My XNA game needs to connect to my website with a WebRequest to a PHP page that checks the database for the user and checks to see if the password is correct.
I already have a login script that will return a message such as "success" or "fail" obviously this is temporary and needs to be improved for secrity reasons, it could easily be faked.
C# Login Request
//Create the POST data
ASCIIEncoding encoding = new ASCIIEncoding();
string postData = "username=" + user + "&pass=" + pass;
byte[] data = encoding.GetBytes(postData);
//Make a request
WebRequest request = WebRequest.Create("http://example.com/login.php");
request.Method = "POST"; //We are posting the info
request.ContentType = "application/x-www-form-urlencoded";
request.ContentLength = data.Length;
//Open a stream, write into, then send it
Stream stream = request.GetRequestStream();
stream.Write(data, 0, data.Length);
stream.Close();
//Get response
WebResponse response = request.GetResponse();
stream = response.GetResponseStream();
//Make a new stream, We will read from this
StreamReader sr = new StreamReader(stream);
string responseString = sr.ReadToEnd();
//TODO: If the responseString says the client if authenticated, procede, if not, display error to user (Invalid password, etc)
And the PHP script just finds user and compares submitted password (All of this is integrated with a Joomla site database, so users have a site and game account).
Now, how can my PHP script send back a reliable way of authentication, and provide some sort of token/id, so when I want to submit for example, a high score later, it knows that it is coming from this user, and isn't being faked?
To be blunt, there's no real way to ensure the data you are receiving in your PHP script is actually coming from your client. The best you can do is make it harder. Do be careful how much time you spend on this, it's a deep well, and those that want to cheat will.
Session Hijacking is only really concerning 3rd parties who are trying to access or manipulate your information. For games, this 3rd party doesn't care about your high score, they want credit cards and passwords. (Passwords are an other story, but you pretty much need SSL)
From your description, you are primarily concerned with cheating, and essentially all cheating is 1st party. The player wants to cheat. The only sure way to prevent (most) cheating is to run the game on your own systems and give the client as little control as possible (eg. EVE Online, Diablo 3, anything Blizzard). This is usually quite difficult to achieve, so I'll propose some alternatives.
To understand your enemy, there are a plethora of memory editing tools out there. Everything from injection functions to changing your money from 100 to 999999 can be done. Changing numeric values (like score) would take me ~15 minutes, and I am not very good at it.
Sanity checking. In your PHP, make sure the submitted score actually makes sense. Assume everything you get from the client is manipulated.
Punkbuster. Paying companies like Punkbuster or getting your game on Steam where you can (might be able to) use VAC. These tools don't publicize how they work, and VAC even has a delayed ban system so that you don't know what triggers it, but in broad strokes, they monitor for memory changes and/or scan for known hacks.
Honesty. Pssh, yeah right (j/k). Lol, but really: You trust your friends right? Consider scoreboards without griefers.
Maybe implementing something like season-based scoreboards? Every X days, the scoreboard resets. This reduces the incentive to cheat.
And that's pretty much it. You can try to obfuscate your memory values and it might stop people like me, but if somebody wants it bad enough and knows enough, they'll be able to break it and release a tool.
I will say this though: Make something worth hacking first! If people have gone through the effort to cheat, that's a great sign, and you should feel happy.
You're referring to a Session Token. Session tokens are a great way to authenticate actions for a given period of time after sign in. Your php can associate a session token with a username, which gets cleaned by a server process after a given amount of time, at which point the user must again log in.
Related
Q1 - I have been reading through the docs for reCaptcha, and looking at many different forum cases but I am not experienced with API calls at all - I am trying to add a captcha to my custom contact form but I am stuck on the verification step trying to figure out how/where to send the info for verification, and how/where to receive it so I know weather or not the user is verified.
(Side Question: Why is it necessary to validate the token generated by the captcha? Isn't it good enough that you can tell weather or not the puzzle/answer was solved?)
