Sunday 23 December 2012

Ubuntu 11.10 Shortcuts

Launcher

  • Hold Super – Show launcher.
  • Hold Super, then 1 or 2 or 3 and so on until 0 – Opens or puts focus to an application. The number actually corresponds to the location of the icon on the launcher from top to bottom.
  • Adding Shift will open a new instance of the application if it’s already open.
  • Super+T – Opens the trash can.
  • Alt+F1 – Put keyboard focus on the Launcher, use arrow keys to navigate, Enter launches an application, Right arrow exposes the quick lists if an application has them.
  • Ctrl+Alt+T – Launch a terminal window.

Dash
  • Tap Super(Press, don’t hold) – Opens the Dash.
  • Super+A opens the Dash in Applications Len
  • Tab -  Move to the next lens (When the dash is open)
  • Shift+Tab – 11.10+ only – Move to the previous lens (when the dash is open)
  • Alt+F2 – Invokes the Dash in a “special mode” to run a command. Typing in a Folder Name will find that folder in Nautilus, you can also use ~ as a shortcut in the field. Typing an application name will show different settings of that application with that application itself.

Panel
  • F10 – Open the first menu on the panel, use the arrows keys to move along to the end of that list or to the last menu, which is ‘Session’ by default.
  • Press Esc to close the menus without choosing anything.

Window Management
  • Super+W – Spread mode, zoom out on all windows in all workspaces.

Spread Mode
  • Super+D – Minimize or restore all windows; (Show Desktop.)
  • Alt+Tab – Switch to other applications, you can hold Alt down and then hit tab to switch to the next application.
  • Alt-` (The key to the left of 1 on US layouts, by default Unity will take it as any key above the Tab key.)- Switch between an application’s windows. Hitting this combo when you’re already focused on an application will automatically switch only between the windows for that application.

Window Placement
Cycling through the same key Unity will cycle through different placement widths, so experiment by hitting the NUM key multiple times, for example Ctrl-Alt-numpad 5 5 5:
  • Ctrl+Alt+Numpad 7 – Place window in top left corner of screen.
  • Ctrl+Alt+Numpad 8 – Place window in top half of screen.
  • Ctrl+Alt+Numpad 9 – Place window in top right corner of screen.
  • Ctrl+Alt+Numpad 4 – Place window on the left side of the screen.
  • Ctrl+Alt+Numpad 5 – Center/Maximize the window in the middle of the screen.
  • Ctrl+Alt+Numpad 6 – Place window on the right side of the screen.
  • Ctrl+Alt+Numpad 1 – Place window in the bottom left corner of the screen.
  • Ctrl+Alt+Numpad 2 – Place window in the bottom half of the screen.
  • Ctrl+Alt+Numpad 3 – Place window in the bottom right corner of the screen.
  • Ctrl+Alt+Numpad 0 – Maximize window.
  • Alt + F7 with Arrow keys – Moves the current window on the screen in the current workspace. Use Arrow keys to change its position fast, and use Arrow keys (on NUMpad  when NumLock is off) to change it slowly.

Workspace Management
  • Super+S – Expo mode (for everything), zooms out on all the workspaces and lets you manage windows.
  • Shift+Alt+↑ – Expo mode for all windows in the current workspace only.
  • Ctrl+Alt+← / → / ↑ / ↓ – Change to a new workspace.
  • Ctrl+Alt+Shift-← / → / ↑ / ↓ – Place window to a new workspace.
  • Alt + F10 to resize current window between normal size and/or maximize.
  • Ctrl+Alt+L - Lock the screen.

Unresponsive Script on browsers and some settings for firefox.


Warning Unresponsive script

When JavaScript code runs for longer than a predefined amount of time, Firefox will display a dialog that says Warning: Unresponsive Script. This time is given by the settings dom.max_script_run_time and dom.max_chrome_script_run_time. Increasing the values of those settings will cause the warning to appear less often, but will defeat the purpose: to inform you of a problem with an extension or web site so you can stop the runaway script.
Complete Error Message: “A script on this page may be busy, or It may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.”
Sometimes you may be able to identify the extension:
"Script: chrome://fastdial/content/storage.js:71" 
This error is telling you that Firefox thinks that a script may be running out of control and would make Firefox hang if nothing is done. The script could be something on a web page you're accessing, in an extension you installed, or even Firefox itself. 

Letting the script run longer

If you find that pressing the Continue button brings up the same dialog again, letting the script run longer won't help you; it will just make Firefox hang for longer. However, if you can use Firefox normally after pressing Continue, then the script may just needs extra time to complete.
To tell Firefox to let the script run longer:
  1. In the Location bar, (URL Bar)type about:config and press Enter.
    • The about:config "This might void your warranty!" warning page may appear. Click I'll be careful, I promise!, to continue to the about:config page.
  2. In the about:config page, search for the preference dom.max_script_run_time, and double-click on it.
  3. In the Enter integer value prompt, type 20.
  4. Press OK
With scripts now allowed to run for longer times, you may no longer receive the prompt.
If you still receive the prompt (or if you want to see it again), you should set that preference back to the default value.
  1. In the Location bar, type about:config and press Enter.
    • The about:config "This might void your warranty!" warning page may appear. Click I'll be careful, I promise!, to continue to the about:config page.
  2. In the about:config page, search for the preference dom.max_script_run_time.
  3. Right-click on it and choose Reset.

Troubleshoot extensions, themes and hardware acceleration issues to solve common Firefox problems

Some problems with Firefox are caused by extensions, themes or hardware acceleration. This article will help you determine whether one of these is causing your problem and, if it is, describe how to make Firefox run normally again. 

 Note: The Reset Firefox feature can fix many issues by restoring Firefox to its factory default state while saving your essential information. Consider using it before going though a lengthy troubleshooting process. 


Start Firefox in Safe Mode

When you start in Firefox's Troubleshoot Firefox issues using Safe Mode, all extensions are temporarily disabled, hardware acceleration is turned off and the default theme is used. This will help determine whether one of these is causing your problem.
  1. At the top of the Firefox window, click the Help menu and select Restart with Add-ons Disabled.... Firefox will start up with the Firefox Safe Mode dialog.
    Note: You can also start Firefox in Safe Mode by quitting Firefox and then going to your Terminal and running: firefox -safe-mode
    You may need to specify the Firefox installation path (e.g. /usr/lib/firefox-4)
  2. When the Firefox Safe Mode window appears, press the button Continue in Safe Mode.
After Firefox starts in Safe Mode, test for your problem.

The problem still occurs in Safe Mode

If your problem persists in Safe Mode, it is not being caused by an extension, theme or hardware acceleration. Other possible causes could be plugins or changes made to Firefox preference settings, which are not disabled in Safe Mode.

The problem does not occur in Safe Mode

If your problem did not occur in Safe Mode, it is most likely because of an extension, theme or hardware acceleration. Continue following the steps in this article to determine the cause of your problem.

Turn off hardware acceleration

With some graphics card and graphics driver setups, Firefox may crash or have trouble showing text or objects on pages when using hardware acceleration. You can try turning off hardware acceleration to see if it fixes the problem.
  1. At the top of the Firefox window, click on the Edit menu and select Preferences
  2. Select the Advanced panel and the General tab.
  3. Uncheck Use hardware acceleration when available.
  4. At the top of the Firefox window, click on the File menu and select Quit.
  5. Start Firefox the way you normally do.
If the problem is no longer happening, then hardware acceleration was likely the cause. You can try updating your graphics drivers to see if that fixes it or simply run without hardware acceleration. Otherwise, your problem is likely related to extensions or themes. Continue with the steps in this article to see if they help.

Switch to the default theme

If you are using a theme other than the default Firefox theme:
  1. At the top of the Firefox window, click on the Tools menu, and then click Add-ons. The Add-ons Manager tab will open.
  2. In the Add-ons Manager tab, select the Appearance panel.
  3. Select the default theme, then click the Enable button, to make Firefox switch to that theme.
  4. Click Restart Firefox if necessary.
After you restart Firefox, test for your problem. If it no longer occurs, the theme you were using was causing it. If it still occurs, continue following the steps in this article.

