Turns out when PHP was upgraded, the php.ini file was replaced, and in the new version, it has the production value for html_errors which is Off. Once I set html_errors=On in /etc/php5/apache, colourful HTML-formatted output was producted by Xdebug.

For the Curious reader, I’m using the following xdebug configuration file, which I’ve located in /etc/php5/conf.d/xdebug.ini to prevent any php.ini changes from overwriting my Xdebug directives. Please note that this is a slightly modified version of the default xdebug configuration included in wamp, which I find to be quite nice:

zend_extension="/usr/lib/php5/20090626/xdebug.so"
xdebug.remote_enable=1
xdebug.remote_host="127.0.0.1"
xdebug.remote_port=9000
xdebug.remote_handler="dbgp"
xdebug.remote_mode=req
xdebug.profiler_enable=1
xdebug.profiler_output_dir="/tmp/xprofile/"
xdebug.collect_params=On
xdebug.show_local_vars=On

Check it out Here

From the developers website:

fakemail is a fake mail server that captures emails as files for acceptance testing. This avoids the excessive configuration of setting up a real mail server and trying to extract mail queue content.

I am quite impressed with this handy little script (written in both Python and Perl), as it works exactly as advertised: taking out the time required to properly configure a SMTP server and saving the hassle of having dozens of test messages showered across inboxes. Instead of forwarding emails on to their recipients, it simply saves a raw copy of the email to the specified directory.

The script has a windows installer that bundles the script with python and will run on all flavors of Linux and Unix assuming that they have perl or python installed.

To configure Zend_Mail use fakemail place the following in your bootstrapper or common config file:
[php]Zend_Mail::setDefaultTransport(new Zend_Mail_Transport_Smtp(‘localhost’,array(
‘port’ => 10025
)));[/php]

The ‘localhost’ variable is the address of the computer that fakemail is running on (likely the local machine). The port number is the port that is specified when fakemail is run on the command line.

For more information about fakemail, binaries, and a usage guide. Visit the developers website at Sourceforce: http://www.lastcraft.com/fakemail.php

<IfModule mod_expires.c>
     Header set Cache-Control "max-age=3600, public"
</IfModule>

The above checks to ensure the mod_expires module is loaded in apache, and if it is the Cache is set to expire 3600 seconds from now: 1 hour. Furthermore, the page can be cached in a publicly accessible (shared) cache.

Getting caching working with Zend was a little more challenging. By default Zend (or PHP) writes caching information to headers disabling caching. However, the code snippit below (to be placed inside an Action Controller) blanks out the expires header, sets the cache-control header so that the page expires in one hour, and blanks out the Pragma header.

The expires header allows the server to specify a date when the cache expires (Rather than setting the max-age offset) and the Pragma indicates if the page can be cached in a proxy. I found, with Firefox 3, if Expires and Pragma weren’t blanked out, they would take preference over the Cache-Control header, disabling caching of the page.

$this->getResponse()->setHeader('Expires', '', true);
$this->getResponse()->setHeader('Cache-Control', 'public', true);
$this->getResponse()->setHeader('Cache-Control', 'max-age=3800');
$this->getResponse()->setHeader('Pragma', '', true);

After the addition of caching, the page load was reduced to 8Kb of data pulled down over 9 requests: about a 90% optimization.

I have been using the Dojo toolkit as my Javascript library of choice since back in early 2006 when it was still around version 0.4. Since then, the project has made tremendous strides including the release of version 1.0 and 1.1 with 1.2 on the way. At the beginning of 2008 I started using the Zend Framework to build MVC PHP applications and, with the release of 1.5, it has become my PHP framework of choice.

To my delight, the Zend Framework and Dojo have recently announced a partnership which will lead to tighter integration of these two great open source frameworks.

One of the most exciting additions to the Zend Framework is the Zend_Json_Server support for JSON-RPC. I have been using JSON-RPC with Dojo for quite some time and, up until now, it has been challenging to find a design pattern that plays nice with the Model View Controller implementation in the Zend Framework. However, with the addition of the Zend_Json_Server this is no longer the case.

Prerequisites:

This tutorial assumes you are familiar with developing in PHP and javascript and are experienced with dojo and the Zend Framework using the MVC paradigm.

Common Pitfalls

• Absolute paths are used in the code examples. Ensure that you modify them to reflect your server’s directory structure. This tutorial assumes that you are working with a ZF project whose /html/ directory corresponds to the root of your webserver
• Ensure you place a .htaccess file in /html/scripts/ that disables the re-write engine. If you fail to do this step, when trying to load dojo libraries, ZF will be trying to find controllers that match the requests and throwing exceptions.

Patching Zend Framework

At the time of writing, the Json-RPC component has not been accepted into the Zend Framework (although it will be soon). To get the Zend Framework (ZF) working with Json-RPC we must download code from the incubator area of SVN. If you don’t know how to use a SVN client to check out code, read about it here. Download the current version of ZF and then, using an SVN client, download http://framework.zend.com/svn/framework/standard/incubator/library/Zend/Json/ and place it in the json directory of your local copy of ZF.

Setting up the Directories

For the purpose of this tutorial I will be using code and examples from Nickel: the application that will eventually run SFU Bookswap V.3. I use a fairly standard MVC directory structure as recommended by the ZF docs:

application
	|-default
	|-controllers
	|-views
html
	|-images
	|-scripts
		|-nickel
			|-RPC
library
	|-Nickel
		|-Models
		|-RPC
	|-Zend
		| .... Framework checkout

The reasoning behind placing the Nickel folder in the library is so we can use Zend_Loader to load classes on demand. Also, as a condition of this, the classes in the Nickel folder follow the ZF naming convention: so, say, the class for a book model would be named, Nickel_Model_Book.

Similarly, there is a corresponding directory structure in the scripts folder. This is to be used with the Dojo packaging system. So, to access the RPC handle for the book model we would call a function such as nickel.rpc.book.getAuthor()

Creating the RPC Controller

The next step is to actually create the RPC controller. I have created a file in /application/default/controllers/RpcController.php which contains the RpcController action controller class. RpcController has two actions: one which will return the SMD (simple method declaration) to dojo when the JSON-RPC object is instantiated. The second action, the service action, actually processes the RPC request and returns the result. So, we have:

/application/default/controllers/RpcController.php
[php]_getParam('class');

		$server = new Zend_Json_Server();

		$server->getServiceMap()->setDojoCompatible(true);
		$server->getServiceMap()->setTransport('POST')
       		->setTarget($this->getHelper('url')->url(array('controller'=>'rpc', 'action'=>'service')))
       		->setId($this->getHelper('url')->url(array('controller'=>'rpc', 'action'=>'service'))); 

       	$server->setClass($class);

       	$this->view->data = $server->getServiceMap();
		$this->render('service');
	}

	public function serviceAction(){
		$class = $this->_getParam('class');

		$server = new Zend_Json_Server();
		$server->setClass($class);
		$server->setAutoEmitResponse(true);

		$server->handle();
	}
}[/php]

The smd Action takes ‘class’ as a parameter. This is the name of the class that we wish to expose via Json-RPC, such as Nickel_Rpc_Book. Please note the function call setDojoCompatible(true) which forces the server to generate dojo-compatible SMD definitions. The target function call sets the target of the function calls (the service url) to the service action defined below.

The service action simply processes the RPC request by calling the specified function with the sent parameters.

There is a fairly large security hole opened by this implementation. Since any value can be passed to the ‘class’ argument, it is possible to remotely call functions for any class that can be auto-loaded. A ‘safer’ implementation would simply concatenate the class parameter with “Nickel_Rpc_”. This way is less likely that an attacker could compromise your server by calling a dangerous function.

Writing a RPC Class

Now that we have the RPC server set up we need some classes in Nickel_RPC to call. For the purpose of this example we will use a very simple Book class that has basic functionality:

/library/Nickel/Model/Book.php
[php]getTitle();
	}
	public static function setTitle($bookId, $title){
		$book = new Nickel_Model_Book($bookId);
		$book->setTitle($title);
		$book->update();
		return true;
	}
}
[/php]

In the above RPC class, in addition to the simpleEcho function, we have two static functions: one that reads the title from the Book Model, and the second which writes a new title back to the database via the Book model. Notice that the functions are static: this is because, in the case of our book anyways, a notion of $this doesn’t really make since, as we don’t actually know what book we want the title for unless we pass the book ID from dojo.

Writing the RPC Front-end

Now that we have the backend written, it is fairly quick to write the frontend.

The first step is to create the book rpc file so we can include nickel.rpc.book using a dojo.require statement:

/html/scripts/nickel/RPC/book.js
[js]dojo.provide(‘nickel.rpc.book’);
dojo.require(‘dojo.rpc.JsonService’);

nickel.rpc.book = new dojo.rpc.JsonService(‘/rpc/smd/class/Nickel_RPC_Book’);
[/js]

The above code snippet should be saved as book.js and placed in /html/scripts/nickel/rpc. When this file is included, a new JsonService object is created with functions populated from the SMD generated by the RPC controller class. As a result, nickel.rpc.book will now contain three functions: simpleEcho, getTitle and setTitle.