Before the closing head tag:
<script src='https://www.google.com/recaptcha/api.js'></script>
End of my form:
<div class="g-recaptcha" data-sitekey="my-site-key"></div>
I can see the string/token generated by a correct answer when I call:
grecaptcha.getResponse();
Now (as I understand it) I have to verify this string/token which is where I get stuck:
URL: https://www.google.com/recaptcha/api/siteverify
METHOD: POST
DOCS: https://developers.google.com/recaptcha/docs/verify
I am relatively decent with jQuery and vanilla JS but when it comes to API calls I have almost no experience, which is why at this point in the docs I am unsure of how to 1 - form an/the API call (for verification), 2 - where to make the API call from template files-wise, 3 - how to get the response back, or rather how the response comes back.
As I mentioned I am using a Bigcommerce store, and the Google reCaptcha documentation mentioned in several different areas that this step is done on the server-side (or should be). I know that I am fairly restricted in the template files that I can modify - I can view and modify the HTML/CSS/JS files but I have no access to any PHP.
Any help or push in the right direction would be greatly appreciated - at this point I am going in circles finding and trying to read/follow the same docs (Google and other) and forum cases. Thank you.
Trying to answer your questions one by one.
Client side Captcha's are discussed here, please check and note that considering the power of Java Script, client side captchas are not safe.
How reCAPTCHA works: Once someone include below script, google will verify
user.
https://www.google.com/recaptcha/api.js
Writing below attributes in the Form will send data to google first and
response will be added in final post of the current Form with
attribute named g-recaptcha-response :
<div class="g-recaptcha" data-sitekey="your_site_key"></div>
How to validate reCAPTCHA One has to validate this g-recaptcha-response with google. [ NOTE: this is requried becaues
client can send any random value for attribute g-recaptcha-response
without going through Captcha ]
$verifyResponse =
file_get_contents('https://www.google.com/recaptcha/api/siteverify?
secret='.$YOUR_SECRET.'&response='.$_POST['g-recaptcha-response'])
/*allow_url_fopen must be ON if you want to use file_get_contents.
check it using phpinfo();*/
file_put_contents( "logfile", $verifyResponse, FILE_APPEND );
$responseData = json_decode($verifyResponse);
$register_result = 'Robot verification failed, please try again.';
if( $responseData->success )
{
$register_result = 'You are not a bot';
}
else $register_result = 'You are a bot.';
Captcha with HTML/JS/CSS reCaptcha will not work for you if you don't have PHP access.
Puzzles as Captcha Captcha Puzzles are also possible and such captcha's are also available but they are handled on server side.
The reCaptcha verification si to make sure that the answer you received does come from reCaptha server, that the user is not a robot, that it hasn't matured, and that it hasn't been used more than once.
All this is really important to the server running the app, more that the cliente showing the form in order to accept or reject the form to be processed.
This is why the validation has to be done on the server. The client is an unsecure environment that can be tricked so the server cannot trust it.
Besides, to do the validation you need a secret api key. As it is secret it can't be embeded into the client code.
If you don't have access to the php or cannot add and aditional php to do the validation, I don't think you can implement reCaptcha.
EDIT I
The bottom line is that client code (js, jQuery running in a browser) cannot be trusted to do any kind of validation from the server point of view.
For example suppose you implement an input element for the user to enter the result of the sum of two random integers between 0 and 9. Very simple.
In the javascript code in some place there is an:
if(a + b === c){
sendFormToServer();
}else{
reject();
}
Anyone using the browser's developer tools could bypass the "if" and directly call sendFormToServer(). And the server has no way of knowing it.
I'm using Java but the question is language-agnostic, so I posted it under twilio-PHP tag too.
My application needs to connect two customers: A and B. I want to transcribe the conversation and find out whether one of the parties did not pick up and screened the other to voicemail.
I'm following the steps in the click-to-call-tutorial
However, it looks like the Rest API supports recording but not transcription. I successfully can do:
Map<String, String> params = new HashMap<String, String>();
params.put("From", myTwilioNumber);
params.put("To", customerAPhoneNumber);
params.put("Url", "http://MyHandler.jsp");
params.put("IfMachine", "Hangup");
params.put("Record", "true");
Call call = client.getAccount().getCallFactory().create(params);
which gets the entire conversation recorded, but not transcribed!
