LJlogin Announcements and Discussion

The subject pretty much says it all. I am, in fact, running Firefox 3.5 with LJlogin 2.1.3 right now, and you can be, too! The Find Updates button should hopefully work, This Time For Sure, at least assuming you're already running 2.1.2, but failing that, there's still the LJlogin site that you could get the new version from.

Other useful links, especially for Windows users:

• The New Profile Dance
• Password Exporter extension, which is useful for doing clean exports/imports of your passwords, for times when copying the password database files doesn't work because the files themselves are messed up somehow.

Share and Enjoy!

So, given the number of "when will LJlogin support FF3.5?" questions I got back when 3.5 was still only in the release-candidate stages, I'm sure lots of people have been hoping I'd get it done now that it's officially released. Yyyyyeah, I tried. Sorry, folks, I really did, but it turns out that it isn't quite as simple as updating the maxVersion number and rebuilding.

It should be, according to the all of the change documentation I've seen. Instead, for no reason I can adequately determine at this increasingly-late hour, the preference observer I set to look for changes in which sites a user has enabled to update the statusbar... eventually just stops getting called. If anyone else in the audience with Firefox extension development experience can offer any insight on that, I'd appreciate it. In the meantime, I'll try again tomorrow after work. I just wanted to put something up to stave off the inevitable "when?" questions.

EDIT: While I appreciate the sentiments and all, I don't really need my inbox getting filled with encouraging buttpats about how people love LJlogin and are waiting on me to upgrade and whatever. Suggestions on dealing with the problem I stated above, however, are more than welcome. I love you all, but I'm more concerned for my technical issue. :-)

Sigh. Okay. This is a really minor update, so that Dreamwidth users can ask LJlogin to log in usernames up to 25 characters. (Technically, it lets any other sites' users try it too, but those other sites won't like it, so don't do it.)

Hitting the "Find Updates" button in Firefox's Add-Ons box should get you LJlogin 2.1.2. For some people, it might. For others, it might not. For those who it doesn't work for, uninstalling the old and installing the new ought to work instead, but before you do, please look under Tools -> Error Console, see if there are any error messages that reference LJlogin, and if there are, post them here so I can maybe suss this out one of these days? Thanks.

Also, before I open up the floor to commentary, I am going to link to: The New Profile Dance. If you find that LJlogin Suddenly Stops Working For No Readily Apparent Reason, especially if you're on Windows, try this first.

Okay, good news and bad news.

The good news: LJlogin 2.1.1 is now available. It's a small update, as such things go, but those users who are on either Inksome or Dreamwidth will probably be happy that there is now support for them. (The Dreamwidth support is subject to some future fluctuation as DW themselves get their stuff buttoned down, but logging in and out works fine.) There's also a tiny fix to the logout procedure so that it actually tells LJ what session to expire, rather than expecting it to... I don't know, magically intuit it somehow, oops.

The bad news: I forgot the password to the program that signs the updates manifest and thus had to generate a new set of keys for it, so Firefox is going to complain if you go into the Add-Ons box and tell it to look for an update. You're going to have to uninstall 2.1.0 and install 2.1.1 from the website. Sorry. I've got the new password saved somewhere, so this shouldn't happen next time.

The website also includes, in the Roadmap under the milestone "The Future," a list of things I plan on working on sometime soon-ish.

Share and Enjoy!

Okay, folks. If your browser hasn't already offered it up, go ahead and punch your Find Update buttons. 2.1.0 is live and I'll get to see just how well my server can take the strain this time.

Yes, this version includes support for FF3. Secured Updates was actually less of a pain in the ass than I feared. However, I never thought that I could possibly hate whatever would come to replace FF1/2's Password Manager more than I hated the PM itself, but FF3's Login Manager has made the impossible possible.

Yes, this version shuffles the preferences into a tabbed system that shrinks it down to a size that should be manageable for most folks. I also have vast hate for dialog box XUL coding, but that's not exactly news.

For the overall list of features, what relative few there are, consult the roadmap entry for this version.

EDIT: Some people seem to be reporting issues with getting updates to work. In that case, go right to the source and ask the horseand get the package from the link there.

