

House Update

I haven’t blogged about the house for a while, and since we had to tidy up at the weekend for my grandparents’ visit, I thought a tidy house was a good time to take a few photos. When we first moved in, I blogged a lot about the house, and frankly it was a bit of a state! Most of the photos were along the lines of:

It's not (such) a disaster now, so I thought I'd share a few more up-to-date pictures.

Firstly: the living room. When I said I painted my living room turquoise, I wasn’t exaggerating!
Living Room Mantlepiece

Dining room: This room hasn't had a lot done to it, but we have bright red curtains and a tablecloth, which bring warmth to the room. The piano is in here too.
Dining Room Mantlepiece

Our Bedroom. Just realised I’m choosing all the mantlepiece pictures – that’s because in this case I love the original tiles, the mirror, and my fairy lights!
Bedroom Mantlepiece

We also redecorated the spare room (well, actually mum did all the wallpapering, but the preparation took months!)
Spare Room

There’s still a lot to do, although mostly we’ve at least plastered up some of the holes!
Landing

(more pictures on my flickr set if you are interested, I figured this was enough for one post)

Next up: we’ve got plans for a patio :) I think I’m starting to realise that a house project is never really finished …

PHPNW Test Fest Event – May 9th 2009

The PHPNW user group are taking part in this year’s PHP Test Fest. Our event will be on 9th May – you can sign up to attend (limited places so do let us know) on the upcoming page for this event: http://upcoming.yahoo.com/event/2299548/

The idea behind Test Fest is twofold: firstly, to give an approachable way for PHP developers to contribute back to the core – we’ll learn how to write tests on the day and can continue to do so after the event of course! Secondly, PHP itself gets better tests, and the language itself gets better. All in all, I can’t see a reason not to do it!

There are events right around the world, so if you can't be in Manchester then take a look around and see if there is something nearer to you that you could be involved in. Northern people – I'll see you there :)