As a side note -
params.put("IfMachine", "Hangup");
indeed hangs up, when reaches voicemail, but not before leaving a voicemail with random noise. Looks like Twilio's "probing" the response, and by the time it understands it got to voicemail, background noises have been recorded. Which is terrible user experience. Any advice?
Additionally, my call handling servlet does:
TwiMLResponse twimlResponse = new TwiMLResponse();
Say sayMessage = new Say(
"Hi, customer A, stay on line to speak with customer B?");
twimlResponse.append(sayMessage);
Dial dial = new Dial(customerBPhoneNumber);
twimlResponse.append(dial);
But when I'm looking at the TwiML Verbs , there is no place where I can set params.put("IfMachine", "Continue") . So the field call.getAnsweredBy() is null for the second call. In other words, I cannot know whether conversation between customer A and B ever happened.
Additionally, [TwiML Verb Record] ( https://www.twilio.com/docs/api/twiml/record ) does allow transcription, but if I do
twimlResponse.append(new Record());
it stops the conversation and records one of the customers.
So I cannot direct the REST API to transcribe, and TwiML Verbs does not even record the conversation in a way I want.
Can anyone help?
Thanks.
Twilio developer evangelist here.
I'm afraid that when recording both legs of a call, using the REST API, then transcription is not available. Transcription is only available on single messages recorded by the <Record> verb when the recording is under 2 minutes long.
I'd recommend recording the call and downloading the file to be sent off to a third party transcription service in order to transcribe longer, 2 legged calls like that.
In terms of the answering machine detection, it is an experimental feature and requires Twilio to listen to the first few seconds of a call to work out whether it is a machine or not. A good alternative, which can work as part of your <Dial> verb as well, is to use call screening. This is a good article on the pros and cons of AMD, as well as a good description of using human detection by call screening.
Let me know if this helps at all.
This is YouTube's 500 page. Can anyone help decode this information?
<p>500 Internal Server Error<p>