Disable all extensions

To determine whether a faulty extension is causing your problem, you can disable all of your installed extensions:
  1. At the top of the Firefox window, click on the Tools menu, and then click Add-ons. The Add-ons Manager tab will open.
  2. In the Add-ons Manager tab, select the Extensions panel.
  3. Click the name of an extension in the list to select it.
  4. Click Disable to disable the selected extension.
  5. Repeat this for each of the other extensions in the list.
  6. Click Restart Firefox.
After you restart Firefox, all extensions will be disabled. Test for your problem.
  • If the problem still occurs with all extensions disabled, it is most likely that the localstore.rdf file in your Firefox profile is corrupt. You can Reset toolbars and controls to resolve the problem.
If the problem no longer occurs with all extensions disabled, one of your extensions was causing it. To find the extension that was causing your problem, continue as follows:

Test for faulty extensions

To determine which of your disabled extensions was causing your problem, you can re-enable each extension one at a time.
  1. At the top of the Firefox window, click on the Tools menu, and then click Add-ons. The Add-ons Manager tab will open.
  2. In the Add-ons Manager tab, select the Extensions panel.
  3. Click the name of an extension in the list to select it.
  4. Click Enable to enable the selected extension.
  5. Click Restart Firefox.
After you restart Firefox, test for your problem. If the problem comes back, the extension you just enabled was causing it.
Note: If you have a large number of extensions, it may be quicker to enable more than one extension at a time. The method with the fewest number of restarts required is: Enable half the extensions in this list, then restart Firefox and test for the problem. If the problem reoccurs, you know that the faulty extension is one of the ones you just enabled. If the problem does not occur, you know the faulty extension is one of the disabled ones. Repeat the process until the faulty extension is found.
After you find the extension that was causing your problem, disable or uninstall the faulty extension and re-enable the other extensions in the Add-ons window.

Updating extensions

If an extension was causing your problem, it may have an update available that will fix it:
  1. At the top of the Firefox window, click on the Tools menu, and then click Add-ons. The Add-ons Manager tab will open.
  2. In the Add-ons Manager tab, select the Extensions panel.
  3. Click Find Updates.
  4. If updates are found, install them by clicking Install Updates.
  5. When the installation is complete, click Restart Firefox.
After Firefox restarts, your extensions will be updated. If the extension that was causing your problem had an update, re-enable it and test for your problem again.

Checking extension settings

Some problems are caused if the settings of an extension override Firefox settings (e.g. problems with toolbars). Therefore you may want to check the extension's settings to see if you can find the option that is causing your problem:
  1. At the top of the Firefox window, click on the Tools menu, and then click Add-ons. The Add-ons Manager tab will open.
  2. In the Add-ons Manager tab, select the Extensions panel.
  3. For the extension that is causing your problem click the Preferences button.
  4. Click your way through the settings to see if there is an option that may solve your problem.
  5. If you found a suitable option, click Save and Restart Firefox
Content refers to following links.
http://support.mozilla.org/en-US/kb/warning-unresponsive-script
http://support.mozilla.org/en-US/kb/troubleshoot-extensions-themes-to-fix-problems
http://kb.mozillazine.org/Unresponsive_Script_Warning

Thursday 20 December 2012

OpenERP 7.0

OpenERP has lots of new feature and completely new user friendly UI and with viral features, I am damn sure it will rock the world of ERP.

Here following are some analysis of mine on 7.0, how it works and how everything initialized and how instance of OpenERP webclient initiated, hope you will like this.

Before going further let us see OpenERP client-server architecture, how OpenERP user, client, server and database interacts with each other., which clarify above descriptions.






































I will start with starting procedure of OpenERP Server from terminal with command-line arguments, I will also describes some method call, what that method do in short description. Here I have explained the flow of server, how each job got initialized, Still these is not the perfect flow but I'll update and improve this day by day,  for better understanding follow the flow with your system and "CORRECT ME" if I am wrong, please share your views for points on which you have better ideas with comment on this post.

Before starting flow let's see directory structure for OpenERP Server Version 7.0, so that whenever I take some reference of module or method so you can have better idea.



Note :- OpenERP server now runs in Embedded mode only, so now when you run OpenERP server.py what process goes in background, openerp-server will call main method with command-line arguments, this main method will sets os environment, will check root user for POSIX system, parses config file where all options are stored by calling parse_config method(Parse the configuration file (if any) and the command-line arguments.), also checks postgres user(Exit if the configured database user is 'postgres'), will initalize logger, set babel path(Mainly user for internationalization), setup signal handler(need explanation), runs test files(YAML), it also setups pidfile this file contains process ids. this methos will also imports/exports the translation based on translate_in/translate_out option of config, Config file may have workers defined in it either statically defined in config file or from command line, so this main method will starts the OpenERP service with workers(to provide multi cron environment), if there is no worker defined the it starts the serivces simply(there is start_services_workers and start_services methods defined for this) .

Now its start_service which starts service of http, netrpc, and cron, following is the description regarding all this.

1. start internal:
       start_internal method will initializes logger where log related OpenERP going to store, after that it will initiate object proxy, this object proxy will create a global object of self, so that object proxy service can be use globally(see init of object_proxy in osv.osv for detail), after starting and creating global object of objcet proxy service this will starts web service, the web service is the module which contains db, common, objects_proxy, report_spool classes, the start service method of web_service will creates instantiate this classes, the init methods of this classes will register their service with ExportService object, ExportService is a proxy class for exported service(as services of db, common and etc exported to it) this contains a dict of services so when we need to call particular service(i.e. particular object) we will call getService method of ExportService class.

Important Note :- This will also add openerp modules in sys.modules so that we can access our openerp modules .py file from anywhere by accessing sys.modules['openerp.module .py file']

After that this method will loads server wide modules by calling load_server_wide_modules, this method will read the addons path provided in config file or provided at terminal options(ultimately command line options are updates config file, see load_openerp_module method modules.modules).

load_openerp_module:// remain to write details

So in short the role of start_internal is to instantiate internal resource and export their service and load server modules.


2. netrpc server(service)

      netrpc_server module has start_service method which starts netrpc service on specified domain and port, it instantiates TinySocketServerThread class.
TinySocketServerThread: it extends Threading and Server class. this will create main thread for netrpc interface, and initialize Server class(Here we mostly played with Threads for Server and socket instance).
Server class: // remain to write details

3. wsgi server

        wsgi_server.start_service() will start the WSGI server,this is the point where WSGI(Web Server Gateway Interface) is initialized using werkzeug library, creates a thread of serve, serve will creates WSGI server by calling werkzeug.serving.make_server, as we have creates a separate thread for this so for each server we will create and instantiate separate thread which will server forever, make_server takes application as a parameter(application to serve), for fetch application we have application method, this application method will returns instance of application either with Proxy or without proxy(based on options given in config, there is --proxy-mode to run OpnERP behind proxy to run OpenERP behind apache proxy read http://mishekha.blogspot.in/2012/02/openerp-webclient-with-apache-reverse.html), there is application_unproxied method which returns application handler (Question why again openerp.service.start_internal() called internal services are already initialized in openerp.service.start_service()), there are list of handler as follow:

wsgi_xmlrpc_1 : //TODO

wsgi_xmlrpc : //TODO

wsgi_xmlrpc_legacy : //TODO

wsgi_webdav : //TODO

The above all are the handlers which handles every requests, request like for access common service, object service or access any method, all of the above calls xmlrpc_return method which calls dispatch_rpc method a common gateway method which handles each and every RPC calls and returns result which in turn returned as a response in str format, if dispatch_rpc fails it will gives exception,
there is method xmlrpc_handle_exception which handles all kind of xmlrpc exceptions.

     Up to this we will have a WSGI server listening to our XMLRPC requests, now further we will see how any request initiated from web and how it is reaches to OpenERP Server and response given to client.

You will have question that how all modules are loaded and how web modules are loaded, so for this I will discuss load_openerp_module method of modules.modules.

4. cron

        Note:- For threading you can refer
                   http://docs.python.org/2/library/threading.html#thread-objects
                   http://docs.python.org/2/library/threading.html

        Start the above runner function in a daemon thread.

    The thread is a typical daemon thread: it will never quit and must be
    terminated when the main process exits.

The start service of cron module will create max_cron_threads(config option), by calling thread.Thread with target=cron_runner(Note:- cron will be a daemon thread as we have set t.setDaemon(True)),
We have set sleep interval to 60 seconds + number(index) of thread which is Steve Reich timing style that is first thread will have sleep time 61 second and second thread will have 62 and so on.

cron_runner :- this mainly checks for acquire job, This selects in database all the jobs that should be processed. It then tries to lock each of them and, if it succeeds, run the cron job (if it doesn't succeed, it means the job was already locked to be taken care of by another thread) and return.

In short this is basically cron module and cron_runner are responsible for run corn jobs by fetching from ir_cron model and runs it forever at particular interval.

If there is 60 cron threads then each one is wake up at the difference of 1 second as I discussed above time interval style of Steve Reich and at each second cron jobs got run.

Note :- Please share your views regarding the points in which you have better ideas.

Up to this We have seen how server starts, parse options and based on that options starts services as described above, now we will see how all modules got registered in pool(pool a directory of objects instances, with key as object name so when you get any object from pool like self.pool.get('some object') then you will have instance of that object and you can use datas and methods of that object) and how web is initialized.


As we already seen that  start_internal of service module will call load_server_wide_modules, this method will read the addons path provided in config file or provided at terminal options, as we have given server addons as well as web addons path from either terminal or in config file.