Using The Front-end.

Finally, we have the opportunity to see the fruit of our labour. Create an indexController and the accompanying view. In the view, after including dojo.js, create a new script block:

/application/default/views/index/index.phtml
...
[js]
...
[/js]

dojo.registerModulePath adds a module path to the dojo loader. This allows us to include our custom nickel modules easily and on-demand.

Conclusion

The Dojo Toolkit and Zend Framework provide a highly structured, maintainable JSON RPC system when used together. This can be used to easily propagate dirty javascript data objects to persistent storage in the backend, as well as expose PHP function calls to javascript to return useful data.

I hope you have enjoyed this tutorial. If you find any typos, mistakes or just wish to leave a message, please add a comment below.

I also encourage you to link to this post if you have found it at all useful in developing your web-application.

We can see that we have two choices: force the users to login to each separate application separately, or somehow combine all the applications under a single login.

A Central Authentication Service

Central Authentication Services allow a user to share a single login across multiple applications and even websites. OpenID and Yahoo are examples of large CAS hybrids that are becoming increasingly popular amongst social networking sites. However, CAS does not have to be so global in scope, many universities and companies use CAS when their services are best provided by several applications.

How it works

The series of events that occur during a CAS authentication session are as follows:

1. User attempts to gain access to the secure area of a photo gallery
2. The gallery detects that this user is not authenticated to view this content
3. The user is re-directed to the login page of the Central Authentication Service. A callback URL is passed to the CAS by means of a GET variable
4. The user enters their login information and it is verified. A cookie is set to identify this user as authenticated in the future
5. The CAS redirects the user to the callback passed by the photo gallery. A ticket is passed to the photo gallery callback page by means of a GET variable
6. The photo gallery establishes a secure connection to the CAS and checks to ensure the ticket is valid, if it is, the user has been successfully authenticated

Depending on the CAS setup, when the user enters another secure area of the website, say the wiki, they will be redirected to CAS, then transparently redirected back to the wiki callback page. This occurs because the user has already authenticated themselves with CAS, so there is no need to re-enter login credentials. To the user, it appears as if they were immediately authenticated by the wiki.

A Central Authentication Service also reduces some aspects of user information management as, if the user wishes to update their password; they need only do it once. However, CAS does not solve the problem of propagating other types of user information, such as the users name and contact information to the various applications. Furthermore, the authentication routines of the participating applications much be refactored to authenticate the user via CAS, then load the user information out of the local application database.

In Conclusion:

Central Authentication is a good way to improve the user experience if you are currently forcing users to authenticate multiple times. Furthermore, from a developers standpoint, it is a clean and safe way to pass authentication tokens between applications, especially if these applications may reside on separate domains.

For more information on CAS, including a JAVA server implementation, protocol descriptions and clients in multiple languages visit http://www.ja-sig.org/products/cas/index.html

The CookieInjector userscript simplifies this process, by allowing the user to copy-paste the cookie portion of the dump and have the cookies from the dump automatically created on the currently viewed web page.

To Use The Script:

Fire up Wireshark, formally Ethereal, if you don’t have Wireshark you can grab it from: http://www.wireshark.org/. Start listening for traffic on the same interface you use to access the internet. To cut down on extra packets, enter tcp as a capture filter. TCP is a transport layer protocol featuring reliable transport, congestion control and connection oriented transfers. Since HTTP uses connections between client and server and therefore the TCP protocol, is is safe to filter out all non-TCP packets. To further filter the packets that Wireshark is displaying enter http.cookie in the filter field. This will filter out all packets which are not using the HTTP application layer protocol and all HTTP packets which do not contain cookies.

Next go to a website that uses cookies. Most websites which support user logins or shopping carts use cookies for these purposes. Make sure that the website that you visit does not encrypt the entire session (such as a banking website), otherwise the packets will be encrypted and not viewable in wireshark. After capturing a couple packets which contain cookies scroll down to the Hypertext Transfer Protocol portion of the packet preview, expand it, and scroll down to the cookie line. Right click on the line, and select copy->Bytes (Printable Text Only). This will copy the human-readable portion of the packet which represents the Cookies associated with this website.

