• It uses a proprietary format for storing my account information. (Older versions used the Keychain format.)
• It does not integrate with Mobile Safari or anything that's not a browser (e.g., iTunes). This means browsing on my iPhone or iPad is practically impossible, and my iTunes password has to be easy to type, leaving me vulnerable.
• There's currently no way for developers to make sure their sites support 1Password. Given the way 1Password works, microformats seem like a possible solution.

Earlier this year, I heard about Account Manager, a new effort from Mozilla that aims to help web sites and users connect in a safe and consistent way. In other words, it can potentially make managing passwords online a lot easier, more consistent, and more secure. Furthermore, because it's being developed as an open standard, widespread support is a possibility.

The spec uses MediaWiki, which does not number sections by default. Because all references within the spec use section numbers, you might want to log in and select "auto-number headings" in your preferences. (You can also refer to the table of contents at the top.)

This weekend, I managed to find some time to explore Account Manager a bit. With the help of Dan Mills, I got it working with Firefox 4. He was also kind enough to provide some preview builds for you to use:

• firefox-4.0b4pre.en-US.mac.dmg (Mac)
• firefox-4.0b4pre.en-US.linux-i686.tar.bz2 (Linux)
• firefox-4.0b4pre.en-US.win32.installer.exe (Windows)

If you want to try it out before I give you a quick tour, install one of the Firefox 4 preview builds linked above, and visit my Account Manager demo.

Implementing Account Manager is pretty straightforward. To keep things simple, I'm only going to show you how to implement login and logout. Think of this as two steps:

1. Inform the browser whether the user is logged in.
2. Inform the browser how to log in and log out.

The first step is accomplished via the X-Account-Management-Status header. (This is a response header you can set with the header() function.) Here's an example:

X-Account-Management-Status: active; id="chris"; name="Chris Shiflett"; authmethod="username-password-form"

This header informs the browser that the user is currently logged in as chris. Instead of active (logged in), you may specify none (not logged in) or passive (remember me). The rest of the header is a semicolon-delimited list of attributes, three of which are currently defined: name, id, and authmethod. There are various options for authmethod, but I'm only going to be talking about username-password-form.

Informing the browser how to log in and log out is almost as easy. You indicate these things in an Account Management Control Document (AMCD). You can view my AMCD to get an idea of the format, but because json_encode() doesn't generate the most readable JSON, I'll share the PHP as well:

<?php
 
$json = array(
    'version' => 1,
    'sessionstatus' => array(
        'method' => 'GET',
        'path' => '/lab/account-manager/status'
    ),
    'auth-methods' => array(
        'username-password-form' => array (
            'connect' => array(
                'method' => 'POST',
                'path' => '/lab/account-manager/login',
                'params' => array(
                    'username' => 'username',
                    'password' => 'password'
                )
            ),
            'disconnect' => array(
                'method' => 'GET',
                'path' => '/lab/account-manager/logout'
            )
        )
    )
);
 
echo json_encode($json);
 
?>

Although it's not indicated in the spec yet, sessionstatus is now required. In a future post, I will discuss this in more detail along with registration and other features.

After you create your own AMCD, specify its location with a Link header:

Link: <http://shiflett.org/lab/account-manager/amcd>; rel="acct-mgmt"

As a reminder, you can try my demo of Account Manager. I encourage you to use something like Live HTTP Headers, so you can examine the HTTP traffic. If you want to implement Account Manager on your own sites, be prepared to make frequent changes.

Here are a few additional things I noticed:

• Account Manager does not seem to abide by the Cache-Control header correctly, which can make development cumbersome. You must restart Firefox for any AMCD change to take effect. (See my comment below for an alternative solution.)
• It is not currently possible to protect against CSRF, but there are ongoing discussions about it, so a solution is sure to come in the near future.
• Logging out currently requires the GET request method. As I've discussed before, POST is more appropriate. Because Account Manager provides a consistent interface, the request method you choose to use has no aesthetic implications, so I hope most people will use POST.

