What’s that close paren doing after my video embed in WordPress?

Posted on March 12, 2014 by room34

Working on a new client site that has a lot of YouTube video embeds, I was alarmed this morning to find a stray close paren ) character in all of the posts right after the videos.

Knowing I had recently been tampering with the embed_handler_html and embed_oembed_html filters in the site theme, I figured it was something I had created. So I set about debugging my code but couldn’t get anywhere.

So, I decided to see if it was in fact a new problem in WordPress itself, by setting up a test post on this site with a YouTube video embed (this, of course). Sure enough, even on my unadulterated theme, the stray close paren appears.

I mean, just look at it!!!

Anyway, I hope/assume this will get fixed in the WordPress core soon, but in the meantime if you are running into this problem and want a quick fix, and you’re not afraid of editing the functions.php file in your theme, have a go at this little addition that will strip out the offending punctuation:

function embed_fix_stray_parens($content) {
return str_replace('</iframe>)','</iframe>',$content);
}
add_filter('the_content','embed_fix_stray_parens');

Last, This, Next

Posted on January 30, 2014 by room34

As I was folding a week’s subset of my embarrassingly large collection of printed t-shirts, I reflected momentarily on the history of my pixelated Minnesota t-shirt. I bought that t-shirt last summer and wore it each time I went to the Minnesota State Fair last year, as my symbol of “Minnesota pride”.

Then I started thinking about sharing this story, and about referring to the Minnesota State Fair that took place in 2013 as the “last” Minnesota State Fair, and how the one that will take place “this” year, in 2014, is “this” State Fair, and so on.

Frequently conversations between SLP and me have resulted in confusion based on the different possible interpretations of “last”, “this” and “next” when referring to days, weeks, months, years or events. I tend to use “this” when I’m referring to any unit of time that occurs within the same larger unit of time, whether before or after the current one, although I may be likely to omit “this”.

For example, today is Thursday. The Super Bowl (or, if you prefer, the Suberb Owl) is happening in 3 days. It’s happening “this Sunday”. But what if today was (or is it “were”? I never get that right, either) already “Superb Owl Sunday” and I was (“were”?) talking about the 5K race I’m running in 7 days later? “This” Saturday seems a bit far off in that case. But “next” Saturday doesn’t feel right to me either. Or does it? Is it better for “next” Saturday to refer to a day that’s 6 days away, or 13?

As for my confusion with SLP, the fact that she lived her life on the September-to-June academic calendar for much longer than I did only exacerbated the situation. I’ve always been a stickler (to the point of ridiculousness) for precision in dates. The first day out of school isn’t the beginning of summer; the solstice is. The first day back in school isn’t the beginning of fall; the equinox is. And the first day back in school in late August or early September most definitely is not the beginning of the new year. (Although yes, Rosh Hashanah usually does occur in September so depending on the calendar you use, there’s an argument to be made.)

Ironically, it was only after SLP stopped organizing her life around the academic year that I embraced calling any of the days in early-to-mid June when our kids are out of school (but which are still technically in spring) “summer”, but I will never give up the idea that “this year” refers to the 4-digit number starting with a “2″ that comes at the end of the current date. “This year,” to me, means January 1 to December 31. Period.

But what do I mean when I say “this winter”? Sure, winter technically only starts about 10 days before the new year, so it’s almost entirely in 2014. But let’s be honest. In Minnesota, “winter” usually starts in early December, or sometimes as early as October. By my logic, “winter” in Minnesota begins on whatever day snow falls and doesn’t melt away. We had a few light snows in November, but “this winter” began on December 2, 2013.

My point is: language is fuzzy. Assigning vague labels like “last”, “this” and “next” to our days and events relies on a great deal of tacit agreement between ourselves over meaning. This particular quirk of our language has been causing me trouble since I was a kid. Back then I had a lot of time, sitting around bored in school (which I didn’t even realize was the case until much later in life), to ponder and obsess over and get annoyed by things like this. I was trying to create in my mind a world of precision and clarity that didn’t, and couldn’t, exist. Our minds don’t work that way, the world doesn’t work that way, and language, a product of our minds used to help us understand and communicate with each other about the world, necessarily can’t work that way.

