I’d like to officially welcome everyone to 2plan Limited. And in case you think you recognise the handsome chap on the homepage (no, not him … not him either, OK, the ugly chap) I have to admit it’s me.
Author: chris
More JavaScript goodness
If you’re one of the few people in the world that liked the look of my Performer JavaScript library but found it didn’t quite do what you want, take a look at these projects from LivePipe.com which include really nifty modal window generators.
And if that’s not enough then the talented Dustin Diaz has a chainable JavaScript kit built on the Yahoo! UI framework. It’s quite a bit more complicated than using the Performer classes, but it’s a whole lot more powerful.
And if all that is too geeky for you, take a trip down memory lane with PC World’s 50 best tech products of all time. It made interesting reading, and I had fun seeing which of my favourite gadgets made it into the list.
Switching off
It seems like quite a few of my regular blog reads are closing down. This is a shame, and the fact that these well-respected and very talented writers are hanging up their keyboards, so to speak, because of online abuse (sometimes of an extreme, disgusting and frightening nature) is an indictment of certain sectors of the online community.
Wherever groups of people gather you expect there to be a few idiots. I know, I’ve been an idiot many times. However when the tone of what’s being said turns from mere stupidity to extreme vulgarity and even disturbing threats, a line has been crossed. I wish everyone who has been adversely affected by the goings-on around the web over the last few weeks the very best, and encourage them to not lose touch with the genuine friends they have made here.
I’ll be keeping this blog going; one of the advantages of being a nobody is you’re not set up as a target. However, with such a lot on my plate at the moment I doubt I’ll be breaking any writing records.
Website security
A few recent goings-on (going-ons?) have made me think about website security. Firstly was the flurry of interest about Open ID, which is an open, distributed identity system. Basically you set up one Open ID account and use that account to log into websites, applications and services which support it.
It’s not without its problems, but in general it seems like a good idea. You just have to remember your Open ID address (which, for me, could be the address of my website) and then you’re prompted for your Open ID password. Easy, and it’s the same for every Open ID-enabled site you visit.
Secondly we’ve had a whole series of – frankly quite animated – discussions at work about persistent logins for web applications. You know the type of thing: you log in, ticking the “Remember me” button, and next time you visit (a few days later, perhaps) you’re logged in automatically.
Great, but that does introduce some problems. Mainly that as long as you’re on your computer, under your operating system login, it works great. When you go to someone else’s computer, or use another login, or (even worse) you don’t have any logins on your operating system and your computer gets stolen, lost or hacked – anyone can pretend to be you in the web application.
It’s a well-known problem, and most developers get around it by putting a sensible expiry time on the automatic login cookie, something like a week or a month works fine. But some want customers to never have to log in after they’ve done so for the first time. Ouch.
You see, if we think that customers won’t be able to remember a password – even when we provide a “Forgotten your password?” link on the login screen – can we trust them to not load one of these indefinite login cookies on a non-secure system? I don’t think so, and once the cookie is there anyone just going to the right address has access to the data.
We’ll find a solution to this problem soon. We’re good at doing stuff like that; it’s what we do.
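One way to put the expiry described above into practice, as an added example that is not code from the original post: a server-side store for “Remember me” cookies that keeps only a hash of each token, enforces a fixed deadline, and swaps the token on every use. The class and function names, the one-week lifetime and the in-memory dictionary standing in for a database table are all assumptions.

```python
import hashlib
import hmac
import secrets

MAX_AGE = 7 * 24 * 3600  # assumed lifetime: one week, in seconds


def _digest(validator):
    return hashlib.sha256(validator.encode()).hexdigest()


class RememberMeStore:
    """Hypothetical in-memory stand-in for a server-side table of persistent logins."""

    def __init__(self):
        self._rows = {}  # selector -> (validator digest, username, expires_at)

    def issue(self, username, now, expires_at=None):
        """Create a cookie value; only a hash of its secret half is stored."""
        selector = secrets.token_urlsafe(12)   # lookup key, not secret
        validator = secrets.token_urlsafe(32)  # secret, never stored in the clear
        expiry = expires_at if expires_at is not None else now + MAX_AGE
        self._rows[selector] = (_digest(validator), username, expiry)
        return f"{selector}:{validator}"

    def redeem(self, cookie, now):
        """Return (username, replacement_cookie), or (None, None) if rejected."""
        selector, _, validator = cookie.partition(":")
        row = self._rows.pop(selector, None)  # single use: the row is consumed
        if row is None:
            return None, None
        digest, username, expires_at = row
        if now >= expires_at or not hmac.compare_digest(_digest(validator), digest):
            return None, None
        # Rotate the token but keep the original deadline, so the login never
        # becomes indefinite however often the cookie is used.
        return username, self.issue(username, now, expires_at)

    def revoke_user(self, username):
        """Drop every persistent login for a user, e.g. after a lost laptop."""
        stale = [s for s, row in self._rows.items() if row[1] == username]
        for selector in stale:
            del self._rows[selector]
        return len(stale)
```

Because each cookie works once and the deadline is carried over on rotation, a copied cookie stops working as soon as either party uses it, and nobody stays logged in past the original week.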
In the meantime, I had a thought. How about a browser plugin that handles security? My browser of choice has an entire universe of plugins that do all manner of clever things.
My thinking is like this. The user logs onto their operating system (say, Windows) and opens a browser with the security plugin installed. Because the browser, and therefore the plugin, is part of the operating system it can get the currently logged in username and send that (via SSL) to the web application, which verifies it against a list of users. Perhaps a token/key could be used to make it even more secure. The web application then logs the user in as themselves.
That way, you log onto one system and the web application uses that login to verify who you say you are. Some websites with integrated Windows authentication use this already, admittedly without a browser plugin, but this way would be cross-platform (both client and server).
As long as you had the plugin (which could be verified regularly) and your operating system login was secure, you’d be laughing. Or chuckling a bit, at least.
Do you see any problems with that idea? Tell me, there’s normally something major I miss.
Unfortunate doubles
Company photos can be unfortunate at the best of times. And when you look like a dubious Internet celebrity you need to rethink your press pack.