There will be web module always available to load in load_server_wide_modules because this is the module which is going to load always, whether user logged in or not, after login process, server will load database specific modules in which user logged in but web will always going to load, if you want some other modules to be pre-loaded then you can just set config setting or either you can give comma separated modules in terminal, -load is the option for it.

Note :- Let me clarify(as it is obvious) that loading of server addons is post procedure of login by default only web module is loaded, as user going to use web interface to interact with OpenERP.


This is the point where web module going to load

openerp.modules.module.load_openerp_module(m(web by default)) will load web module.

load_openerp_module :-Load an OpenERP module, if not already loaded. This loads the module and register all of its models, thanks to either the MetaModel metaclass, or the explicit instantiation of the model. This is also used to load server-wide module (i.e. it is also used when there is no model to register).

This method will find the path of module and imports it(See __import__ http://docs.python.org/2/library/functions.html(basically used to import modules whose name is known at runtime))

After importing this module this function will load all descriptions from manifest file(i.e.__openerp__.py or __terp__.py in old case), it will load all static files, xmls, demo files(all attributes of manifest file) by reading this file, after loading module and importing it it will appends it in loaded gloabl variable.

Here noticable thing is how Root class of Web module is called, from where web module and WSGI dispatching comes into picture ?

load_openerp_module will read description and will find post_load attribute in __openerp__.py(For reference see post_load in manifest file) and will call wsgi_postload method of http.py from server itself.

getattr(sys.modules['openerp.addons.' + module_name], info['post_load'])()

This will read manifest file of web module and reads its info 'post_load' attribute, 'post_load' has value "wsgi_postload" and wsgi_postload is method of http.py in web module which calls openerp.wsgi.register_wsgi_handler(Root()) and gives Root class instance as a argument, this way web application handler instance is added to module registery in server.

So root path request will have a handler available, there will be a serving thread which serves to each and every request(as discussed earlier that server thread calls make_server of werkzeug WSGI and that thread serves forever) as application as handler, application handler is Root instance, so server will call call method of this handler instance from where actual web WSGI dispatched.

So each and every request is handled by appliation handler that is Root class of http.py this class represent as application because each and every request pass through this common gateway, the __call_ method of this claaa will call dispatch where actual dispatching of WSGI happens.

Upto this we have seen basic server process, how web module comes into picture, how application hanlder got registered, so from here we will see Trace of Web-Client how web handles each request, how it call http_request, json_request etc.


Let me give little bit glimpse on directory structure of Web-Client 7.0




As we have seen whenever we request from browser application handler will call dispatch(Actual dispatcher of WSGI), dispatch will analyse the request, its path and will call find_handler for that path, say for example if request path is '/' so handler will be index method of Home class of main controller(Please refer directory structure of Web-Client 7.0), this index method will return html_template, html_template is :

html_template = """<!DOCTYPE html>
<html style="height: 100%%">
    <head>
        <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/>
        <meta http-equiv="content-type" content="text/html; charset=utf-8" />
        <title>OpenERP</title>
        <link rel="shortcut icon" href="/web/static/src/img/favicon.ico"
                 type="image/x-icon"/>
        <link rel="stylesheet" href="/web/static/src/css/full.css" />
        %(css)s
        %(js)s

        <script type="text/javascript">
            $(function() {
                var s = new openerp.init(%(modules)s);
                %(init)s
            });
        </script>

    </head>
    <body>
        <!--[if lte IE 8]>
        <script src="http://ajax.googleapis.com/ajax/libs/chrome-frame/1/CFInstall.min.js"></script>
        <script>CFInstall.check({mode: "overlay"});</script>
        <![endif]-->
    </body>
</html>
"""

and see signature of index method :

class Home(openerpweb.Controller):
    _cp_path = '/'

    @openerpweb.httprequest
    def index(self, req, s_action=None, db=None, **kw):
        js = "\n        ".join('<script type="text/javascript" src="%s"></script>' % i
                  for i in manifest_list(req, 'js', db=db))
        css = "\n        ".join('<link rel="stylesheet" href="%s">' % i for i in
                  manifest_list(req, 'css', db=db))

        r = html_template % {
            'js': js,
            'css': css,
            'modules': simplejson.dumps(module_boot(req, db=db)),
            'init': 'var wc = new s.web.WebClient();wc.appendTo($(document.body));'
        }
        return r

From here boot strap code is executed, see openerp.init method called from html_template, for better understanding refer boot.js, this boot.js has openerp function which is loaded on document ready (for terms specification of javascript refer http://www.w3schools.com/), this boot.js will load all other classes and all other files, it will load "pyeval", "corelib", "coresetup", "dates", "formats", "chrome", "data", "views", "search", "list", "form", "list_editable", "web_mobile", "view_tree", "data_export", "data_import".

Very important Note :- 

        JavaScript doesn't have concept of inheritance, doesn't terms related to class etc but we have followed  John Resig's inheritance architecure(Refer ejohn.org), each and every JS object will extends Widget class which in turn extends Class, the Class contains the core logic of constructor, extends, so if you extends Widget class so init method of that class will be automatically called(dummy constructor implementation),all this stuff is defined in corelib.js, so whenever we create any instance of object init method will automatically called, so init method is constructor in terms of OpenERP javascript framework, start method of class which extends openerp.web.widget will be called automatically, this is because of our implementation of corelib.

One more thing to note is that in JavaScript you can create an instance of function like:

helloWorld = function() {
        alert("Hello World");
}

var hw = new helloWorld();
console.log(hw) //will gives object type
hw.constructor.apply() // will apply function helloWorld


Note:- boot class that is openerp has initialized all other instance, now see html_template given above, we have called s.web.WebClient(); where s is instance of OpenERP(see chrome.js).

Now further we will see, what Webclient object does, as I already  described that when we create any instance of object it's init and start method automatically got called, and start method of Webclient(chrome.js) will check whether user is already logged in or not, if not then we render Login page otherwise will show application page.


For Weg-Client architecture(I'll update this post day by day) ---> To be continue .... 


Note :- Kindly share your views/knowledge if you have better idea on topic described above


Thursday 22 November 2012

Connect OpenERP on PHP XMLRPC

XML-RPC Web services

XML-RPC is known as a web service. Web services are a set of tools that let one build distributed applications on top of existing web infrastructures. These applications use the Web as a kind of “transport layer” but don’t offer a direct human interface via the browser.[1] Extensible Markup Language (XML) provides a vocabulary for describing Remote Procedure Calls (RPC), which is then transmitted between computers using the HyperText Transfer Protocol (HTTP). Effectively, RPC gives developers a mechanism for defining interfaces that can be called over a network. These interfaces can be as simple as a single function call or as complex as a large API.
XML-RPC therefore allows two or more computers running different operating systems and programs written in different languages to share processing. For example, a Java application could talk with a Perl program, which in turn talks with Python application that talks with ASP, and so on. System integrators often build custom connections between different systems, creating their own formats and protocols to make communications possible, but one can often end up with a large number of poorly documented single-use protocols. The RPC approach spares programmers the trouble of having to learn about underlying protocols, networking, and various implementation details.
XML-RPC can be used with Python, Java, Perl, PHP, C, C++, Ruby, Microsoft’s .NET and many other programming languages. Implementations are widely available for platforms such as Unix, Linux, Windows and the Macintosh.
An XML-RPC call is conducted between two parties: the client (the calling process) and the server (the called process). A server is made available at a particular URL (such as http://example.org:8080/rpcserv/).
The above text just touches the surface of XML-RPC. I recommend O’Reilly’s “Programming Web Service with XML-RPC” for further reading. One may also wish to review the following links:

XML-RPC Architecture
OpenERP is a based on a client/server architecture. The server and the client(s) communicate using the XML-RPC protocol. XML-RPC is a very simple protocol which allows the client to do remote procedure calls. The called function, its arguments, and the result of the call are transported using HTTP and encoded using XML.


First to work with PHP install following packages.

PHP5
Apache2

Or either you can directly work with LAMP(Linux, apache, MySQL, PHP)  technology.

Please follow the following links for this.

http://connectwww.com/how-to-install-and-configure-apache-php-mysql-and-phpmyadmin-on-linux-mint/1443/

https://help.ubuntu.com/community/ApacheMySQLPHP

Now let me explain you with example which I have created with MVC architecture,  the directory structure is as follow.

var/www/
    index.php
    OpenERPPHPXMLRPC
        controllers
            xmlrpc.inc(The lib downloaded from http://phpxmlrpc.sourceforge.net/)
            login.php
            res_partner.php(a file to do partner operation)
        static
            css
                openerp_phpxmlrpc.css
            js
               openerp_phpxmlrpc.js
           lib
        views

Now when you write http://localhost in you browser then it will load your index.php file by default from var/www, you can configure settings of apache for loading files also you can change the directory for your project rather than var/www with apache configuration

for details settings of apache refer following link.

http://netbeans.org/kb/docs/php/configure-php-environment-ubuntu.html

Now let move onwards coding part.

