Thu, 30 May 2013
GPS Tracking Systems
I use my smartphone in addition to the cyclocomputer in order to be able to record my speed, and later compare the speeds at the same place amongst various conditions. The problem is what to use for tracking and what for reviewing and comparing the recorded tracks?
So far I record the tracks using Move! Bike Computer on my Android phone. It is far from ideal, but at least it stores tracks as a GPX files which are accessible directly from the flash. It uses 1-second intervals, and as a bonus, it can display the track using Google maps. The drawback is that it sometimes does not switch the GPS on, so it needs to be switched on manually from the Android top bar menu. The other drawback is that while it can send the GPX files by e-mail to the desktop computer, it does not remember the prefered export format (GPX instead of KML for me) and the prefered export method (e-mail using K-9 mail to a predefined address). So sending tracks from my phone for further archivation is not so easy. But at least it can be done. Another problem is the start and end of the track: I usually start this app before leaving home, and stop it some minutes or hours after reaching the destination. The recorded tracks then cannot be easily compared, because their durations vary in the order of tens of percent, even though the real time of activity is roughly the same. The auto start/stop feature of the cyclo computer is much more precise - the GPS always report at least some movement because of its imprecision and noise.
As for the viewer, the situation is even worse. So far the best I have found is Endomondo, (and "the best" here does not imply "good" at all). Endomondo can import the tracks in the GPX format, and display them on top of Google map, can generate the speed and height profile, etc. On the other hand, it is way too skewed to training and fitness (computing calories, etc.), and has way too much useless social features. It also has its own proprietary Android App, which makes sending data to Endomondo easier, but with this app it is impossible to get your own data back in an open format. Moreover, when importing GPX data with 1 second granularity, Endomondo rescales it to something more coarse (tens of seconds to even minutes), so it makes comparing the speed at a given place pretty meaningless.
What do you use for your sports tracking, and how does it meet your data accessibility and openness requirements?
0 replies for this story:
Reply to this story:
Wed, 29 May 2013
E-shop Reviews
Apparently at Mall.cz they think that they sell only perfect goods, and don't want people to write negative reviews to some of the goods, even though the description contains plain lies. As an example, we take this 9V rechargable battery. In the description, they say:
The rechargable NiMH battery from GP Batteries lasts up to 5 times longer than alkaline batteries [...]
There has to be some serious magic used by either Mall.CZ or GP Batteries, which causes that the battery rated at 8.4 V with 200 mAh capacity lasts five times longer than an ordinary 9V primary alkaline cell. Apparently the later according to Wikipedia has 565 mAh capacity, and thus stores three times more energy than the rechargable batery from GP Batteries.
I have written a comment along these lines to the Mall.CZ system on May 7th, but it is still not published as of now. So beware of any e-shop which doesn't allow negative comments, such as Mall.CZ. It is interesting that some bigger shops like DX are perfectly OK with people writing negative reviews to some of their goods.
1 replies for this story:
Vašek Stodůlka wrote:
It is possible in some use cases to "last 5 times longer". When you put alkaline cells to camera, they can last as low as 50 shots, but NiMh batteries about 250. Alkaline batteries cannot produce high current very quickly - so technically your comment may be considered as not true. And there is "up to", which can also 0,5x. :-) But if this is a 9V battery, which you put to some kitchen scale, it will last about few months and alkaline can be there for years. But it is still "up to 5x", so they are right. :-)
Reply to this story:
Fri, 24 May 2013
File Manager
The last file manager I have used was Norton Commander back in the DOS era. Many years after that, during the flame wars between proponents of spatial and single-windowed Nautilus, I have only laughed at them, thinking that the command line was much better. Why would anybody need a GUI file manager? I feel slightly ashamed now, but I have to admit that for the last two weeks, I have also been using a GUI file manager.