I didn’t understand that then, and I only barely do now. Each of us carries around an entire universe in our mind. It’s built on a foundation laid by our genes and constructed around our experiences — and our interpretations of those experiences. Our language can only achieve an approximation of a fraction of that universe, and we have to rely on the assumption that our own version of the language we use is a close enough approximation of the same things in our own mental universe as the language, and the mental universe it represents, of the others around us.

It’s a wonder we can communicate at all.

A few thoughts on the holiday/winter ads by Apple and Samsung

Posted on December 23, 2013 by room34

I’ve been tweeting a bit today about Apple’s iPhone ad that is getting some attention this holiday season, along with a new one from Samsung. But I have some comments that are a bit more than 140 characters long, that I’d like to share here.

I first heard about the Samsung ad via Daring Fireball‘s link to it on YouTube. Check it out below.

I’ll admit to finding the hapless iPhone owner on the chairlift a bit funny. I’m a sucker for cheap laughs like a guy dropping his expensive phone (and later his skis too) from a chairlift. But almost immediately the “Geared up” Samsung owner is creepy. Stalker creepy. He’s supposed to come off like he’s got “the moves” or something (which is creepy enough anyway), but he doesn’t seem suave so much as dripping with white privilege. He can just make the woman next to him on the chairlift give him her phone number because… why not?

The next scene is what really bothers me: he takes a bunch of photos and video of her on the ski slope, without her permission or knowledge. Because… why not? And when he goes up to her at the bottom of the hill to show off his efforts, she’s not creeped out (or is she… maybe… just a little?) because… he’s a handsome white dude who’s all “Geared up” so of course it’s OK.

Of course it’s really not OK. In so many ways, it’s not OK. If this guy were a real person, I’d have plenty more to say about him, but he’s not. He’s an actor, playing a role, attempting to sell a product made by Samsung. So let’s talk about Samsung’s advertising efforts and how sexist they are. Fortunately for me Anjin Anhut already did (in more general terms, but this Samsung ad certainly fits the bill) in a great blog post on Saturday that I encourage you to read.

Let’s contrast the Samsung ad with Apple’s ad, entitled “Misunderstood”:

I have seen this ad at least 5 times now and every time I tear up. Do I feel that my emotions have been manipulated? Of course. This is a commercial. That a commercial would make me tear up… of course my emotions are being manipulated. But that doesn’t necessarily make it a bad thing.

Apple’s ad connects on an emotional level, because that’s where we are with this technology today. Both Apple’s and Samsung’s devices can do so many of the same things, and fill the same needs and desires in their users’ lives, that it’s really down to how we as the users of these products connect with them on an emotional level. That’s really what Samsung’s ad is trying to do, I think. It shows off more specific technologies than Apple’s ad does, but ultimately it’s connecting with its audience on an emotional level as well. But the audience, and the emotions, couldn’t be more different.

There is nothing sexist or creepy about Apple’s ad. It delivers an image we’re all used to seeing these days: the tech-loving teenager, apparently tuning out the people around them and the meaningful experiences they should be engaging in. But the teenager is misunderstood—he’s not tuning out. He’s capturing fleeting, magical moments in his family’s life and he’s creating… putting those moments together into an artifact the family members will be able to connect with long after the holidays end. It’s a commercial that can resonate with just about anyone. It surprises and delights, and it shows us how using an Apple product can help enrich the experiences that matter to us. (It is an ad, after all.)

The Samsung ad? Well, first of all, the ad is targeted at a very specific demographic. It’s an ad for dudes. Want to impress and seduce that hottie next to you on the chairlift? Samsung has just the tech to help you make that happen. Frankly I’m surprised they didn’t license Daft Punk’s “Get Lucky” just to underscore the message.

On one hand I find it kind of surprising that any company would think they could get away with running an ad like this today, but the fact is, it’s not surprising at all. This kind of advertising obviously works. It may alienate a huge potential audience but as Anjin Anhut’s blog post describes, it has identified a target audience and is more effective within that audience.

The problem with that strategy though is that the more you target an audience, the smaller it becomes. It may be a subset of the population that is far more likely to buy your product than the average, but you become increasingly confined to that narrow slice of the pie. Unless of course you run different and contradictory campaigns simultaneously (which happens all the time). But still, ultimately, you’re eventually going to reach a saturation point with that target market. Then what? You can retreat to a broader message, but how much damage have you done (not just to your business, but to the community) by that point? And was it really necessary in the first place?

