CakePHP Auth component, Flash and Internet Explorer… a deadly combination

OK, it’s not really deadly at all… other than that it will kill your CakePHP session and log you out.

My CakePHP-based CMS uses YUI Uploader, a Flash-based file uploader utility. It’s much better than the default HTML file uploader, because it supports a fully CSS-customizable progress bar and multiple file uploads.

It’s pretty slick, even though I did tear some hair out earlier in the year trying to get it integrated into the CMS. All went well for several months, until one particular client, using Windows Vista and Internet Explorer 8, discovered a showstopper of a problem: whenever you uploaded a file, all would seem well until you went to save your changes and you’d get kicked back to the login screen, without the changes being saved. Bad news!

I did some diagnostics and determined that, yes indeed, the CakePHP session was in fact being dropped as soon as the Flash process finished queuing the file uploads (an AJAX-based process), before you actually click the “Save” button… but since there’s nothing else happening dynamically on the page, it wasn’t obvious that the session had been killed in the background.

Anyway, some research led me to a perfect explanation of the problem, and an equally perfect solution: Flash is sending a different user agent string, which was resetting the CakePHP session. I’m still not sure why it was only affecting Internet Explorer, but at any rate, a simple change to the app/config/core.php file solved the problem in a snap. The critical line:

Configure::write('Session.checkAgent', false);

I suppose by removing this line, the application is ever-so-slightly less secure, but there should be enough other precautions in place that removing the user agent check as part of the process of validating a session should not pose a significant security risk.

Network Solutions: You’ve spoken. We’ve listened. We’re just idiots.

OK OK, Network Solutions. Don’t get your nsUndies* in a bunch. (*You’ll get that joke in a minute.) I’m still a diehard Network Solutions supporter, recommending all of my clients go with you instead of the sleazy likes of GoDaddy, despite your considerably higher prices. (My argument is, if you’re willing to spend thousands of dollars on a website project, why not spend an extra $25 on a better domain registrar?)

Anyway… just because I recommend you, doesn’t mean I will refrain from criticizing this: today I logged into my Network Solutions account to make some changes to my own DNS configuration, and I was confronted with the following ghastly announcement…

Network Solutions has listened, apparently.

What? Someone actually told you “I don’t understand what ‘Web Site’ means. Can you please call it something more obvious? Like, maybe, ‘nsBusinessSpace’? Yeah, that would be great.” Well, OK, maybe someone like Bill Lumbergh would think that. But he’s not really human.

I’ve seen something like this before, though. In fact, I’ve blogged about it before. But with Microsoft, it almost, just barely, managed to seem like they were in on the joke.

Zeldman on Outlook 2010

Jeffrey ZeldmanI’ll take Jeffrey Zeldman over Jakob Nielsen any day. (Case in point.) And Zeldman’s criticism today of Microsoft’s inexplicable use of the Word HTML rendering engine in Outlook 2010 despite IE8’s genuine efforts to become standards compliant is true to form. A quote worth repeating in its entirety, re-tweeting (if it weren’t over 140 characters), and having tattooed on your favorite body part:

Big companies love these fictions where one part of the company “pays” another, and accountants love this stuff as well, for reasons that make Jesus cry out anew.

How to not bother testing websites in Internet Explorer 8

Or: What Microsoft probably doesn’t really want you to do.

Internet Explorer 8 is supposed to be more standards-compliant. Ya-freakin’-hoo. (No relation to Yahoo!) I don’t especially care, and I’d like to think the best way IE8 could become standards-compliant is to not exist in the first place. But, it’s here, and when Windows 7 arrives later this year, we (the web designers and developers of the world) will have to get used to it.

I do have Windows 7 RC running in a virtual machine on my MacBook, so I can test IE8. But waiting for several minutes for it to log in (for some reason), I came to the decision that maybe it’s not worth testing in: maybe it’s best to just take advantage of its “IE7 Compatibility Mode” to not need to test in it. It’s not like IE8 being standards-compliant (yet, somehow, still not rendering pages like Firefox and Safari) is really going to save me any time, because I’ll still need to test in IE7 (and, God help me, IE6) for years to come. Why add a third Bizarro-world Microsoft browser to the mix?