I work on various things with respect to cabling, electricity, a new datacenter, and so on in the new building of Faculty of Informatics. The problem with the building specifications, projects, and so on is, that they are stored in the deep structure of directories, with names containing whitespace and even non-ASCII characters (in different character sets), and each directory contains many files or subdirectories with common prefixes shared by a set of files. So the usual tab-completion does not help - it is necessary to actually look at the completion prefix in order to know what character to add next. Here is an example of such a file name, starting from my automount point:
stavba_cerit_dok/01_ZADAVACI_DOK/02_zadavaci_projektova_dokumentace/\ FIMU_GD_SOD_příloha č. 1/!!!_02_FIMU_GD_SoD_Priloha_1_II.A_PD_DVD_PROJEKTOVA_DOK_1.etapa!!!/\ FI_F.3_03_PS 03 SUPERPOCITAC, DATOVE CENTRUM_DVD/\ F.3_03_5 SLABOPROUDE ROZVODY_DVD/F.3_03_5.2.01_PUDORYS 5NP - SLABOPROUD.pdf
In order to be able to quickly navigate inside such directory tree, I have started to use a GUI file manager. So far I use Thunar, the default file manager in XFCE. It can easily switch to any directory along the current path, and it has bookmarks for fast access to frequently-used directories. I use this feature a lot, because of the main drawback of GUI file managers: It is not possible to descend into a directory, which is an automount point (and which, from the VFS point of view, does not exist yet).
Do you use a GUI file manager?
3 replies for this story:
Milan Zamazal wrote:
I use Dired in Emacs. Powerful, text based, utilizing common Emacs features (e.g. bookmarks) and excellently integrated with the whole Emacs environment. I don't know how it compares to current file managers but it used to be much more powerful than anything I've seen in the last century. Considering my recent experience with some popular e-mail clients and discovering how primitive they are I've got some reasons to believe there are still not many file managers comparable to Dired. But does it make sense to use Dired without using Emacs generally? Probably not as environment integration is an important part of file manager usage. For instance, it's impractical to have different sets of bookmarks in a file manager and in other applications or it would be annoying if you renamed a file in a file manager and the corresponding change didn't happen in your editor having the file open for editing at the same time.
Yenya wrote: Re: Emacs
Well, the feature with rename probably does not work when the file in question is renamed by something else (possibly over a network FS), altough it can be partially solved with inotify. Apart from that, I don't want to boot another OS just to use a file manager.
thanh wrote:
I use tc (Total Commander) on windows, and mc (Midnight Commander) on linux/mac, both are very similar to nc. Another plus is that it's not required to have emacs (or vim) to use it ;)
Reply to this story:
Tue, 21 May 2013
Cell Phone Operators
Few weeks ago I have moved my cell phone number to a different phone operator (don't ask :-). Today, I've got an interesting call:
Caller: "Hello, I am a representative of $my_new_operator, do you have a minute or two?"
Me (thinking about possible problem with $my_new_operator, with payments, or whatever): "Well, only a minute."
Caller: "OK, then. We have a great offer for customers of $my_old_operator. If you move to $my_new_operator, you can save much money."
Apparently the $my_new_operator's representative does not know that I am already their customer.
2 replies for this story:
Bobby wrote: 360
It is called 360° customer view. They can see everything about you in any of their applications :-)
Bulik wrote:
I had similar experience two years ago (and - I guess - with different operator)
Reply to this story:
Fri, 03 May 2013
Laptop Upgrade?
I've got my laptop, ASUS F3E, in September 2008. So maybe it's time for a new laptop. Last year I have briefly considered buying a new one, but I have found that after upgrading F3E to 4 GB of RAM, 9-cell battery, and a fast solid-state disk (OCZ Vertex 2), then-current models provided no significant improvement compared to my F3E. Is this year's offer better?
There are several problems with my F3E:
- Glossy display (no explanation needed, I think)
- Plastic chassis, which is already broken in two corners
- Slightly slower CPU than needed (I had problems playing full-HD video without frame dropping once or twice, but I am not sure whether mplayer can use both CPU cores)
- The WiFi interface supports 2.4 GHz band, not 5 GHz one
What parameters should my hypothetical new laptop have? Of course, it would need to be better than my upgraded F3E in every aspect, and meet the following criteria:
- Size: less than 16", preferably not smaller than 14"
- OS: sold without Windows (I don't want to pay the Microsoft tax)
- Display: matte, at least 1280x800, possibly with touch input
- RAM: at least 4 GB
- Graphics: supported in Linux using open source drivers, including 3D acceleration (so most probably I don't want nVidia)
- HDD: preferably SSD, but I can reuse the SSD from F3E
- CD/DVD/...: preferably none
- Battery: at least 4 hours with moderate usage
- Keyboard: with long backspace, double-height enter, inverse-T arrow keys, and preferably without separate numeric keypad; backlit if possible
- Chassis: aluminium or similar, definitely not plastic
Does such a laptop exist, my dear lazyweb? Or shall I stay with my upgraded ASUS F3E for another year?