Say what you will about Apple’s advertising, but I don’t think I’ve ever seen anything sexist, racist, or otherwise exclusionary—except of Windows users.

Top 5 Albums of 2013

Posted on December 19, 2013 by room34

I’ve given it a lot of thought. OK, I’ve given it some thought. OK, I’m actually just making it up as I go. Whatever the case, here are my picks for the best, or at least my favorite, albums of 2013.

5. Phoenix — Bankrupt!
I really got into Phoenix right after Wolfgang Amadeus Phoenix came out in 2009 and had thoroughly explored their back catalog while eagerly waiting… And waiting… And waaaaaaaaiiiiiting for the follow-up. Was it worth it? Absolutely. I wouldn’t say the album is a masterpiece; it leaves me wanting something. But it’s still fantastic, with some truly amazing musical moments and some compelling lyrics that reflect on the band’s struggles with its newfound fame… you know, when they got so big that even people like me knew about them.

4. Midlake — Antiphon
Remember what I said about a band being big enough that even I known about them? That probably goes double for Midlake, a band I just learned about last weekend, when the title track of this album played on The Current as I was driving to IKEA to buy a couch. (I wish I were making this up.) Two things immediately drew me in about Midlake: the incessantly burbling drums, and the amazing harmonic detours in the second half of the song.

As soon as I parked the car I went on iTunes on my phone and bought the whole album, which I then listened to twice through while assembling the couch. It’s all great, with several sections (especially those with acoustic guitar and flute) reminding me of Trespass-era Genesis. Except without the preposterous lyrics about anthropomorphized wolves. I’d probably rate this album higher, but I haven’t known it long enough to see how well it holds up.

3. Lusine — The Waiting Room
If the ranking criteria on this list were solely based on how many times I’ve listened to an album, this would undoubtedly take the top spot. I’ve had it on heavy rotation while I work over the past few months, because its low-key grooves are just right to keep me going without being too distracting. Which is not to say it’s background music. I’d describe it as a more listenable (i.e. less weird) Boards of Canada.

2. The Darcys — Warring
There’s only been one album this year that I’ve anticipated more than Phoenix’s Bankrupt! and that’s Warring by The Darcys. The Darcys are one of the few bands that I’ve ever heard that I think might make it big that I’ve known about and gotten into before that happened. I hope it happens for them, in the right way, because they’re really great.

Or to put it another way, they’re my second favorite Canadian band of all time.

I first learned about The Darcys because their second album, last year’s AJA, was something that could have come off as a cheesy stunt. Does that name sound familiar? That’s because it’s also the title of what is arguably Steely Dan’s best album, from 1977. The stunt? This is Steely Dan’s 1977 album, reinterpreted in its entirety in Darcys style. Which is to say, much darker. There is a bleak beauty in The Darcys’ vision that in some ways better suits the desperation in the album’s lyrics than Steely Dan’s original too-smooth-for-its-own-good style. (And I say that as a huge, unabashed Steely Dan fan.)

Anyway… The Darcys released both their self-titled debut and AJA for free on their website, which definitely helped build their audience and the anticipation for Warring, which is all original material, and is utterly fantastic. Unlike Midlake’s album, it didn’t blow me away on first listen, but it only took two or three repeats before the brilliance of the album unfolded and revealed itself. You really need to hear the album in its entirety, but if you only have the patience to check out one song, I’d recommend “Horses Fell.”

1. Nine Inch Nails — Hesitation Marks
There was some criticism for Trent Reznor’s decision to work with a major label for Hesitation Marks and even more for his blunt response to anyone who might complain about it. But that can’t change the fact that it’s a pretty brilliant album.

I was never much of a Nine Inch Nails fan in the earlier, noisier days. There was just too much adolescent angst in the lyrics, and, well, just too much noise. But that all changed for me when Year Zero was released, and I have since been absolutely blown away by the genius soundtrack work Reznor and Atticus Ross did for The Social Network and The Girl with the Dragon Tattoo, enough so that I actually pre-ordered this album on CD as soon as I knew it was coming.