Sorry, something went wrong.
<p>A team of highly trained monkeys has been dispatched to deal with this situation.<p>
If you see them, show them this information:
AB38WENgKfeJmWntJ8Y0Ckbfab0Fl4qsDIZv_fMhQIwCCsncG2kQVxdnam35
TrYeV6KqrEUJ4wyRq_JW8uFD_Tqp-jEO82tkDfwmnZwZUeIf1xBdHS_bYDi7
6Qh09C567MH_nUR0v93TVBYYKv9tHiJpRfbxMwXTUidN9m9q3sRoDI559_Uw
FVzGhjH5-Rd1GPLDrEkjcIaN_C3xZW80hy0VbJM3UI5EKohX35gZNK2aNi_8
Toi9z3L8lzpFTvz5GyHygFFBFEJpoRRJSu3CbH5S2OxXEVo4HgaaBTV7Dx_1
Zs1HZvPqhPIvXg9ifd4KZJiUJDFS8grPLE7bypFsRamyZw-OCVyUHsGQKBwu
77pTtRwpF3hOxYLxM4KnAyiY1N6yrASSWyaeumRDENAoEEe8i8MRxzifqHuR
leatvNMiwsg1pbSl7IIiaKljZaD9UkRms4Kvz1uYUNk4AwXnJ9-Wq44ufMPl
syiHp_LwaeqyuxXykJMl-SA9p05VrJc4kCETUW3Ybp0yTYvVrqggo56A0ofC
OiyAmifQA9pdYVGeumrQtbFlFyDyG9VKNpzn5lqutxFZPsS8xjiILfF3bETD
H4aUb5fT4iERFsEL7S-ClsXiA4yAJdAcNH-OhGg9ipAaIxRRTOR5P1MYx6s6
-OrqgpT5VEaEx2hMpS1afaMd2_F21sxvcz2d8sCpEceHHSfsntTth6talYeD
4l63aUTbbCKV1lHxKWxdUjACFKRobeAvIpcJPcdHSN3CNQI-LlIWIx9jeyBU
tDcL6S6GpRG_Z2of9fmw0LHpVU5hKlQ3lCPd4pVP6J02yrsBi0S9OLoE9jmM
T2FfCvU1sWUCsrZu4-UPflXMyRnFK8aN8DYiwWWE8OvnLQ-LIaRDhjp29u9a
LT6Lh4KxEmWF5XeZTwrzJxtuDLVomxVD5mpwFvK0YSoaz9dnPGXb0Fm2txSL
BvGssSrWBJ4FeR6eEEkd_UkQ-aUnPv2W-POox17n54wzTwLugYjslRenMzmk
I4_jlXcx9NpKmUg7Pa0qJuaElt-ZymPv6h0cXRUlyZtS0iT9-CQOHWLYMi3I
kKrYa6bKUCAj058JEderSnbXqGEMvwBeZ_xgJpAjJiSgMOxJPokhbS6ezIv4
1JNr_dvQyvu4vh-YQNZ37fNTqQcoDZtYflBsJjuGrJlmIcqBYufB9g6nUaOE
xPAKjPdvZ_z1Rn_8sWVf8NHNBBKGe5lgDgBxypsV0kIwVa9QOlehivOaieBI
tmqHNdQIfdob0XUTEBPSeLj9hmw3Bqplc3gqUfFhIvpHml6dOTbjBhfkq0TE
5yCRHL2VSe2Xt9_i8SPQA2yCtJVO8HP6pnohmxqlBWSTE8Xj87PI6quX7f9i
0W6PdtkMYaGJsd_Ly_4Ag-KmGNHN585tF9eC5HeQ8Gz-vHZWOUiM4OQAG9UA
31ENOAjHtYb--ketbUcdX_FdjGiPtI_GxYeBqEShICotcd-S-E3bEGO-77M2
CuUUdB1AUYVDZR81XejVG5kSWsrz-p1qZ-6sSpSHCp114C6PheQPCwRHEr_1
AS-DkZfIuZ-w8XAo6pHIwvnv0dORSo-hPFgw1rw2VE4aKsgeMc7ZoPUxby1d
Zr-o-0X4ZMgxoQHw_Ub27rTTHxS5Czt_vgBPq7k5OK5dm6b7JCs6Dbn2dsIA
AakPL26t4smr8IiPAnqNC2sn7vxSiAe9mTJ670eNc6C9dCSGwqzqSURiLHmT
kFyLhNSOdipttECmSSA1qh_E0K4LUhiOq7MFDEzg9CLD8kuJrqpEGgltYpD-
8lk7KEpyjMqbWFs-qeD8uJpsVfY2ac1C67OmyGzkERVoC245-YXuNCP8KUZH
LGzRm9jXwUP_piDETX0N5xj34VOCfUTffT1WlWHmB9WRPhwjIsYYy_kgR-uT
kIEDQ23NVUEGgDoryl-ymysIfwifjq-lPB3e85dz1PajNxawsCrKNeR_4hhq
zE_E4ete1EgXeAYoeH4UIgrPGXDD-KfoNoB6viNs0GzNU9czD9Avr-tDtARO