My index.php file contains...

<html>
    <head>
        <link rel="stylesheet" type="text/css" href="OpenERPPHPXMLRPC/static/js/lib/jquery.ui/css/smoothness/jquery-ui-1.8.17.custom.css" />
        <link rel="stylesheet" type="text/css" href="OpenERPPHPXMLRPC/static/css/openerp_phpxmlrpc.css" />
        <script type="text/javascript" src="OpenERPPHPXMLRPC/static/js/openerp_phpxmlrpc.js"></script>
        <script type="text/javascript" src="OpenERPPHPXMLRPC/static/js/lib/jquery/jquery-1.6.4.js"></script>
        <script type="text/javascript" src="OpenERPPHPXMLRPC/static/js/lib/jquery.ui/js/jquery-ui-1.8.17.custom.min.js"></script>
        <script type="text/javascript">
            jQuery('document').ready(function() {
                var login = function(){
                    this.init();
                }
                login.prototype.init = function() {
                    jQuery("#login_button").click(this.submit_login);
                }
                login.prototype.submit_login = function() {
                    params = {};
                    params['db'] = jQuery("#db").val();
                    params['username'] = jQuery("#username").val();
                    params['password'] = jQuery("#password").val();
                    params['action'] = "login"
                    jQuery.ajax({
                        type: "POST",
                        url: "/OpenERPPHPXMLRPC/Controllers/login.php",
                        data: params,
                        success: function(result){
                            console.log("Result is inside success ",result)
                            alert(result)
                        },
                        error: function(result){
                            console.log("Result is inside fail ",result)
                            alert(result)
                        }
                       
                    });
                }
                login.prototype.success_login = function(result){
                    console.log("Result is inside success ",result)
                    alert(result)
                }
                login.prototype.fail_login = function(result){
                    console.log("Result is inside fail ",result)
                    alert(result)
                }
                login_obj = new login();
            });
        </script>
    </head>
    <body>
        <div id="app">
            <div id="header">
                <div>OpenERP PHP XMLRPC Small Application</div>
            </div>
            <div id="app_content">
                <div id="login">
                    <table>
                        <tr>
                            <td colspan="2">Login</td>
                        </tr>
                        <tr>
                            <td>Database</td>
                            <td><input type="text" id="db" name="db"/></td>
                        </tr>
                        <tr>
                            <td>Username</td>
                            <td><input type="text" id="username" name="username"/></td>
                        </tr>
                        <tr>
                            <td>Password</td>
                            <td><input type="text" id="password" name="password"/></td>
                        </tr>
                        <tr>
                            <td colspan="2"><button id="login_button">Login</button></td>
                        </tr>
                    </table>
                </div>
            </div>
            <div id="footer">
                <div>Experimented by Mohammed Shekha(MSH)</div>
            </div>
        </div>
    </body>
</html>

<?php
   
?>

So this file will send a request to login.php with action login, login.php is my controller which handles this request and fetch the action(i.e.login)  now based onaction it will call function, login.php contains...

<?php

    $db = $_POST['db'];
    $username = $_POST['username'];
    $password = $_POST['password'];
    $action = $_POST['action'];
    require_once('xmlrpc.inc');
   
    if($action == 'login') {
        connect($db, $username, $password);
    }
   
    function connect($dbname, $user, $password) {
        $server_url = 'http://localhost:8069/xmlrpc/';
        if(isset($_COOKIE["user_id"]) == true)  {
            if($_COOKIE["user_id"]>0) {
            return $_COOKIE["user_id"];
            }
        }

        $sock = new xmlrpc_client($server_url.'common');
        $msg = new xmlrpcmsg('login');
        $msg->addParam(new xmlrpcval($dbname, "string"));
        $msg->addParam(new xmlrpcval($user, "string"));
        $msg->addParam(new xmlrpcval($password, "string"));
        $resp =  $sock->send($msg);
        $val = $resp->value();
        $id = $val->scalarval();
        setcookie("user_id",$id,time()+3600);
        if($id > 0) {
            echo $id;
        }else{
            echo -1;
        }
    }

?>

What this will do it retrieves the data and send request to OpenERP Server if login got success it will redirect to Home view(which is resided in view folder) otherwise a message popup will returned.

For PHP XMLRPC detail please follow

http://doc.openerp.com/v6.0/developer/6_22_XML-RPC_web_services/index.html

http://phpxmlrpc.sourceforge.net/doc-2/



Wednesday 15 August 2012

Python Tricks

Python Tricks

Here, I am collecting python snippets that I find enlightening and/or just useful. On a subpage, you find a JPype-using hack to access Weka's Java classes from Python.
Additionally, I want to share some interesting links:
  • When working with files or directories (using os.path), you can make your live much easier if you check out the path Python module. It is very simple, but incredibly useful!
  • Another great python module is BeautifulSoup, which can be used to parse real-world HTML (or XML) files. It offers a very simple API for traversing the resulting parse tree, and one of its main features is that it also groks non-conformant HTML code (as good as possible) without choking.
  • Whenever you want to parse anything more complex than what regular expressions support (i.e., sth. beyond regular languages), e.g. expressions that need to be properly quoted or with nested parentheses, I propose to use pyparsing, another real gem which allows you to write parsers in the most intuitive way possible. (Incidentally, it is similar to the boost::spirit C++ library.)
  • In the Python Wiki, you can find some hints on speeding up your programs in the PythonSpeed page, and its PerformanceTips sub-page.
  • Concerning speed, I found Psyco particularly interesting, which is an easy-to-use extension module that can speed up the execution of any Python code (I purposely stripped the "massively" from this description, but still think it's cool, since you basically get the speed "for free").
  • In general, I don't like these code snippet-websites (especially if you have to register only to discover ugly code), and this is not very different for ASPN, but I like this function for pretty-printing a table. It's self-contained, just don't look at the code but give it a list of rows (lists of column contents), and it will give you a layouted string for printing a table.
  • Andrew Kuchling has written a tutorial on Unicode in Python which was recommended on the IPython mailing list.
  • http://codespeak.net/py/current/doc/ - XP Testing framework

Uncluttered, Clean Imports

I tend to write code in an unordered way, usually copy-pasting stuff from and to IPython. However, eventually I clean up the code and want to make it reusable as a module, and for a .py file to be importable, it is often necessary to add a number of missing imports. Due to dynamic binding, Python does not complain about missing imports until the code in question is actually run, which can be a problem if e.g. you have a function that outputs an error via sys.stderr only in a seldom error case, but you have not imported sys.
pyflakes is the solution to this problem. It neatly checks whether you have imported everything you use, and also whether you have imported something twice or are not using an imported module at all, which lets you quickly clean up your module - as a side note: Of course, from foo import * makes problems (since the code is not run at all), but I would not recommend its use anyway. It's usually better (and more zen-ish) to explicitly import all names you're using, and pyflakes perfectly helps with that, too: simply comment out the import and fix the warnings that appear. Also recall that you can do things like import numpy as np and then explicitly prefix all numpy usage with "np.".

Completion in the Python Console

It is handy to be able to tab-complete properties of python objects at the python prompt. Nowadays, I am always using IPython, a significantly enhanced interactive python console which is really worth the installation. (It helps you with completion, indentation, syntax highlighting, macros, input/output caching, session management, improved history, debugger, and tracebacks. And more. ;-) )
However, I find it interesting to note that it is possible to have completion in the standard python console (if compiled with readline, which it really should be)! The following code can be used to activate it:
# .pythonrc.py
import readline, rlcompleter
readline.parse_and_bind("tab: complete")
Put this code in a file ~/.pythonrc.py or similar, and use the variable PYTHONSTARTUP to point python to it! (I.e., I put "export PYTHONSTARTUP=$HOME/.pythonrc.py" into my shell environment setup.)
Now, go check out IPython. ;-)

Removing Duplicates from Lists

If you want to remove duplicates from a list, just put every element into a dict as a key (e.g. with None as value) and check dict.keys(). I found this optimized version in the WWW:
from operator import setitem
def distinct(l):
    d = {}
    map(setitem, (d,)*len(l), l, [])
    return d.keys()
This makes use of the fact that map fills up shorter lists (in this case the empty one) with None. Newer Python versions allow for an even more concise formulation of the above:*
def distinct(l):
    return dict.fromkeys(l).keys() # works with python 2.3+

def distinct24(l):
    return list(set(l)) # needs python 2.4 or later
These are clearly concise enough to be used in-place. Note that all variants so far have two limitations:
  • The elements are returned in arbitrary order.
  • Lists with unhashable elements (e.g. sub-lists) may not be processed.