I saw Nine Inch Nails in concert for the first time this fall on the opening night of their current tour. It was definitely the most intense concert I have ever experienced, and quite possibly the best. The music translated amazingly well to a live setting, and the light show and energy in the performance were like nothing I could even have imagined.

For the concert experience, as much as the music itself, I have to give this album my top ranking for the year. It’s definitely left the biggest impression on me of anything I’ve encountered in the past twelve months.

And while we’re at it…

Although I would never elect any of it to my top 5 list, I actually recorded a ridiculous amount of original music this year, beginning with the January release of 8-Bit Time Machine, my semi-autobiographical sci-fi rock opera. (Yes, seriously.) That one was actually recorded in late 2012, but I followed it up with The Picture of Dorian Mode, composed and recorded entirely on my iPad over a single weekend in February. Then in April, when winter refused to go away, I recorded an EP called Soundtrack for an Endless Winter. In July I finally upgraded to Logic Pro and learned the ropes by recording another EP, cleverly (or maybe not) titled Amateur Logic. I followed that with the year’s biggest project, Falling, in September. For three weeks I sketched out at least one new song idea every day, and when I had nearly two dozen sketches, I refined the best of them into what I think may be my best work to date. (And this doesn’t even touch on the monthly “Figures” EPs I cranked out for the first half of the year.)

Top 5 Albums of 2013: The Contenders

Posted on December 17, 2013 by room34

Yeah, I’m still doing this. So let’s go!

Here are the new albums I’ve added to my collection in 2013, and are therefore contenders for this year’s list…

another cultural landslide — last days last days
Atoms for Peace — Amok
Boards of Canada — Tomorrow’s Harvest
Caroline Smith — Half About Being a Woman
The Darcys — Warring
David Bowie — The Next Day
Disappears — Era
Joe Satriani — Unstoppable Momentum
Justin Timberlake — The 20/20 Experience (1 and 2)
Lusine — The Waiting Room
MGMT — MGMT
Midlake — Antiphon
Nine Inch Nails — Hesitation Marks
Nitemoves — Themes
Phoenix — Bankrupt!
Steven Wilson — The Raven That Refused to Sing (And Other Stories)
Toro y Moi — Anything in Return
Washed Out — Paracosm

Honestly… I’ve heard some really great new music this year, although my range of styles has narrowed in considerably on “chillwave” electronic music and surrounding genres. And while not completely homogenous, almost all of the artists are men, and almost all of them are white. I regret this, but it is what it is. And what it is, is, the music I listened to a lot this year, which is a reflection of me.

My heart isn’t quite in this whole process as much as it has been in years past. (Also, I just don’t have time.) So let’s cut to the chase. My top 5 albums are in bold above. But in what order? That will come in the next post.

How to install Windows 8 on a MacBook Air

Posted on October 26, 2013 by room34

No longwinded backstory in this post. I’m just posting this here so I can remember it if I ever have to install again, since I seem to keep forgetting.

If you’re trying to install Windows 8 (or Windows 7) on a MacBook Air, and you boot to the Windows CD (from a SuperDrive, of course), you may find that when you try to select the BOOTCAMP partition, you get an error stating that Windows can’t be installed on this drive, because it’s in GPT format, and you need to have an NTFS partition.

Well, it doesn’t matter if you have that partition formatted as NTFS or not. The error is happening because of the way you booted up!

Quit the installer, and restart, holding down the Option key. Then when the disk selection comes up, don’t select the Windows installer, select EFI Boot instead. That’s it!

WordPress tip: A simple way to search all post types

Posted on September 28, 2013 by room34

I love WordPress, but its huge designer/developer community and extensible structure have made it possible to over-engineer a solution to just about every problem. And then under-document that solution.

Case in point: today I needed to add the ability to search across custom post types, along with pages. But by default search only searches posts. (That is, the “post” post type. Are you with me?)

This isn’t a new problem, even to me, although very few of the sites I build have (or need) internal search. It’s just not that useful on a site that doesn’t have hundreds of pages or posts, and most of the sites I build don’t.

In the few times in the past when I needed to be able to search across other post types, or other content like taxonomy data, I’ve relied on the Search Everything plugin. And judging by the fact that (as of today) it’s been downloaded 555,309 times, clearly I am not alone.

