
Thu, 24 Jul 2008

6:53 PM - Session hijacking

 I was recently told that in some cases it's possible to hijack a session from any webapp, and that just journal had a problem with this.  I quickly went to work on this problem.  It has caused problems for big sites like MySpace and Facebook.  

What does session hijacking mean to me?

Session hijacking means stealing your login.  While you're logged into the account, someone could read your private blog entries and post entries to your account.  Anything you can do, they can do too.  They don't know your password, and can only do this while you're logged in.

What users can do to protect themselves:

  1. Always use the secure login feature.  (SSL)  This will prevent the first type of attack on your account.  
  2. Always log out of just journal when you're done.  Don't just leave the site.

Steps we're taking to minimize this attack

  1. A review of just journal's code is pending.  
  2. We're probably going to further limit the special characters allowed in titles of blog entries, journal titles, music, tags, etc.  We may limit what can be pasted into blog entries as well.  The only other attack possible is stealing a session cookie, which requires a cross-site scripting (XSS) attack.  That means someone put JavaScript code on the site and used that to steal your session.

location: Home

tags: justjournal software security xss session hijacking
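
An added example, not Just Journal's own code: a plain-Java sketch of the mitigations this entry describes, restricting the characters accepted in titles, together with HTML-encoding on output and a session cookie marked Secure and HttpOnly so that injected script cannot read it. The allowlist, the class and method names, and the cookie name are assumptions.

```java
import java.util.regex.Pattern;

public class SessionHijackMitigations {

    // Assumed policy: letters, digits, spaces and basic punctuation, at most 80 characters.
    private static final Pattern TITLE_ALLOWED =
            Pattern.compile("[\\p{L}\\p{N} .,!?'()-]{1,80}");

    /** Input side: reject titles containing characters outside the allowlist. */
    static boolean isAcceptableTitle(String title) {
        return title != null && TITLE_ALLOWED.matcher(title).matches();
    }

    /** Output side: encode the HTML-significant characters before rendering user text. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** HttpOnly hides the cookie from page scripts; Secure keeps it off plain HTTP. */
    static String sessionCookieHeader(String name, String sessionId) {
        return "Set-Cookie: " + name + "=" + sessionId + "; Path=/; Secure; HttpOnly";
    }

    public static void main(String[] args) {
        // Constructed sample titles: one ordinary, one containing markup.
        String[] titles = { "My trip to Detroit (part 2)", "<script>alert(1)</script>" };
        for (String t : titles) {
            System.out.println(isAcceptableTitle(t) + " -> " + escapeHtml(t));
        }
        // Hypothetical cookie name and placeholder session value.
        System.out.println(sessionCookieHeader("JSESSIONID", "PLACEHOLDER-SESSION-ID"));
    }
}
```

The allowlist rejects the second title at input time, and the encoder renders it as inert text even if it had been stored before the filter existed.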

Wed, 23 Jul 2008

1:13 AM - New Tag Cloud

 I've added a Tag Cloud to justjournal.com  You can see the tags that all users use on the site and their popularity.  Eventually, they'll link to blog entry choices.

tags:

Thu, 17 Jul 2008

12:07 AM - New just journal version

 I added the new tags code tonight.  I'm still working on it, but it's significantly more useful.  There are still some performance and usability issues I want to work on.

location: Home
mood: Okay

tags: software tagging

Wed, 16 Jul 2008

10:47 PM - Progress on tagging

The development version of just journal can now display recent entries with tags filtered by the tag.  I'm working on refining the design and allowing general searches.  Once that's complete, I'll publish the new code. 

tags:

Mon, 14 Jul 2008

4:34 AM - World's oldest blogger dies

http://www.cnn.com/2008/WORLD/europe/07/14/oldest.blogger/index.html?eref=rss_topstories

A 108-year-old woman died.  Since 2007, she's been blogging about her entire life.  She also posted video entries on YouTube.  It gives new meaning to blogging for life.  Some people live very interesting lives.

tags: old blogger

Sat, 12 Jul 2008

4:11 AM - Updated rich text editing

Just Journal uses the FCKeditor for entry.  I updated the version we're using to 2.6.2.  It's been a few years since I updated this.  It now supports Safari, and I've created a custom layout.

I may work on the layout, but users can now see the HTML source view in all browsers that support the editor, change colors, fonts, and other styles, and make alignment changes.  Let me know if you have problems using the new interface.  I'm considering allowing users choice of their editor when logged in.  

This update does not include any backend code, so the tag changes aren't up yet.  Also, the form includes a trackback field, but that's not used yet.  

tags:

Thu, 10 Jul 2008

12:23 AM - Upcoming software update

I've been testing some additions and changes to the tag feature. The listing should be much better in the next version. I want to get one more problem ironed out and then I'll be updating the site.

I also added a GTK interface in cvs for the unix client. It's not the best, but it's usable.

tags:

Sat, 10 May 2008

12:44 AM - Source code released

I released a zip file with the source for the just journal server as of yesterday on SourceForge. It includes the IntelliJ IDEA project files.

tags:

Wed, 7 May 2008

1:54 PM - Blogging as Group Therapy?

CNN has an article that suggests blogging can be helpful to deal with problems.   

tags:

Mon, 5 May 2008

6:16 PM - bug

I found a bug in the tags feature. It's listing tags multiple times on the left hand side. (oops) I corrected the SQL query and it will be updated when I roll out the trackback software in the next few weeks. (probably much sooner)


tags: justjournal software tags bug

5:38 AM - Trackback

I've got a partial trackback implementation done. It will be added to the site on the next rollout of the just journal software. I haven't decided when that will be yet.

Trackback allows you to post a comment on another blog or receive trackbacks from users on other blogs. For instance, someone could see your blog entry and then write their own entry commenting on it on another site. That would then show up in your trackbacks.

I'm still working a few things out. One common problem with trackback is spam. Users should be able to delete any trackback that is spam from their blog. I'm also considering some type of screening system for new ones. You would have to approve a trackback before anyone could see it.

I'm not going to implement completely automatic trackbacks because few blogs still use them anyway. That means if you want to trackback on a blog entry, you need to know the trackback URL ahead of time.

An example blog with trackbacks is:
http://www.homebusinesswiz.com/2007/03/how_to_make_a_trackback_on_a_b.html

The trackback URL looks like this:
http://www.becomeacertifiedcoach.com/cgi-bin/mt/mt-t.cgi/214

On just journal, the trackback url for a specific entry will look like this:
http://www.justjournal.com/trackback?entryID=somenumber


tags:

Sun, 4 May 2008

3:33 AM - (no subject)

The database server was upgraded tonight. Please report any oddities.

tags:

3:13 AM - New feature

I'm part of the way through adding tags to just journal. My implementation is a cross between what other sites call "tags" and "categories". You'll see a list on the left side of your blog with all the ones you've used, and each entry will list one or more tags that you've used.

To add several tags, you can list them using commas, semi-colons, colons or spaces. They must be lowercase with no numbers. The software should take care of the lowercase part for you.

Eventually you'll be able to do a number of things including:

tag new and existing entries
bring up all entries under a certain tag (using a link on the left)
search by tags

tags:

Sat, 26 Apr 2008

5:43 PM - Microsoft Windows Live Writer

I've added partial support for the MetaWeblog API today.  You can use that in combination with Windows Live Writer to post blog entries on Just Journal in addition to our own client. 

The post URL is http://www.justjournal.com/xml-rpc

When it asks for the homepage or whatever, use the URL to your blog.  It is something like http://www.justjournal.com/users/yourusername Replace yourusername with your user name :)

Technorati Tags: microsoft, live, blogging

tags:

2:13 PM - New version of Just Journal

I just published an updated version of just journal. I've been working on it for awhile, but just got an opportunity to finish it.

Changes:

Half the code for tags is now implemented. You can see the tag place holders. I need to add the code to add tags when submitting a blog entry next.

Just Journal now supports RSD (Really Simple Discovery). This should allow some blogging clients to "find" the xml-rpc interfaces (like blogger api) on Just Journal.

The stats on the front page now use fixed floating point numbers, so they should be much closer to adding up to 100% for public/private/friends entries. I made use of the String.format method in Java.

There are some fixes for Dashboard users. Entries now assume you want comments, and emails on comments for entries.

Some error messages were fixed and I've added more logging on the comment feature to track down some bugs that seem to randomly manifest themselves.


tags: justjournal blog software

Wed, 2 Apr 2008

4:27 PM - Status of JJ

We've hit 500 users. The site has been growing at an increasing rate for the past 6 months. I'm very happy about the new users. :)

Outstanding bugs:

A bug was reported to me recently involving the friends feature. Entries are not visible on their page, but do work on your "friends" page. I'm working on this issue.

New features:

I'm about halfway through getting the timezone feature working. The holdup is time to work on it.

Site downtime:

Just Journal was down for a few hours earlier this week. The file system with the database filled up. I've made some room which should cover us for awhile. I may need to buy some new hardware (read a new server) this year to handle the new users and another site I'm hosting.

tags:

Thu, 28 Feb 2008

12:09 AM - Just Journal for UNIX

A new command line client was created for UNIX-like operating systems. It has been tested on MidnightBSD, but should work on other BSDs and possibly linux/solaris/etc. I'm not actively working on support for other systems at this time, but would take patches to this effect.

The client requires xmlrpc-c which can be found on sourceforge.net.

It does not use SSL or any crypto to protect logins.

Usage is jjclient -u username -p password < myfile.txt or input and an EOF character. This is documented in the README accompanying the source code.

This is now on the Just Journal website and in the MidnightBSD ports collection.

tags:

Sun, 17 Feb 2008

10:51 PM - Update on Time Zone work

Some of the code is now time zone aware, but it's still defaulting to the server default (EST). Eventually I'll allow users to select their own time zone. Some of the RSS feeds are now published in GMT.

tags:

10:47 PM - Weird bugs

I fixed two bugs today.

1. Users with a username that was exactly 3 characters could not login. This has been fixed.

2. This change has not been published, but I have the RecentBlogs servlet that spits out RSS for the site validating with the w3's feed validator. The dates are now in the RFC822 format (with 4 digit years). It publishes them in GMT.

Some users get an error "no group 1" when logging in. This is not fixed as I haven't tracked the cause just yet. (tigress is one)


tags:

Sun, 20 Jan 2008

9:25 PM - SSL Certificate

The SSL certificate expires today. I'm working on adding a new cert to continue with encrypted services. It will be from another company as I cannot continue to spend $65 a year.

tags:
