small updates

We've made a few small changes in the past few days. Some of them are invisible to most users, backend changes. A few of them are stylistic changes that we feel are steps in the transition to a prettier bookmarking tool.

First, we cleaned up our bookmarks lists a little bit:

As you can see, we added some space between bookmarks, floated the info and edit/save links to the right, and replaced the single-color english links with colorful icon-based links.

• Green links with pencil icons have already been saved by you: click the pencil to edit the link.
• Click a heart to add the link. 
• Click the pencil to add or view comments.

We also simplified our add bookmark dialogue (and fixed a unicode bug):

The top action bar, search bar, and lower action links have been removed. And a cancel link has been added. Much less cluttered than before.

We've got plenty of other updates in queue. But, we're certainly not opposed to taking a detour if you find any bugs or have any great suggestions. And if you like what we've done so far, we'd like to hear about it!

thepointless.com: beginning facebook integration

I've been taking time recently to work on thepointless.com. Frankly, it generates significantly more traffic than Svidgen currently does, and I'd like both reward and harvest those visitors, rather than let the flow of people slowly die off as I have in the past.

On a content level, I've removed a lot of fluff and pushed article-type content out to the angry stickman blog. The site has been trimmed down to a few outbound links and two activities: the clickometer and the dots. Both of these have generated a good deal of traffic in the past and have been featured on other sites, including some youtube videos.

I've also started some facebook integration. So far, this has involved three things:

1. (re)Creating a facebook page
   This was pretty easy to do. The site is pointless, so the facebook page could be equally pointless. The primary obstacle, which is still an issue, is getting facebook to properly auto-update notes based on the RSS feed of the angry stickman blog.
   
   In general though, I find this to have been a good investment. The page allows me to instantly remind previous "likers" that the site is still there, and it's still awesomely pointless. Furthermore, because it's social, interactions with the facebook page serve as a free advertisement directly in friends' news feeds.
   
2. Adding a Like button to the site
   This was pretty easy to do. It's set to share the count with the corresponding facebook page. It's easy for someone to click if they like what they see. And that subscribes them to future status updates from the site. Good stuff.
   
3. and Basic "score" publishing
   The clickometer and dots provide "scores" after the initial interaction. Using the simple JavaScript FB API, these scores can be easily published to a user's FB news feed. And a few folks publish their scores every day, which occasionally leads to an increase in traffic, and more importantly, a really awesome news feed item.

From a marketing perspective, the ROI for reworking the site and starting some basic FB integration has already been great. I'm seeing traffic slowly increase. And I've seeing pages/visit increase drastically. People are engaging more with the site and publishing their interactions, which is turn is drawing more attention.

Since this blog is intended primarily for geeks, I'd be willing to write a little about any of the specifics of the "integration." But, I'm not going to rush on that unless someone voices their interest. The main points are these:

• thepointless.com has been remade and has my active attention.
• facebook integration, even on a basic level, is really beneficial.

In any case, keep your eye on thepointless.com for more updates. I'm thinking of recreating the monkey war next, with facebook integration -- but who knows? It's thepointless.com after all, anything could [or couldn't] happen ... 

efficiency concerns

I just wanted to let folks know that I'm aware of some efficiency concerns on Svidgen. Namely, your Heros' Bookmarks list and tag autocompletion for <user x's=""> Bookmarks have the potential to operate very inefficiently. The latter issue deals with the order in which tags are being filtered. And there's actually a two-stage optimization that I'm considering there. I have some ideas for the former issue, but it's less likely to be an issue until the site grows in popularity. You probably haven't even noticed that one.

So, in short, if you're experiencing some particularly high tag autocompletion latency, know that I'm aware of it. And I'll try to have an optimization in place within a week or so.

A brief authentication issue has been resolved

An issue with authentication, which was reported this afternoon, was preventing users from signing in. We can see how preventing users from signing in might be bad for business. So, we promptly corrected it.

The issue involved a few misplaced lines of code that break the user out of SSL after successful authentication. The code should have been moved to it's new home with a larger segment of code, but it's such a small snippet of code that it was simply overlooked.

For those interested geeks:

if ($signin_event == true) {
    make_secure(false);
}


After successful authentication, the $signin_event flag is set to true. After the core signin routines are called successfully, the make_secure() method is called with a value of false, returning the user to the "non-secure" version of the site. For the production version of the site, this means redirecting the user from an https URL to an http URL.