HBLSLIVRYq8caMA-jvpplTOMoDdmUMUWytf4Y_F5tKTpNtLPaAe1py1IgZBl
lfAGY9L_k5slelh_9gUBEkURxS2oMGf2gdSeDdRBxKKx5tF1b-cuMLK6JYZJ
vbGFYSsSENOkHrHEo9NdTwTi7NON9ZgRJgh7OaENK4TFCXrhKc4C6cyJs-V_
HZ0Q-B8XDyjL0qudg_0rJbjTNpNZajT_1WGsnhsTTAgMCGtTsj1T8vNx2LuX
lPQV30nUKpukdCP3zuiE9_aeJQ-nzf3dMQ-KnZU5APmGcIP_u2be6blieMWH
qVax1asKmuIjslh49ceM6lRt3Ia2bHUB8b1TMSjU4I79KPqc3clDnD8quNnU
cRkgfJ_8LCEoH7jml_2TNV0fLuH_9IOXF3jKjhT9K5f-e5N06GmPQLzdqzeQ
MnEtHuDcf4IizyKnB5GUXoNfQxbScQEzztQ_nHMYfF-E8KqoxxlK-Z0wfEDv
dJpL3mcNfFu_vz-_LJ0oI4dE0-vthsxbpTxVQkdI0E5XSi4nYfLqhXompk4j
gpxcHBjsXVbWcnelWhhQP15gCApj6Gz_ddRtk_uxiyiqZ44oUUDcl1KeWMTf
yhKDj7jgGNzTOkUsXZRPb9M77-ZYPuL2wR68E3b9PC_mS6HBHiUxQ7pXvkwS
Bi2CoFgd9SqBXk2O5I_BPaEoA8Aorazw4OvDrmTQrCk4OkGPKRukE4Ci2RMq
TZIYbBz-v3QxmOKHJoMXPNOfj93TRWpmlAd6iHCH6BVlSdfgfjdbHeD0b0ct
qXC_-S5fr1XFBuaZwaUTrBPxU-3IxWLp-dx7wpKcFykqKnByYpkzR3twKEXc
z--CZV79Qk3ZTMY9ATia4HbyhoAqY_hV9GKAHQdU_C-9qwYt0rliNUcizlBc
RHcwzoMyx30ciwbE8e9QsEH_AMa3E2ezuhjTqQlAG33_Gy5Bwe7fj6zNR0ud
jjpcNVf-wprWHEYxMcKwjCQvEHBtv6TnCHkgi_AOtPzzm3aYkMc_ysdNAnI7
DE_T9S5Mkcs6VdT2DWgUN_UC-oAw27xej0aTIn0GckXPDcLBgvrUhUPU3FRn
lW65syvFvxFmBOiCAEHD1q6Is1XhIf8vE6y0FMdNEWSMUW5rQG8f3KP_pjqG
XlUHnGrQPQysylrczHOj4E3WTT918xg2vrXVraDJbCYnJpaWp8m94iqZw2gJ
I_0UWOAZJMCYWz5jYf2DanCOBaGeZIO-UsWorP6YV3yHehirZ_Lc6KtaUorb
bm_BnnCqGVZypL4k6cDy-4GyO2GNohXzN-VWqbAIUQIat9w6RsDpzpS2DIap
96aMBDg24D73RhFTEgCSunPpbbGrDVU3GFkuTGFFBQWNfAU_F22XtoPr_ZB0
1zZPrBVXrEhebvrzp0Z31_sIT8zLop_oaSRvykbyJKKxucARfPee-d0xlgWN
WwKKtl49WVMhhu0OfDScH3knAVdv0LDAyt1fo3WF8jxdp7J9Hn3OWF3rcn0p
zw0gt6YV_6FRy_UbZmpLBvEhZQKUfKuxp6LK-SfHOilT29ERg9LJZhnyluTV
HELRtkJIcHzvphXupCIaIgZispYxHNSmAfze2cshWBYizGTBSKXWgrJeo7Q6
kEjim72yKaJ8JaLzMQFPxtQxhtvHRw94dCuXcajg3nE_r_9t7D8RicqF-CVV
tvp-rHMPhhizlgfixHWXrPB7reTtftT64pOSl5vUop8gTlbeW5Kg7WQAPNfp
zUH8YcAo0xDLJHA-FgTM4mYGih41rKaKKteWRFGU-fIyEzeO1s35tbGzlZ7R
btUG_fCpIbaJmucMZK9OzVBSfBgTBtFSesqKq6hIc8HctGcj5LPUfP9DRqqe
CrBi6bPjTlzrjaxJoU6oRq4ZtiBG38skOAaCUk61tpjilkq1fmWe2ByvLXhp
O2furZoiwNrizYmUmAW3ak3iSneScA64M-9apdZwhhEgpqyw5mUMYNT5SOOf
xZePlgXxhlL81t3KlofdbzT0w6tlbbT0NSbj9Q_zNkeZ8ar5aeMgTR-pJACg
baB20YVezziX-yboCF-uIptCTFNV
(Source: this post on HN)
The debug information contained in the (urlsafe-)base64 blob is likely encrypted.
