
2011/06/24: Security Things


So, I was sick for the past week or so. Symptoms included stomach-ughiness, feeling stomachaches in place of hunger, and headaches; there was also one instance of throwing up, after which I immediately began recovering. I believe I am now well enough to resume being a functional member of society, insofar as I am technically a NEET. Also, this is why I had no comic this past Sunday, for those of you who ignore comments.

I've set up a new function on the site: "Always view site in Secure-HTTP," which you will see below the title of every page, right by the "permanent link" and whatnot. With this enabled, even if you go to http://dizzy.pestermom.com/?p=blog-20110624, it will automatically redirect you to https://dizzy.pestermom.com/?p=blog-20110624. It uses a cookie, like some other things on the site.

Getting it to turn on worked well enough, but I had a disproportionate amount of difficulty getting the code to turn it off. There were no errors or anything, it was simply not turning off, and I didn't have the faintest idea why. Here is where the problem was, rendered here in pseudocode:

  • If the "alwaysSecure" cookie is set OR the "alwaysSecure" parameter in the URL is "yes," then set the "alwaysSecure" cookie so that it will expire 30 days from now (as opposed to the previous expiration date, if it was already set).
  • OTHERWISE, if the "alwaysSecure" cookie is set AND the "alwaysSecure" URL parameter is "no," delete the "alwaysSecure" cookie.

Can you figure out what I did wrong?[1]

Mini review of Duke Nukem Forever, having completed it: Mediocre game overall. Graphics are kinda shitty in some places. Bits of cleverness buried under tons and tons of stupidity (macho and otherwise), which it frankly revels in, even when it makes fun of itself. Some story-elements are abhorrent if taken seriously — not that you should probably take the game that seriously, I mean the protagonist is literally "first name: Duke, last name: Nukem"; but I will not blame anyone for abhorring them.

Statler: I guess the only award Duke Nukem Forever will win is the Guinness World Record for "longest time in development"!
Waldorf: Think anyone'll ever beat it?
Statler: Nope! Always bet on Duke!
Both: DOHOHOHOHOHOHO!

[1] Answer: The condition for turning the system off is that the cookie should be set and alwaysSecure is no, but for turning the system on, it only requires that the cookie be set. The cookie is set no matter what, and since it was checking the turning-on conditional before the turning-off conditional, it never got a chance to check if alwaysSecure was no. I solved the problem by simply reversing the order of the two conditionals.
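The two orderings from the answer above, modelled as an added Python example (not the site's own code). The cookie value, the `Path=/` attribute, the `blog.example` host and the function names are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

COOKIE = "alwaysSecure"        # cookie and URL parameter name from the post
MAX_AGE = 30 * 24 * 60 * 60    # 30 days, in seconds


def decide(cookie_set, param, fixed=True):
    """Return 'set', 'delete' or 'none' for one request."""
    turn_off = cookie_set and param == "no"
    keep_on = cookie_set or param == "yes"
    if fixed:
        # Corrected order: the narrower turn-off test runs first.
        if turn_off:
            return "delete"
        if keep_on:
            return "set"
    else:
        # Order from the post: this matches whenever the cookie exists.
        if keep_on:
            return "set"
        if turn_off:           # unreachable: turn_off implies keep_on
            return "delete"
    return "none"


def handle(url, cookie_header="", fixed=True):
    """Model one request; return (status, response_headers)."""
    parts = urlsplit(url)
    param = parse_qs(parts.query).get(COOKIE, [None])[0]
    cookie_set = COOKIE in SimpleCookie(cookie_header)
    action = decide(cookie_set, param, fixed)
    headers = {}
    if action != "none":
        jar = SimpleCookie()
        jar[COOKIE] = "yes" if action == "set" else ""   # value is assumed
        jar[COOKIE]["max-age"] = MAX_AGE if action == "set" else 0
        jar[COOKIE]["path"] = "/"                        # assumed scope
        headers["Set-Cookie"] = jar[COOKIE].OutputString()
    if action == "set" and parts.scheme == "http":
        # The upgrade happens only after the plain-HTTP request has arrived.
        headers["Location"] = parts._replace(scheme="https").geturl()
        return 302, headers
    return 200, headers


if __name__ == "__main__":
    url = "http://blog.example/?p=x&alwaysSecure=no"   # constructed request
    for fixed in (False, True):
        print(fixed, handle(url, "alwaysSecure=yes", fixed))
```

With the original order, the opt-out request gets a refreshed 30-day cookie and another redirect; with the reversed order, it gets `Max-Age=0` and no redirect.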

2 Comments (auto-closed)

John Evans

I would have said something along the lines of...

if (alwaysSecure cookie is set)
{
    test if we want to turn it off; otherwise turn it on;
}
else
{
    test if we want to turn it on; otherwise do nothing;
}

Statler and Waldorf make anything better.

Dusk

I feel happy with myself for figuring out what the problem was before looking at the answer.