Chris Shiflett's Profile

About Me: Welcome to my site! There's a lot more about me on the about page.

Last 10 Comments

1

Hi John,

I agree with you. I think the optimal solution for this site is for me to let people have as many OpenIDs as they want and authenticate using any of them.

I hope to find the time to improve a few things, and OpenID integration is near the top of the list.

Delegation is also a good option, so you don't have to change OpenIDs whenever you change providers. For example, I use shiflett.org as my OpenID everywhere, and this didn't change when I switched to myVidoop.

Posted in /blog/2008/may/openid-with-myvidoop.

Thu, 08 May 2008 at 18:16:57


2

Thanks for the additional information, Kevin and Koes. :-)

One nice combination I failed to mention is that you can activate a browser temporarily per Koes's instructions, and you can then have access to all of your saved passwords. (This requires a specific choice to save your passwords with myVidoop instead of locally.) I can see this coming in handy if I need to do something on a friend's computer at some point, because I can never remember my passwords.

Posted in /blog/2008/may/openid-with-myvidoop.

Tue, 06 May 2008 at 11:55:05


3

Hey, Kevin, thanks for the comment. I just registered for an affiliate account.

Hope you like it, Ben. I'm glad I convinced you to try it out. :-)

Posted in /blog/2008/may/openid-with-myvidoop.

Tue, 06 May 2008 at 08:41:13


4

Mark and Brad,

I know there are a lot of comments now, so it's hard to keep them organized, but I think this has already been answered pretty succinctly by Paul.

A brutally honest summary is that using strip_tags() in the way you suggest creates XSS vulnerabilities, which is precisely the topic of this post.

Hope that helps.

Posted in /blog/2007/mar/allowing-html-and-preventing-xss.

Tue, 22 Apr 2008 at 18:35:55


5

That's an interesting idea, Sebastian. I might just do that.

Posted in /blog/2008/apr/css-naked-day.

Thu, 10 Apr 2008 at 10:01:25


6

Thanks much, Gabriel. If you do something similar yourself, I'd love to hear about it.

Regarding the JavaScript on Jon's site, I think that was actually written by another Jon. I'm a big fan of both. :-)

Thanks again!

Posted in /blog/2008/mar/urls-can-be-beautiful.

Wed, 09 Apr 2008 at 22:01:17


7

Thanks for the reminder, Christian. My CSS is now gone. :-)

Posted in /blog/2007/apr/my-first-css-naked-day.

Wed, 09 Apr 2008 at 07:37:55


8

Thanks, Andrew, and happy to see you're a Real Genius fan. :-) You're right that it took a lot of effort, but hopefully that's not too apparent. Information architecture is one of those disciplines where doing a good job should result in a finished product that seems simple and obvious.

Joakim, I agree it's not appropriate for all sites, and to be honest, it's not a very scalable idea in general. I do like that the sentences are easy to remember; that was one of the design goals. :-)

Posted in /blog/2008/mar/urls-can-be-beautiful.

Fri, 21 Mar 2008 at 08:10:07


9

Gap, I use a framework to handle that part, but you can also use ForceType:

http://httpd.apache.org/docs/mod/mo....html#forcetype

This lets you name a PHP file is instead of is.php, and you can access the full path info in PHP via $_SERVER['PATH_INFO'] or use the request URL via $_SERVER['REQUEST_URI'].

It would probably take a blog post to fully explain this technique, but hopefully that gets you started. All frameworks support this pretty conveniently, so that might be a better option.

Posted in /blog/2008/mar/urls-can-be-beautiful.

Wed, 19 Mar 2008 at 18:03:14


10

Wes, that's a good idea.

This technique wouldn't prevent enumeration attacks, but it could be used to require an extra request for every attempt. In order to implement this technique for that purpose, it's important to be sure that an attacker can't simply reuse a token or omit it entirely. Requiring an active session is one option.

Posted in /articles/cross-site-request-forgeries.

Tue, 18 Mar 2008 at 13:29:35


Stats

  • Member Since: 07 Sep 2004
  • Comments: 581

Web Site

shiflett.org