10 replies for this story:
dan wrote:
Some time ago I bought Lenovo X230 and I'm ok with it. It has (or can have) everything you described above except of the screen size, which is less than 14", and MS tax. I believe it can be equipped with a 3-band antenna which allows 5Ghz wifi, but in this case you wouldn't have the webcam. Check the specs to be sure. Optionally you can have a backlit keyboard or thinklight. I have even managed to squeeze in a 16GB of RAM and an msata SSD, along with a regular HDD. Battery life is about 5-7 hours with 6-cell battery, but I suspect that the power management in my system sucks. In windows it's much better.
dan wrote:
I forgot - you may also check out Lenovo X1 Carbon, it has similar specs to X230, but the screen is larger with higher resolution I think. You can cut your vegetables with it :-).
Peter Kruty wrote:
You are describing mac book air in your criteria :). (If I can take the liberty of ignoring 'preferably not smaller than 14"'.
Yenya wrote: Re: Macbook Air
Is it really supported in Linux with open source drivers, or have you took the liberty of ignoring this requirement as well?
honzah wrote:
@Peter Kruty: How is paying the Apple tax better than Microsoft tax? You can at least fight that one, I bet there is no chance to get your OS money back from Apple. @Yenya: Why do you have so small requirements for the display? Every other _phone_ has better resolution these days.
Peter Kruty wrote: mac book air
@Yenya: Oh, somehow I assumed this is solved problem for Intel graphics (not really watching this closely). So, yes I took the liberty too. In general looks like so called ultrabooks are matching most of your requirements. @honzah: Yenya was mentioning not willing to pay MS tax (nothing about Apple). Regarding Apple Tax: I believe this is different situation Apple HW and SW are designed for each other and from same vendor. I don't blame Apple for that, because it works very well for usability. Variety of generic laptop vendors are locking their hw to windows, while we can hardly talk about same tight integration for a user's benefit (and I mean a generic computer user, not someone like Yenya with very specific requirements).
Yenya wrote: Re: Macbook Air
Well, I didn't know that Apple uses Intel graphics - this is actually well supported under Linux. That said, even though I did not mention it explicitly, Honzah is right that for me, Apple tax is almost the same as Microsoft tax. Why would I buy a hardware from a vendor which explicitly does not want me to use it with Linux?
thingie wrote:
Basically, you can have a generic crap with some disastrous 1366x768 display (it doesn't matter if glossy or matte, it doesn't, it doesn't, it'll have faded vomitty colors anyway), they are all absolutely same. Or you can have something more decent, but then, it's either the macbook, or perhaps some more high-end-ish ultrabook.
Peter Kruty wrote: Dell XPS 13
Quite expensive, but you are paying for your specific requirements :) http://www.zive.cz/bleskovky/dell-xps-13-linuxovy-ultrabook-s-ubuntu-dostane-full-hd-displej/sc-4-a-167668/default.aspx
Yenya wrote: Re: Dell XPS 13
Looks interesting, thanks. The specs (even on the Dell site) are shallow, though. No mention whether it has matte display, and how exactly the keyboard looks like. Also, no SD card reader, but I guess this is the price for being so thin. OTOH, I am ok with the cost. But according to zive.cz, it is not (yet?) sold in CZ.
Reply to this story:
Fri, 26 Apr 2013
Tinyboard: ATtiny universal board
Having learned how to design PCBs, how to solder SMD components, and how to work with Atmel microcontrollers, I wanted to use this knowledge in more projects. I have thought about two or three things which I could do with ATtiny MCUs, but I didn't want to design a single-purpose board for each of them. Let me introduce Tinyboard, a multipurpose 24x50mm printed circuit board for 8-pin ATtiny MCUs (Tiny25/45/85, or Tiny13). The list of features includes:
A Tinyboard with a single step-up converter, MCP1703AT voltage regulator, USBasp programming connector, and unstabilized power input. The MCU itself is on the bottom side.