Want to participate in a new browser technology that just might prove to be more important than tabs? Install Firefox 4 (Mac, Linux, Windows), read the spec, try my demo, join the mailing list, and most of all, have fun!

There's a lot I did not cover in this post, but I will be blogging more about Account Manager in the near future. One of the missing topics I'm most interested in exploring is how Account Manager can potentially be supported by apps other than Firefox. It's possible that 1Password could continue to be essential, because it could be the app-neutral data store for all of my account data.

Tue, 17 Aug 2010 17:09 GMT — Chris Shiflett’s Blog

PHP finally has an anthem. This is what we’ve been lacking. [j.mp] /via @coates

If you haven't listened yet, take a moment to do so. There are a few options:

• Download the song (MP3)
• Download the entire album (MP3)
• Download the entire album (CD)
• Watch on YouTube

The song is by Lee Fernandes, who goes by @reelfernandes on Twitter. I couldn't find the lyrics online, so I created a new document on TypeWith.me to solicit help. To my delight, prompted by Sean's request, Lee joined and helped us out. :-)

TypeWith.me is made with EtherPad software. Lee thinks it's excellent. If you're sad about yesterday's news about Wave, you should give it a try.

The complete lyrics are below, with some links to add context. Enjoy! :-)

Oh yeah. (Oh yeah.)
(Just one day it just hits you all of a sudden. It's just like...)

Oh yeah, I'm so PHP this year.
Got a mic in the left, and 'n the right, cold beer.
Compile that Apache.
Now we got version 5 and two chicks laid out in the back seat.
Yeah, sometimes the code looks a little trashy.
But, this ain't ColdFusion.
Stop talking sassy, and pull up them panties.

I'm really... I'm just saying; why don't you go check out the API reference docs.
They're really good.
(They are.)

Is it underline or CamelCase?
I can't remember; I've been busy poundin' cakes.
It's what PHP developers do.
We get more booty than you.
Don't be jealous when you smell us; check the Boolean dude, it reads...

[chorus]
(Oh yeah.)
Check the Boolean dude; it reads true.
(Oh yeah.)
PHP gets more booty than you.
(Oh yeah.)
Check the Boolean dude; it reads true.
(Oh yeah.)
PHP gets more booty than you.
(Oh yeah.)
Check the Boolean dude; it reads...

True, PHP gets more booty than you,
but we still keep it clean.
MySQL really real wrappin' all strings.
Filter input like it was a herpes strain.
(You know what I'm saying?)
That's why we got the STD class.
Objects we pass might need to be trashed.
Girl, what you doin'?

Come gunzip this.
Be my witness as I strip this string of all slashes.
Now, I got what I need.
No traversing my filesystem when you ain't supposed to be.
That's how it is rolling with PHP.
All the hot chicks, yeah, they love PHP.
(It's so true.)
(Oh yeah, that's what I'm talking about.)

[chorus]

(Yo, yo, tell 'em about it.)

PHP: Hypertext Preprocessor.
It's real out here.
Somebody better call the mod_security officer.
My concern is for those weak half-assed scripting languages.
The ones that can't hang with us.
It's strange, but they get hanged and remain in dust.
Some aren't quite dead and still remain a pain to us.

PHP's got more muscle.
In a nutshell, nothing's quite like it.

Predicted by the ancient cultures and the psychics.
The ones who dreamt in recursive states.
Whispering premonitions of open source community gates.
PHP.

(Oh yeah...)

[chorus]

If you're curious to learn more, you're in luck. Sean and Paul Reinheimer will be interviewing Lee for a future episode of Pique Web, their new podcast on PHP and related web technologies.

Oh yeah!

Thu, 05 Aug 2010 14:31 GMT — Chris Shiflett’s Blog

If you've used MongoDB, you might be familiar with the default behavior of using a UUID as the primary key. This is convenient, especially if you partition your database across servers, because you don't have to coordinate the primary key in any way. If you use sequential identifiers (as I demonstrate in this post), you can use multiple servers and interleave identifiers by advancing each server's sequence by the total number of servers. (For example, with two servers, advance each sequence by two, so one server generates even identifiers, and the other generates odd.)

