
Twitter and Plus Addressing

Written by Jevgeni Kabanov on October 16, 2008 – 9:20 pm

If you’re like me you might have a few Twitter accounts registered by now. They require a unique e-mail address for each account, but apparently plus addressing is completely legit. With services like GMail supporting them, I’m now free to register as many accounts as I want!


Posted in cool | No Comments »

Google Chrome, Fixed

Written by Jevgeni Kabanov on October 7, 2008 – 1:43 pm

The latest Dev Channel version with the “--new-http” switch fixes all the problems I had with Google Chrome for me. Kudos to the team!


Posted in meme | No Comments »

Google Chrome Dev Channel

Written by Jevgeni Kabanov on September 26, 2008 – 2:11 pm

If you are using Google Chrome and want to keep up with the latest updates switch to the dev channel: http://dev.chromium.org/getting-involved/dev-channel.


Posted in cool | No Comments »

Google Chrome — Fast, but Unstable

Written by Jevgeni Kabanov on September 3, 2008 – 1:12 am

I gave Google Chrome a quick spin. At least two problems came out:

  • Digest-based authentication isn’t handled correctly: the request sent does not include the query string, causing a 400 Bad Request
  • Google Analytics will randomly crash the Flash plugin, freezing the whole browser (with all the talk of isolated processes…)

On the immediate positive side it fixed my main pet peeve with Mozilla Prism — the inability to change font size, so I replaced the Prism shortcuts with Chrome applications. It is also really, really fast.

All in all it’s fast and cool, but needs lots more polish before massive adoption.


Posted in meme | 5 Comments »

URL-based session is insecure and so is JavaBlogs.com

Written by Jevgeni Kabanov on September 2, 2008 – 6:17 pm

There are two main ways to associate session state with a user — session cookies and session URL parameters. However, for public sites the URL-based approach carries some real risks.

Cookies are saved on the computer and are only ever sent in requests to the domain that set them. They have always been a focus of security attacks and are therefore pretty well protected. For example, they cannot be accessed by included third-party JavaScript, which matters given the current proliferation of web widgets.

On the other hand, URLs are definitely accessible to third-party scripts. What’s even worse is that the browser will send the URL of the previous page as the Referrer when you click a link that leads to a third-party site. Since most web servers log the Referrer, the owner of that site can use the logged-in user’s session for as long as it is live, and possibly access private user data.
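The leak described above shows up on the receiving side as a session token inside the Referrer column of an ordinary access log. The following is an added example, not code from the original post, that scans a few constructed Apache combined-format log lines for session identifiers carried in the Referrer (Java’s `;jsessionid=` path parameter and a small, assumed list of query-parameter names such as `PHPSESSID`) and produces a redacted copy of the URL so the token never has to be kept in the findings themselves. The parameter-name list and the sample lines are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Constructed sample lines in Apache "combined" log format (not real traffic).
# Line 1 carries a Java-style jsessionid path parameter in the Referrer,
# line 2 a PHP-style session id in the query string, lines 3 and 4 are clean.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Sep/2008:18:17:01 +0300] "GET /stats HTTP/1.1" 200 512 "http://example-blogs.test/home;jsessionid=ABC123DEF456" "Mozilla/5.0"
203.0.113.6 - - [02/Sep/2008:18:17:05 +0300] "GET /stats HTTP/1.1" 200 512 "http://example-blogs.test/view?id=42&PHPSESSID=9f8e7d6c" "Mozilla/5.0"
203.0.113.7 - - [02/Sep/2008:18:17:09 +0300] "GET /stats HTTP/1.1" 200 512 "http://example-blogs.test/view?id=42" "Mozilla/5.0"
203.0.113.8 - - [02/Sep/2008:18:17:12 +0300] "GET /stats HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Assumed list of query-parameter names commonly used to carry a session id.
SESSION_PARAM_NAMES = {"jsessionid", "phpsessid", "aspsessionid",
                       "sessionid", "session_id", "sid"}

# Java servlet containers rewrite the session id into the path as ";jsessionid=..."
PATH_PARAM_RE = re.compile(r";(jsessionid)=([^;?#/]+)", re.IGNORECASE)
# Same names when they appear as ordinary query parameters (matched on the raw
# query string so redaction does not re-encode the other parameters).
QUERY_PARAM_RE = re.compile(
    r"(^|&)(" + "|".join(sorted(SESSION_PARAM_NAMES)) + r")=[^&]*", re.IGNORECASE)

# One combined-log-format line: client ident user [time] "request" status size "referer" "agent"
LOG_LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')


def parse_log_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    match = LOG_LINE_RE.match(line)
    return match.groupdict() if match else None


def find_session_ids(url):
    """Return (parameter name, value) pairs for every session id carried in the URL."""
    found = []
    parts = urlsplit(url)  # urlsplit keeps ";param=value" inside .path
    for match in PATH_PARAM_RE.finditer(parts.path):
        found.append((match.group(1), match.group(2)))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAM_NAMES:
            found.append((name, value))
    return found


def redact_url(url):
    """Return the URL with every session id value replaced by [REDACTED]."""
    parts = urlsplit(url)
    path = PATH_PARAM_RE.sub(lambda m: f";{m.group(1)}=[REDACTED]", parts.path)
    query = QUERY_PARAM_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}=[REDACTED]", parts.query)
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))


def scan_log(log_text):
    """Flag every request whose Referrer carried a session id; never store the token itself."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None or entry["referer"] == "-":
            continue
        for name, value in find_session_ids(entry["referer"]):
            findings.append({
                "client": entry["client"],
                "referer_host": urlsplit(entry["referer"]).netloc,
                "param": name,
                "token_length": len(value),  # length only, so the finding itself is not a leak
                "redacted_referer": redact_url(entry["referer"]),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['client']} arrived from {finding['referer_host']} with "
              f"{finding['param']} in the Referrer -> {finding['redacted_referer']}")
```

Run against the constructed lines it reports the first two requests and leaves the other two alone. On the site that issues the session, the fix is to stop putting the id in the URL at all: Servlet 3.0 containers accept `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml to disable URL rewriting, and the same scan run over your own logs will tell you which inbound referrers are still leaking.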

We hit this issue when watching the statistics for ZeroTurnaround and clicking on a referrer link to JavaBlogs.com, which uses URL-based sessions. To our surprise we could access the logged-in user data. Of course on JavaBlogs there’s not really that much data to access, but on another site this could be a serious issue.

For all I know this issue could be a very old and well-known one, but I had never heard of it and apparently neither have the JavaBlogs owners. If you’re making a public site, make sure to keep this in mind.


Posted in creative | 7 Comments »