- Each of the five data pins can be repurposed as digital input, analog input with low-pass filter, output, MOSFET-driven output, etc.
- Up to two Boost (step-up) converters with current feedback measurement can be built on Tinyboard, for example for driving a string of LEDs.
- The board can use on-board voltage regulator, or use externally stabilized power.
- Each ATtiny data pin has its own three-pin header on Tinyboard, with one pin for GND, one pin for Vcc (stabilized or unstabilized), and one pin connected to ATtiny pin.
More details are described in the Tinyboard project page. So far I have built a step-up converter with it, and I am considering using it together with 9V battery (the size is about the same) as a lighting solution for my kids' bikes. The PCB fab allows boards up to 5x5cm size, so I have put two Tinyboards in a single design, receinving a total of 20 tinyboards. So I definitely have spare Tinyboards. If you have a project using 8-pin ATtiny and you are near Brno, let me know.
0 replies for this story:
Reply to this story:
Thu, 25 Apr 2013
Re: The Shared Office Printer
PHD comics is as funny as always. What I consider interesting is the last problem - printing on a special paper (a.k.a. the "Print Sprint"). I solve this problem differently:
Usually, such a print job is single-page only. So the easiest solution is to use the manual feed input. Open the manual input tray, print your job with manual tray specified, return to the printer, and feed your special paper into the manual input tray. People usually don't specify the manual tray as input.
Another alternative is when I don't want to research (again) how to print
using the manual input tray from the command line. I run something like
"sleep 60; lpr myfile", walk to the printer, open the default
tray and manual input tray, wait a moment, and when the print job arrives,
just select the manual tray from the front panel of the printer.
Of course it heps if CUPS together with the printer can cooperate enough to display at least the print job name (including the hostname) or even the job owners' login name, to be sure that it is really my print job. How do you print on a special paper on shared office printers?
0 replies for this story:
Reply to this story:
Tue, 23 Apr 2013
LinkedIn Endorsements Again
A while ago, I wrote about the new feature of LinkedIn - endorsing skills of each other. I have publicly stated that this is a nonsense, and that I didn't want anyone to endorse me, and I would not endorse the skills of my connections. Half a year later, I have to say I was right:
My public profile contains several endorsements for things I barely know they exist, for example for a programming language which I didn't write a single line of code in.
Moreover, I have discovered that I am supposedly "following" several things like "higher education", "computer software", or "Masaryk University". I am not aware that I have willingly decided to "follow" these things, maybe LinkedIn has added them by itself (I have clicked on "unfollow", so I don't follow them anymore). Apparently this is another misfeature designed to make it look that LinkedIn network is big and deeply interconnected.
What do you "follow" on LinkedIn?
1 replies for this story:
contyk wrote:
Pretty much the same here. And I seem to follow "IT", "Computer Software", and "Red Hat". Time to change that...
Reply to this story:
Mon, 11 Mar 2013
Are the Directories Evil?
Jimmac has an interesting blog post about how GNOME users are not satisfied with the current look of GNOME folder icon, explaining the reasons behind its current state. The blog post contains an interesting reasoning, but I wonder whether the fact that an explanation was actually necessary does not invalidate it. For me, however, the most enlightening part of his blog post is this:
Exposing the directory structure is the pre-GNOME 3 world. What we focus on now are the applications.
This is exactly the kind of mentality which leads us to the world of systems with severe usability problems like Android, GNOME 3, or most current MP3 players. Maybe this is a news for some of you, but the concept of directories actually is useful!
I hate it when the audio player Android app cannot present the albums that I have on my SD card neatly sorted into directories (also) as those directories. I hate it when my car stereo cannot use subdirectories with depth greater than 1, and does not have a "shuffle subtree" function, making the whole "shuffle" thing unusable: I have songs, tales for kids, audiobooks, and language courses stored there, and I obviously don't want to shuffle through all of these, intermixing random language lessons with songs and audiobook chapters.