Flattening Lists

I guess one reason why there is no built-in flatten function in Python is that there are several open semantic questions which are not intuitively answered:
  • What is flattened, e.g. all lists within a list? Or tuples, too? What about other sequence types (sub-classes of the above, home-brewn vectors, ...)? For my version of flatten below, I assumed that all iterable types (except strings) should be flattened. It is straight-forward to change that, e.g. by uncommenting the isinstance-check.
  • Does the function work recursively or not? I feel that most people would expect the function to really return a flat list, i.e. recursivly flatten all contained sequences.
But talking about python tricks, I should first mention my solution to the most common instance of the flattening problem:
# pass all elements from all lists within someLists to someFunc:
someFunc(sum(someLists, []))
Actually, this is precisely the only flattening which I regularly need, and it's a neat in-place solution. But anyhow, here's the complete, recursive variant:
 
def flatten(x):
    """flatten(sequence) -> list

    Returns a single, flat list which contains all elements retrieved
    from the sequence and all recursively contained sub-sequences
    (iterables).

    Examples:
    >>> [1, 2, [3,4], (5,6)]
    [1, 2, [3, 4], (5, 6)]
    >>> flatten([[[1,2,3], (42,None)], [4,5], [6], 7, MyVector(8,9,10)])
    [1, 2, 3, 42, None, 4, 5, 6, 7, 8, 9, 10]"""

    result = []
    for el in x:
        #if isinstance(el, (list, tuple)):
        if hasattr(el, "__iter__") and not isinstance(el, basestring):
            result.extend(flatten(el))
        else:
            result.append(el)
    return result
 

Float Formatting

Somehow, I often don't find the right formatting flags for nice output of floating point numbers. Thus, I created this "little" table demonstrating many of the available options with some simple numbers:


 
Alas, I still did not find the optimal formatting. What I am looking for, is a quick way to
  1. display pi as 3.14159 (i.e. have 5 fractional digits)
  2. display 3.1 as 3.1 (no trailing zeros)
  3. display 1.234e-13 as 0 and 2.3e+02 as 230 (no exponential display)
  4. ideally, display -1.234e-13 as 0, too (not as -0)
Obviously, there is no single format specification that produces the desired output in all these cases, but I would like to be taught otherwise. The closest thing seems to be %s, which only uses exponential display for extreme cases, but defaults to too many decimal digits for my taste. %g is better with the latter, but already uses exponential notation for smaller exponents.

Reverse Iteration of Lists / Generators

The following handy little function fulfills two purposes. First, it lets you conveniently write
for el in reviter(somelist):
    do_something(el)
following the iter(somelist) example, and second, it reminds you of the incredibly useful yield-construct (which is new since 2.3), which lets you define generators. This is the most natural way of defining complicated iterators IMO:
def reviter(x):
    if hasattr(x, 'keys'):
        raise ValueError("mappings do not support reverse iteration")
    i = len(x)
    while i > 0:
        i -= 1
        yield x[i]
The first yield will store the entire state of the function in an object that serves as an iterator which returns all yield`ed values and throws a StopIteration when the original function returns.
Note that Python 2.4 already brings "reversed" for this exact purpose.
It's even possible - and very useful indeed - to have several yields in one generator function. E.g., the following code is from my fig.py module and is used for writing coordinate pairs of open/closed polygons in rows of 6 points / 12 coordinates each (beyond yield, it also demonstrates a clever use of map for grouping N=12 iterated elements per row):
class PolylineBase(Object):
    # ...

    def _savePointIter(self):
        # flatten a point list into x1, y1, x2, y2, x2, ...
        for p in self.points:
            yield p[0]
            yield p[1]
        # of course, yields can also be conditional,
        # here for repeating the first coordinate pair of closed polygons:
        if self.closed():
            yield self.points[0][0]
            yield self.points[0][1]

    def __str__(self):
        # ...
        i = self._savePointIter()
        # multiply (i, ) with 12 to get 12 references of the same iterator,
        # and exploit the fact that map(None, ...) "fills up"
        # exhausted iterators with None:
        for linePoints in map(None, *(i, )*12):
            # linePoints now contains 12 coordinates (or None values at the end):
            result += "\t" + " ".join(*[str(p) for p in linePoints if p is not None]) + "\n"
        # ...

Substitute for Missing ?: Operator

If you are used to programming in C-like languages, and you are working with Python versions before 2.5, you probably missed an if-then-else operator. There is something that can fill the gap in many cases, just not in all: You can use the boolean operators' short-circuiting property by writing:
something = condition and true_value or false_value
If condition has a value that counts as ''False'', the and-operator will not evaluate true_value but return ''False''. Actually, it will not simply return ''False'', but it will return the value of condition which is known to be some kind of False. This special way in which the boolean operators work, that they simply return one of their arguments and not just True or False, is used to assign true_value or false_value to the variable something.
Caution!
true_value must be __nonzero__ for the above to work, otherwise you'll get strange results:
this_will_be_two = cond and None or 2 # WRONG!
Since None will be like False to the operators, the result will be 2 regardless of the value of cond. (You could use not cond and 2 or None instead.)
So, this is actually an unreadable, confusing, and possibly dangerous syntax, but nevertheless handy sometimes. ;-)
You will also occasionally find the variant
something = (false_value, true_value)[condition]
which exploits the fact that bool is in fact derived from int and False/True is 0/1, too (write bool(condition) if condition is not 0/1). However, there is no short-circuiting here but both false_value and true_value will be evaluated, which is another big caveat for many applications.
If you wonder why this operator is missing, and whether you're the first to miss it; you're of course not, but for a long time, the Python community could not agree on a syntax for the ternary operator, see the discussion in PEP 308. Nevertheless, Guido himself at last decided to integrate it into the language, choosing the syntax true_value if condition else false_value from the most popular variants (this is finally included in Python 2.5).

Do-While Loops

Since python has no do-while or do-until loop constructs (yet), the following idiom has become very common:
while True:     
    do_something() 
    if condition():
        break
 Stick to it, and it'll soon become very familiar to you.

Thursday 12 July 2012

Running Multiple OpenERP Server on proxy on different port.

Create two proxy configuration as follow in user defined file like here i have created web-client61

<VirtualHost *:80>
    ServerName webclient6
    ServerAdmin webmaster@localhost
    LimitRequestLine 16384

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyRequests Off
    ProxyPass / http://127.0.0.1:8069/
    ProxyPassReverse / http://127.0.0.1:8069/
    SetEnv proxy-nokeepalive 1
    ErrorLog /var/log/apache2/webclient-error.log
    CustomLog /var/log/apache2/webclient-access.log combined
</VirtualHost>

<VirtualHost *:80>
    ServerName webclient67
    ServerAdmin webmaster@localhost
    LimitRequestLine 16384

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyRequests Off
    ProxyPass / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
    SetEnv proxy-nokeepalive 1
    ErrorLog /var/log/apache2/webclient-error.log
    CustomLog /var/log/apache2/webclient-access.log combined
</VirtualHost>

Now add this two server name as a domain in /etc/hosts
Your IP domain(webclient1)

Now enable this webclient61 file for apache using following command.

sudo a2ensite webclient61

The above command will enable the file webclient61, hence the configuration will be available to apache.

Now restart the apache with init.d and run your two servers on different port, and run the URL web-client1 and web-client2, this way you can access two different OpenERP server in same browser's two different tab.

Purpose of doing this.

If you run two server on different port and login with your webclient localhost:8069 so automatically you will be loggedin to localhost:8000 because the session id for domain localhost is already set in cookies, so when your just type localhost:8000 in which you still not logged, so you will be redirected to home page because when you send a request for localhost:8000 so browser will look up in cookies for domain localhost browser never take port into account, so it will find session_id in cookies for the domain localhost and will show you logged in.

Yes we can set cookies for specific patch using set_cookies path, but  in web-client when we send a request from localhost:8000 so it's request path will be "/" so the cookies are set for the path "/"

So I did't found any other way to fix this but using proxy we can have an alternative way to use two server on different port with different domain name, so for two different domain two different cookies are set.

For further information about cookies see the post 
http://mishekha.blogspot.in/2012/07/cookies.html

And for Apache reverse proxy for OpenERP see the post http://mishekha.blogspot.in/2011/11/connect-openerp-using-reverseproxy.html

Thanks & Regards,
Mohammed Shekha.