However, the redirect() method used in this make_secure() method outputs the HTTP Location header with some informational HTML and then terminates the script. And this was occurring before the session cookies were being sent — not a problem for the staging version of the site, which requires no redirection when make_secure(false) is called. For the production site, however, this was preventing the cookie headers from being sent. (One might say that the $signin_event didn't really happen yet :) )

We failed to detect this, because we already had the session cookies from our previous sessions, and it really didn't seem like a game-changing update. So, for ourselves and anyone else who happens to be human, here are some web development reminders:

• Keep the "subtle" differences between yours staging and production environments in mind. They start to seem trivial after awhile, and they're easy to forget. But, minute differences can be crippling.
• Test authentication, session, and cookie-related updates with a clean cookie cache. This is most important when you're playing with cookies. But, anything that touches "the session" in a unique way should probably be tested from a blank state.
• Always keep in mind which methods terminate the script, blocking other important actions. In the very least, be ready to check your methods if you have any doubts. It can be difficult to debug strange behavior if you've totally forgotten than redirect() terminates execution instead of returning. One might say that redirect() should never terminate execution anyway. I didn't necessarily like implementing it that way, but there's good rationale for it in this case.
• Be careful when you copy and paste! It sounds like a simple and stupid reminder. But, I've been involved in web development for years, and I still forget to fully examine my context when I'm tired, bored, under-caffeinated, or simply doing something tedious.

This is by no means an authoritative, comprehensive list to avoid mishaps. It's what came to mind while I was writing this update. So, there you have it.

If you have any tips you'd like to share for avoiding mishaps like this, feel free to comment.

New Feature: search tailoring!

Since its inception, Svidgen has provided bookmark-improved search results a Google Custom Search Engine (CSE). Well, we've finally enabled a Search Just These Sites feature. You can now slice and dice the public bookmarks on Svidgen in any way choose and search within just those sites.

I'm talking about some pretty vast flexibility here. You can search across some really particular slices of the web.  For instance:

• All sites bookmarked on Svidgen
• Just your bookmarks
• All sites with certain tags, like recipes
• Sites that your heroes tagged with world of warcraft
• Just your humor sites
• Or maybe just one site that you happen to think is awesome

And we're working on making this even more flexible and friendly. But, even in the its current state, you can tailor your searches to work against slices effectively enough to eliminate retail results for cool mist vaporizers when you really just need to know the health benefits of cool mist vaporizers. And you can easily get results solely from your list of scholarly sources when your professor says, Wikipedia is not a valid resource! And you can do great things we haven't even thought of! So, post your ideas!

There's just one problem: we're not really sure what to call this. Today we're thinking search tailoring best describes it. A few days ago we thought that search slicing or slice searching was best. What do you think?

What's the best way of saying, You can search the web how you want to now?

Oops! We had a tiny security issue ...

Alright, it's not like there are enough users or conversations taking place on Svidgen that a little security hole here and there is a big deal--it's in BETA, and I'm pretty sure I know the entire user base on a personal level.  I am still slightly embarrassed to admit, though, that I just noticed a big security issue with internal messaging.  Until a few minutes ago, psuedo-knowledgeable users would have been able to log in and view the subject line and participants of any given conversation in the system.

... Yeah.  That's a pretty big oversight.  And to be perfectly honest, I'm not sure when I removed the necessary security checks for participation on the functions that return those two pieces of information--but they were missing.  My best guess is that they were removed or omitted for debugging and never (re)added.

Well, I (re)added them and double-checked the rest of my messaging functions for missing security code.  It should be all better now.  The lesson for all solo developers out there (and small development teams, I guess) is to remember to try cracking your system during testing!  You can't trust any code you've written yourself, precisely because you've written it yourself!


In addition to running some crack-in attempts on your own system before publishing, it's a very good idea to have another developer (or twenty) look over your code and check for holes, efficiency issues, and algorithmic errors.  As illustrated in any math class, the wrong solution always looks right to the student who wrote it.

(IE8) Cookies have been reassembled!

Well, I said I would post back when I determined in what way IE8 was breaking my cookies, and I think I have.  The issue seemed to be a combination of a difference in behavior in which IE8 handles session cookies (cookies that are deleted when the browser closes) for linked resources (such as my opensearch xml specification) and an authentication policy I previously had on Svidgen.  That is, until recently, any un-authenticated HTTP request acted as an explicit sign-out.  I think this would still be a nice security precaution to implement, but IE8's cookie handling won't allow it.

My initial quick-fix for this issue was to give my opensearch specification some caching rules that would encourage browser to avoid requesting the spec on each page load (they really shouldn't be anyway).  However, because these caching directives are not necessarily adhered to, I have now also changed my session behavior to some extent.  Unauthenticated HTTP no longer act as an explicit sign-out on Svidgen.  If this behavior doesn't seem to match your experience with the site, please let me know as soon as possible!