Why do I have to use a domain-specific "directory sorter" (e.g. MP3 or photo tagging application), when the system already has a general purpose means of grouping various files together: the directory tree?
5 replies for this story:
Vašek Stodůlka wrote:
I have mixed impressins on this topic. I really liked Palm way of doing this - you pressed "Documents to Go" and the documents was there (!), without folders and anything, and only documents were listed, the same with other files. It was like a magic. :-) I like Google's "folderless" email, I configured Thunderbird same way. But on the other hand - current audio players are stupid for not having the tree structure, which I sometimes want and sometimes not.
Yenya wrote: Re: Vašek Stodůlka
I am not against tags per se, but I would like my apps to use _also_ the directory tree, because it is possible to put the files into directories by almost any tool, be it command-line or GUI. The problem is that not all albums on my disk have consistent tags (or have tags at all), and I don't want to spend time looking up and possibly retyping the names of tracks.
Gris wrote:
I couldn't care less about stupid eye candy, but I, too, absolutely loathe all the 'music library' shit. Just because all the various content sellers don't have to care about directory structure doesn't mean that the approach is cool and everyone should use it. Fortunately, there are still alternative applications that allow the user to choose the approach that suits them best. As for Jimmac, I suggest we start a relief fund so that he can go buy a clue.
thingie wrote:
When I think about all that time lost in pointless and retarded sorting of stuff into some directories, which I could, finally, stop doing some short time ago... And everything is much better now. So much better.
Yenya wrote: Re: thingie
Well, if it works for you, it's great, more power to you! But for me it is simply not possible to throw all the tracks newly downloaded from my favourite artist's website, or converted from CD to one heap, because everybody uses different tagging styles, genre name variants, and so on. It would be a bigger mess than creating a new directory with the name and location conforming to my own style, and downloading/converting directly there.
Reply to this story:
Tue, 22 Jan 2013
New GPG Key (please re-sign it!)
My PGP key is almost 16 years old now - it has been created on 1997-03-15. It is a 1024-bit RSA key, which is not so strong by today's standards. So I have generated a new GPG key 4096R/A45477D5. I plan to phase out my other two keys, 1024R/D3498839, and 1024R/F0BEFD45 in the near future, and publish revocation signatures for them. My new GPG public key signed by both old keys is available at the following locations:
https://www.fi.muni.cz/~kas/pgp-A45477D5.txthttp://pks.gpg.cz:11371/pks/lookup?fingerprint=on&op=vindex&search=0xA45477D5http://pgp.mit.edu:11371/pks/lookup?fingerprint=on&op=vindex&search=0xA45477D5http://stinkfoot.org:11371/pks/lookup?op=vindex&search=0xA45477D5
The fingerprint of the new key is: B634 17E5 731B 4F42 69FA 57FF 9453 3581 A454 77D5
I hereby ask everybody who has signed some of my previous keys, or who has any means of verifying the above fingerprint by an independent channel (e.g. over the phone) to sign my new key and send me a signature. It is possible to do this in Linux using the following steps:
1. Obtain my public key
gpg --keyserver pgp.mit.edu --recv-key A45477D5
or use another keyserver instead of pgp.mit.edu, or get the key from our webserver
wget -O - https://www.fi.muni.cz/~kas/pgp-A45477D5.txt | gpg --import
2. Display the fingerprint
gpg --fingerprint A45477D5
Verify the fingerprint (should be the same as above; you can also call me over the phone).
3. Sign the key
gpg --sign-key A45477D5
4. Export the key
gpg --armor --output A45477D5-signed.txt --export A45477D5
Now send the resulting file A45477D5-signed.txt to me. Thanks!
NOTE: The plain-text version of this blog post, signed by my old key
1024R/D3498839, is available here.
0 replies for this story:
Reply to this story:
Thu, 17 Jan 2013
Fedora 18
Fedora 18 has finally been released after being delayed several times. So far my experience is not so bad - upgraded systems mostly work. What are the biggest problems?