Wednesday 11 July 2012

Cookies

History


The term "cookie" was derived from "magic cookie", which is the packet of data a program receives and sends again unchanged. Magic cookies were already used in computing when computer programmer Lou Montulli had the idea of using them in Web communications in June 1994.[6] At the time, he was an employee of Netscape Communications, which was developing an e-commerce application for a customer. The customer was MCI and the application was the "MCI Mall". Vint Cerf and John Klensin represented MCI in technical discussions with Netscape Communications. Not wanting the MCI Mall servers to have to retain partial transaction states led to our request to Netscape to find a way to store that state in each user's computer. Cookies provided a solution to the problem of reliably implementing a virtual shopping cart.[7][8]
Together with John Giannandrea, Montulli wrote the initial Netscape cookie specification the same year. Version 0.9beta of Mosaic Netscape, released on October 13, 1994,[9][10] supported cookies. The first use of cookies (out of the labs) was checking whether visitors to the Netscape website had already visited the site. Montulli applied for a patent for the cookie technology in 1995, and US 5774670 was granted in 1998. Support for cookies was integrated in Internet Explorer in version 2, released in October 1995.[11]
The introduction of cookies was not widely known to the public at the time. In particular, cookies were accepted by default, and users were not notified of the presence of cookies. The general public learned about them after the Financial Times published an article about them on February 12, 1996[citation needed]. In the same year, cookies received a lot of media attention, especially because of potential privacy implications. Cookies were discussed in two U.S. Federal Trade Commission hearings in 1996 and 1997.
The development of the formal cookie specifications was already ongoing. In particular, the first discussions about a formal specification started in April 1995 on the www-talk mailing list. A special working group within the IETF was formed. Two alternative proposals for introducing state in HTTP transactions had been proposed by Brian Behlendorf and David Kristol respectively, but the group, headed by Kristol himself and Aron Afatsuom, soon decided to use the Netscape specification as a starting point. In February 1996, the working group identified third-party cookies as a considerable privacy threat. The specification produced by the group was eventually published as RFC 2109 in February 1997. It specifies that third-party cookies were either not allowed at all, or at least not enabled by default.
At this time, advertising companies were already using third-party cookies. The recommendation about third-party cookies of RFC 2109 was not followed by Netscape and Internet Explorer. RFC 2109 was superseded by RFC 2965 in October 2000.
A definitive specification for cookies as used in the real world was published as RFC 6265 in April 2011.


Terminologies


Session cookie

A session cookie[12] only lasts for the duration of users using the website. A web browser normally deletes session cookies when it quits. A session cookie is created when no Expires directive is provided at cookie creation time.

Persistent cookie

A persistent cookie[12] will outlast user sessions. If a persistent cookie has its Max-Age set to 1 year, then, within the year, the initial value set in that cookie would be sent back to the server every time the user visited the server. This could be used to record a vital piece of information such as how the user initially came to this website. For this reason persistent cookies are also called tracking cookies.

Secure cookie

A secure cookie has the secure attribute enabled and is only used via HTTPS, ensuring that the cookie is always encrypted when transmitting from client to server. This makes the cookie less likely to be exposed to cookie theft via eavesdropping.

HttpOnly cookie

The HttpOnly cookie is supported by most modern browsers.[13][14] On a supported browser, an HttpOnly session cookie will be used only when transmitting HTTP (or HTTPS) requests, thus restricting access from other, non-HTTP APIs (such as JavaScript). This restriction mitigates but does not eliminate the threat of session cookie theft via cross-site scripting (XSS).[15] This feature applies only to session-management cookies, and not other browser cookies.

Third-party cookie

First-party cookies are cookies set with the same domain (or its subdomain) in your browser's address bar. Third-party cookies are cookies being set with different domains from the one shown on the address bar (i.e. the web pages on that domain may feature content from a third-party domain - e.g. an advertisement run by www.advexample.com showing advert banners). (Privacy setting options in most modern browsers allow you to block third-party tracking cookies).
For example: Suppose a user visits www.example1.com, which sets a cookie with the domain ad.foxytracking.com. When the user later visits www.example2.com, another cookie is set with the domain ad.foxytracking.com. Eventually, both of these cookies will be sent to the advertiser when loading their ads or visiting their website. The advertiser can then use these cookies to build up a browsing history of the user across all the websites this advertiser has footprints on.

Supercookie

A "supercookie" is a cookie with a public suffix domain, like .com, .co.uk or k12.ca.us.[16]
Most browsers, by default, allow first-party cookies—a cookie with domain to be the same or sub-domain of the requesting host. For example, a user visiting www.example.com can have a cookie set with domain www.example.com or .example.com, but not .com.[17] A supercookie with domain .com would be blocked by browsers; otherwise, a malicious website, like attacker.com, could set a supercookie with domain .com and potentially disrupt or impersonate legitimate user requests to example.com. The Public Suffix List is a cross-vendor initiative to provide an accurate list of domain name suffixes changing.[18] Older versions of browsers may not have the most up-to-date list, and will therefore be vulnerable to certain supercookies.
The term "supercookies" is sometimes used for tracking technologies that do not rely on HTTP cookies. Two such "supercookie" mechanisms were found on Microsoft websites: cookie syncing that respawned MUID cookies, and ETag cookies.[19] Due to media attention, Microsoft later disabled this code:
In response to recent attention on "supercookies" in the media, we wanted to share more detail on the immediate action we took to address this issue, as well as affirm our commitment to the privacy of our customers. According to researchers, including Jonathan Mayer at Stanford University, "supercookies" are capable of re-creating users' cookies or other identifiers after people deleted regular cookies. Mr. Mayer identified Microsoft as one among others that had this code, and when he brought his findings to our attention we promptly investigated. We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued. We accelerated this process and quickly disabled this code. At no time did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft.
—Mike Hintze[20]

Zombie cookie

A zombie cookie is any cookie that is automatically recreated after a user has deleted it. This is accomplished by a script storing the content of the cookie in some other locations, such as the local storage available to Flash content, HTML5 storages and other client side mechanisms, and then recreating the cookie from backup stores when the cookie's absence is detected.

Uses


Session management

Cookies may be used to maintain data related to the user during navigation, possibly across multiple visits. Cookies were introduced to provide a way to implement a "shopping cart" (or "shopping basket"),[7][8] a virtual device into which users can store items they want to purchase as they navigate throughout the site.
Shopping basket applications today usually store the list of basket contents in a database on the server side, rather than storing basket items in the cookie itself. A web server typically sends a cookie containing a unique session identifier. The web browser will send back that session identifier with each subsequent request and shopping basket items are stored associated with a unique session identifier.
Allowing users to log in to a website is a frequent use of cookies. Typically the web server will first send a cookie containing a unique session identifier. Users then submit their credentials and the web application authenticates the session and allows the user access to services.

Personalization

Cookies may be used to remember the information about the user who has visited a website in order to show relevant content in the future. For example a web server may send a cookie containing the username last used to log in to a website so that it may be filled in for future visits.
Many websites use cookies for personalization based on users' preferences. Users select their preferences by entering them in a web form and submitting the form to the server. The server encodes the preferences in a cookie and sends the cookie back to the browser. This way, every time the user accesses a page, the server is also sent the cookie where the preferences are stored, and can personalize the page according to the user preferences. For example, the Wikipedia website allows authenticated users to choose the webpage skin they like best; the Google search engine once allowed users (even non-registered ones) to decide how many search results per page they want to see.

Tracking

Tracking cookies may be used to track internet users' web browsing. This can also be done in part by using the IP address of the computer requesting the page or the referrer field of the HTTP request header, but cookies allow for greater precision. This can be demonstrated as follows:
  1. If the user requests a page of the site, but the request contains no cookie, the server presumes that this is the first page visited by the user; the server creates a random string and sends it as a cookie back to the browser together with the requested page;
  2. From this point on, the cookie will be automatically sent by the browser to the server every time a new page from the site is requested; the server sends the page as usual, but also stores the URL of the requested page, the date/time of the request, and the cookie in a log file.
By analyzing the log file collected in the process, it is then possible to find out which pages the user has visited, and in what sequence.

Implementation


Cookies are arbitrary pieces of data chosen by the Web server and sent to the browser. The browser returns them unchanged to the server, introducing a state (memory of previous events) into otherwise stateless HTTP transactions. Without cookies, each retrieval of a Web page or component of a Web page is an isolated event, mostly unrelated to all other views of the pages of the same site. Other than being set by a web server, cookies can also be set by a script in a language such as JavaScript, if supported and enabled by the Web browser.
Cookie specifications[14][21][22] suggest that browsers should be able to save and send back a minimal number of cookies. In particular, a web browser is expected to be able to store at least 300 cookies of four kilobytes each, and at least 20 cookies per server or domain.


