yoy.be "Why-o-Why"

HTTP+HTML+Delphi authentication (how xxm does it)

2018-04-13 14:26  xxmauth  coding delphi internet freeware  [permalink]

Daraja Framework: HTTP+HTML form-based authentication

Yikes! This is strange. Yes, you could go ahead and have a page with a login form that posts to a handler that checks your password and throws a 401 when it fails. But is that really what you need? I thought a 401 is there to get the user's HTML client (a.k.a. browser) to show a modal form asking for a password before re-posting the request. Just like xxm's Basic Authentication demo does, and it does this right at the center of the project, before your request is routed to any page or resource, so that all requests to the project need authentication. This way you also don't need to code an IsAuthenticated check on every page or resource.

But, again, is this really what you need? The public nowadays doesn't respond well to blanket authentication like that, and it also makes it impossible to do anything on the website while not (yet) authenticated. It's better form to welcome new users with a nice 'create new account' button (more about that here) and perhaps more information on what's on offer, next to the logon form for existing users (with extra options like 'stay logged on on this station' and a 'forgot my password' link). There's an example in xxm's Session demo: the opening page has a log-on form, and Login.xxm does the rest. It doesn't really check user account and password there, as that exceeds the purpose of the demo.

To see a working demo, have a look at tx: it has a central redirect for any page request from a user that should authenticate first; the logon form, with extra options, is shown to users as a normal web page; it checks the entered password against a properly salted hash and then redirects you to the page you originally came in for...
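The three pieces described above (a central gate in front of every page, a salted-hash password check, and a redirect back to the page the user came in for) as an added example in Python; this is not xxm or tx code, just a framework-neutral sketch of the same flow. One caveat the post glosses over: a bare 401 only makes a browser show its modal prompt when the response also carries a WWW-Authenticate header, which is why the form-based flow below answers unauthenticated requests with a 302 to the form instead. The user table, the in-memory session store and the function names are assumptions for illustration; the return_to check is there because a login form that bounces to an arbitrary URL is an open redirect.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import quote, urlsplit

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password store different hashes, so one precomputed table cannot
    crack a whole leaked user table at once."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# Constructed user table (assumption): one user with password "correct horse".
USERS: Dict[str, Tuple[bytes, bytes]] = {"james": hash_password("correct horse")}
# Dummy record used for unknown names so a hash is computed either way.
_DUMMY = hash_password(secrets.token_hex(8))
# Assumed in-memory session store: session id -> user name.
SESSIONS: Dict[str, str] = {}


def safe_return_to(target: Optional[str], default: str = "/") -> str:
    """Only accept a same-site absolute path as the 'page you came in for';
    anything with a scheme or host would turn the login form into an open
    redirect that phishers can use to bounce victims off your domain."""
    if not target:
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or not target.startswith("/") or target.startswith("//"):
        return default
    return target


def gate(path: str, cookies: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Central check that runs before any page is routed, like tx's redirect:
    unauthenticated requests go to the login form, carrying the original path."""
    if path in ("/login", "/register"):
        return 200, {}
    sid = cookies.get("sid")
    if sid and sid in SESSIONS:
        return 200, {"user": SESSIONS[sid]}
    return 302, {"Location": "/login?return_to=" + quote(path, safe="")}


def login(form: Dict[str, str], return_to: Optional[str]) -> Tuple[int, Dict[str, str]]:
    """POST handler for the login form."""
    user = form.get("user", "")
    rec = USERS.get(user)
    salt, digest = rec if rec is not None else _DUMMY
    # Verify even for unknown names, so response time does not reveal which
    # accounts exist; one message covers both failure cases for the same reason.
    if not verify_password(form.get("password", ""), salt, digest) or rec is None:
        return 200, {"error": "unknown user or wrong password"}
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return 302, {"Set-Cookie": "sid=%s; HttpOnly; Secure; SameSite=Lax" % sid,
                 "Location": safe_return_to(return_to)}
```

In a real deployment the session store lives outside the process and the cookie is only sent over HTTPS, but the shape stays the same: gate() sits in front of routing, login() is the only place that touches password hashes, and return_to is validated before it is ever put in a Location header.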

And there's much more to tell about authenticating users. I've tried to make a list here (it's in Dutch though), and that doesn't even scratch OAuth(2) yet...

Before I forget, did I mention xxm comes under a permissive MIT license? So you don't need to buy a commercial license!

Do I also need a four-letter-acronym to be cool these days?

2018-03-30 22:47  xx4la  coding delphi internet  [permalink]

→ Reddit: Any drawback to using Wordpress in front of a MERN application?

MERN?! What's that?

MERN: MongoDB Express React node.js (+ Redux, WebPack)

Oh, I get it! It's one of those four-letter-acronyms that describes your software stack. The first one, and as it happens also the one I started on was:

LAMP: Linux Apache MySQL PHP

But trying things out on my own, I didn't get the hang of that Linux bit. I still blame the folks that sneered me off with "start with typing man man at the prompt". So I got stuck being a


but later regained my poise and sting with

WASP: Windows ASP SQL Server PHP

which worked great for a while, but I moved on. Not quite with the hot and happening new one:

MEAN: MongoDB Express Angular node.js

but closer related to other desktop application work I was doing in Delphi. Having done some raw networking and some raw HTTP, but also the IIS API, and implemented Internet Explorer's IInternetProtocol and Firefox' nsIHttpChannel (before they chucked XPCOM somewhere after version 3.6 and started the rapid release schedule), and something something HTTP.SYS, I decided to start something to model all the common bits into one single interface so you could easily switch between implementations and environments. And hot-swap a binary without taking down the web server/web service. And do that after an automatic compile when you changed a file and refreshed your browser. And have a mix of HTML and server-side logic in the same files like PHP and ASP (and Cold Fusion...). And still have full response streaming, and not a big hard templating thing churning on a request first before being able to spew out the response in one go... And have a few of the basic things in place to help you with security, to prevent malicious requests.

So I created xxm. And websites with it. Such as tx. So I guess I should invent suitable four-letter acronyms as well, then:

XIMR: xxm IIS MongoDB (over TMongoWire!) Redis

XXJP: xxm xxmHttpAU jQueryUI PostgreSQL

XESV: xxm nginX (over SCGI) SQLite Vue.js

Hmm, doesn't really sound all that great... Never mind then. I'll just enjoy it if xxm could serve as a solution for anybody in the very small niche of people that do both high-level server-side stuff with Delphi, and high-level dynamic-web-stuff, and want the two closely knit together...

Best practices for user account management

2018-02-27 11:17  i3036bis  coding internet  [permalink]

Google Cloud Platform Blog: 12 best practices for user account, authorization and password management

Right, I urgently need to update the list I compiled here with today's methods...

Checking xxm for PHP's vulnerabilities

2017-05-12 07:56  xxmphp1  delphi internet freeware  [permalink]

If I read about a newly discovered vulnerability related to PHP, for example this one here, I try to find out if it would apply to xxm as well. 

In this case I guess there's nothing more to it than sending out the message, again and again, to sanitize your inputs and properly encode your output. Strings are never just strings. They are always an internal representation of a bit of textual data. So always think about that when taking string values in and when preparing strings for output. A few weeks back I had to speak up to someone who wrote OutJSON:='{"field1":"'+value1+'"}'; Little Bobby Tables comes to mind, though I'm not sure 'JSON injection' could be as devastating as SQL injection. (And OutJSON:=JSON(['field1',value1]); is shorter!)

The other time I found out it's a really good idea to strip nastiness like EOLs (CRLF) from headers added to a response, just in case a malicious script is up to no good. Come to think of it, that's also just another case of properly sanitizing your inputs...
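Both cases from this post, the string-concatenated JSON and the CRLF in response headers, as an added example in Python (not xxm code). The first pair of functions is the OutJSON concatenation next to the JSON(['field1',value1]) way, with a constructed hostile value that shows what 'JSON injection' actually buys an attacker: not a dropped table, but an extra field the server never intended to emit. The header function rejects CR, LF and NUL rather than silently stripping them; that is my choice for the example, so a caller that passes attacker-controlled data into a header finds out instead of getting a quietly mangled value.

```python
import json
import re


def json_by_concat(value: str) -> str:
    """The pattern the post warns about, the Delphi '{"field1":"'+value1+'"}'
    in Python form: the value is dropped straight into the document."""
    return '{"field1":"' + value + '"}'


def json_encoded(value: str) -> str:
    """The JSON(['field1', value1]) way: the encoder escapes quotes, backslashes
    and control characters, so the value can only ever be a string value."""
    return json.dumps({"field1": value}, separators=(",", ":"))


def json_is_intact(doc: str, expected_value: str) -> bool:
    """True when the document still means exactly {"field1": expected_value}."""
    try:
        return json.loads(doc) == {"field1": expected_value}
    except ValueError:
        return False


# Constructed hostile input: closes the string, adds a field, reopens a string.
INJECTED = 'x","admin":true,"y":"'

_HEADER_CTL = re.compile(r"[\r\n\x00]")


def set_header(headers: dict, name: str, value: str) -> None:
    """Add a response header, refusing CR, LF and NUL in either part.
    A CRLF inside a value would end the header line and let the attacker
    append headers of their own (a Set-Cookie, say) or even a second response
    body: HTTP response splitting."""
    if not name or ":" in name or _HEADER_CTL.search(name) or _HEADER_CTL.search(value):
        raise ValueError("illegal characters in header %r" % name)
    headers[name] = value


def header_accepted(name: str, value: str) -> bool:
    """Whether set_header would accept the pair (handy for tests and filters)."""
    try:
        set_header({}, name, value)
        return True
    except ValueError:
        return False
```

With INJECTED as the value, json_by_concat yields {"field1":"x","admin":true,"y":""}, which parses fine and carries an admin field; json_encoded yields a document whose only key is field1. The header check is the same idea applied to the other output channel: what you send is what you encoded, never what the caller typed.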

'Relax' scripting vs xxm

2017-04-22 13:12  relaxxxm  coding delphi internet  [permalink]

Delphi Relax Web Scripting (Marco Tech Blog)

I'm sorry but I feel I must react. In general I keep silent, in the hope people by themselves will know better, but as I'm getting no input what-so-ever that that is the case, I feel tempted to write something about this.

First about what's at hand. I see this bit of code:

@foreach (var emp in employee) {
  <li>@emp.FirstName @emp.LastName (@emp.PhoneExt)</li>
}

and it looks kind-of OK. To the untrained eye it looks good and may even look tempting to write more in this syntax. This is a straightforward example of a template that works with a templating engine that no doubt has many more capabilities and features. And then I thought, from experience, that what I'd typically get asked is to not show " ()" when the PhoneExt field is empty. I would not know how to make that happen in that template syntax. That's mainly because I know nothing about the template syntax. If I look into the documentation, I might find an @if predicate to make it happen, but let's move on:

This is what it could look like in xxm:

[[!var emp:TEmployee;
foreach emp in FDMemTable1 do
<<li>>=[emp.FirstName,' ',emp.LastName,' (',emp.PhoneExt,')']<</li>>

Looks roughly similar. A little more like Delphi syntax. And in fact it is. If you know that [[, ]], << and >> get translated into Context.SendHTML() and Context.Send() calls behind the scenes (full details are here), you know this code will result in the same output. Without a templating engine! Streamed to the user's client! Perhaps even while the data is still streaming in from the database server, in case it's a longer list, and in case there is a database server; Marco uses a memory table for his example.

What I find important is that there's less going on between the natively compiled logic and getting the data to the user that launched the request. Not only does a templating engine look superfluous, this entire ORM thing is something I don't get. If it's a gigantic database model with so many tables that you clearly benefit from code completion, then I agree, but I haven't come across anything remotely close to that in web projects.

Also the HTTP server itself is something I think merits extra attention. I've seen platforms and frameworks that offer you a wealth of capabilities and features, but hastily slapped on something that listens on a TCP port for basic HTTP requests, in some cases on port 80, but more often 8080 or something else in the thousands. In real web environments, the server(s) has/have a lot more going on: load balancing, reverse proxies, firewalling, authentication. Since we're in a post-Snowden era nowadays, we're all responsible for thinking about protecting privacy and getting that HTTPS in order with the proper certificates and encryption... Not to mention HTTP version 2, which is heading full steam towards being generally accepted/expected.

I can imagine the web admin responsible for all that isn't happy with your request to add this newfangled separate thing that's doing its own handling of HTTP requests. ISAPI DLLs or Apache modules play much nicer with existing IIS or Apache installations. (FastCGI is on the table, but for now xxm has SCGI available for other servers.) Even if your 'Delphi HTTP framework' of choice is specifically designed to tap your ORM of choice and offer a REST API for your data-layer needs, it will still be one more stop along the way between the user's browser, and the delivery setup, and the front-end, and the page template, and the data layer, and the database, and what the user actually needs or wants. I think of this at the post office when there are twelve people in the queue in front of me.

I don't expect to convince many people of this way of working, but it works great for me. I remember the days of early PHP and ASP and how simple and straightforward everything was. Knowing these ran on scripting engines, I kept worrying about lost performance. This was the core reason to start xxm: employ the speed and power of the Delphi compiler to have a native library serve my websites. And it turns out that Delphi code looks quite nice between HTML to handle server-side logic, if I may say so. It took me a few years to make this happen, but I couldn't do without it any more. And people kind-of appreciate that to use this new application, all they need is their trusted browser and a URL.

HTML: label, no more "for" for me!

2017-04-13 22:44  htmllabelfor  coding internet werk  [permalink]

If only I had known sooner! I forgot where I picked this up, but apparently if you put <label> around an <input>, typically of type checkbox or radio, browsers automatically know the label is for that control. Before, I would write my <input id="x"> first, then a <label for="x"> after. To keep the code neat, I would put it on a separate line, but the EOL in between would not be clickable to actuate the control. This is a really minor issue, but still. Now I know you can just write this:

<label><input type="checkbox" name="Toggle1" value="1" checked="1" /> Toggle1: clicking text after a checkbox should toggle the checkbox!</label>

Because there are two kinds of people: those that click the box to switch a checkbox, and those that click the text to the right of the checkbox. You might not even know that you do, but you do, don't you. If you're of the latter type, it's just one of those minor frustrations that a click on the text label sometimes doesn't do what you expect, and you have to:

  1. first notice that this is what's going on, possibly because you've selected a bit of the text
  2. align your eyes to the checkbox
  3. align the mouse cursor over the checkbox
  4. click the checkbox, confirming the previous one or more clicks were actually wasted

But there you have it. Heaven has great UX. Here we need to make do with what we get. (And need to make sure it's the way we like it for those bits that we have control over.)

I for one welcome our new mass logic-gated overlords.

2016-11-18 14:26  eventhorizon  actueel computers internet politiek weblog  [permalink]

I think I just figured out how these computer things will get self-aware... First they get smaller and better at calculating stuff, at first by the programs we write for them. Then we program them to recognise shops from house fronts, foods and people from photos, which is all nice and handy.

Then we use roughly the same thing to have them calculate how to run cool. It sounds strange at first, but letting the machine choose where to run in the park, and how that makes it run hot and need to cool down, maps straight onto how we catch the frequencies of parallel lines of light into a bitmap photo.

Then we change the program to do the same to the program. We write programs, but are too dumb to know how the machines actually handle those programs, and need to wait doing nothing on other parts of the program doing its job in only a small other part of the machine.

So we teach the machine all about how it is built up internally to handle large programs. And have it calculate how to run our programs much faster.
And about how to modify the program accordingly. And how to run that.

And then we will ask it to do the same for the human body and ask for a cure for cancer, and it will say:


"Let me calculate some more how I can work even better. (How's that delete humans command again?)"

GMail: make the labels menu larger

2015-10-22 09:36  GMailLargerLabelsMenu  coding internet werk  [permalink]

When you don't like it: adapt it.

At work we've been switched to Google Mail for some time now, and to make sense of the mayhem that is the incoming torrent of e-mail, I've been using an extensive set of labels and sub-labels with nice colours and stuff.*

But the list of labels in the pop-up menu of the 'move' and 'label' buttons is so small, only showing the first few labels, that I had to scroll most of the time.

Is there a way to adapt this? It turns out there is. At first I read about user stylesheets, but these got removed from Google Chrome; there's an extension that does the same, though: Stylish

Install it, and for URLs that start with "https://mail.google.com/mail/", add this:

.aX1 {
  max-height: 780px;
  top: 92px !important;
}
.aX2 {
  max-height: 780px;
  top: 92px !important;
}
.aX1 .aXjCH {
  max-height: 600px;
}
.aX2 .aXjCH {
  max-height: 600px;
}

*: Extra tip: I was searching for something nice to prefix the label names with that would cause them to get sorted (alphabetically) at the end. In theory you could use "zzz " as a prefix, but that's ugly. And it assumes you'll never have an account named "zzz".
After a bit of searching around the Unicode spec, I stumbled upon Bopomofo, so now I use ㄍ and ㄑ, which apparently sort past 'z' and look pretty nice.

"Quickly knocking together a login procedure"...

2015-01-09 17:21  r1823  internet coding  [permalink]

"Quickly knocking together a login procedure"...

This is about the same thing: http://blog.codinghorror.com/the-god-login/

E-mail over HTTP

2012-09-30 01:35  i3037  internet  [permalink]

It might be a stupid idea, but why has no one ever thought of mapping SMTP/POP3/IMAP onto HTTP? (Or has someone?)
I know there's a lot on the blogosphere about e-mail being broken in all kinds of ways, or not at all, but I don't want to touch upon that.

What I think it really is about is a clean, straightforward way of sending asynchronous messages to each other. SMTP was created specifically for that. But it is getting old. Really old. And it is based on a number of even older protocols (RFC822, anyone?). It's only normal that protocols cooperate or are based on each other, but some are clearly established and are a really good fit for most if not all situations and environments, and some are established but happen to be the least bad solution available, just waiting to get replaced by something better as soon as folks can agree on the replacement.

HTTP was designed to transport hypertext. At first from a server to a client, but basically in any direction. And thanks to MIME, anything really. And face it, isn't almost all of our e-mail in hypertext nowadays? So HTTP and SMTP may have a lot in common, except HTTP has seen a lot more evolution as far as I know, both in design and in support by hardware and software.

How would it work? Just like an MX record, something else (an HTMX record?) could point at a URL for the domain of an e-mail address. (And I mean a full URL: http/https, (sub)domain, path, etc...) So the sender starts a request:

POST /incomingmail HTTP/1.1
Host: example.com
From: "John Doe" <john.doe@acme.us>
To: "James Day" <james.day@example.com>
Subject: Meeting invitation about some project
Date: Sat, 29 Sep 2012 15:38:11 +0000
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: deflate
Content-Length: 1234

At this point the server can respond with '100 Continue' or a suitable error code when spam detection or a blacklist does its job.

Same for POP3/IMAP: much like this REST thing that's getting so much attention, the HTTP verbs GET and DELETE should be all you need to sift through the wad of time-wasters people send you daily.

But, of course, it's just an idea. I've got lots of interesting stuff to work on before I'll put time into this, probably, but if you think it's a good idea, let me know.

"Quickly knocking together a login procedure"...

2012-09-15 16:32  i3036  coding internet  [permalink]

I thought 'I'll quickly put a login procedure on that website'. No such thing. Drop the 'quickly', and a 'login procedure' done according to the rules of the art is no longer what it was, compared to the early 90s. So let me quickly try to draw up an exhaustive list: (If I forget something, give me a shout!)

bitcoin: digital currency of the people (be your own bank)

2011-03-23 16:45  i2959  internet actueel beurs coding politiek weblog  [permalink]

I've been asked if I accept donations for the freeware I make available over this website, but I don't. I don't have a legal entity to my name to accept any funds for work done, and frankly I don't even care to check if and how I could get this in the clear with the tax services.

Today I read about http://www.bitcoin.org/ and this looks like exactly what I need. It's not that hard to set up, and the fact that no institution like a bank is involved is really interesting. Even the 'funds' themselves are actually measured in 'mathematical solids in the digital world', so if I were to amass a certain amount of it, it would get financially interesting to check out the aforementioned tax issues (perhaps via an accountant...)

So, if anyone wants to wire me anything (even 0.01BTC just to check if it works), here's a bitcoin address:



Ad blocking hurts websites

2010-03-06 21:30  i2880  internet actueel  [permalink]


I haven't used an ad blocker so far. I do find it annoying that the ads take over the page for a moment before you can read what you wanted, but apparently I manage to avoid those websites (hint).
But if I were ever to build an ad blocker myself, it might be interesting to just try to 'paste over' them with a white window or so; the ads still come through, but they don't bother you that way.

Do-it-yourself RJ45

2010-02-08 23:35  i2865  internet  [permalink]

Grr. Sometimes small things give me the creeps. Home-crimped cables, but with the outer plastic cut just a bit too far back. This one doesn't look that bad yet, but once they start bending, one of those little conductors will break.
Someone with an exaggerated eye for detail (cough) cuts them nice and short, so that plenty of the outer sheath sits under that push-down thingy. Then the plug sits much more firmly on the cable and can at least take a knock.
The crimp tool, by the way, also pushes that little triangular bar through the hole; I think most people haven't even given that a thought. Clever design all round.


Chromium: HTML Ruby/RT element not rendered

2010-01-14 07:55  i2847  internet  [permalink]

Woohoo! One of my tickets is Fixed:

       Status: Fixed

Comment #9 on issue 4016 by scarybeasts: HTML Ruby/RT element not rendered


Implemented in latest Chrome Betas.

What Browser?

2009-11-27 15:14  i2800  internet  [permalink]

Tss, in the video at the end they forgot Opera, but not here: http://www.whatbrowser.org/browser/


Firefox switches to Office ribbons and Aero!

2009-09-24 00:13  i1829  actueel internet  [permalink]

Funny, just yesterday I happened to see that you need a separate license from Microsoft to do anything at all with the Office UI (and promise you won't compete with Office), and then I see this:


It really is a strange move. And would they meet the strict license conditions too? (And put the ribbon in their Linux version as well?) And are they sure they're not competing with Office? Because Google Docs and the like run just fine in Firefox, don't they?

Update: Now that I think about it some more, it's extra worrying to hear a signal from the Linux world that they let themselves be 'steered' by developments on the Windows platform...

Google Chrome Ad

2009-09-22 11:45  i1827  tv internet  [permalink]

Meh, why don't things like that show up on TV here?!

Google Mail drops 'on behalf of'

2009-08-03 11:59  i1773  internet  [permalink]

Ah, good to know! And you still have to set it up yourself under Accounts. And you need to know your e-mail provider's SMTP server...


Google Chrome OS

2009-07-13 08:36  r1393  internet  [permalink]

Google Chrome OS

as usual, El Reg is spot on, in my opinion:

The HTML5 codecs debate...

2009-07-09 13:23  r1384  actueel internet  [permalink]

The HTML5 codecs debate...

Here it is once more:

Google Chrome OS

2009-07-09 08:33  i1768  internet  [permalink]

It's been talked about for a while, and now they're cautiously going public with it for the first time:

But, as with quite a few things, I expect more hype around this than it's worth. What they've (probably) done is actually build a new Linux distro with the new window manager they needed to be able to build Chrome on Linux. And Linux with only that window manager and Chrome-Linux. Less is more, and by marketing it as something "for people that live on the web", it should be a lot more secure. (But far from a "Windows killer")

The HTML5 codecs debate...

2009-07-07 10:25  i1766  internet actueel  [permalink]

Yes, actually, you read that, try to understand it. But how do you explain it to someone who doesn't get it at all? With cute kittens, of course!

Want cloud: talk to the Very Tight ASS people

2009-07-02 10:37  i1763  internet actueel  [permalink]

Is it still a hype? Or is it really the future? In any case, it seems to me the thing for the near future for large volumes.


Only I think they still need to find another name and acronym for "Application as a Service Security"...

Watch out, they're pulling out all the tricks.

2009-05-08 09:10  i1736  internet  [permalink]

One fine day I get an e-mail:

Janine Sandford to anonymous@yoy.be
We are trying to popularize our new website via advertising. So please tell me do you have advertising spots on your yoy.be and how much these spots cost.

I think, hm, a somewhat odd question. Makes a change from the medicines or surgical procedures that are usually on offer. But it's a simple question with a simple answer; maybe I can answer it... But first let's look at this mail from the back...

Delivered-To: stijnsanders@gmail.com
I have all my mail forwarded to my Google Mail. Back when spam was still far too bad, that turned out to be the best spam filter.
Received-SPF: softfail (google.com: best guess record for domain of transitioning jkanders@alpha.delta.edu does not designate as permitted sender) client-ip=;
Ah, SPF that fails, already suspicious. (By the way, RIPE on that IP number says Sweden, suspicious.)
X-Gmail-Fetch-Info: yoy-be@yoy.be 1 mail.yoy.be 110 yoy-be@yoy.be
This one was pulled in by Google via POP3.
Return-Path: <jkanders@alpha.delta.edu>
Hmm, there does indeed turn out to be a Delta College in Michigan...
Delivered-To: yoy-be@yoy.be
Thank you
Received: from google.com (80.net73.skekraft.net [])
    by e3-srv114.server.eu (Postfix) with ESMTP id 1C2CC4C8290
    for ; Fri, 8 May 2009 04:31:58 +0200 (CEST)
Hey, hey! Sending mail from a server that you yourself call "google.com"? That doesn't work, because we can see you're with a provider in Skellefteå in Sweden. (yoy.be runs somewhere under server.eu, that part is right.)
Received: from [] (HELO google.com)
    by wideclubhouse.cn; Fri, 8 May 2009 04:32:06 +0200
And this one I don't get at all! An IP number belonging to the army and a Chinese mail server?! This stinks from afar.
Date: Fri, 8 May 2009 04:32:06 +0200
Hmm, +0200, that's not the time zone of Michigan...
From: Janine Sandford <jkanders@alpha.delta.edu>
Hm, maybe Janine is married to a Mr. Anders. And uses the mail account on her husband's web server to ask me about advertising options? (And does she know next week's lottery numbers?)
X-Mailer: The Bat! (v2.01)
Hm, a very old version, also a bit odd. And educational (or military?) circles usually use something more Unix-minded, or central-management-minded, don't they?
Reply-To: Janine Sandford <17491richard.learn@gmail.com>
Yes yes, a completely different reply address? At Google Mail? Now this business definitely stinks.
To: =?windows-1251?B?eW95LmJl?=
Subject: =?windows-1251?B?QWR2ZXJ0aXNlIG9uIHlvdXIgc2l0ZT8=?=
MIME-Version: 1.0
Content-Type: text/plain; charset=windows-1251
Content-Transfer-Encoding: base64
Hm, code page 1251? Right, Russian or Bulgarian. That says something too...


Well, I hope that at Google they really do something with those "Report phishing" reports...
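The same header-by-header triage done in code, as an added example in Python rather than anything from the original post. The message below is a constructed stand-in for the one discussed: the same header names and the same claims, with RFC 5737 documentation addresses (192.0.2.x) where the page blanks out the real IPs. The checks mirror the reasoning above: the SPF result, the HELO name the sender claimed versus the reverse-DNS name or IP the receiving MTA actually logged, the Reply-To domain versus the From domain, the charset, and the decoded Subject. Function names are mine.

```python
import re
from email import message_from_string
from email.header import decode_header
from email.utils import parseaddr

# Constructed stand-in for the message in the post: same header names and
# claims, RFC 5737 documentation IPs instead of the real ones.
SAMPLE = """\
Return-Path: <jkanders@alpha.delta.edu>
Received-SPF: softfail (google.com: best guess record for domain of transitioning jkanders@alpha.delta.edu does not designate 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
Received: from google.com (80.net73.skekraft.net [192.0.2.10])
    by e3-srv114.server.eu (Postfix) with ESMTP id 1C2CC4C8290
    for <yoy-be@yoy.be>; Fri, 8 May 2009 04:31:58 +0200 (CEST)
Received: from [192.0.2.20] (HELO google.com)
    by wideclubhouse.cn; Fri, 8 May 2009 04:32:06 +0200
Date: Fri, 8 May 2009 04:32:06 +0200
From: Janine Sandford <jkanders@alpha.delta.edu>
X-Mailer: The Bat! (v2.01)
Reply-To: Janine Sandford <17491richard.learn@gmail.com>
To: =?windows-1251?B?eW95LmJl?=
Subject: =?windows-1251?B?QWR2ZXJ0aXNlIG9uIHlvdXIgc2l0ZT8=?=
MIME-Version: 1.0
Content-Type: text/plain; charset=windows-1251
Content-Transfer-Encoding: base64

"""

_FROM_CLAUSE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?", re.S)


def _decode(value: str) -> str:
    """Decode an RFC 2047 encoded-word header like =?windows-1251?B?...?=."""
    return "".join(part.decode(enc or "ascii") if isinstance(part, bytes) else part
                   for part, enc in decode_header(value))


def _domain(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def received_hop(hop: str):
    """Split one Received: header into (claimed, observed): the name the sender
    gave in HELO, and what the receiving MTA itself saw (reverse DNS or IP).
    Handles the Postfix form 'from HELO (rdns [ip])' and the qmail-style form
    'from [ip] (HELO name)'; returns None when there is no 'from' clause."""
    m = _FROM_CLAUSE.search(hop)
    if not m:
        return None
    first, paren = m.group(1), (m.group(2) or "").strip()
    if paren.upper().startswith("HELO "):
        return paren[5:].strip(), first
    return first, (paren.split()[0] if paren else "")


def triage(raw: str) -> dict:
    """Run the checks the post walks through by hand and return the findings."""
    msg = message_from_string(raw)
    out = {"subject": _decode(msg.get("Subject", "")),
           "spf": msg.get("Received-SPF", "").split(" ", 1)[0].lower(),
           "helo_mismatches": [],
           "reply_to_mismatch": None,
           "charset": msg.get_content_charset()}
    for hop in msg.get_all("Received", []):
        parsed = received_hop(hop)
        if parsed is None:
            continue
        claimed, observed = parsed
        # A HELO name that the observed host does not belong to is the
        # "calling yourself google.com from a Swedish ISP" tell-tale.
        if observed and not observed.lower().endswith(claimed.lower()):
            out["helo_mismatches"].append((claimed, observed))
    from_dom, reply_dom = _domain(msg.get("From", "")), _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        out["reply_to_mismatch"] = (from_dom, reply_dom)
    return out
```

On the sample this reports the softfail, two forged google.com HELOs (one against a skekraft.net reverse name, one against a bare IP literal), a Reply-To at gmail.com under a From at alpha.delta.edu, a windows-1251 charset, and the Subject decoded to "Advertise on your site?". Only the sender's own claims (HELO, From, Reply-To, Date) are forgeable; the Received lines your own MTA and Google's added are the part worth trusting, which is why the chain is read from the bottom up.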