I also found some forum posts floating around which suggested that IE8 requires the domain attribute to be set in cookie headers.  I updated all of my cookie-setting code to reflect this alleged requirement, because it's good to be explicit.  However, I am very skeptical that IE8 ignores cookies without an explicitly set domain.  In fact I think the requirement was probably "deduced" by a shoddy developer at whits end ... Point me in the direction of some documentation if I'm wrong.

Internet Explorer 8 broke my cookies!

Fairly recently, I discovered that svidgen.com does not properly manage sessions with IE8.  Is seems as though the general session cookie (svession) is being set and maintained correctly in all browsers, including IE8.  However, my "subsession" authentication token (atoken) headers are not being respected by IE8 in all cases, causing signin to last for only a single page view.

After spending some time Googling around, it seems as though some other folks are having similar issues.  And, from what I can tell, this may have something to do with "enhanced" security on cookie handling in IE, which requires cookies to have the domain explicitly named--though I have yet to find any Microsoft-published documentation to confirm this.  In fact, I have yet to see any Microsoft-published documentation on cookie-handling in IE8 at all.

Can anyone point me in the direction of this documentation?  I can't find any cookie information on the IE8 Readiness Toolkit for Developers.  But the information regarding changes in cookie handling must certainly exist somewhere ... mustn't it?

In any case, I'm working to resolve the signin issue as soon as possible.  If you have any information that might help me resolve the issue more quickly, it would be greatly appreciated.  And of course, once the issue is resolved, I will post again with any information that may help other developers who are experiencing IE8 cookie issues.

Messaging on Svidgen has arrived!

Hooray! You can send messages to other users on Svidgen now!

Now all it needs is some users ...

Adding Messaging to Svidgen

Svidgen development has been delayed for awhile now. However, in the past few days I have gotten a good amount of work done on an upcoming messaging feature. A pretty standard feature on most social sites, it will allow users to send messages amongst themselves.

Svidgen's implementation of messaging will come in the form of conversations—at least initially. Conversation messages never get deleted or edited as long as the conversation itself exists. And, once involved in a conversation, a user can see all of the messages in that conversation. You don't reply to one specific user or reply to all, as you might for an email; you just add messages to the existing conversation (or start a whole new conversation).

Before the feature is released, a few more basic (sub)features are needed, such as the abilities to add users to an existing conversation, leave a conversation, and set up optional email notifications for new messages. Also missing is a user-lookup feature on the To field. But, these updates shouldn't take longer than a week or two (possibly less), barring any major and unexpected events in my life.

So, be on the lookout for the messaging feature to hit Svidgen soon!

Added Bookmarklets and the Webmaster's add2svidgen link

When I started Svidgen, I wanted to make sure to provide some greak bookmarklets--links that do magical things from your browser's bookmarks menu or links bar. I started with the most essential, the add2svidgen link. It pops open a little window, prefilled with the URL and Title for the page you wish to bookmark. Just add tags and a description (both optional) and click Save Bookmark. Of course, if you're not signed in you're prompted to do that first ...

Now, I've sort of jumped out of order on my pendind updates list and added two new links for your links bar. They're not really bookmarklets, but they're both very magical. And they make using Svidgen much more convenient (and useful).

The first, the mine@svidgen link, takes you to the signed-in user's bookmarks, sorted by recency. If you're not signed in, it takes you to either the bookmarks specified by default_to=username in the URL or the general directory. If you're signed in when you grab the link from the About page, your username gets embedded in the URL. So, even if you're not logged in, that link will still go to your public bookmarks.

The second one, recent@svidgen, takes you to the most recently linked URLs on Svidgen. The neat thing is that this link is so easily customizable! I've included a textbox next to the link that allows you to update the link with tags (with the help of JavaScript). You get the same autocomplete feature on this textbox as you do with any other tags box on the site. So, finding tags you want to link directly to is a snap. Just type your favorite tags in (like humor), hit the Update button, and drag your new humor@svidgen link to your links bar.

And lastly, I added some copy-paste code for webmasters. It's located on a special webmasters page, which I hope to add more gadgets to in the future. Currently, all I have there is the code for HTML+JavaScript version of the add2svidgen link. When the site increases in popularity, I'll see about getting Svidgen listed in the addthis directory--at which time my add2svidgen code will likely appear side-by-side with addthis code.

That's it for now. I'm still trying to finish up SvidgenF (my simpleton's framework) and get messaging and pages up and running on Svidgen. Hopefully my next post will come with a nice slew of fancy updates ...