Think about it from Google's perspective: You would want to display a stack trace, relevant headers of the http request and possibly some internal state of the user session to help a developer debug the situation. On the other hand all that information might contain sensitive information that you don't want the general public to see or that might endanger the user if he copy'n pastes it in a public support forum.
If I was to take a guess of the format I would imagine:
A public identifier of the key used for encryption (their servers could use different keys then)
The debug data encrypted using an authenticated encryption scheme
Additional data for error correction when OCR has to be used
For statistical analysis of the format it would be interesting to sample a lot of these error messages and see if some parts of the message are less random than you would expect from encrypted data (symmetrical encrypted data should follow a uniform distribution).
It looks like you are not the only one who is looking for some secret messages in YouTube error page. It seems that you can decode it using Base64.
Here is how:
http://www.cambus.net/decoding-youtube-http-error-500-message/
In a nutshell:
Sadly, contrary to my expectations, there doesn't seem to be any
hidden messageā¦ Screw you, highly trained monkeys!
I guess it is just another Easter Egg similar to 'Goats Teleported' performance counter Google Chrome had:
https://plus.google.com/+RobertPitt/posts/PrqAX3kVapn
But I guess unless you look like this, you can't be 100% sure.
It's entirely possible that this is random padding to avoid the "friendly" IE error pages that show if your error page does not contain more than 512 bytes of HTML. It would be base64 encoded if it were simply random bytes.
Imho this is all about customer care.
Actually there would be no need to send the error/debug message to the customer, because, I guess, it's already handled internally.
So:
why do we see this?
and why do they crypt it?
and is there really no hidden message for us?
Although the error might be handled and resolved internally, this does not necessarily satisfy a customer, who is not able to use the product. They pretty much do crypt by a good reason as this debug message might reveal more than a typical admin is used to.
And also there is no need to hide a message for us. Why? Because we NEVER stop until we find something.
I think:
internally the error is dealt with
external users might have something in hand to tell a technician if necessary and in return can get an approximation of ongoing problem
All in all nothing special about it and i think linking e.g. to the inf. monkey theorem is a bit overspectulated...
Error 500 means google has a problem which can not resolve. So when reporting a bug the most important thing is to prepare reproduction steps. So I tried to find an answer of the question "When this happens?"
I found this post in reddit: https://www.reddit.com/r/youtube/comments/40k858/is_youtube_giving_you_500_internal_server_errors/?utm_source=amp&utm_medium=comment_list
As resume:
It happens on desktops (www...), it works ok on mobile version (m...)
It happens for authenticated users. For anonymous users is working fine.
The problem is resolved after cookies are cleaned.
So I would give a direction: try to find the key in the session cookie. I hope my 2 cents will help.
It would appear that the savechanges method on breeze waits indefinitely when calling to or waiting for the server. Is there a way of getting it to time out? I am calling save change with allowConcurrentSaves: false. This now causes users who somehow do not get a response from the server to simply hang in limbo indefinitely say for example with a dropped internet connection.
I do not want to re-call the method with allowConcurrentSaves to false fearing that I might duplicate the data.
Any ideas?
Thanks
Update 16 May 2014
You can set HTTP-level timeout and cancellation with the AJAX Adapter's requestInterceptor as of v.1.4.12. See the documentation, "Controlling AJAX calls".
I'd still be reluctant to use this feature on save as you have no chance of knowing what whether the server persisted the data or not. Of course if your client hangs or crashes you don't know anyway. It's up to you.
Original Answer
Actually, there is a ready-made solution from Q.js. It's called timeout and it's mentioned in the API reference with a simplified example of its implementation and use in the readme.md.