I'd rather not discuss the advantages and disadvantages of either approach, because it's exactly this debate that makes it very difficult to find any useful information on using sequential identifiers with MongoDB. Instead, I'm just going to explain how I did it, and hope this is helpful to someone. :-)

First, create a sequence collection that you can use to determine the next identifier in the sequence. The following creates a collection called seq that has a single sequence in it (for users), but you can add as many as you need:

db.seq.insert({"_id":"users", "seq":new NumberLong(1)});

If you assign seq to 1 instead of new NumberLong(1), it will be interpreted as a float due to a JavaScript quirk.

Before adding a new user, you need to increment the sequence by one and fetch the next identifier. Fortunately, the findandmodify() command provides an atomic way to do this. Using the MongoDB shell, the command would look something like this:

db.seq.findAndModify({
    query: {"_id":"users"},
    update: {$inc: {"seq":1}},
    new: true
});

Because I'm using Lithium, I added a method for fetching the next identifier to my User model:

<?php
 
namespace appmodels;
 
class User extends lithiumdataModel {
 
    static public function seq() {
        $seq = static::_connection()->connection->command(
            array('findandmodify' => 'seq',
                  'query' => array('_id' => 'users'),
                  'update' => array('$inc' => array('seq' => 1)),
                  'new' => TRUE
            )
        );
 
        return $seq['value']['seq'];
    }
 
}
 
?>

If you're not using Lithium, you can use the MongoDB class to execute a command().

With this in place, adding a new user is a simple process. I create an array called $data with everything I want to store for a user, and then do the following:

<?php
 
$user = User::create($data);
$user->_id = User::seq();
$success = $user->save();
 
?>

This example should be easy to adapt to any environment. Once you have the next identifier in the sequence, you simply store it as you would any other data.

I hope to blog more about both MongoDB and Lithium. As these technologies are still pretty new to me, please feel free to point out any improvements. I'll update the post accordingly.

Thu, 29 Jul 2010 19:52 GMT — Chris Shiflett’s Blog

Two weeks ago, I had the great honor of giving a keynote at the Dutch PHP Conference. Because I had never been to Amsterdam or to the Dutch PHP Conference, I was really excited to have a chance to speak there. It was also an opportunity to give my favorite talk to a new audience.

On the morning of the keynote, I followed along with conference organizer Lorna Mitchell to the RAI Center where the conference was being held. As soon as I saw the stage, I smiled. Not only would I be able to stand on a stage unobstructed by a podium or any other obstacle, the seats were arranged like a theater, making it easier to connect with the audience. (Conference organizers, please take note.)

It was lucky that I arrived early to test the video and audio. If you own a MacBook Pro, you may or may not know that it puts the sound card to sleep if it has been unused for a few minutes. (If you use headphones, you can hear when it sleeps and awakes.) When you're connected to a massive sound system for a theater, this behavior creates a really horrible noise. The solution I came up with was to play iTunes the entire time with the iTunes volume control turned all the way down. Hopefully this trick will save someone else a lot of trouble. :-)

As I began speaking, I noted that PHP had just turned 15 years old. Years ago, the community was energized by all of the misinformation being spread about PHP. It doesn't scale. It's insecure. It's not maintainable. When I began speaking about security, it was partly in response to some of this. I wanted to educate developers, so that we would not only take responsibility for the security of our apps, but also so that we could avoid the most common and dangerous security problems.

These days, petty insults probably continue in the comments on Digg or Hacker News, but no one takes them too seriously. Can PHP scale? Well, the biggest and most popular sites on the Web all use PHP, so I guess so. With no misinformation to energize us, it can easily seem like the PHP community has lost its luster. Not so.

In my talk, Security-Centered Design, I suggest we take a lesson from the design community, where user experience takes priority. We must evolve, or as Aral Balkan puts it:

The age of features is dead; welcome to the age of user experience.

