Slaarti The Hutt
  • slarti

LJlogin 2.0 Release

It is with a great deal of relief and some quantity of pleasure that I finally release LJlogin 2.0, the long-awaited, much-anticipated overhaul and feature upgrade of everyone's favorite Firefox-based LiveJournal account management system. In the process, I'm also announcing the official opening of the new LJlogin site, built on the Trac system, which will allow me to more readily provide updates to documentation and a view into the source code and any issues I create in the tracker for things I'm working on for any future versions.

For a full accounting of the new features and such, please see the roadmap entry for this milestone. A couple of things that I can readily tell you are that you will need Firefox 2+ for this -- sorry, 1.x users, but you'll have to catch up to the modern world :-) -- and that yes, this version does include support for multiple LJ sites.

So, fire up your Find Updates buttons, and Share and Enjoy!
Slaarti The Hutt
  • slarti

ScrapBook authentication

Okay. One bugaboo that several people, myself included, have grumbled about is that despite LJlogin assuring you that you're logged in, ScrapBook refuses to believe it. Well, I've finally done about as thorough an investigation as I can manage, and the results... are not good, and have me rather annoyed.

Once upon a time, there was the ljsession cookie, which represented the sum totality of authentication and session management. Then a bunch of pwnage happened, and LJ realized how hellaciously insecure that was, so they went to what they referred to as the "2+n cookie scheme". In the 2+n scheme, there're the ljmastersession cookie, which is similar to but more complex than ljsession used to be, and the ljloggedin cookie, which provides a uid/sessionid mapping. Those are the "2", and the "+n" are what they call "domain session cookies", one per user account whose journal you visit. The idea is that the most a person who sets up some malicious JavaScript in their journal layout can manage to thieve is the domain session cookie, which doesn't provide enough info to pwn your account.

So what happened to good ol' ljsession? Well, if you log in via login.bml, it gets set to the value of a domain session cookie that ScrapBook can recognize. Problem is, the creation of a domain session cookie can only happen on LJ's servers, because they require a lookup/generation of a time-based randomized "secret" that's stored in LJ's database. Everything else that goes into a domain session cookie, I can construct, but without that secret, I can't actually create one, and LJ's client interface provides for no such thing.

I could, probably, theoretically, do something involving making requests to login.bml and scraping the results I got, but that would be a much more complex, probably error-prone, and ultimately disgusting procedure, so just so everyone knows, I'm considering "ScrapBook login compatibility" to be way the hell down towards the bottom of the feature pile. If someone wants to find someone at LJ to talk to to add a "generate a domain session cookie based on your existing master session stuff" client protocol call, that'd be awesome, but I really can't be arsed to do the necessary "which comm do I post to, and how can I be sure I talk to an Actual LJ Person and not a Volunteer Who Can Only Pass Things Along To Actual LJ People" investigation myself right now, when I have to worry about getting myself organized to work on the chunks of code I can readily improve myself.

Okay. End of tl;dr rambling and ranting.
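To make the cookie-splitting idea above concrete, here is an added example (not LJ's or LJlogin's code) that models which cookies a script on one journal's host can read. The host names, the scoping of each cookie, and the `domsess-*` names are assumptions made for the illustration.

```javascript
// Added example: which cookies can a script on a given host read when session
// cookies are split per host? Hosts, scoping and names are assumptions.
// Matching follows RFC 6265 section 5.1.3 (host-only vs. domain cookies).
function domainMatch(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// Names of the cookies exposed to page script (document.cookie) on `host`.
function scriptReadable(jar, host) {
  return jar.filter((c) => domainMatch(host, c)).map((c) => c.name);
}

// Assumed old layout: one session cookie shared by every journal subdomain.
const singleCookieJar = [
  { name: "ljsession", domain: "journal.example", hostOnly: false },
];

// 2+n-style layout: master cookie pinned to the main host, plus one
// domain session cookie per visited journal (names here are hypothetical).
const splitJar = [
  { name: "ljmastersession", domain: "www.journal.example", hostOnly: true },
  { name: "domsess-alice", domain: "alice.journal.example", hostOnly: true },
  { name: "domsess-mallory", domain: "mallory.journal.example", hostOnly: true },
];

// A script placed in mallory's journal layout runs on mallory's host.
const layoutHost = "mallory.journal.example";
console.log("single cookie:", scriptReadable(singleCookieJar, layoutHost));
console.log("split cookies:", scriptReadable(splitJar, layoutHost));
```

With the single shared cookie, the layout script sees the whole session; with the split layout it sees only the cookie for its own journal.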
Slaarti The Hutt
  • slarti

LJlogin 1.2.1 Released: Now FF2.0.0.5 Compatible!

Okay, folks. Go ahead and hit that "Find Updates" button in the Add-Ons box and get yourselves the LJlogin 1.2.1 update. (I'm confident enough in the general FF2.x compatibility to finally consider this a full point release update, complete with update notification support and all. Aren't I nice.)

What was wrong? Well, basically, at some point, while studying how cookies work, I coded the session saving function to write the cookie to include "HttpOnly"; I can't recall if I actually thought I understood what it was for, or if I just thought it should be there. It turns out that that's a flag to say "hey, no, don't let JavaScript muck about with this cookie", and Firefox just never paid attention to that before now. And since LJlogin is JavaScript-based, well, yeah. I take that out of the cookie strings, and suddenly it's like magic. Magic and crankiness.

My thanks to bogboblin and kintotech for the first bits of solid info on what users were seeing, beyond "it doesn't work," and my profound thanks to Ted Mielczarek for the Extension Developer's Extension, which was invaluable to the actual debug process.
  • Current Mood
    cranky
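As an added illustration of the HttpOnly behaviour described in this post (not LJlogin's or Firefox's code), here is a small JavaScript model of how a cookie store that follows RFC 6265 treats the flag. Marking `ljmastersession` as HttpOnly and all cookie values are assumptions made for the example.

```javascript
// Model of the HttpOnly storage and visibility rules in RFC 6265 (sections 5.3, 5.4).
// Added example: not LJlogin or Firefox code. Cookie values are constructed.
function parseCookie(str) {
  const [pair, ...attrs] = str.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no cookie name: ignore
  const flags = attrs.map((a) => a.split("=")[0].toLowerCase());
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1),
           httpOnly: flags.includes("httponly") };
}

class CookieJar {
  constructor() { this.cookies = new Map(); }

  // fromHttp: true for a Set-Cookie response header, false for a script write.
  set(str, fromHttp) {
    const c = parseCookie(str);
    if (!c) return false;
    const old = this.cookies.get(c.name);
    // A script can neither create an HttpOnly cookie nor replace an existing one.
    if (!fromHttp && (c.httpOnly || (old && old.httpOnly))) return false;
    this.cookies.set(c.name, c);
    return true;
  }

  render(keep) {
    return [...this.cookies.values()].filter(keep)
      .map((c) => `${c.name}=${c.value}`).join("; ");
  }
  httpHeader() { return this.render(() => true); }         // sent to the server
  scriptView() { return this.render((c) => !c.httpOnly); } // document.cookie
}

function demo() {
  const jar = new CookieJar();
  const r = {
    // Server sets the master cookie HttpOnly (assumed flag placement).
    serverSet: jar.set("ljmastersession=MASTER-PLACEHOLDER; path=/; HttpOnly", true),
    // Script-side write that carries HttpOnly: dropped entirely.
    scriptHttpOnly: jar.set("ljsession=SESSION-PLACEHOLDER; path=/; HttpOnly", false),
    // Same write without the flag: stored.
    scriptPlain: jar.set("ljsession=SESSION-PLACEHOLDER; path=/", false),
    // Script cannot overwrite the server's HttpOnly cookie.
    scriptOverwrite: jar.set("ljmastersession=tampered", false),
  };
  return { ...r, http: jar.httpHeader(), script: jar.scriptView() };
}

console.log(demo());
```

The silent drop of the script-side write that carries the flag is the failure mode to look for when a JavaScript-written session cookie stops appearing after a browser update.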
Slaarti The Hutt
  • slarti

New Firefox Incompatible With LJlogin

Hi, yes, I'm aware that the 2.0.0.5 upgrade to Firefox breaks LJlogin. My thanks to everyone who's informed me of this on the previous post. :-) (Actually, no, seriously, it's good to get sufficient independent confirmation.) For those of you who didn't know, uh, don't upgrade to 2.0.0.5. For those of you who did, uninstall and get 2.0.0.4 again until I upgrade myself and do some code spelunking.

I have to say, I'm vastly unimpressed with Firefox having apparently fucked something in their APIs over the space of a point release update. Dirty pool.

I'll update again when I have a new release. Just to warn you all, though, I'm currently only aiming to fix this problem; I haven't yet gotten it in me to tackle all of the other cross-extension incompatibilities and wanted features. (If anyone else cares to tackle any of these, however, I do accept patches. :-)
Slaarti The Hutt
  • slarti

LJlogin 1.2.0 Released

It's done. Finally. I am so freakin' crispy now. But it's done, and I'm announcing the release of LJlogin 1.2.0, available from the usual location.

A few notes: First off, the website has not been updated to reflect the additions and changes to LJlogin's functionality. I'll work on that later. There was a maybe-related something I was going to say here, but I've forgotten.

Also, users of SessionSaver will probably find that it stops working upon installation of LJlogin 1.2.0. This is a known flaw, and will be worked on and hopefully fixed in 1.2.1 when I recover enough from the coder burn of the 1.2.0 dev cycle. In the meantime, Crash Recovery is LJlogin 1.2.0-compatible, and can be made to serve as a session saver by following the directions on its page. Apologies for any inconvenience on that score.

Finally, if any of you should happen to ever be in the Fredericksburg, Virginia area, feel free to look me up. :-)

Share and Enjoy!

[Edit: I'm lazy, so this is an edit rather than an entirely new post. FF2.0 users, try out version 1.2.0a from the website. It's the same code, but with the maxVersion bumped up to 2.0+.]

[Edit the second: For you GJ users out there, libekory has a present for you, to tide you over until I eventually maybe add multi support into the code base.]
  • Current Music
    Shriekback - Fish Below the Ice
Slaarti The Hutt
  • slarti

A brief update

Not quite an announcement, but more than just silence.

1.2.0 is what I like to call "feature-complete". This means that I've finished all the work of coding in new features and fixing all the new bugs that those new features cause. As it currently stands in my version control repository, LJlogin will, as far as I can tell, perform all the functions I've required of it. (And it's about goddamned time; the last couple of feature-adds involved too much mystery-solving in the debug phase.)

I'm not releasing it yet, though, because there are some re-factoring things to be done based on things I've learned in this dev cycle -- in other words, holy shit, is there some stuff I've been doing in rather too roundabout a manner, and I need to clean that up, or I'll feel dirty about it -- and if I don't do it now, I know I won't bother until the next time something breaks and I curse myself for being lazy. This should, to my mind and in my hopes, not take more than another couple of days at most.

Almost there, folks.
  • Current Mood
    accomplished
The Shadow
  • slarti

AAAAAAAAAAAARRRRRRRRRRRRGGGGGGGGGGHHHHHHHHH

Hi, gang. I've seen all the latest comments in the last post. Yes, LiveJournal apparently did something new in their "security" procedures to utterly fuck LJlogin. Now the ljsession cookie no longer contains the username at all. They've also apparently added an "ljloggedin" cookie containing a subset of the information from ljsession. I'm totally not happy about this.

I've also only been awake for about 15 minutes or so, and have to get ready to go to work. I have no time estimate on a fix. Sorry to disappoint everyone on that score; the last fix was so quick because all it needed was a quick improvement to how I was doing one thing. Now I have to find out if there's any way at all to usefully get a username given the information that's being provided now. It'll take some research, and possibly some support requests or something, and who the hell knows how long it'll take.

Goddamnit. Fuck you, LiveJournal, right in the ear.
  • Current Mood
    cranky wrathful
Slaarti The Hutt
  • slarti

LJlogin 1.1.1 - Special surprise ljsession change edition!

As just about everyone knows by now, LJlogin stopped working within the last day or so. I don't know the specifics behind their doing so, but I've tracked down the problem to a change in the ljsession cookie that LiveJournal returns.

It's ultimately my own fault, as the function that extracts the username from the ljsession cookie (used to print the username in the statusbar and to hand to LiveJournal during a logout attempt) made an assumption about the pre-username content of ljsession that was suddenly no longer valid. Thus, the regexp I was using failed, and thus the username wouldn't be returned, leading to much wailing and gnashing of teeth, etc.

However, it turns out that JavaScript has a function that can split a string based on a field delimiter. I didn't know that it did, but I've seen it in other languages so this time I went looking for it and found it, and using that instead of a regexp search not only fixes the problem, but should hopefully prevent it from happening again, barring a more extensive change to ljsession cookies.

In light of this, I'm releasing LJlogin 1.1.1, implementing this fix. It's available at the usual location. This is the only change from 1.1.0; further feature additions are beyond the scope of what I planned on for tonight, although I am thinking of them for the future. Share and Enjoy!
  • Current Music
    Battlestar Galactica on SciFi
Slaarti The Hutt
  • slarti

LJlogin 1.1.0, now with Firefox 1.5 compatibility

The subject line pretty much says it all. The important stuff, anyway. I did some reading, found where things did and didn't change between Firefox 1.0 and 1.5, and implemented the needed changes. I'll have to admit that I haven't tested it myself, having still not gotten my system in general upgraded, but others I've asked to test a release candidate indicated no problems, so I'm comfortable enough going public with it now.

It's available via the link from the userinfo page, as usual, plus the Update button in Tools->Extensions should Do The Right Thing.

Also, for Mozilla Suite users, I'm sorry, but I tried. I really did. There are just too many stupid little differences -- not least of which being the utterly retarded unstandardized "write your own install.js" non-system for installation -- to make it worth the trouble of trying to make it work. I hate to have to put it this way, but suck it up and install Firefox already. :-)

Comments, etc., as usual, are always welcome. Share and Enjoy!
Slaarti The Hutt
  • slarti

LJlogin 1.0.1

Sorry, 1.5 users, I'm still not ready for you yet.

Anyone still using pre-1.5, however, may be interested in LJlogin 1.0.1, available from the URL in the userinfo and, theoretically, the "Update" button in Tools -> Extensions. New in this point-release version are, I think, fixes for incompatibilities with Google Toolbar and ForecastFox (both of which I've heard complaints about) without breaking something else further.

I may try to follow any guides to upgrading 1.x extensions to 1.5 that I can find, and put up a test release to see if blind crash-course upgrading without a test setup somehow does the job. Or abuse whatever version of Firefox is on the work machine at my new job. Something to get it done sooner than next year, if I can manage it.

As usual, feedback and assistance are appreciated whenever offered. Apologies if this post is a bit erratic; I need to get to bed soon.