Most of them of course are in the rewritten Anaconda/FedUp combo. In my opinion, developers should be explicitly told to not rewrite things from scratch, if there is at least a small possibility of getting to the similar set of features with incremental modifications. The problem is that the previous codebase mostly works, and have lots of working features even for many corner cases. This resembles the infamous gdm-2.20 rewrite. Here is the list of problems I have ran into so far, using F18 on my laptop, on my workstation at work, and on a testing virtual machine:
- Gdm still cannot set the X server command line options, even though the developers promised the feature to be restored more than three years ago.
- FedUp provides no visual feedback about the progress of update. Who the f* wants to see the flashing Fedora logo during the upgrade, instead of some meaningful information? Are we trying to emulate MacOS or what?
- The new Anaconda cannot setup the storage the way user wants it to be set up, even though the old version worked even in this case. The developers response? Use Kickstart.
- Anaconda can select only one desktop environment for the installation. The response is the same as above. WTF?
- On my laptop, there was no way to select the correct time zone using mouse.
- Configuration files are being gradually
replaced with
systemdservices, which communicate over D-Bus, and have their configuration stored elsewhere. Replacing a three-line/etc/sysconfig/clockwith a permanently running daemon which needs its own command-line utility which talks to it over D-Bus seems really questionable for me. - My laptop is switching off when I close the lid. Apparently, another
systemdcomponent is doing this. Here is the workaround. - Jindřich's TeXlive page is yet to be updated for F18. There is the texlive-release.rpm package, but it points to a non-existent directory. I have yet to solve this.
- On the positive side,
systemctlno longer needs the.servicesuffix for the services.
To sum it up, we are slowly heading to the distribution where find(1) and grep(1) are no longer the sysadmin's friends, and
the sysadmin will need to use the specific D-Bus interfaces to talk to the
most parts of the system. It is kind of sad.
3 replies for this story:
Peter Krutý wrote:
> FedUp provides no visual feedback about the progress of update. Who the f* wants to see the flashing Fedora logo during the upgrade, instead of some meaningful information? Are we trying to emulate MacOS or what? I see very nice progress bar, when my macbook is updating :).
Vašek Stodůlka wrote:
I switched to Debian with Gnome 3 and Gnome 2 removal. I'm probably too conservative (and old) for Fedora. :-)
Yenya wrote: Re: Vašek Stodůlka
The problem with Debian is that it is, well, Debian. I prefer RPM over DPKG for technical reasons, and I prefer my system without the mandatory GNU/ prefix for political reasons. I also like the short release cycle of Fedora.
Reply to this story:
Wed, 02 Jan 2013
PF 2013
I wish happy year 2013 to everyone who reads this blog.
0 replies for this story:
Reply to this story:
Thu, 29 Nov 2012
Secure Login at Alza.CZ
Here is how the "secure" login works at alza.cz, one of the biggest e-shops in the Czech Republic:
In the login form, user can click to the link named "SSL", which leads to the SSL-encrypted page with an alternative login form. The problem is, that this page apparently sends the login form data unencrypted, so the usage of SSL to display the login form is completely pointless.
3 replies for this story:
dan wrote:
I agree, their login form is weird. I checked it with firebug and fortunately the credentials are not sent over in plaintext - it's still HTTPS. It seems that something in the way they are sending them confuses the browser - they are not using a standard HTML form, they are sending the credentials using XHR request. The login doesn't even work with JS turned off.
toto wrote:
Ty máš co kritizovat...spíš si oprav CSS. http://imgur.com/PBm7C
Yenya wrote: Re: toto
Well, the "official" URL of my blog does not start with https, so it is not my problem that it contains http-only images or whatever when accessed over https. Also, there are no private data sent over the net during communication with my blog (as opposed to Alza.cz).
Reply to this story:
Wed, 28 Nov 2012
SOAP::Lite
Today's daily WTF goes to the SOAP::Lite CPAN package and its non-configurability and mis-design.
For example, look at this:
HTTP Basic authentication is accomplished by overriding the get_basic_credentials suboutine in LWP::UserAgent (which SOAP::Transport::HTTP::Client is a subclass):
BEGIN {
sub SOAP::Transport::HTTP::Client::get_basic_credentials {
return 'username' => 'password';
}
}
So apparently the only way how to use Basic authentication is to override
a global function in some foreign namespace. And what to do when I want to
use two SOAP servers with two sets of credentials inside a single application?