If you haven’t already, install Greasemonkey, and the CookieInjector userscript. Clear your private data, ensuring that the Cookies and Authenticated Sessions options are selected. This will delete all your cookies, so we can see the script in action. Press alt-c to view the CookieInjector dialogue, paste the cookie string from wireshark into the text box and click OK.

Congratulations! Your cookies have now been restored!

How The Script Works:

After the page has loaded the CookieInjector class is initialized. This involves setting up the dialogue and binding a function to the onkeydown event. When the user presses the ALT-C key combination, the CookieInjector keyPress function is called, which checks to see if the correct key combination has been triggered. If it is valid, the dialogue’s display style is changed, making it visible in the middle of the page.

After the user enters the cookie that was copied from Wireshark, the script does a quick cleanup of the string, and then adds the cookies to the browsing session.

Note that the cookie’s host will be the domain that is loaded in the browser when the cookie is injected. The root path will be used for the root of the cookie to ensure that the cookie is persistent across the entire domain. Finally, the cookie is a session cookie, which means that the cookie will expire when the browser is closed.

Security Implications Of Cookies

The use of cookies for identification and authentication presents a dangerous security risk for un-encrypted connections. Most websites (such as Hotmail, Facebook and Gmail), only encrypt the username and password when initially authenticating the user and all traffic following the initial handshake is un-encrypted. As a result, the cookie information is readable by anyone who is listening with appropriate software, and malicious users can steal the cookies of other users on the network, possibly gaining access to their accounts. Un-encrypted or weakly encrypted wireless connections (those which do not use WPA or stronger encryption schemes) are especially susceptible to cookie stealing. This is because anyone with a wireless card can simply listen to all network traffic as it is broadcast through the air, intercepting cookies, images, web pages and any other traffic which may or not be intended for them. Intercepting traffic on a switched network (most LANs) is more complex, but can be accomplished using ARP Poisoning or software such as Ettercap

The take-home lesson is to use encrypted connections, like https, whenever privacy is important. Always remember that if the connection is not encrypted anyone could be listening in.

Download CookieInjection Userscript

External Links:

Greasemonkey: https://addons.mozilla.org/en-US/firefox/addon/748
HTTP Protocol: http://en.wikipedia.org/wiki/HTTP
TCP Protocol: http://en.wikipedia.org/wiki/TCP
Cookies: http://en.wikipedia.org/wiki/HTTP_cookie
Wireshark: http://www.wireshark.org/
Ettercap: http://ettercap.sourceforge.net/
ARP Poisoning: http://en.wikipedia.org/wiki/ARP_spoofing
Ethereal: http://www.ethereal.com/

As part of this initiative ULife maintains an events calendar that is available both in HTML and RSS formats. I was much more interested in the RSS feed as it can be easily parsed and manipulated by server-side PHP.

How The Refactor Works (In A Nutshell)

The basic operation of the script is very straight-forward.

1. A copy of the ULife calendar RSS feed is downloaded and cached from https://events.sfu.ca/rss/calendar_id/3.xml.
2. The RSS feed is parsed by a slightly modified version of Last RSS which converts the feed into PHP associative arrays.
3. The arrays are then passed to the Smarty Template Engine which makes the output look all pretty

Simple eh? There is a little bit more of business logic, as the user is able to specify the template file to use, the CSS file to use, the number of days to display as well as indicate if the script is to output a full HTML page or just the HTML code needed for the calendar.

Currently the preferred way to include the calendar on a dynamic web-page is to use the PHP readfile (or equivalent) command with the argument being the path to the Refactor script. If the page is not dynamically generated the other option is to use a Javascript include, which uses cross site scripting to fetch the content and write it to the screen.

Right now there is only a single template available – a vertically aligned one, and a single style – a dark one. Users of the script can of course come up with their own style-sheets by simply downloading and editing the dark style sheet to their liking. If there is demand for it, I will write more templates, starting with a horizontally aligned template, along with a couple more style sheets.

To play around with the Calendar Refactor take a look at http://ulife.dustint.com

The new version of the Bookswap website also sports some new features and improved functionality. The process for making an offer has changed slightly: now the seller of the book is immediately notified of offers via email, rather than when the posting expires. This is intended to provide sellers with up-to-date information on people interested in their postings so they can make informed decisions if they are considering selling their book via another means.

Since sellers are notified of offers immediately, it is less important for postings to expire in a timely matter. As a result, the restriction on the time before the posting expires has been removed. This way, sellers can choose to have high-value books expire quickly if they intend on selling them to the bookstore and have books which may take longer to sell persistent on the site.

