CakePHP Auth component, Flash and Internet Explorer… a deadly combination

OK, it’s not really deadly at all… other than that it will kill your CakePHP session and log you out.

My CakePHP-based CMS uses YUI Uploader, a Flash-based file uploader utility. It’s much better than the default HTML file uploader, because it supports a fully CSS-customizable progress bar and multiple file uploads.

It’s pretty slick, even though I did tear some hair out earlier in the year trying to get it integrated into the CMS. All went well for several months, until one particular client, using Windows Vista and Internet Explorer 8, discovered a showstopper of a problem: whenever you uploaded a file, all would seem well until you went to save your changes and you’d get kicked back to the login screen, without the changes being saved. Bad news!

I did some diagnostics and determined that, yes indeed, the CakePHP session was in fact being dropped as soon as the Flash process finished queuing the file uploads (an AJAX-based process), before you actually click the “Save” button… but since there’s nothing else happening dynamically on the page, it wasn’t obvious that the session had been killed in the background.

Anyway, some research led me to a perfect explanation of the problem, and an equally perfect solution: Flash is sending a different user agent string, which was resetting the CakePHP session. I’m still not sure why it was only affecting Internet Explorer, but at any rate, a simple change to the app/config/core.php file solved the problem in a snap. The critical line:

Configure::write('Session.checkAgent', false);

I suppose by removing this line, the application is ever-so-slightly less secure, but there should be enough other precautions in place that removing the user agent check as part of the process of validating a session should not pose a significant security risk.

In defense of WordPress

WordPressThere’s a lot of negative talk circulating regarding the security attacks currently underway against outdated versions of WordPress. One of the most outspoken critics, not without cause, is one of my favorite bloggers: John Gruber of Daring Fireball.

That Gruber is loyal to Movable Type perhaps influences (despite his claims to the contrary) the tone of his assessment of the situation. And, I’m sure, my loyalty to WordPress influences my assessment of it as well. WordPress is not Apple, but I hold both in perhaps unduly high esteem.

That said, there are easy (or, at least, prudent) steps one can take to keep WordPress secure against this attack. Also, security is not the only (nor, dare I say, anywhere near the most important) factor in selecting a blogging platform. I’ve worked a fair bit with Movable Type, and while I can’t speak to the relative security of the two applications, I definitely can speak to their relative ease of use, and in that regard, I see no comparison: WordPress is surprisingly consistent and intuitive, given its open source nature and the large size of its developer community, whereas Movable Type seems to live in its own world where up is down, left is right, files are assets, and you need to rebuild the site every time you change anything. (Caching, if it’s even necessary, should be invisible to the user.) And then there’s the proprietary markup language.

It is unfortunate, and a weakness of the system, that WordPress has come under attack in this fashion. I’m glad that the latest version, at least, is immune to this exploit. But to dismiss WordPress because of this seems to grossly miss the point. And, debate this if you like, I do believe that if you’re not prepared to keep your installation updated, you shouldn’t be hosting the site yourself anyway. Use WordPress.com — it’s free, and it’s always up-to-date. The biggest victims here, I fear, are site owners who have relied upon an apathetic hosting provider to manage their system, and whose sites have been left vulnerable through no fault of their own.

All of the room34.com sites are running 2.8.4, and none has fallen victim to these attacks. But this incident did inspire me to take an action I had been neglecting — last night I dug into my httpd.conf file, shuffled a bunch of directories around on the server, and consolidated all five of the WordPress sites I’m running down onto a single installation of the software, so from now on I’ll only need to update once instead of five times. I probably could have migrated to WordPress MU, but it was an interesting experiment to take the approach I did, and it allowed me to avoid having to merge databases.

Network Solutions: You’ve spoken. We’ve listened. We’re just idiots.

OK OK, Network Solutions. Don’t get your nsUndies* in a bunch. (*You’ll get that joke in a minute.) I’m still a diehard Network Solutions supporter, recommending all of my clients go with you instead of the sleazy likes of GoDaddy, despite your considerably higher prices. (My argument is, if you’re willing to spend thousands of dollars on a website project, why not spend an extra $25 on a better domain registrar?)

Anyway… just because I recommend you, doesn’t mean I will refrain from criticizing this: today I logged into my Network Solutions account to make some changes to my own DNS configuration, and I was confronted with the following ghastly announcement…

Network Solutions has listened, apparently.

What? Someone actually told you “I don’t understand what ‘Web Site’ means. Can you please call it something more obvious? Like, maybe, ‘nsBusinessSpace’? Yeah, that would be great.” Well, OK, maybe someone like Bill Lumbergh would think that. But he’s not really human.

I’ve seen something like this before, though. In fact, I’ve blogged about it before. But with Microsoft, it almost, just barely, managed to seem like they were in on the joke.

Two reasons I love having Al Franken as our U.S. Senator

#1: He knows what he’s talking about. This video by local political blogger Dusty Trice, from Franken’s booth at the Minnesota State Fair, has made it to the top of the front page of YouTube and been featured on The Rachel Maddow Show. (I wonder what food-on-a-stick he has stuck in his teeth at 6:45, but that’s beside the point.)

#2: He can do this… SLP tipped me off to this lighthearted moment, posted by MPR.

Does Minnesota really need two crazies in the House of Representatives?

We’re all used to Michele Bachmann’s paranoid/delusional rhetoric by now, but is it not enough to have one raving nutcase represent our fine state in the House of Representatives?

Apparently not, since Rep. John Kline is afraid President Obama is going to brainwash schoolkids to embrace socialism when he gives a back-to-school address to kids next week.

Give. Me. A. Break.

He’s the president, folks. You may not agree with his policies, but he’s the freaking president. I think Dave Thul (yes, a conservative) gets it right:

In the midst of the recession, a war in Afghanistan, fears over terrorism and H1N1, isn’t it at least possible that Obama may inspire kids to study hard and stay in school, and above all to keep dreaming about what they might be or do someday? If the president uses the speech as a political tool, asking kids to help him pass health care reform or save the earth by passing cap and trade, then yes, we will have a right to be upset. But give Obama the chance to speak before you decide to take offense to his words.

I personally would not be upset if he discussed those things, but I can understand why someone who disagreed would. But I think we can reasonably assume that our president is going to eschew the hot political topics of the day and focus on promoting the value of education, hard work and ambition. Then again, maybe those values are part of a liberal/socialist agenda, too. Are they?

Update: Moments after I posted this, a link to this media resources page appeared on the White House Facebook feed. Coincidence? You be the judge. (Answer: yes.)