- Who has the oil?
Wicked infographic that shows countries based on how big their oil reserves are.
(categories: via:jonudell maps oil infographic visualization infoviz )
- thoughtwax’s mihalycsikszentmihalyi Bookmarks on Delicious
Forgive me for bookmarking a bookmark. Quote: "Sony’s first mission statement: To establish a place of work where engineers can feel the joy of technological innovation, be aware of their mission to society, and work to their heart’s content."
(categories: business missionstatement sony innovation )
Category Archives: Uncategorized
Tomcat 6.0.18, Version 1 Cookies, Acegi Remember Me, and IE
I’ve got to write all this out hoping that it’ll bring some clarity to what I’m seeing. Here’s the stage:
- Tomcat 6.0.16 changed the way that cookies are sent from the server to the browser IF the cookie value contained any of the following characters: "()<>@,;:\\\"[]?={} \t", the change being that if you attempt to set a cookie while inside an application deployed in Tomcat 6.0.16, the cookie value would get wrapped in double quotes and the cookie version would get set to 1. All fine and dandy.
- Except that as part of the fix, someone decided that the path part of the cookie should also get wrapped in double quotes and IE6 and IE7 don’t like that, in fact they’ll ignore cookies where the value of the path attribute is quoted, which led to this bug getting filed and fixed as part of the 6.0.17 release.
At least they thought it was fixed, here’s what I’m seeing: if you set a cookie that contains any of the above mentioned characters (let’s say that hypothetically you’re using the TokenBasedRememberMeServices class, itself part of Acegi, that sets a cookie whose value is the Base64 encoded representation of your username, an expiration time and another string, long story short the value ends up looking something like this: YWFyb246MTIyODI0ODEwMjk5NjoyOGM5ODc4YzExOGZiOGZjZTBkZDE0ZTA1ZWRhZTM3Nw==) then Tomcat will end up wrapping the cookie value in quotes, will set the Version to 1 and … well, did you know that when you set the version of a cookie to 1 that the cookie looks different? Here’s Tomcat setting the cookie pre-6.0.16:
Set-Cookie: yankeessuck=YWFyb246MTIyODI0ODEwMjk5NjoyOGM5ODc4YzExOGZiOGZjZTBkZDE0ZTA1ZWRhZTM3Nw==; Expires=Thu, 19-Nov-2009 02:29:29 GMT;
and here’s the same cookie being set in 6.0.18:
Set-Cookie: yankeessuck="YWFyb246MTIyODI0ODEwMjk5NjoyOGM5ODc4YzExOGZiOGZjZTBkZDE0ZTA1ZWRhZTM3Nw=="; Version=1; Max-Age=31536000;
See the three changes? The cookie value is quoted, the version attribute was added and … hey, look at that, the expires attribute turned into the max-age attribute. I guess that’s cool right? I mean all browsers should support RFC-2109 (which was published in 1997 and then superseded by RFC-2965), right? Well, it looks like (and this is where I’m hoping someone will prove me wrong) neither IE6, nor IE7, nor Safari honor the max-age attribute which means, drum roll please, you can’t set a persistent cookie on IE6, IE7 or Safari via Tomcat 6.0.18 that contains any of the above mentioned characters. Someone PLEASE prove me wrong.
If I’m right (and this Citrix KB doc seems to back up the IE6 / IE7 behavior I’m seeing), anyone that has deployed an Acegi-based Java web application that uses the default TokenBasedRememberMeServices on the latest version of Tomcat is 100% screwed. I’m not sure who to blame more: IE for being the lamest browser ever (although Safari doesn’t seem to like Max-Age either) or Tomcat for changing (in a pretty big way) the way they publish cookies in a point release.
For more on RFC-2109 and RFC-2965, check out this blog post.
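Added example, not part of the original post and not Tomcat or Acegi code: a Python check that parses the two Set-Cookie headers quoted above, reports which one relies on Max-Age alone for persistence, and shows that the only listed character in the sample value is the Base64 "=" padding. The function names and the padding-stripping workaround are assumptions made for illustration.

```python
import base64

# Characters that, per the post, make Tomcat 6.0.16+ quote the value and set Version=1.
TRIGGER_CHARS = set('()<>@,;:\\"[]?={} \t')

# Sample data copied from the post: the remember-me token and the two headers.
TOKEN = "YWFyb246MTIyODI0ODEwMjk5NjoyOGM5ODc4YzExOGZiOGZjZTBkZDE0ZTA1ZWRhZTM3Nw=="
PRE = "Set-Cookie: yankeessuck=" + TOKEN + "; Expires=Thu, 19-Nov-2009 02:29:29 GMT;"
POST = 'Set-Cookie: yankeessuck="' + TOKEN + '"; Version=1; Max-Age=31536000;'

def trigger_chars(value):
    """Characters in a cookie value that force the quoted Version 1 form."""
    return sorted(set(value) & TRIGGER_CHARS)

def parse_set_cookie(header):
    """Return (name, value, attrs) with attribute names lowercased.
    Simplification: assumes no ';' inside a quoted value."""
    body = header.split(":", 1)[1]
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def audit(header):
    """Report how a Set-Cookie header asks the browser to persist the cookie."""
    name, value, attrs = parse_set_cookie(header)
    if "expires" in attrs:
        persistence = "expires"
    elif "max-age" in attrs:
        # Per the post, IE6, IE7 and Safari ignore Max-Age: session cookie there.
        persistence = "max-age-only"
    else:
        persistence = "session"
    return {
        "name": name,
        "quoted": len(value) >= 2 and value[0] == value[-1] == '"',
        "version": attrs.get("version", "0"),
        "persistence": persistence,
        "triggers": trigger_chars(value.strip('"')),
    }

# Assumed workaround (not from the post): send the token without '=' padding.
def strip_padding(token):
    return token.rstrip("=")

def decode_token(token):
    """Base64-decode a token, re-adding any stripped '=' padding first."""
    return base64.b64decode(token + "=" * (-len(token) % 4))
```

Running `audit` over captured response headers flags any remember-me cookie that would silently become a session cookie in the browsers the post names.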
Links: 11-3-2008
- 32. Facebook for Spies – TIME’s Best Inventions of 2008 – TIME
Huh, I wonder why they’d call it A-Space.
(categories: clearspace spies! facebook timemagazine inventions )
Links: 11-2-2008
- CS193P – iPhone Application Programming @ Stanford
Continuing ed online class @ Stanford on the iPhone.
(categories: iphone stanford tutorials programming osx mobile )
Links: 10-30-2008
- Code: Flickr Developer Blog » Lessons Learned while Building an iPhone Site
Great tips on building non-native iPhone apps.
(categories: iphone javascript mobile optimization )
- google-caja – Google Code
Caja (pronounced "KA-ha") is "virtual iframes": it allows you to put untrusted third-party HTML and JavaScript inline in your page and still be secure. Caja
(categories: scripting widgets xss opensource )
Links: 10-26-2008
- Coding Horror: The One Thing Every Software Engineer Should Know
Quote: "Just because you’re a marketer doesn’t necessarily mean you’re a marketing weasel. Sure, the two things are highly correlated — but at its core, marketing is little more than an intermediate level course on fundamental human communication. Not something us programmers have historically been so great at. "
(categories: software programming marketing engineering )
- Product Parenting
Mostly about product management. Quote: "Unlike your coworkers, software products deserve to be treated very much like children. They’re rebellious and wayward. They need to be given strict boundaries and lots of guidance."
(categories: productmanagement management software business )
- Google Enterprise website search solutions
Sheesh. If you want to develop against a Google Search Appliance, you pay $5k, attend onsite training and complete a certification and then… then they’ll send you one of the appliances. Retarded.
(categories: google enterprise search certification )
- BibliOdyssey: River Deep Mountain High
Some wicked cool maps / infoviz showing the relative heights of mountains and rivers.
(categories: visualization maps mapping rivers mountains )
- WordPress › Blog » The Visual Design of 2.7
I really like the dashboard. The top two widgets on that page (stats, right now) are money.
(categories: ui interface design blogs wordpress usability )
Links: 10-15-2008
- Yahoo! Releases OpenID Research (Yahoo! Developer Network Blog)
Quote: "Now the bad news. None of the users had heard of OpenID before, and none of them even noticed the OpenID sign-in box displayed below the traditional email/password login form on the site. In many cases, the test subjects entered their Yahoo email address and Yahoo password to try to log in. We had told the test subjects that they could sign into the site using their Yahoo! account without having to register."
(categories: openid ux usability research fail )
- Rands In Repose: The Culture Chart
Quote: "Unlike the org chart, you’re not going to find the culture chart written down anywhere. It doesn’t exist. The culture chart is an unwritten representation of the culture of your company and understanding it answers big questions that you must know: * What does this organization value? * Who created this value system? * Given this value system, who contributes high value? * Who is most aware of how value is being created?"
(categories: strategy software culture value )
Links: 10-14-2008
- The Programming Aphorisms of Strunk and White – Coding the Wheel
Good stuff on programming from a book about writing.
(categories: writing quality programming softwareengineering style simplicity )
Links: 10-11-2008
Links: 10-8-2008
- Thoughts on the Financial Crisis – O’Reilly Radar
Quote: We don’t know yet how problems in the overall economy will affect our business. But what we can do now are the things we ought to be doing anyway: * Work on stuff that matters: Assuming that the world does go to hell in a handbasket, what would we still want to be working on? * Exert visionary leadership in our markets. In tough times, people look for inspiration and vision. The big ideas we care about will still matter, perhaps even more when people are looking for a way forward. (Remember how Web 2.0 gave hope and a story line to an industry struggling its way out of the dotcom bust.) * Be prudent in what we spend money on. Get rid of the "nice to do" things, and focus on the "must do" things to accelerate them.
These are all things we should be doing every day anyway. Sometimes, though, a crisis can provide an unexpected gift, a reminder that nobody promised us tomorrow, so we need to make what we do today count.
(categories: strategy economy future business quotes )