I know you asked about Save but your question is pertinent for promises in general. Here is a query example adapted from the queryTests.js in our DocCode Sample
var timeoutMs = 10000; // 10 second timeout
var em = newEm(); // creates a new EntityManager
var query = new EntityQuery().from("Customers").using(em);
Q.timeout(query.execute, timeoutMs)
.then(queryFinishedBeforeTimeout)
.fail(queryFailedOrTimedout);
function queryFailedOrTimedout(error) {
var expect = /timed out/i;
var emsg = error.message;
if (expect.test(emsg)) {
log("Query timed out w/ message '{0}' " + expectTimeoutMsg)
.format(emsg));
// do something
} else {
handleFail(error);
}
}
Note: I just added this test so you'd have to get if from github or wait for a Breeze release after 1.2.5.
Oops ... maybe not
I gave what I think is a great answer for query. It may not be the right answer for save.
The problem with save is that you do not know on the client if the save succeeded until the server responds. Things could go wrong anywhere along the way. The server might not have heard the request to save. The server may have failed during save. The server may have saved the data but the response never made it back to the client.
Changing the value of allowConcurrentSaves won't get you out of this bind. Neither will having a save timeout.
In fact, adding a timeout to the save is probably deceiving. It is even possible for the save response to arrive after your custom timeout ... in which case Breeze will have tried to update your EntityManager ... and you won't know if Breeze succeeded or failed!
What if we added a Breeze save timeout. What should it do? What if breeze said the save had timedout ... and Breeze ignored a belated response from the server? Then imagine that the save succeeded on the server - it just took "too long" for it to respond to the client. Now you've got a client whose state is unexpectedly out of sync with the server. This is not good.
So I think you want a different solution to this very real problem. It's a user experience problem really. You can indicate to the user that you think the save is still in progress and then set your own timer. If the save isn't done when your timer expires, you can query the server to see if the data have been saved or if there is a connection ... or something along these lines. I can't think of a better way right now honestly.
Note that I'm assuming you need to know that the server succeeded. If you avoid store-generated IDs and always assume saves succeed unless the server tells you otherwise ... well that's a completely different paradigm and programming model that we could talk about someday (see meteorjs).
The net of all of this: I'm pretty darned sure that a save timeout is NOT what you want.
Still useful on a query though :)
Great question, and I wish I had a good answer. But it is definitely worth looking into. Could you please add this as a feature request to the Breeze User Voice. We take these requests very seriously in determining our priorities for Breeze development.
I am trying to find a way for extracting SID of a bosh session (ejabberd) using PID and JID so that I can use it in ejabberd_sm:unset_presence, I have searched everywhere but can't find a way to do it.
Basically, I have built a chat system using Ejabberd and Strophe and what I am trying to achieve is when user press offline button on one page all the sessions associated with that JID needs to go offline, I have extraced the PID by using ejabberd_sm:get_session_pid but can't find a way to extrct SID. I have also tried SID ! Disconnect but that disconnects the user completely which I don't want.
If anybody has done this kind of work please help me, other ideas for implementing such thing are also welcome.
Thanks
I did some digging on this and here's the deal. The value you get back from ejabberd_sm:get_session_pid is the ejabberd_c2s process for that user's session. But ejabberd_c2s is entirely unaware of BOSH. What you really need is the user's BOSH session ID which is maintained by the module ejabberd_http_bind.
As best I can tell there's no "nice" way to get this information out of ejabberd_c2s. I ended up doing something like this:
St = sys:get_status(Pid),
State = lists:nth(3, lists:nth(5, element(4, St))),
SocketState = element(2, State),
BindPid = element(2, element(3, SocketState)),
Now, all that gives you at the end of the day is a PID for the ejabberd_http_bind process. You can repeat the whole sordid business again, but here I suggest cheating a little:
MS = ets:fun2ms(fun(#http_bind{pid=BP, id=Id}) when BP == BindPid -> Id end),
mnesia:dirty_select(http_bind, MS).
As you can see, this is horrendously ugly. The nicer way to do it would be to modify ejabberd_c2s to accept a new type of sync_event that would return the socket information, and likewise modify ejabberd_http_bind to accept a similar sort of event to return the SID. And of course, both of these would be wrapped in public functions that internally make the relevant gen_fsm calls.
All that said, I'm not sure what good the BOSH SID is really going to do you. And in particular, I'm not sure what the difference between "go offline" and "disconnect" is in this scenario. But anyway, that's how you get the information.