It’s a pretty good plugin, as plugins go. But it can be overkill, especially if all you need is the ability to search other post types.

And that’s where we run into the real, multifaceted problem with WordPress for developers: 1) there’s a plugin (no, make that dozens of plugins) for just about every obscure task, and 2) there are also several ways to go about building your own custom solution, especially if you’re building your own theme, but 3) the documentation is all over the place, and none of it is comprehensive.

Granted, by offering a targeted solution to a very specific problem in this blog post, I’m contributing to that documentation fragmentation, but whaddayagonnado.

There’s a fourth (and probably even more important) facet as well: plugins are developed independently by countless individuals (of varying degrees of skill), and it’s impossible for anyone to test them all for interoperability. The more plugins you install — especially if they’re excessively complex for the problem you’re intending to solve — the greater the chance you’ll introduce an incompatibility that will break your site. So it’s in your best interest to try to keep things as simple as possible. (And to err on the side of installing fewer plugins.)

tl;dr

If I understand correctly, every parameter in WP_Query can be passed in the query string, which means you can add corresponding input fields into searchform.php in your theme to modify the search functionality.

OK, now that was too simple (and abstract). Give me an example I can work with.

Here’s a one-line solution to get WordPress to search all of your post types (even custom post types), not just “post”-type posts. Add this into the form in searchform.php:

<input type="hidden" name="post_type" value="any" />

Guess what… you can also specify multiple specific types of posts using PHP’s method of using square brackets in your input name to pass in data as an array, like this:

<input type="hidden" name="post_type[]" value="foo" />
<input type="hidden" name="post_type[]" value="bar" />
<input type="hidden" name="post_type[]" value="baz" />

A caveat: I tried the above with page as one of the values and it didn’t work; it showed my custom post types, but not “page”-type posts. I suspect it’s because that’s one of the predefined type parameters that make the query behave slightly differently. So this solution isn’t perfect, but using any as the value will work: it gets “post”, “page” and your custom post types.

My goal was to have a simple search form that would just search all post types, so I made this a hidden field, but you could make it radio buttons, checkboxes or a select menu if you wanted to let the user pick, and this just scratches the surface of what you can do to customize your search form to leverage the capabilities of WP_Query.

Nintendo: 2 Darn Stubborn?

Posted on August 28, 2013 by room34

Since the newly announced Nintendo 2DS (yes, you read that correctly) is obviously targeted at a young audience, I censored the title of this post. Kotaku already won the battle for best title anyway.

My first reaction, upon hearing the name “2DS” was “What the hell?” My second reaction, upon seeing a picture of it, was “No, seriously… what the hell?”

I have been a Nintendo defender for a long time. I love Nintendo. My kids and I waited in line outside the Richfield Best Buy last fall to get a Wii U at midnight when it was being released.

Now, a few fun games aside, all of us think the Wii U itself is kind of a P.O.S., but that’s not even the point. Except, it kind of is.

Nintendo used to be the king of the video game world. They dominated the late ’80s and early ’90s. After faltering a bit, they roared back in the mid-2000s with the original Wii. But then the world changed on them. The iPhone happened. And suddenly Nintendo was Wile E. Coyote running off a cliff. Except when they looked down, they didn’t suddenly realize the ground beneath them was gone. They just kept right on running… into a strange world where all known laws of physics no longer apply.

The Wii U is a bit of a muddled mess, but its main failing is the poor user experience of its horribly designed system software. But it was indicative of the larger problem Nintendo currently has… it has become dangerously (to its own future) out-of-touch with how people are using not just video games, but technology devices in general. The 2DS seems like perhaps they have crossed a point of no return.

I “get” the 2DS. It’s designed to address a few very specific problems, all revolving around the fact that Nintendo’s core audience, especially for handhelds, tends to be young… single-digit young. The 3DS, Nintendo’s current flagship handheld system, has three problems with that audience:

1. It’s fragile.
2. It’s (kind of) expensive.
3. Its 3D effects can be harmful to young eyes.

Little kids break things. The delicate plastic hinges on the traditional clamshell DS designs are a perfect example. Parents don’t want to spend $150-$200 on a device their young child will break easily. And for ocular health, Nintendo themselves discourage use of the 3D effect on the 3DS for those under 7 years old. Parents can disable the 3D effect entirely, but it’s a cumbersome process.

