Colliding cookies

For the Alberta Greens we're setting up a swath of subdomains to use in organizing voter phonebanking and canvassing. The setup looks like this:

However, we had some strange problems where after logging in to one site you couldn't log into any of the other sites. A bit of research found that the problem was that PHP session cookies were colliding. I found a post in the Drupal issue tracker that someone else had already filed for the problem. Different people did research in different areas on what was causing the problem and how to fix it.

The problem happens because by default Drupal sets the cookie domains to be:
.sub1.domain.com
And all session cookies are given the same name. And in theory all should work as expected because PHP should return the most specific cookie for our current session. But it doesn't.

It turns out that web browsers return all the cookies that could possibly apply, not just the most specific one. And PHP gives Drupal the last cookie it gets, which unfortunately is probably not the one we want. So this is a PHP bug. It's also a bug in the original cookie spec as there are conflicting rules about what order cookies should be sent by the browser. And thus different browsers can return the cookies in whatever order they choose. Yikes, this runs deep.

So a bug has been filed with PHP. But meanwhile a patch has been filed to make Drupal work around the issue by giving a unique name (derived from the $base_url) for the session cookie. Hopefully this patch makes it into Drupal 5.2.
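The collision and the renaming workaround described above, as an added PHP example that is not the Drupal patch or code from the original post. The parent-domain cookie `.domain.com`, the `PHPSESSID` name, the session values, the function names and the `SESS` + md5 naming are assumptions made for illustration; the last-value-wins parser models the behaviour the post describes.

```php
<?php
// Constructed sample jar: [cookie domain, name, value]. Hosts and values are made up.
$shared = [
    ['.domain.com',      'PHPSESSID', 'session-for-main-site'],
    ['.sub1.domain.com', 'PHPSESSID', 'session-for-sub1'],
];

// A cookie set for ".domain.com" applies to domain.com and to every subdomain.
function cookie_applies(string $cookieDomain, string $host): bool {
    $bare = ltrim($cookieDomain, '.');
    return $host === $bare || substr($host, -strlen(".$bare")) === ".$bare";
}

// Cookie header the browser sends to $host; $reverse mimics a different browser ordering.
function cookie_header(array $jar, string $host, bool $reverse = false): string {
    $pairs = [];
    foreach ($jar as [$domain, $name, $value]) {
        if (cookie_applies($domain, $host)) $pairs[] = "$name=$value";
    }
    return implode('; ', $reverse ? array_reverse($pairs) : $pairs);
}

// Models the parsing the post describes: for a repeated name, the last value wins.
function parse_last_wins(string $header): array {
    $cookies = [];
    foreach (explode('; ', $header) as $pair) {
        if (strpos($pair, '=') === false) continue; // skip empty or malformed pairs
        [$name, $value] = explode('=', $pair, 2);
        $cookies[$name] = $value;
    }
    return $cookies;
}

// Per-site name derived from the base URL (prefix and hash are this example's choice).
// A site would pass it to session_name() before session_start().
function session_cookie_name(string $baseUrl): string {
    return 'SESS' . md5($baseUrl);
}

$sub1Name = session_cookie_name('http://sub1.domain.com');
$unique = [
    ['.domain.com',      session_cookie_name('http://domain.com'), 'session-for-main-site'],
    ['.sub1.domain.com', $sub1Name,                                'session-for-sub1'],
];
foreach ([false, true] as $reverse) {
    $old = parse_last_wins(cookie_header($shared, 'sub1.domain.com', $reverse))['PHPSESSID'];
    $new = parse_last_wins(cookie_header($unique, 'sub1.domain.com', $reverse))[$sub1Name];
    echo ($reverse ? 'reversed' : 'jar order'), ": shared name -> $old, unique name -> $new\n";
}
```

With the shared name, the session that sub1 receives depends on the order in which the browser sends the cookies; with per-site names it does not.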

So this rather complicated (and hard-to-follow I'm sure) story shows why Open Source is so great. If it was just me trying to figure this out on my own, I would have gotten as far as "My cookies are colliding and I'm not sure why". And I would have created an ugly workaround that would have been difficult to maintain.

But because there were about 10 people working on it, we all pitched in a bit of effort and created a solution that actually fixed the problem for the long term.

Yet another reason why proprietary software isn't a good solution for running a website.

OSCMS Summit

So today is the beginning of OSCMS Summit 2007 (Open-Source Content Management Systems) hosted by Yahoo in Sunnyvale, California. Unfortunately I'm not there. The conference sold out mere days after registration opened; faster than I could contemplate what all I'd need to arrange in my life for me to go.

And so I'm trying to get as much info from afar as possible. Reading Blogs, Powerpoint presentations, podcasts, and hopefully some video when that becomes available. But it's just not quite the same. I can't talk to people face to face, I can't feel the energy in the room. Kathy Sierra comments on this phenomenon in a recent blog post: Face-to-Face Trumps Twitter, Blogs, Podcasts, Video...


So I was doing some development today for a new client's site. I was trying some new things and working with the Drupal API. Drupal has a good reference site for the API at api.drupal.org. I was working with a theme function. With the theme functions you simply copy the original function into your theme and then make whatever changes you want. It's part of what makes Drupal so easy to customize.

However when I pasted the function into my theme I started getting a bunch of errors. After a bit of hunting around I discovered that the code on api.drupal.org was not quite current. After finding the current version of the function, everything was ok.

I'm not sure how often the code on api.drupal.org gets updated, but apparently it's not enough. It's obvious that the main module that runs the site needs some updating as 5.0 is not even listed (You need to search under the HEAD branch). Does that mean that the code content hasn't been updated since before the last branch? That can't be right.

I wonder who to talk to about this?

Why we use Drupal

There's an interesting article on Collaboration Loop that talks about Drupal (The application that we use to run our websites) and why it works great for helping online collaboration.

There is probably nothing in Drupal that products from the big vendors can’t do and may have implemented somewhere. The difference is companies using Drupal are meeting customer needs faster and cheaper because they are sharing innovations within the community. This is resulting in a growing community that is increasing the pace in which new innovations are brought to market.
-Larry Cannell

Back from vacation

So I'm back from vacation. We had a great time out in Victoria staying with our good friends Lauren & Daryl Elving-Klassen. On the coast the trees have buds, and the tulips are just poking through the ground. We arrive back in Calgary to 10cm of fresh snow and highs of -15C. Who lives in this place???

A few days ago a minor vulnerability crept up in Drupal core. And another one in the captcha module which I use on sites that allow anonymous comments. I quickly patched all of the sites that we work on (It would be pretty tricky to exploit these flaws, but we make it a policy to stay on top of these things). Unfortunately the patch for captcha made the module unusable in some of the most common configurations (!?!?!?). So I dug into the code and fixed the flaw.

This is the great thing about Open Source Software. Someone found a vulnerability in the code and made a fix for it, giving it back to the community at large. I found a bug in the code and made a fix for it, giving it back to the community at large. No one person (or any closed group) could have created a CMS/framework/platform as solid/scalable/flexible/etc. as what Drupal has become. Because we share our work, we all benefit.

New site, new blog

I've been pretty busy with client work over the past few months which seriously delayed me getting this site up. But it's finally here. CommunIT.ca finally has a web presence. Rather important seeing as what we do is help other people (nonprofit organizations and the like) develop a web presence. And along with the new site is this new blog. What you'll find on this blog is news about CommunIT.ca and my thoughts on the sites that I'm working on and the tools that are used. The main tools that get used are Drupal and CiviCRM. These are two great FLOSS tools that are made for non-profit organizations.