
SEARCH KEYWORD -- signed request



  The Problem With Client-Side Analytics

Client-side analytics is broken. The numbers it produces are trivially spoofable by competitors and nefarious characters. Most websites use client-side analytics of one type or another, and the only way to get numbers you can trust is to compare numbers from multiple providers and take an average of the closest two. This post highlights the problem and proposes a partial solution that substantially mitigates the issues with minimal effort. Our proposed solution is simply to include a digital...

   Client side,Analysis,Problem,Tricks,ASP.NET,spoof     2011-10-22 12:58:51

  JavaScript's Two Zeros

JavaScript has two zeros: -0 and +0. This post explains why that is and where it matters in practice. The signed zero Numbers always need to be encoded to be stored digitally. Why do some encodings have two zeros? As an example, let’s look at encoding integers as 4-digit binary numbers, via the sign-and-magnitude method. There, one uses one bit for the sign (0 if positive, 1 if negative) and the remaining bits for the magnitude (absolute value). Therefore, -2 and +2 are encoded as f...

   JavaScript,zeros     2012-03-24 05:21:49

  PHP Multithreading – Faking It

PHP doesn’t really support multi-threading per se, but there are ways to do “fake” multithreading. Here’s one I saw in the PHPClasses.org newsletter – Multi-thread Simulation. Note that this class is intended for use on a webserver, as opposed to running PHP scripts from a command line (or similar). Check the end of this post for some alternatives you can try if you’re using PHP as a stand-alone scripting language. Now, I’m going to be lazy and just ...

   PHP,Multithreading,Possible,CURL,Fake,Si     2011-09-04 23:07:22

  HeartBleed: Inside the heart, what causes the bleeding?

Just a few weeks after Apple's famous goto fail bug, another bug, this time in OpenSSL, has caught the attention of the world. The bug is named HeartBleed and was found in the OpenSSL library, a famous open source library supporting lots of SSL/TLS communication among server/client applications. The reason this bug catches the world's attention is that it affects almost all sites which are using the affected OpenSSL library; these include many applications like the Nginx server, some v...

   OpenSSL,HeartBleed     2014-04-09 05:47:30

  Integer overflow

You may be familiar with integer overflow, but what you may not be familiar with is how gcc handles signed integer overflow. First let's look at the standard. For unsigned integers, the standard says: "A computation involving unsigned operands can never overflow, because a result that cannot be represented by the resulting unsigned integer type is reduced modulo the number that is one greater than the largest value that can be represented by the resulting type." In other words, unsigned integer ov...

   Integer overflow,gcc,Linux     2012-10-20 13:33:10

  UIWebView Secrets - Part1 - Memory Leaks on Xmlhttprequest

My first blog post on the iPhone subject reveals a big memory bug when using the UIWebView component. This is the only component for displaying HTML content in an iPhone interface. The UIWebView object has a lot of different issues and I’m going to highlight the biggest of them. Actually, all XMLHttpRequests used in JavaScript code are fully leaking!!! I mean when you do a request that retrieves 100 KB of data, your memory usage grows by 100 KB! This bug is not always active, but almost always....

   XMLHttpRequest,Memory leak,Mobile device,UIWebView     2011-11-25 13:46:30

  The war with spam comment

Spam comments are annoying and notorious. They are either malicious data from hackers trying to exploit loopholes in the site, or advertisements posted by robots. These kinds of comments have their own features and patterns; if we are careful enough, we can find ways to block most of them, although it's not so easy. To block comments containing malicious executable code such as JavaScript, we should remember one rule: never trust user input. So wherever there are user inputs, we need to check the vali...

   Spam comment,Block,Filter     2013-11-29 20:29:43

  SameSite attribute in cookie

Starting from Chrome 51, a new attribute, SameSite, has been introduced for browser cookies. This attribute is meant to prevent CSRF attacks. Cookies are normally used to store data exchanged between client and server, and they frequently store user login information. If a malicious website can forge an HTTP request that carries a valid cookie for a third-party website, that is called a CSRF attack. For example, if a user logs in to a bank website your-bank.com, the bank server responds with a cookie: Set-Cookie:id=a3fWa; L...

   JAVASCRIPT,COOKIE,SAMESITE,CHROME,CSRF     2019-09-14 04:57:51

  Use Java ThreadLocal with caution

According to the Oracle documentation, ThreadLocal is a class that provides thread-local variables. These variables differ from their normal counterparts in that each thread that accesses one (via its get or set method) has its own, independently initialized copy of the variable. ThreadLocal instances are typically private static fields in classes that wish to associate state with a thread. In short, ThreadLocal variables are variables that belong to a thread, not to a class or an instance of a class. One common...

   JAVA,MEMORY LEAK,THREADLOCAL     2015-11-03 07:31:57

  A mini post on GoLang context

In a GoLang web server, every incoming request is handled by a goroutine. In the request handler, the logic may also need to create new goroutines to handle other tasks like RPC calls. When the request has been processed and the response returned, these goroutines need to exit so that no goroutine leak happens. package main import ( "fmt" "log" "net/http" ) func main() { http.HandleFunc("/echo", func(w http.ResponseWriter, r *http.Request) { fmt.Println(&r) w.Write(...

   CONTEXT,GOLANG     2019-12-14 06:21:02