My talk revolves loosely around security, but it's really a call to arms for my developer peers to take a step back and consider the bigger picture. We need to zoom out. Sometimes, even with a subject as technical as security, the social elements of the problems we face are just as important as the technical. If we can't empathize with users, we can't be great developers.

I want to thank everyone who took the time to say nice things about my talk. Hearing it described as the "best keynote I have ever seen" and the "highlight of the event" is really encouraging and makes it all worthwhile. I can't possibly thank you enough.

I'll leave you with a little taste of the talk where I invite everyone to participate in a change blindness experiment. I may discuss change blindness and how it applies to the Web in more detail later, but for now, see if you can spot the difference in the two photos I used in the change blindness video I created for this talk.

Thanks again to everyone who woke up early after a late night at the conference social to see me speak, and I hope to see you again sometime. :-)

Wed, 30 Jun 2010 22:12 GMT — Chris Shiflett’s Blog

One morning via Skype, I shared a crazy idea that I wasn't entirely sure of yet, trusting Jon to tell me if it was a bad idea.

What if we make every URL a sentence?

Before he could respond, I pasted in some examples I had been playing with to help clarify what I meant:

• /is (About)
  • /is/here (Contact)
  • /is/hiring
  • /is/chris-shiflett
• /does (Work)
  • /does/web-design
• /helps (Clients)
  • /helps/digg
• /thinks (Planet)
  • /thinks/about (Tags)
  • /thinks/about/oscon
• /remembers (Timeline)
  • /remembers/2008 (Archive)
• /writes (Books)
  • /writes/essential-php-security
  • /writes/http-developers-handbook
• /has (Site Map / Search)
  • /has?php
  • /has/colophon
  • /has/accessibility
• /shares (Feeds)
  • /shares/news
  • /shares/planet
  • /shares/everything
• /presents (Talks)

These URLs still adhere to a basic — albeit shallow — hierarchy to help keep things organized, but instead of the usual about, work, and clients, I used verbs like is, does, and helps. I was pleasantly surprised to hear Jon liked the idea. He noted some limitations, like the challenge of avoiding awkward wording when the hierarchy was deep, but he thought it was worth trying to map out the entire site to see if we could make it work.

Because the site was fairly small, it turned out well. As I noted previously, this approach isn't appropriate for all sites, but it can give URLs a voice of their own. (I don't use URL sentences on shiflett.org.) It can also help you organize your pages. For example, if a page can't fit neatly into a sentence that starts with example.org is..., then it probably doesn't belong in the about section of the example.org site.

There are other ways to make sentences with URLs, especially if your domain name can be used as a verb. And you don't mind. :-) Using verbs (present tense) as the top-level hierarchy is just one example.

There have been other uses of URL sentences over the years:

• Jon collaborated with Jon Gibbins on a really neat site for Denna Jones that uses URL sentences and other interesting innovations. (Pages like the colophon do not, but the primary ones do.)
• Clearleft use URL sentences in their latest redesign. Paul Lloyd discusses this and more in a related post about URLs.
• Ann McMeekin cleverly uses URL sentences to indicate categories for her blog. Some posts she considers; others she shares. A full list of categories is available in the sidebar.
• Cameron Koczon used URL sentences when redesigning Jessica Hische's site. She chose verbs like typographizes and designifies to add a bit of her personality to the mix.
• Martin Geber used past tense verbs as his top-level hierarchy, creating URLs that align with the idea that his site is a personal archive of thoughts, memories, and the like. He writes more about the inspiration for the site. Thanks for the nod, Martin!
• Kernpunkt gives a German interpretation of URL sentences. This is the only non-English example I've seen.
• There are some examples of URL sentences being used to add a bit of flavor to an existing site without reorganizing everything. Adrian Sevitz pointed me to his company's site as one such example.

I'm really happy to see other people embracing URL sentences and adding their own creativity, personality, and style. If the idea makes sense for a site you're making, please let me know, and I'll add your example as an update or comment to this post.