There are more similar "features" in SOAP::Lite. For example, tracing can
only be set up globally in compile-time, or by manually calling ->import().
My dear lazyweb, is there a SOAP module with cleaner design?
UPDATE 2012/11/28: Tracing
FWIW, it is probably easier and cleaner to do both basic authentication
and tracing at the transport level - the transport module here is
LWP::UserAgent (thanks Adelton for the hint!), so for example handlers described in the LWP::UserAgent manpage work:
$soap->transport->add_handler(
request_prepare => sub {
shift->authorization_basic($login, $pass);
},
);
$soap->transport->add_handler(
request_send => sub { print STDERR shift->content; },
);
$soap->transport->add_handler(
response_done => sub { print STDERR shift->content; },
);
I wonder why the SOAP::Lite manpages suggest such dirty ways
of handling this (and I have not even started mentioning things
like $SOAP::Transport::HTTP::Client::USERAGENT_CLASS global
variable; ugh)
3 replies for this story:
Adelton wrote:
From man page: Because "SOAP::Client" inherits from "LWP::UserAgent", you can use any of "LWP::UserAgent"'s proxy settings. Can't you really apply the same to the ->credentials call? Eg, $soap->transport->credentials($netloc, $realm, $uname, $pass); ?
Adelton wrote:
By the way, who is holding a gun to your head to force you to use SOAP?
Yenya wrote: Re: Adelton
Well, why TF they have "redefine the get_basic_credential" in the POD as their prefered way of handling basic auth then? (ISDS is the gun holder there, but fortunately this is not my job, I just tried to help one of my colleagues :-)
Reply to this story:
Tue, 27 Nov 2012
Cookies Auth and 403 Forbidden
In IS MU we have recently abandoned the HTTP basic authentication and replaced it with cookie-based authentication. The main reason was that there is no portable way of logging out of the basic authentication. So I have based our new solution on Apache2::AuthCookie. The problem is, that it does not work correctly with some clients because of the way how the login form is handled.
When the yet-unauthenticated user accesses an URL for authenticated users only,
Apache2::AuthCookie returns the HTTP response with "403 Forbidden"
status code, and with text/html body containing the login
form. That way, the client cannot be possibly lead into the false assumption that the page it just received is in fact the content it wanted to receive.
So the user fills the login form, submits it, and the server returns the real
page for that URL, this time with "200 OK" status code.
This approach seems to be correct (even after reading the RFC 2616 :-). However, we observe problems with
the following two use cases:
- Nokia Symbian-based phones. After receiving 403 from the server, they display their own error message, and ignore the returned HTML altogether (except for the page background :-).
- Microsoft Word. When the link to the authenticated page is embedded inside the Word document, and user ctrl+clicks it, Word apparently starts MSIE to get the page. However, in this special case MSIE does not display the login form after getting the 403 status, but reports the error to its caller (MS Word) instead. So Word displays a generic error pop-up to the user, without the user being able to log in.
What to do now? The problem is clearly in the HTTP status code 403, and in its
mis-interpretation by some clients. I don't want to return the login form
in a 200 OK response, because I need e.g. the web crawlers to know that this
is not actually the page they tried to access. As for Symbian, they can be
clearly identified by their User-Agent string, so I can
return 200 OK only for them. But as for MS Word, I have no clue: what I see
is the request made by MSIE (and again, I probably don't want to return
200 OK to every unauthenticated MSIE request).
Any other suggestions, my dear lazyweb?
2 replies for this story:
Adelton wrote:
I'm not sure about that 403: "Authorization will not help and the request SHOULD NOT be repeated". Since you are using cookies for something it's not technically supposed to be used (authentication), I wouldn't worry about that 200 that much. I'd either make it 200 or 302 to some login page, ideally with some Pragma: no-cache so that spiders don't index/cache it.
Yenya wrote: Re: Adelton
Well, the request after 403 is not repeated (by the browser itself). Apache2::AuthCookie returns a login form in that request, and the action of this form is some different URL (which, by coincidence, returns 302 to the original URL, if correct credentials are submitted). So I still think 403 is a perfectly legal way of returning the login form.