Enter the 2DS: No hinge. Comparatively cheap at $129. And no 3D. Problem(s) solved, right? Except… targeting those specific issues has led to this monstrosity. Something that could only be created by a combination of focus group feedback and head-in-the-sand corporate executives, deliberately ignoring everything that’s happening in the world around them, denying the true source of the rot eating away at their company’s business model.

Set aside the Playstation Vita for a minute (since everyone pretty much has, amirite?)… there is one primary competitor to the Nintendo DS family for young portable video game enthusiasts: the iPod touch. There are plenty of reasons a parent might choose to get their kid an iPod touch, besides the obvious fact that the kid really wants one. But perhaps the most compelling factor is that the parents themselves already own iPhones. The iPod touch, after all, is pretty much just an iPhone without the phone. (And GPS, and a few other features, but you get my point.)

iOS is already familiar to these parents, so they can relate to their child’s experience. And more importantly, these parents understand the App Store, which is really the single reason why I believe Nintendo as it currently functions is doomed.

Let’s look at three more potential problem factors for the Nintendo DS family:

1. Its games are expensive ($30-$40 each).
2. Its game media can get lost.
3. Its games can only be used on a single device at a time.

True, the iPod touch starts at $229, a full $100 more than the 2DS. But buy just three games for the 2DS and you’re up to the price of an iPod touch. Granted, Nintendo has created an equivalent to the App Store for the DS line, but its selection of games is pitifully small compared to the iOS App Store, and many of those games are iOS ports! Even the best, deepest, biggest-budget iOS games rarely break the $20 barrier, and most are priced somewhere between free and $3.

Every subsequent generation of Nintendo handheld has seen its game media shrink in size, from the fairly large cartridges of the original Game Boy to the tiny SD-like cards of the DS line. They’re more portable, but in some ways smaller is worse… as any parent whose kids bring their DS on car trips will tell you, the games are incredibly easy to misplace, and at up to $40 each that’s an expensive scenario. And, of course, a physical game can only be played on one device at a time. Even Nintendo’s eShop is built around a ridiculous model where you can’t transfer purchases between devices.

Contrast that with the iOS App Store. There are no physical media to keep track of, anyone on the same App Store account can download (and re- download) apps to their device without re-purchasing, and you’re not limited to the single device you originally bought the app on.

So while Apple (and Android) reinvented the world of mobile gaming, what did Nintendo do? They continued to drift into this strange territory of weird proprietary hardware, trying to create a unique experience by building devices, and games around them, that would be impossible anywhere else. That’s great, I guess… if any of it really made any sense. And never has it been clearer just how little sense it all makes than with the 2DS.

What is Nintendo’s greatest asset? Not its “unique” game hardware. It’s the intellectual property of great franchises like Mario, Zelda, Metroid and Pokémon. For decades now, Nintendo has sustained a (more or less) thriving business by making these must-have games and then selling the only hardware anyone can play them on.

But times have changed. The video game landscape is so different now, that I don’t think these legendary franchises are enough to carry Nintendo’s increasingly absurd hardware business any longer. I’ve been saying for years that Nintendo needs to do what Sega did… get out of the hardware business and start putting their games on other companies’ devices. This will mean a leaner, smaller Nintendo, but I bet they could wring just as much or more profit from selling their games on other systems as from building and selling their own.

Put Mario, Link, Samus or (God help me) Pikachu on my iPhone, and I will buy it in a second. But this crazy new hardware Nintendo keeps dreaming up? I’m not buying it anymore. And, for the first time, neither are my kids.

What’s so Neue about Helvetica?

Posted on July 31, 2013 by room34

So, I was just reading Rani Molla’s post on GigaOM called What’s all the fuss about Apple and Helvetica Neue? and I felt compelled (as I so often do, about so many things) to comment on the issue here.

Contrary to how the GigaOM article seems to frame it, the controversy — the, if you will, fontroversy (I regret it already) — when Apple demoed iOS 7 at WWDC last month was not that they were switching to Helvetica Neue as the iOS 7 system font. It’s that they were switching to Helvetica Neue Ultra Light, a particularly delicate weight of the general Helvetica Neue font family. (I’ve read some things that suggest they’re reversing course on that decision based on developer feedback, but the GigaOM post doesn’t even touch that.)