If making sentences out of your URLs makes you smile or makes your work more fun, you should definitely do it. The best sites are the ones we make while having fun. :-)

Mon, 31 May 2010 20:14 GMT — Chris Shiflett’s Blog

The CSS Naked Day site has not been updated, but this year's CSS Naked Day is Fri, 09 Apr 2010. I'm a bit late, but the "day" officially lasts two days to account for time zone differences.

As I mentioned last year:

You have to look beyond the surface to truly appreciate good design, so participating in CSS Naked Day does more to show off my design than to hide it.

This is a chance to discuss improvements that need to be made to this site or any other. If you spot anything I could improve to better adhere to web standards or accessibility guidelines, please do let me know.

Join me, and show your support for web standards!

Thu, 08 Apr 2010 21:50 GMT — Chris Shiflett’s Blog

The first Webstock took place just a year prior to that impromptu discussion, and it has quickly become the top web conference around. I first began to realize what a big deal Webstock was when Nat Torkington had this to say about it:

Back home safe, utterly exhausted after Webstock. Best. Conference. Evar.

For those who don't know Nat, he ran OSCON — usually my favorite conference each year — for a decade. He has also been heavily involved in lots of other O'Reilly conferences, including unconferences like Foo Camp and Kiwi Foo Camp. For him to call Webstock the best conference ever is really saying something.

Fast forward to today. I'm sitting in a Starbucks in Los Angeles. The new Vampire Weekend album is playing. 16 hours ago, I began my journey to Wellington, New Zealand, and in another 20 hours, I will land there. (This journey will take a full day and a half.) I've been busy with a really exciting Analog project lately, so I haven't blogged about Webstock yet. If you haven't registered, you should hurry. They were almost sold out a few days ago, so it might already be too late. If you're lucky enough to be going, I hope you'll say hello.

I'm giving a workshop called Evolution of Web Security that combines some of my previous talks with some new material, covering the security spectrum from old to new, technical to social:

This is a multi-faceted workshop that explores new concepts in web security. After a solid grounding in well-known exploits like cross-site scripting (XSS) and cross-site request forgeries (CSRF), I'll demonstrate how traditional exploits are being used together and with other technologies like Ajax to launch sophisticated attacks that penetrate firewalls, target users, and spread like worms. I'll then discuss some ideas for the future, such as evaluating trends to identify suspicious activity and understanding human tendencies and behavior to help provide a better, more secure user experience.

I'm also giving a talk called Security-Centered Design that focuses and expands on some of the material from the workshop:

Security is more than filtering input and escaping output (FIEO), and it's more than cross-site scripting (XSS) and cross-site request forgeries (CSRF). Security isn't even always black and white. In order to create a more secure user experience, we need to understand how people think. Perception is as important as reality, and meeting user expectations is a fundamental of good security. In this multifarious talk, I'll explore topics such as change blindness and ambient signifiers, and I'll show some real-world examples that demonstrate the profound impact human behavior can have on security.

I gave this talk a few times in 2009, and I have updated it for 2010. Although the technical-to-social shift of web security isn't a topic that's being talked about that much yet, the transition is evident in a lot of recent activity, including solutions like OAuth and Facebook Connect. We need more people thinking about how to solve evolving technical and social problems. I don't pretend to have all the answers, but I hope this talk can be a catalyst for more awareness and discussion.

Webstock, here I come!

Sat, 13 Feb 2010 00:58 GMT — Chris Shiflett’s Blog

I used to speak at more than a dozen conferences each year, and it negatively affected the quality of my talks and the quality of my life. My speaking schedule for 2009 was much better:

Here's a brief list of other highlights:

• Sean and I wrote an article for Smashing Magazine.
• I participated in CSS Naked Day for a third time.
• I was Slashdotted for the seventh time.
• I visited Iceland for the first time with my friends Andrei and Helgi.
• I left OmniTI and started a much-needed period of renewal, also known as funemployment.
• I moved my office to a shared working space in Dumbo — Studio 612A — with the world's best studio mates.
• Sean and I pulled off another PHP Advent, an annual PHP tradition since 2007.