To paraphrase from my response to someone who commented to ye olde 2.0 release post, asking about my progress on updating LJlogin:

Yes, I'm working on it. I've nailed down the remainder of the new feature/bug set, made a development branch in the revision control repository, set up dev profiles for FF2 and FF3, and started on adding in FF3 Login Manager support last night. Progress will happen as I have time at night, once I'm home from work.

(And I'd like to take a moment to ask the Mozilla team, in the highly unlikely event that they might be watching, just how fucking hard it could be, in the process of completely revamping their password/login manager system to presumably be better/easier to use, to have put in a function to extract just the one set of login info for a specific site-and-user... like they had for the old Password Manager... instead of having to get all logins for the site and then do a loop yourself comparing the usernames 'til you get the one you want. Big ol' wind-up cymbal monkey clap, there, guys.)

You can follow what progress I make as I make it via the LJlogin site, linked from the comm. (The Roadmap, in particular, has a nice progress bar view of how many tickets have been closed out of how many completed.) If you have actual bugs or feature requests, you can go ahead and make them, but I'd ask that people not just chime in to cheer me on or ask how I'm doing. I appreciate the support, but it takes time to look them over and delete them that I could spend getting actual things done. Thanks. :-)

It is with a great deal of relief and some quantity of pleasure that I finally release LJlogin 2.0, the long-awaited, much-anticipated overhaul and feature upgrade of everyone's favorite Firefox-based LiveJournal account management system. In the process, I'm also announcing the official opening of the new LJlogin site, built on the Trac system, which will allow me to more readily provide updates to documentation and a view into the source code and any issues I create in the tracker for things I'm working on for any future versions.

For a full accounting of the new features and such, please see the roadmap entry for this milestone. A couple of things that I can readily tell you are that you will need Firefox 2+ for this -- sorry, 1.x users, but you'll have to catch up to the modern world :-) -- and that yes, this version does include support for multiple LJ sites.

So, fire up your Find Updates buttons, and Share and Enjoy!

Okay. One bugaboo that several people, myself included, have grumbled about is that despite LJlogin assuring you that you're logged in, ScrapBook refuses to believe it. Well, I've finally done about as thorough an investigation as I can manage, and the results... are not good, and have me rather annoyed.

Once upon a time, there was the ljsession cookie, which represented the sum totality of authentication and session management. Then a bunch of pwnage happened, and LJ realized how hellaciously insecure that was, so they went to what they referred to as the "2+n cookie scheme". In the 2+n scheme, there're the ljmastersession cookie, which is similar to but more complex than ljsession used to be, and the ljloggedin cookie, which provides a uid/sessionid mapping. Those are the "2", and the "+n" are what they call "domain session cookies", one per user account whose journal you visit. The idea is that the most a person who sets up some malicious JavaScript in their journal layout can manage to thieve is the domain session cookie, which doesn't provide enough info to pwn your account.

So what happened to good ol' ljsession? Well, if you log in via login.bml, it gets set to the value of a domain session cookie that ScrapBook can recognize. Problem is, the creation of a domain session cookie can only happen on LJ's servers, because they require a lookup/generation of a time-based randomized "secret" that's stored in LJ's database. Everything else that goes into a domain session cookie, I can construct, but without that secret, I can't actually create one, and LJ's client interface provides for no such thing.

I could, probably, theoretically, do something involving making requests to login.bml and scraping the results I got, but that would be a much more complex, probably error-prone, and ultimately disgusting procedure, so just so everyone knows, I'm considering "ScrapBook login compatibility" to be way the hell down towards the bottom of the feature pile. If someone wants to find someone at LJ to talk to to add a "generate a domain session cookie based on your existing master session stuff" client protocol call, that'd be awesome, but I really can't be arsed to do the necessary "which comm do I post to, and how can I be sure I talk to an Actual LJ Person and not a Volunteer Who Can Only Pass Things Along To Actual LJ People" investigation myself right now, when I have to worry about getting myself organized to work on the chunks of code I can readily improve myself.

Okay. End of tl;dr rambling and ranting.

Okay, folks. Go ahead and hit that "Find Updates" button in the Add-Ons box and get yourselves the LJlogin 1.2.1 update. (I'm confident enough in the general FF2.x compatibility to finally consider this a full point release update, complete with update notification support and all. Aren't I nice.)