The fact is, Helvetica Neue has been the iOS system font ever since the introduction of the iPhone 4. When the iPhone was first introduced, it used plain old Helvetica as the system font. But with the introduction of the Retina Display, Apple switched to the slightly more refined Helvetica Neue.

So the concern with iOS 7 is not Helvetica Neue itself — that’s been working out just fine. It’s this extra thin weight of the font, which becomes difficult to read at smaller sizes.

Personally I like Helvetica Neue Ultra Light. I think it continues the trend towards refinement Apple began with the switch to Helvetica Neue itself, and is demonstrated effectively in Cabel Sasser’s animated GIF featured in the GigaOM article. The version using Helvetica Neue Regular feels heavier and clunkier to me. That said, I do understand and appreciate the legibility concerns with Ultra Light at very small sizes.

I’m not sure how this will work itself out. I doubt Apple will switch to a different typeface, though they may increase the weight of the font in the final version of iOS 7. But part of the reason Apple went with Helvetica in the first place is that it’s neutral (at least in principle). It gets out of the way and isn’t distracting. It doesn’t convey any particular personality. It’s a “blank canvas” of a font, which makes it a perfect fit for iOS devices, where the device itself disappears and becomes the app you’re using. Developers don’t have to use the system font in their apps, but a lot of them do, and by keeping the system font as neutral as possible, Apple avoids predisposing apps to a certain personality or style.

This is exactly the opposite of the opinions expressed in the closing of the GigaOM article, and is I think the opposite of Apple’s intentions with the iOS experience. Using a custom font that “reinforces a more distinctive brand voice” would be the equivalent of sticking a big Apple logo on the front of the iPhone. Apple’s branding goes on the back (where it can be an effective marketing tool). It’s never a part of the user experience.

Maintaining session between SSL and non-SSL pages in CakePHP

Posted on July 31, 2013 by room34

It’s funny, in a way, that cms34 has been around for nearly five years now, and it’s only just become a real issue that we were not maintaining sessions between SSL and non-SSL pages. This is somewhat understandable: practically speaking, the only time it really matters to carry over the session between the two is when a user is logged in. (This might not be the case with all web applications, but for us, at least, there’s rarely enough happening in the session when a user is not logged in for it to matter.)

As it happens, not that many cms34 sites use SSL; not that many cms34 sites use the user login capability on the front end. And very few use both. But we’ve had a couple of new sites come online lately that do use both, and it’s become a bit of an issue.

The issue was exacerbated by the fact that I recently modified the Users controller to require SSL on the login page, if the site has an SSL certificate. Consequently there were issues with trying to access login-restricted, but non-SSL pages… redirect loops and other such fun.

What’s the problem?

The problem is simple: for obvious security reasons, sessions and cookies cannot be shared directly between two different domains. It’s possible (although less secure) to share them between both SSL and non-SSL on the same domain, and it’s also relatively easy to set them up to work between different subdomains. But if your SSL pages use a different domain name than the non-SSL pages, even if they’re on the same server, there’s no way to get them to automatically use the same session.

The solution (though still not ideal, as it can introduce the risk of session hijacking), as you’ll find in lots of places, is to pass the session ID as a query string variable. Then you can use that to restore the same session ID, even if it’s on another domain — as long as it’s on the same physical server.

Some improvements

There are two key improvements I made to the basic “pass the session ID in the query string” scenario.

First, when the session is created I am writing the user’s IP address (using $_SERVER['REMOTE_ADDR']) as a session variable. Then, when I am attempting to restore the session with the ID passed as a query string variable, I read the session file on the server first, and make sure the IP address in the file matches still matches the user’s current IP address. Only then do I restore the session.

Second, and this is an aesthetic issue almost as much as a security one, once the session has been re-established, and before any response has been sent, I strip the session ID out of the requested URL and redirect to that new URL. It’s all invisible to the user, and the session ID never actually appears in the browser’s address bar.