Setting a cookie

Transfer of Web pages follows the HyperText Transfer Protocol (HTTP). Regardless of cookies, browsers request a page from web servers by sending them a usually short text called HTTP request. For example, to access the page http://www.example.org/index.html, browsers connect to the server www.example.org sending it a request that looks like the following one:

 The server replies by sending the requested page preceded by a similar packet of text, called 'HTTP response'. This packet may contain lines requesting the browser to store cookies:


 The server sends lines of Set-Cookie only if the server wishes the browser to store cookies. Set-Cookie is a directive for the browser to store the cookie and send it back in future requests to the server (subject to expiration time or other cookie attributes), if the browser supports cookies and cookies are enabled. For example, the browser requests the page http://www.example.org/spec.html by sending the server www.example.org a request like the following:


This is a request for another page from the same server, and differs from the first one above because it contains the string that the server has previously sent to the browser. This way, the server knows that this request is related to the previous one. The server answers by sending the requested page, possibly adding other cookies as well.
The value of a cookie can be modified by the server by sending a new Set-Cookie: name=newvalue line in response of a page request. The browser then replaces the old value with the new one.
The term "cookie crumb" is sometimes used to refer to the name-value pair.[23] This is not the same as breadcrumb web navigation, which is the technique of showing in each page the list of pages the user has previously visited; this technique, however, may be implemented using cookies.
Cookies can also be set by JavaScript or similar scripts running within the browser. In JavaScript, the object document.cookie is used for this purpose. For example, the instruction document.cookie = "temperature=20" creates a cookie of name temperature and value 20.[24]

Cookie attributes

Besides the name–value pair, servers can also set these cookie attributes: a cookie domain, a path, expiration time or maximum age, Secure flag and HttpOnly flag. Browsers will not send cookie attributes back to the server. They will only send the cookie’s name-value pair. Cookie attributes are used by browsers to determine when to delete a cookie, block a cookie or whether to send a cookie (name-value pair) to the servers.

Domain and Path

The cookie domain and path define the scope of the cookie—they tell the browser that cookies should only be sent back to the server for the given domain and path. If not specified, they default to the domain and path of the object that was requested. An example of Set-Cookie directives from a website after a user logged in:



The first cookie LSID has default domain docs.foo.com and Path /accounts, which tells the browser to use the cookie only when requesting pages contained in docs.foo.com/accounts. The other 2 cookies HSID and SSID would be sent back by the browser while requesting any subdomain in .foo.com on any path, for example www.foo.com/.
Cookies can only be set on the top domain and its sub domains. Setting cookies on www.foo.com from www.bar.com will not work for security reasons.[25]

Expires and Max-Age

The Expires directive tells the browser when to delete the cookie. It is specified in the form of “Wdy, DD Mon YYYY HH:MM:SS GMT”[26], indicating the exact date/time this cookie will expire. As an alternative to setting cookie expiration as an absolute date/time, RFC 6265 allows the use of the Max-Age attribute to set the cookie’s expiration as an interval of seconds in the future, relative to the time the browser received the cookie. An example of Set-Cookie directives from a website after a user logged in:


The first cookie lu is set to expire sometime in 15-Jan-2013; it will be used by the client browser until that time. The second cookie made_write_conn does not have an expiration date, making it a session cookie. It will be deleted after the user closes his/her browser. The third cookie reg_fb_gate has its value changed to deleted, with an expiration time in the past. The browser will delete this cookie right away – note that cookie will only be deleted when the domain and path attributes in the Set-Cookie field match the values used when the cookie was created.

Secure and HttpOnly

The Secure and HttpOnly attributes do not have associated values. Rather, the presence of the attribute names indicates that the Secure and HttpOnly behaviors are specified.
The Secure attribute is meant to keep cookie communication limited to encrypted transmission, directing browsers to use cookies only via secure/encrypted connections. Naturally, web servers should set Secure cookies via secure/encrypted connections, lest the cookie information be transmitted in a way that allows eavesdropping when first sent to the web browser.
The HttpOnly attribute directs browsers to use cookies via the HTTP protocol only. (This includes HTTPS; HttpOnly is not the opposite of Secure.) An HttpOnly cookie is not accessible via non-HTTP methods, such as calls via JavaScript (e.g., referencing "document.cookie"), and therefore cannot be stolen easily via cross-site scripting (a pervasive attack technique[27]). As shown in previous examples, both Facebook and Google use the HttpOnly attribute extensively.

Browser settings

Most modern browsers support cookies and allow the user to disable them. The following are common options:[28]
  1. To enable or disable cookies completely, so that they are always accepted or always blocked.
  2. Some browsers incorporate a cookie manager for the user to see and selectively delete the cookies currently stored in the browser.
  3. By default, Internet Explorer allows only third-party cookies that are accompanied by a P3P "CP" (Compact Policy) field.[29]
Most browsers also allow a full wipe of private data including cookies. Add-on tools for managing cookie permissions also exist.


Privacy and third-party cookies


Cookies have some important implications on the privacy and anonymity of Web users. While cookies are sent only to the server setting them or the server in the same Internet domain, a Web page may contain images or other components stored on servers in other domains. Cookies that are set during retrieval of these components are called third-party cookies. The standards for cookies, RFC 2109 and RFC 2965, specify that browsers should protect user privacy and not allow third-party cookies by default. But most browsers, such as Mozilla Firefox, Internet Explorer, Opera and Google Chrome do allow third-party cookies by default, as long as the third-party website has Compact Privacy Policy published.
In this fictional example, an advertising company has placed banners in two websites. Hosting the banner images on its servers and using third-party cookies, the advertising company is able to track the browsing of users across these two sites.
Advertising companies use third-party cookies to track a user across multiple sites. In particular, an advertising company can track a user across all pages where it has placed advertising images or web bugs. Knowledge of the pages visited by a user allows the advertising company to target advertisements to the user's presumed preferences.
Website operators who do not disclose third-party cookie use to consumers run the risk of harming consumer trust if cookie use is discovered. Having clear disclosure (such as in a privacy policy) tends to eliminate any negative effects of such cookie discovery.[34]
The possibility of building a profile of users is considered by some a potential privacy threat, especially when tracking is done across multiple domains using third-party cookies. For this reason, some countries have legislation about cookies.
The United States government has set strict rules on setting cookies in 2000 after it was disclosed that the White House drug policy office used cookies to track computer users viewing its online anti-drug advertising. In 2002, privacy activist Daniel Brandt found that the CIA had been leaving persistent cookies on computers which had visited its website. When notified it was violating policy, CIA stated that these cookies were not intentionally set and stopped setting them.[35] On December 25, 2005, Brandt discovered that the National Security Agency (NSA) had been leaving two persistent cookies on visitors' computers due to a software upgrade. After being informed, the National Security Agency immediately disabled the cookies.[36]
The 2002 European Union telecommunication privacy Directive contains rules about the use of cookies.[37] In particular, Article 5, Paragraph 3 of this directive mandates that storing data (like cookies) in a user's computer can only be done if:
  1. the user is provided information about how this data is used;
  2. the user is given the possibility of denying this storing operation. However, this article also states that storing data that is necessary for technical reasons is exempted from this rule. This directive was expected to have been applied since October 2003, but a December 2004 report says (page 38) that this provision was not applied in practice, and that some member countries (Slovakia, Latvia, Greece, Belgium, and Luxembourg) did not even implement the provision in national law. The same report suggests a thorough analysis of the situation in the Member States.
The P3P specification includes the possibility for a server to state a privacy policy, which specifies which kind of information it collects and for which purpose. These policies include (but are not limited to) the use of information gathered using cookies. According to the P3P specification, a browser can accept or reject cookies by comparing the privacy policy with the stored user preferences or ask the user, presenting them the privacy policy as declared by the server.
Many web browsers including Apple's Safari and Microsoft Internet Explorer versions 6 and 7 support P3P which allows the web browser to determine whether to allow third-party cookies to be stored. The Opera web browser allows users to refuse third-party cookies and to create global and specific security profiles for Internet domains.[38] Firefox 2.x dropped this option from its menu system but it restored it with the release of version 3.x.[39]
Third-party cookies can be blocked by most browsers to increase privacy and reduce tracking by advertising and tracking companies without negatively affecting the user's Web experience.[40] Many advertising operators have an opt-out option to behavioural advertising, with a generic cookie in the browser stopping behavioural advertising.

Cookie theft and session hijacking

Most websites use cookies as the only identifiers for user sessions, because other methods of identifying web users have limitations and vulnerabilities. If a website uses cookies as session identifiers, attackers can impersonate users’ requests by stealing a full set of victims’ cookies. From the web server's point of view, a request from an attacker has the same authentication as the victim’s requests; thus the request is performed on behalf of the victim’s session.
Listed here are various scenarios of cookie theft and user session hijacking (even without stealing user cookies) which work with websites which rely solely on HTTP cookies for user identification.