What was wrong? Well, basically, at some point, while studying how cookies work, I coded the session saving function to write the cookie to include "HttpOnly" ; I can't recall if I actually thought I understood what it was for, or if I just thought it should be there. It turns out that that's a flag to say "hey, no, don't let JavaScript muck about with this cookie", and Firefox just never paid attention to that before now. And since LJlogin is JavaScript-based, well, yeah. I take that out of the cookie strings, and suddenly it's like magic. Magic and crankiness.

My thanks to bogboblin and kintotech for the first bits of solid info on what users were seeing, beyond "it doesn't work," and my profound thanks to Ted Mielczarek for the Extension Developer's Extension, which was invaluable to the actual debug process.

Hi, yes, I'm aware that the 2.0.0.5 upgrade to Firefox breaks LJlogin. My thanks to everyone who's informed me of this on the previous post. :-) (Actually, no, seriously, it's good to get sufficient independent confirmation.) For those of you who didn't know, uh, don't upgrade to 2.0.0.5. For those of you who did, uninstall and get 2.0.0.4 again until I upgrade myself and do some code spelunking.

I have to say, I'm vastly unimpressed with Firefox having apparently fucked something in their APIs over the space of a point release update. Dirty pool.

I'll update again when I have a new release. Just to warn you all, though, I'm currently only aiming to fix this problem; I haven't yet gotten it in me yet to tackle all of the other cross-extension incompatibilities and wanted features yet. (If anyone else cares to tackle any of these, however, I do accept patches. :-)

It's done. Finally. I am so freakin' crispy now. But it's done, and I'm announcing the release of LJlogin 1.2.0, available from the usual location.

A few notes: First off, the website has not been updated to reflect the additions and changes to LJlogin's functionality. I'll work on that later. There was a maybe-related something I was going to say here, but I've forgotten.

Also, users of SessionSaver will probably find that it stops working upon installation of LJlogin 1.2.0. This is a known flaw, and will be worked on and hopefully fixed in 1.2.1 when I recover enough from the coder burn of the 1.2.0 dev cycle. In the meantime, Crash Recovery is LJlogin 1.2.0-compatible, and can be made to serve as a session saver by following the directions on its page. Apologies for any inconvenience on that score.

Finally, if any of you should happen to ever be in the Fredericksburg, Virginia area, feel free to look me up. :-)

Share and Enjoy!

[Edit: I'm lazy, so this is an edit rather than an entirely new post. FF2.0 users, try out version 1.2.0a from the website. It's the same code, but with the maxVersion bumped up to 2.0+.]

[Edit the second: For you GJ users out there, libekory has a present for you, to tide you over until I eventually maybe add multi support into the code base.]

Not quite an announcement, but more than just silence.

1.2.0 is what I like to call "feature-complete". This means that I've finished all the work of coding in new features and fixing all the new bugs that those new features cause. As it currently stands in my version control repository, LJlogin will, as far as I can tell, perform all the functions I've required of it. (And it's about goddamned time; the last couple of feature-adds involved too much mystery-solving in the debug phase.)

I'm not releasing it yet, though, because there are some re-factoring things to be done based on things I've learned in this dev cycle -- in other words, holy shit, is there some stuff I've been doing in rather too roundabout a manner, and I need to clean that up, or I'll feel dirty about it -- and if I don't do it now, I know I won't bother until the next time something breaks and I curse myself for being lazy. This should, to my mind and in my hopes, not take more than another couple of days at most.

Almost there, folks.

Hi, gang. I've seen all the latest comments in the last post. Yes, LiveJournal apparently did something new in their "security" procedures to utterly fuck LJlogin. Now the ljsession cookie no longer contains the username at all. They've also apparently added an "ljloggedin" cookie containing a subset of the information from ljsession. I'm totally not happy about this.

I've also only been awake for about 15 minutes or so, and have to get ready to go to work. I have no time estimate on a fix. Sorry to disappoint everyone on that score; the last fix was so quick because all it needed was a quick improvement to how I was doing one thing. Now I have to find out if there's any way at all to usefully get a username given the information that's being provided now. It'll take some research, and possibly some support requests or something, and who the hell knows how long it'll take.