The interface for selling a book has also been improved. The page has been divided into several steps with additional descriptions of all fields. This is an attempt to help new users navigate the process for the first time while, at the same time, not negatively impacting the speed of experienced users.

Perhaps the greatest change in the new version is the integration of the Google Books Database. Previously, when a user was adding a new book to the database, ISBNDB was queried for the book information and the cover image was searched in a separate step. Now Google Books is the data provider for both book information and cover information. This improves data integrity as there is a lower probability of a title / cover mismatches and, furthermore, the Google Books interface provides better searching over a variety of keyword types.

Check out the new site! Get some cash for your texts:
http://bookswap.dustint.com

http://books.sfu-rha.ca

Greasemonkey (http://www.greasespot.net/) is a handy Firefox extension which allows the injection of javascript (called userscripts) into the webpage currently being viewed. This allows for the customization of the look and feel of a website: improving the user interface or adding additional functionality.

In this example, we are going to use greasemonkey and Dojo to display a dialog widget on an arbitrary website.

To simplify the deployment of a userscript we are going to use the AOL Content Distribution Network to pull in a crossdomain build of the dojo toolkit. This is helpful to us as developers as we don’t have to build or maintain Dojo ourselves and is useful to the user as they get an optimized download from a distributed CDN.

First thing’s first: If you haven’t already, download and install the Greasemonkey extension, and create a new user script.

To access the power of Dojo, we must include the Dojo crossdomain build on the page we are visiting. To do this, we will dynamically create a new script element containing the address of the build and append it to the document head:

var script = document.createElement('script');
script.src="http://o.aolcdn.com/dojo/1.0.0/dojo/dojo.xd.js";
document.getElementsByTagName('head')[0].appendChild(script);

Next, since we are going to need a Dijit Dialog object, we will need to also include the Tundra Theme CSS file by appending it to the head object:

var link = document.createElement('link');
link.rel = "stylesheet";
link.type= "text/css";
link.href="http://o.aolcdn.com/dojo/1.0.0/dijit/themes/tundra/tundra.css";
document.getElementsByTagName('head')[0].appendChild(link);

Great! Now we have the Dojo javascript file included on the page as well as the Dijit Tundra theme setup and ready to use. Next, we will actually include the Dojo dependencies we need and display our Dialog!

To ensure that the Dojo Javascript file and the Tundra Stylesheet have been downloaded and parsed we must include the rest of the code in a function that will run when the window fires the “load” event To do this, we will add an event listener to the window object with the function as an argument:

window.addEventListener('load', function(event) {
var dojo =  unsafeWindow["dojo"];
dojo.require("dijit.Dialog");

Also notice that we have created a local variable called Dojo which is a refrence to the unsafeWindow dojo object. Greasemonkey runs all userscripts in a sandbox which provides enhanced security as well as ensures that they do not conflict with any preexisting scripts already on the page. Because, by default, Dojo is instantiated with a visibility relative to the window object it is not visible to our script. By creating a reference to it in a local variable, this allows us to access its functionality.

Also important is the dojo.require statement. This will pull in the dijit.Dialog object which we will be instantiating later on in our script. To ensure that all the dependences have been loaded before we try to create a dialog, we must wait until dojo knows that the external resource has been loaded.

dojo.addOnLoad(function(){
var dijit = unsafeWindow["dijit"];
dojo.addClass(document.getElementsByTagName('body')[0], "tundra");
 
var pane = document.createElement('div');
pane.id = "floatingPane";
pane.innerHTML="Dojo Lives... In GreaseMonkey!";
document.getElementsByTagName('body')[0].appendChild(pane);
 
dialog = new dijit.Dialog({
title: "Dojo Integration Test"
},pane);
dialog.show();
});
}, 'false');

A lot of stuff happens in the above code snippit:
First we grab a local reference to the global dijit object, next we assign a “tundra” class to the body tag, which will allow us to have the correct theme for our Dialog. We create a div node which will eventually become our Dialog, populate it with appropriate attributes and append it to the document’s body tag. Finally we create a new dialog object with a catchy title and the previously created div node as the contents, and display it on screen. Lastly, we close the window.addEventListener object that we created in the previous step.

Downloaded the complete userscript here:
Dojo Integration Userscript This script has been updated and is available here

Special Thanks to Shane Sullivan’s Dojo Debug Script which shows how to access the Dojo object from the Greasemonkey sandbox.