Network eavesdropping

A cookie can be stolen by another computer that is allowed reading from the network
Traffic on a network can be intercepted and read by computers on the network other than the sender and receiver (particularly over unencrypted open Wi-Fi). This traffic includes cookies sent on ordinary unencrypted HTTP sessions. Where network traffic is not encrypted, attackers can therefore read the communications of other users on the network, including HTTP cookies as well as the entire contents of the conversations.
An attacker could use intercepted cookies to impersonate a user and perform a malicious task, such as transferring money out of the victim’s bank account.
This issue can be resolved by securing the communication between the user's computer and the server by employing Transport Layer Security (HTTPS protocol) to encrypt the connection. A server can specify the Secure flag while setting a cookie, which will cause the browser to send the cookie only over an encrypted channel, such as an SSL connection.[14]

Publishing false sub-domain – DNS cache poisoning

Via DNS cache poisoning, an attacker might be able to cause a DNS server to cache a fabricated DNS entry, say f12345.www.example.com with the attacker’s server IP address. The attacker can then post an image URL from his own server (for example, http://f12345.www.example.com/img_4_cookie.jpg). Victims reading the attacker’s message would download this image from f12345.www.example.com. Since f12345.www.example.com is a sub-domain of www.example.com, victims’ browsers would submit all example.com-related cookies to the attacker’s server; the compromised cookies would also include HttpOnly cookies.[clarification needed]
This vulnerability is usually for Internet Service Providers to fix, by securing their DNS servers. But it can also be mitigated if www.example.com is using Secure cookies. Victims’ browsers will not submit Secure cookies if the attacker’s image is not using encrypted connections. If the attacker chose to use HTTPS for his img_4_cookie.jpg download, he would have the challenge[42] of obtaining an SSL certificate for f12345.www.example.com from a Certificate Authority. Without a proper SSL certificate, victims’ browsers would display (usually very visible) warning messages about the invalid certificate, thus alerting victims as well as security officials from www.example.com.

Cross-site scripting – cookie theft

Scripting languages such as JavaScript and JScript are usually allowed to access cookie values and have some means to send arbitrary values to arbitrary servers on the Internet. These facts are used in combination with sites allowing users to post HTML content that other users can see.
As an example, an attacker may post a message on www.example.com with the following link:



When another user clicks on this link, the browser executes the piece of code within the onclick attribute, thus replacing the string document.cookie with the list of cookies of the user that are active for the page. As a result, this list of cookies is sent to the attacker.com server. If the attacker’s posting is on https://www.example.com/somewhere, secure cookies will also be sent to attacker.com in plain text.
Cross-site scripting is a constant threat, as there are always some crackers trying to find a way of slipping in script tags to websites. It is the responsibility of the website developers to filter out such malicious code.
In the meantime, such attacks can be mitigated by using HttpOnly cookies. These cookies will not be accessible by client side script, and therefore the attacker will not be able to gather these cookies.


Cross-site scripting

If an attacker was able to insert a piece of script to a page on www.example.com, and a victim’s browser was able to execute the script, the script could simply carry out the attack. This attack would use the victim’s browser to send HTTP requests to servers directly; therefore, the victim’s browser would submit all relevant cookies, including HttpOnly cookies, as well as Secure cookies if the script request is on HTTPS.
For example, on MySpace, Samy posted a short message “Samy is my hero” on his profile, with a hidden script to send Samy a “friend request” and then post the same message on the victim’s profile. A user reading Samy’s profile would send Samy a “friend request” and post the same message on this person’s profile. Then, the third person reading the second person’s profile would do the same. Pretty soon, this Samy worm became one of the fastest spreading worms of all time.
This type of attack (with automated scripts) would not work if a website had CAPTCHA to challenge client requests.

Cross-site scripting – proxy request

In older versions of browsers, there were security holes allowing attackers to script a proxy request by using XMLHttpRequest. For example, a victim is reading an attacker’s posting on www.example.com, and the attacker’s script is executed in the victim’s browser. The script generates a request to www.example.com with the proxy server attacker.com. Since the request is for www.example.com, all example.com cookies will be sent along with the request, but routed through the attacker’s proxy server, hence, the attacker can harvest the victim’s cookies.
This attack would not work for Secure cookie, since Secure cookies go with HTTPS connections, and its protocol dictates end-to-end encryption, i.e., the information is encrypted on the user’s browser and decrypted on the destination server www.example.com, so the proxy servers would only see encrypted bits and bytes.

Cross-site request forgery

For example, Bob might be browsing a chat forum where another user, Mallory, has posted a message. Suppose that Mallory has crafted an HTML image element that references an action on Bob's bank's website (rather than an image file), e.g.,


If Bob's bank keeps his authentication information in a cookie, and if the cookie hasn't expired, then the attempt by Bob's browser to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without Bob's approval.


Drawbacks of cookies

Besides privacy concerns, cookies also have some technical drawbacks. In particular, they do not always accurately identify users, they can be used for security attacks, and they are often at odds with the Representational State Transfer (REST) software architectural style.[43][44]

Inaccurate identification

If more than one browser is used on a computer, each usually has a separate storage area for cookies. Hence cookies do not identify a person, but a combination of a user account, a computer, and a Web browser. Thus, anyone who uses multiple accounts, computers, or browsers has multiple sets of cookies.
Likewise, cookies do not differentiate between multiple users who share the same user account, computer, and browser.

Inconsistent state on client and server

The use of cookies may generate an inconsistency between the state of the client and the state as stored in the cookie. If the user acquires a cookie and then clicks the "Back" button of the browser, the state on the browser is generally not the same as before that acquisition. As an example, if the shopping cart of an online shop is built using cookies, the content of the cart may not change when the user goes back in the browser's history: if the user presses a button to add an item in the shopping cart and then clicks on the "Back" button, the item remains in the shopping cart. This might not be the intention of the user, who possibly wanted to undo the addition of the item. This can lead to unreliability, confusion, and bugs. Web developers should therefore be aware of this issue and implement measures to handle such situations.

Alternatives to cookies

Some of the operations that can be done using cookies can also be done using other mechanisms.

IP address

Some users may be tracked based on the IP address of the computer requesting the page. The server knows the IP address of the computer running the browser or the proxy, if any is used, and could theoretically link a user's session to this IP address.
IP addresses are, generally, not a reliable way to track a session or identify a user. Many computers designed to be used by a single user, such as office PCs or home PCs, are behind a network address translator (NAT). This means that several PCs will share a public IP address. Furthermore, some systems, such as Tor, are designed to retain Internet anonymity, rendering tracking by IP address impractical, impossible, or a security risk.

URL (query string)

A more precise technique is based on embedding information into URLs. The query string part of the URL is the one that is typically used for this purpose, but other parts can be used as well. The Java Servlet and PHP session mechanisms both use this method if cookies are not enabled.
This method consists of the Web server appending query strings to the links of a Web page it holds when sending it to a browser. When the user follows a link, the browser returns the attached query string to the server.
Query strings used in this way and cookies are very similar, both being arbitrary pieces of information chosen by the server and sent back by the browser. However, there are some differences: since a query string is part of a URL, if that URL is later reused, the same attached piece of information is sent to the server. For example, if the preferences of a user are encoded in the query string of a URL and the user sends this URL to another user by e-mail, those preferences will be used for that other user as well.
Moreover, even if the same user accesses the same page two times, there is no guarantee that the same query string is used in both views. For example, if the same user arrives to the same page but coming from a page internal to the site the first time and from an external search engine the second time, the relative query strings are typically different while the cookies would be the same. For more details, see query string.
Other drawbacks of query strings are related to security: storing data that identifies a session in a query string enables or simplifies session fixation attacks, referrer logging attacks and other security exploits. Transferring session identifiers as HTTP cookies is more secure.

Hidden form fields

Another form of session tracking is to use web forms with hidden fields. This technique is very similar to using URL query strings to hold the information and has many of the same advantages and drawbacks; and if the form is handled with the HTTP GET method, the fields actually become part of the URL the browser will send upon form submission. But most forms are handled with HTTP POST, which causes the form information, including the hidden fields, to be appended as extra input that is neither part of the URL, nor of a cookie.
This approach presents two advantages from the point of view of the tracker: first, having the tracking information placed in the HTML source and POST input rather than in the URL means it will not be noticed by the average user; second, the session information is not copied when the user copies the URL (to save the page on disk or send it via email, for example).
This method can be easily used with any framework that supports web forms.

window.name

All current web browsers can store a fairly large amount of data (2–32 MB) via JavaScript using the DOM property window.name. This data can be used instead of session cookies and is also cross-domain. The technique can be coupled with JSON/JavaScript objects to store complex sets of session variables[45] on the client side.
The downside is that every separate window or tab will initially have an empty window.name; in times of tabbed browsing this means that individually opened tabs (initiation by user) will not have a window name. Furthermore window.name can be used for tracking visitors across different websites, making it of concern for Internet privacy.
In some respects this can be more secure than cookies due to not involving the server, so it is not vulnerable to network cookie sniffing attacks. However if special measures are not taken to protect the data, it is vulnerable to other attacks because the data is available across different websites opened in the same window or tab.

HTTP authentication

The HTTP protocol includes the basic access authentication and the digest access authentication protocols, which allow access to a Web page only when the user has provided the correct username and password. If the server requires such credentials for granting access to a web page, the browser requests them from the user and, once obtained, the browser stores and sends them in every subsequent page request. This information can be used to track the user.