Goddamnit. Fuck you, LiveJournal, right in the ear.

As just about everyone knows by now, LJlogin stopped working within the last day or so. I don't know the specifics behind their doing so, but I've tracked down the problem to a change in the ljsession cookie that LiveJournal returns.

It's ultimately my own fault, as the function that extracts the username from the ljsession cookie (used to print the username in the statusbar and to hand to LiveJournal during a logout attempt) made an assumption about the pre-username content of ljsession that was suddenly no longer valid. Thus, the regexp I was using failed, and thus the username wouldn't be returned, leading to much wailing and gnashing of teeth, etc.

However, it turns out that JavaScript has a function that can split a string based on a field delimiter. I didn't know that it did, but I've seen it in other languages so this time I went looking for it and found it, and using that instead of a regexp search not only fixes the problem, but should hopefully prevent it from happening again, barring a more extensive change to ljsession cookies.

In light of this, I'm releasing LJlogin 1.1.1, implementing this fix. It's available at the usual location. This is the only change from 1.1.0; further feature additions are beyond the scope of what I planned on for tonight, although I am thinking of them for the future. Share and Enjoy!

The subject line pretty much says it all. The important stuff, anyway. I did some reading, found where things did and didn't change between Firefox 1.0 and 1.5, and implemented the needed changes. I'll have to admit that I haven't test it myself, having still not gotten my system in general upgraded, but others I've asked to test a release candidate indicated no problems, so I'm comfortable enough going public with it now.

It's available via the link from the userinfo page, as usual, plus the Update button in Tools->Extensions should Do The Right Thing.

Also, for Mozilla Suite users, I'm sorry, but I tried. I really did. There are just too many stupid little differences -- not least of which being the utterly retarded unstandardized "write your own install.js" non-system for installation -- to make it worth the trouble of trying to make it work. I hate to have to put it this way, but suck it up and install Firefox already. :-)

Comments, etc., as usual, are always welcome. Share and Enjoy!

Sorry, 1.5 users, I'm still not ready for you yet.

Anyone still using pre-1.5, however, may be interested in LJlogin 1.0.1, available from the URL in the userinfo and, theoretically, the "Update" button in Tools -> Extensions. New in this point-release version is, I think, fixes for incompatibilities with Google Toolbar and ForecastFox (both of which I've heard complaints about) without breaking something else further.

I may try to follow any guides to upgrading 1.x extensions to 1.5 that I can find, and put up a test release to see if blind crash-course upgrading without a test setup somehow does the job. Or abuse whatever version of Firefox is on the work machine at my new job. Something to get it done sooner than next year, if I can manage it.

As usual, feedback and assistance is appreciated whenever offered. Apologies if this post is a bit erratic; I need to get to bed soon.

Because I've gotten the question a few times, and seen comments elsewhere, this little announcement:

Support for the shiny new Firefox 1.5, plus hopefully fixes for whatever glitches are causing bad interactions between LJlogin and a couple of other extensions I've heard of, are forthcoming. Eventually. Here's the thing: I'm a couple of major versions behind in my machines' FreeBSD installs, so building apps like Firefox is a somewhat hit-or-miss proposition at the moment. Thus, my machines need to get reinstalled with the latest stuff first before I can do development-y stuff.

And I'm in the midst of getting myself moved down from Maine to Virginia to start a new job next week, driving with a carload of stuff (including my current active machine) on Saturday and the rest (including my currently inactive other machine, which will be switching server/desktop roles with this machine in the course of the reinstall) in a truck driven down by my parents shortly before New Year's. This should give you an idea of my available timeline for making necessary updates.

So, well, yeah. Probably not getting to 1.5 and other fixes sooner than January, unless someone wants to step up and give it a go. Apologies for the inconvenience, but real life has to take precedence here for bit.

So, since I'm about to bump the version on LJlogin to 1.0.0 and start making release announcements, I figured I should set up a community from which I could make announcements and receive comments. Maybe eventually I'll open it up so others can make general discussion posts, but not right away.

If you're here, then you presumably have some interest in my LJlogin extension for Firefox. (If you want the homepage to install it, there's a link in the sidebar.) Welcome! I hope you find it of use. Let me know if there are any problems. Share and Enjoy!