IE8, brought to you by people who don't see anything wrong with this image.

Internet Explorer 8, brought to you by people who don't see anything wrong with this image.

So I googled ie8 ie7 compatibility mode and found a helpful, if slightly douchey, blog post from a Microsoft “developer evangelist.” Of course, his blog renders completely f’ed up in Firefox, and even if it didn’t it would probably still be displaying the hideous matted-to-white-transparent-GIF-on-a-dark-background you see here.

Nonetheless, he did still give me the code snippet I need. Stick this in the header of all of your pages (which, hopefully, means editing just one file, riiiight?), cross your fingers, bow your head in the direction of Redmond and, if all goes well, you won’t have to think about IE8 (ever?) again.

<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />

I’m going to try it out now.

Perhaps I went out on a limb when I referred to this blog post as douchey. Never mind the fact that the guy is a “developer evangelist” for Microsoft, which is enough in itself. The two d-bag moments for me were: 1) the opening couple of sentences: “As you all know, the Internet Explorer team has been working hard to make IE8 the most standards compliant browser around. Unfortunately, not all web sites confirm [sic] to these standards today.” In other words, Microsoft has undertaken a noble effort to build something perfect and wonderful, but all you apathetic and/or malevolent web designers out there are conspiring to destroy it. And 2) “Lastly, for those of you running Apache instead of IIS (shame on you!)…” Yes, shame on you for using the most popular and stable web server software in the world. Actually, yes, shame on you for running Apache on a Windows server. You’re an even bigger douche than he is.

Update: Adding this meta tag to a client site I’m currently working on didn’t seem to have any effect on IE8, but that may be because I had manually clicked the compatibility mode button in a previous session, turning it off. (So, in other words, I am positing that if the user has manually turned off compatibility mode, it will stay off even if the page tries to activate it.) Turning compatibility mode on manually did work — the rendering issues I saw with IE8 in its normal mode went away.

Now, the thing that concerns me about all of this is that my page should be pretty damn well standards-compliant: the doctype is XHTML 1.1, which is very unforgiving, and I’ve validated it. The page looks fine in Firefox and Safari. It’s possible that the source of the problem is my IE-specific CSS file, that is fixing IE7 problems that don’t exist in IE8 (and thereby introducing new problems there). The next step would be modifying the conditional comments so that IE8 doesn’t load the IE-specific CSS, and checking whether that solves the problems. The culprit may also be IE7.js, which I viewed as a lifesaver when I started using it about a year ago, but increasingly seems to be of little to no benefit.

Drug use at Microsoft HQ

OK, I have no evidence of rampant indulgence in illicit substances in Redmond, but it’s hard to find another explanation for this image being standard-issue wallpaper:

windows-7-wallpaper-20090429

!= has more on the potential symbolism (perhaps subconscious) in this image. And also links to a rather fascinating article about microscopic, holographic photos embedded in the Windows Vista installer disc. While it’s truly an impressive achievement, one wonders whether Microsoft’s R&D priorities are really in the right place with this.

Posted in honor of today’s availability of the Windows 7 Release Candidate as a free download. Yes, I am downloading it now. (I just blew Kosh’s mind.)

Update: Yes, this is trivial. I’m petty. But still, first impressions and all. The first few screens of the installation start-up were a lot more aesthetically pleasing than the white-on-blue terminal screen look of the Windows XP installer.

But I have to wonder about this particular screenshot. Could they really not fit that text on one line?

Windows 7 install screen

Also, this window has a more-or-less Vista-style interface. Before this there was a screen where I had to pick my language preferences, and that window looked like the Windows 2000 interface. Which “classic” Windows interface style will the next screen feature? And was this walk through the museum of Microsoft OS antiquities really intentional?

Oh, and I almost forgot… did they really mean to put the red “close window” X there? It glows when I mouse over it. Must… resist… temptation…. I can only assume clicking it would cancel the installation. But would I get a chance to confirm that rash decision? Wouldn’t a smartly labeled “Cancel installation…” button have made more sense?