A look at the code

There’s a lot going on in the cms34 code, much of which is highly specific to this application. But in short the keys to making this work happen in two places:

UsersController::login()

I have a login() action in UsersController that handles all of the special functionality that needs to happen when a user logs in. The actual login itself happens “automagically” via AuthComponent, but Auth doesn’t know everything I need to have happen when a user logs in, so after Auth does its work, my login() action takes it from there.

Honestly not a lot needs to happen here to make this work. Just two things: you have to write the user’s IP address to the session as I noted above, and you have to pass the session ID in a query string variable on the redirect that happens when login is successful. My code looks a little something like this (note that I have an array in the session called Misc that I use for… miscellaneous stuff like this):

class UsersController extends AppController {

  var $name = 'Users'
  // Other controller variables go here, of course.

  function login() {

    // All of this should only run if AuthComponent has already logged the user in.
    // Your session variable names may vary.
    if ($this->Session->read('Auth.User')) {

      // Various session prep stuff happens here.

      // Write IP address to session (used to verify user when restoring session).
      $this->Session->write('Misc.remote_addr(',$_SERVER['REMOTE_ADDR']);

      // Some conditionals for special redirects come here but we'll skip that.

      // Redirect user to home page, with session ID in query string.
      // Make up a query string variable that makes sense for you.
      $this->redirect('/?cms34sid=' . session_id());

    }
  }
}

So far, so good. The rest of the excitement happens in…

AppController::beforeFilter()

Ah yes, the magical beforeFilter() method. There’s a whole lot of stuff going on in AppController::beforeFilter() in cms34, most of which is highly specific to our application. But this is where you will need to put your code to retrieve the session ID from the query string and restore the session… this function runs at the beginning of every page load on your site.

I’ve put this logic almost at the beginning of beforeFilter(), because we really do want that session restored as soon as possible.

Here’s a look…

class AppController extends Controller {

  function beforeFilter() {

    // Additional code specific to your app will likely come before and after this.

    // Only run if session ID query string variable is passed and different from the existing ID.
    // Be sure to replace cms34sid with your actual query string variable name.
    if (!empty($this->params['url']['cms34sid']) && $this->params['url']['cms34sid'] != session_id()) {

      // Verify session file exists.
      // I am using CakeSession; your session files may be elsewhere.
      $session_file = TMP.DS.'sessions'.DS.'sess_'.$this->params['url']['cms34sid'];

      if (file_exists($session_file)) {
        $session_contents = file_get_contents($session_file);

        // Find user's IP address in session file data (to verify identity).
        // The CakePHP session file stores a set of serialized arrays; we're reading raw serialized data.
        // If you used a different session variable name than remote_addr, change it AND the 11 to its string length.
        $session_match = 's:11:"remote_addr";s:'.strlen($_SERVER['REMOTE_ADDR']).':"'.$_SERVER['REMOTE_ADDR'] .'";';

        // User's IP address is in session file; so we can continue.
        if (strpos($session_contents,$session_match) !== false) {

          // Set session ID to restore session
          $this->Session->id($this->params['url']['cms34sid']);

          // Redirect to this same URL without session ID in query string
          $current_url = rtrim(preg_replace('/cms34sid=[^&]+[&]?/','',current_url()),'?&');
          $this->redirect($current_url);
        }
      }
    }
  }
}

A few final thoughts

I didn’t really discuss cookies at all here, but suffice to say there’s a cookie containing the session ID that gets written. If you’re only using cookies for the session ID (which is probably a good idea), then you don’t really need to do anything else with them. But if you’re writing certain cookies when a user logs in (like I do), you’ll need to write additional logic to restore them in AppController::beforeFilter(). In my case, the relevant cookies are all duplicates of session data, but are intended for a few edge cases where I need to access that information through JavaScript or in .htaccess files that are protecting login-restricted downloadable files — in other words, places where I can’t use PHP to look at session data.

You may also notice near the end of the code in the AppController::beforeFilter() example above that I am calling a function called current_url(). This is not a built-in part of PHP or CakePHP; it’s a simple little function I have in my config/functions.php file. Here it is:

function current_url() {
return (!empty($_SERVER['HTTPS']) ? 'https://' : 'http://') . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
}

UNDERDOG of PERFECTION

a blog on technology, music and geek culture from room34