The highlight of the year for me was announcing Analog. I still can't believe how supportive everyone has been, and I can't thank you all enough. You can tell there's a lot of excitement and energy in the air as we enter 2010, and I hope Analog is a big part of all of the good things to come.

Keeping with tradition, here's a list of things I hope to accomplish in 2010:

Thanks very much for reading, and I hope you have a wonderful 2010.

Fri, 15 Jan 2010 04:16 GMT — Chris Shiflett’s Blog

A few months ago, I was on top of the world. The place was called Sjónarsker, and the view was breathtaking. It was the third day of a road trip around Iceland with my friends Andrei and Helgi, and I had just shared some big news with them. I was leaving my former company and starting something new.

They wanted to know what I would be doing next, and although I didn't know, I did have an answer. "Good people. Good work." These four words became a personal mission statement in the months that followed — something to provide focus and clarity.

Good people and good work go hand in hand. I remember how much I enjoyed working with Jon Tan and Jon Gibbins a few years ago when redesigning my blog. The experience is perhaps best remembered with a comment I made shortly after we finished:

Working with both Jon Tan and Jon Gibbins was a joy; not only do they possess the skills necessary to shape ideas and bring them to life, but their rich personalities and keen sense of humor makes the entire process a lot of fun.

Good work isn't work; it's fun. To do our best work, we need to love what we do. We need to surround ourselves with good people who appreciate good work. We need the freedom to break boundaries. We need to be inspired. Above all else, we need to be happy.

I'm very happy to introduce Analog, a co-operative of web designers and developers:

Analog is a company of friends who make web sites. It's a co-operative where imagination, design, and engineering thrive; good people doing good work.

Allow me to introduce you to my friends.

Co-operatives are organizations that adhere to the co-operative principles. Jon's description of his personal values — values we all share — helps explain what we're about:

I believe that everyone working on a project should profit equitably from it according to the scope of their participation. I believe we should have the right to claim our own work irrevocably, without suffering the indignity of being white-labelled. (It still happens.) I believe that working for nothing in order to secure clients is daft, and reject the notion that designing "on spec" has any benefit whatsoever for anyone involved. I believe that if democracy and freedom are important to us, then they shouldn't be signed away when we take a job.

Being a co-operative is an important part of who we are. This is why we proudly use analog.coop as our all-important online identity. It's also why we're an industrial and provident society, which is something I hope to tell you more about in the near future.

Twitter seems to be the primary source of activity these days, so it felt natural to announce Analog there, which we did just before Christmas. We're still a bit stunned by what happened next. TweetReach says news of our launch reached more than a quarter of a million people on Twitter in the first few days. The abundance of support and kindness has been both overwhelming and uplifting. To those of you who helped celebrate our launch, I can't thank you enough.

There's a lot more to talk about — GeoIP wrangling, Twitter integration, #grid, Easter eggs, &c. — but I'll save those topics until I have more time.

For now, I just want to wish you a very happy new year! :-)

Thu, 31 Dec 2009 23:31 GMT — Chris Shiflett’s Blog

Paul gets things started with an article on comprehensible code:

Reading code is hard work. Here are some reasons why, along with some tips on how to make it easier for other developers to understand your code.

Thanks to everyone who has helped spread the love on Twitter and elsewhere, and thanks especially to our authors.

We've got a few surprises this year, so I hope you'll follow along. You can follow @phpadvent on Twitter, subscribe to our feed, or just visit phpadvent.org for a daily dose of tips, tricks, and tidbits.

You can also read previous PHP Advent articles if you haven't already:

• PHP Advent 2007
• PHP Advent 2008

In addition to PHP Advent, you might also be interested in 24 Ways, an advent calendar for web geeks.

Mele Kalikimaka!

Tue, 01 Dec 2009 23:07 GMT — Chris Shiflett’s Blog