Tuesday, 30 October 2012

The Joy of Forms Authentication, IIS7 and Device Profiles

We’re setting up a thing called PRTG Network Monitor to add monitoring and logging to one of our new MVC3 web applications, and I spent this morning scratching my head and wondering why an app that works just fine when you view it in a browser was consistently failing when I tried to attach an HTTP monitor to it.

A little digging with Wireshark later, and it turns out that IIS/ASP.NET isn’t sending the FormsAuthentication cookie in the response to requests made via the PRTG monitoring software. Which is… odd. We haven’t explicitly configured cookieless authentication or anything – although we’re doing some funky stuff with cross-domain auth cookies, the PRTG monitor is as simple as it gets – POST credentials to the login handler, get a response, check the response includes a cookie. Not rocket surgery.

After a fun hour of comparing TCP traces and HTTP headers, it turns out it’s the HTTP User Agent that’s controlling this behaviour – if ASP.NET running under IIS7 sees particular user agents, it just doesn’t set any cookies. And this is where it gets interesting. Here are some real-world HTTP user agents that work just fine:

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0);

Opera/9.80 (Windows NT 6.1; WOW64; U; en) Presto/2.10.289 Version/12.02

Here’s the PRTG monitoring software’s default user agent. Now this looks to me like a completely sensible user agent for a piece of monitoring software – but IIS7 clearly believes this to be a client that can’t handle HTTP cookies, and so won’t set any:

Mozilla/5.0 (compatible; PRTG Network Monitor (www.paessler.com); Windows)

But the really fun part – here’s a bunch of user agents that work absolutely fine:

Bozilla/5.0 (compatible; PRTG Network Monitor (www.paessler.com); Windows)

Batman/1.2 (compatible; spiderman; vigorous jazz-hands)


CookieHater1.2 (incompatible; does not accept cookies; no cookies; cookies are evil)

This doesn’t work:

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML)

But these do:

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like a BOSS)

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like anyone cares)

In short - it looks like any string that starts with “Mozilla” triggers some sort of complicated parsing algorithm that looks for magic values in the user-agent string and decides that means they’re cookie-capable. I have this horrible, horrible feeling that somewhere in the bowels of the IIS team there’s somebody who still thinks browscap.ini was a good idea – and I’m amazed that something as fragile and idiosyncratic as determining device capabilities based on user agents would be the default behaviour in IIS7 and ASP.NET 4.

The good news is that this bizarre behaviour is easily fixed – just add cookieless="useCookies" to the system.web/authentication/forms element of your web.config file. The default is apparently “useDeviceProfile”, and there are more details in the IIS documentation on Microsoft TechNet.
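One way to catch this before deployment, as an added example that is not part of the original post: a Python check that reads a web.config and reports whether the forms-authentication cookie mode is pinned or left to User-Agent sniffing (in which case clients judged cookie-incapable get the ticket in the URL rather than in a cookie). The function name, the verdict labels and both sample configs are constructed for illustration, and comparing the attribute value case-insensitively is an assumption of this check.

```python
import xml.etree.ElementTree as ET

# ASP.NET's default when <forms> carries no cookieless attribute.
DEFAULT_MODE = "UseDeviceProfile"
# Modes where ASP.NET decides per client whether to issue the cookie.
UA_DEPENDENT = {"usedeviceprofile", "autodetect"}

# Constructed sample configs: the default (before) and the fix from the post (after).
BEFORE = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Account/LogOn" timeout="2880" />
  </authentication>
</system.web></configuration>"""

AFTER = BEFORE.replace("<forms ", '<forms cookieless="useCookies" ')


def audit_forms_cookieless(web_config_xml):
    """Return (mode, verdict) for system.web/authentication/forms.

    verdict: "pinned"       - a cookie is always used, whatever the User-Agent
             "ua-dependent" - decided from the client's device profile or a probe
             "uri"          - the ticket is always carried in the URL
             "not-forms"    - forms authentication is not enabled
             "unknown"      - unrecognised cookieless value
    """
    root = ET.fromstring(web_config_xml)
    for el in root.iter():                      # tolerate an xmlns on <configuration>
        el.tag = el.tag.rsplit("}", 1)[-1]
    auth = root.find("./system.web/authentication")
    if auth is None or auth.get("mode", "").lower() != "forms":
        return (None, "not-forms")
    forms = auth.find("forms")
    mode = DEFAULT_MODE if forms is None else forms.get("cookieless", DEFAULT_MODE)
    key = mode.lower()
    if key == "usecookies":
        return (mode, "pinned")
    if key in UA_DEPENDENT:
        return (mode, "ua-dependent")
    if key == "useuri":
        return (mode, "uri")
    return (mode, "unknown")


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_forms_cookieless(cfg))
```

Run it over every web.config in a build and fail on any verdict other than "pinned" if the application should never fall back to URL-borne tickets.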

This is also another classic example of how easily you can lose an entire day of developer time to something that should have taken about ten minutes. We have an app that uses HTTP and out-of-the-box cookie-based authentication. We’ve got something approaching 500 tests verifying the behaviour of this app under every scenario we could think of. We have a mature, stable monitoring platform that hundreds, if not thousands, of people are using to monitor HTTP applications every day. And yet BANG! you connect them together, everything falls apart and next thing you know you’re up to your elbows in network packets and wondering if it’s too early in the week to start drinking…

UPDATE: Thanks to @duncansmart for pointing me at this article on Scott Hanselman’s blog where he discusses this very problem.

Tuesday, 23 October 2012

Rocksmith for Guitar Players

OK, having finally convinced those necrotic turbinates at Ubisoft that I'm not a dirty filthy pirate (yarrr!) I have an install key for Rocksmith. And I've installed it. And I've played it. Now, I'm not a gamer. I've played around with Guitar Hero and gone "meh"... But I have been playing guitar for 25 years and wasted more hours than I care to recall plugging assorted guitars into various kinds of computer gear to try and make them do interesting things, so I was really curious to see how Rocksmith did it.

First impressions?

It looks fantastic. Lovely atmospheric visuals, stylistically quite beautiful. Second impression? Lag. Seriously. The folks telling you you won't notice 30ms of latency aren't musicians - they're marketing shills who work for the computer games industry. Having 30 milliseconds of delay between your fingers and your ears is horrible - after ten minutes, it was actually making me feel ill. Kinda like when you're on a roller-coaster and your eyes are disagreeing with your inner ear about which way is up - the same kind of slightly nauseating sensory disconnect. Yuck.

Eliminating Latency

So... just when I was about to give the whole thing up as a failed experiment, I had a daft idea. I plugged in an electro-acoustic and turned the guitar volume in the game right down - I figured the game can play the backing track and the guitar can look after itself, sonically speaking. The experience was instantly transformed - the game engine itself doesn't seem to suffer from any kind of latency, and suddenly I was jamming along to the Stones with a big stupid grin on my face. So I started thinking - maybe there's some way I could link up my existing guitar gear so I can get the same zero-latency experience but with an electric guitar and all the tones and presets in my trusty Line6 PodXT... easy. All you need is something to split the signal as it leaves the guitar. Now although I've not tried, I suspect an ordinary jack splitter would do the trick - plug it into your guitar, then plug the Rocksmith jack-USB cable into one output, and connect the other to your amp or effects rig using a normal guitar lead.

Problem is, I didn't have anything as simple as a splitter amongst my boxes of audio gear... so I ended up doing this instead:


The UA25EX is a really good USB audio adapter, but here I'm just using it as an active splitter, piping one output into the PC via the Rocksmith lead and then running the other one into the PodXT; the Pod's outputs are wired to the PC line-in, and then I've tweaked the Windows volume control so that the line-in is mixed back into the playback signal. Finally, remember to turn the guitar volume in Rocksmith down to zero, and voila - Rocksmith does the backing, Pod does the guitar sound with zero latency, and I'm back to grinning like an idiot. (Yes, I realise I'm using about £1500 worth of gear as a glorified gamepad... but hey, it's not like I bought this gear just to play computer games like Jeff Atwood over at CodingHorror did...) One more thing I changed - under Options ->  Game Settings -> String Layout - set this to inverted. It wasn't obvious at first, but the standard setting mimics the physical layout of guitar strings (i.e. treble at the bottom, bass at the top) while guitar tab and normal notation are written the other way up - things suddenly got a lot more fun once I tweaked this.

So... latency solved, is the game any good?

Well, yeah. It is. And I'm really impressed at how well it equates improvement in guitar technique with in-game progress. Using a combination of training exercises, arcade mini-games and full band backing tracks, it'll take you from tuning up, to playing simple one-note riffs, to slides, bends and hammer-ons. If you can already play, you'll be amazed at how quickly it exposes your weak spots and bad habits - and if you can't, I suspect you'll be really surprised at how quickly you progress. The techniques are clearly demonstrated on-screen, there's a built-in tuner that pops up at regular intervals to make sure your guitar's still in tune, and even following the on-screen color-coded notation isn't too hard - as a guitarist who never learned to sight-read, I was surprised how quickly I started to recognise patterns and phrases as they flew down the screen towards me at 140bpm. It also has distinct guitar and bass modes - including an "emulated bass" mode if you want to learn to play basslines but you've only got a six-string guitar. No five-string bass support, though... here's hoping we get that in Rocksmith 2.

The Guitarcade mini-games deserve a special mention, if only for the stupid amount of time I've spent playing Super Slider. Coloured blocks fall down the grid... you move them left and right by playing slide notes on the guitar. It is stupidly addictive and - because it requires you to change strings and positions without taking your eyes off the screen - it's also great for improving fretboard technique.


My one frustration is that the game constantly adjusts the difficulty, so there's no way - that I've found, anyway - to just bring up a song on "accurate" difficulty setting and keep practising it until you get it right. A couple of times I actually managed to move up a level just by noodling around and throwing in notes that weren't on the screen - turns out I was getting it right (?) and so the difficulty increased accordingly. I can imagine this being great fun if you already know the tune and you're working on your guitar technique, but it'd be nice if you could just switch it off and dive in at the deep end, so to speak.

In conclusion: great visuals, great gameplay, great implementation. And it actually *works* - once I'd solved the lag problem, I never once felt like I'd hit a note and the game had missed it, which is really impressive when you consider it's analysing the ragged mess of waveforms coming off a six-string guitar in real-time. Sure, the lag sucks and the missing CD keys and crappy attitude really suck, but neither of those problems is insurmountable with a little patience and ingenuity. And once you get up and running, it's great fun. I can't wait to hear what happens when a generation of kids who grew up on this move onto GarageBand and start recording demos.

Friday, 19 October 2012

Ripping Off Paying Customers the Ubisoft Way

I got into work this morning to find Dave excitedly waving a box containing something called Rocksmith - which, it turns out, is a "Guitar Hero"-type game, but you play it using a real guitar. Now, whilst I'm not a serious gamer, I am a tech nerd, and a guitar geek, and this sounded like the best thing ever. If nothing else, for the first time in 15 years, it might actually be a computer game I could beat my brother at... So, this lunchtime, I left the office, wandered to HMV on Piccadilly, and bought it. No download, no Steam, no piracy or dubious torrenting, just good, old-fashioned law-abiding retail. I walked into a physical store, picked up a boxed product, paid £39.99 for it, and left.

Now, here's what the guy in HMV did NOT say when I bought it. He didn't say "Keep the receipt because you'll need to send a copy of it to Ubisoft in order to install your game". He DID offer to sell me "game protection" for a pound, which sounded like (a) a way of charging me money for my own statutory rights, and (b) the biggest rip-off I'd ever heard - ha, maybe he knew something I didn't. But no, after I'd paid for my game, he wished me a pleasant weekend and off I went. The receipt went in the bag, along with the game, and, by the time I returned to work, some samosas and a Chinese pork bun. When I got back to the office, I put the game in my rucksack, the samosas and the pork bun in my belly, and stuck the carrier bag in a drawer. Why am I mentioning this? Ah, just wait and see...

So I get home around nine this evening and open it - look at all the things! It even comes with a jack-USB cable to plug your guitar into your PC - that's cool! OK, and a sheet of rather lame-looking fret stickers. I shudder at the thought of someone sticking these on a '57 Les Paul Standard that they've only dragged out from under the bed because they think Rocksmith might FINALLY get them playing it...

Anyway, I digress. I go to install it, and I'm asked to enter a CD key. This is pretty normal.


OK... on the jewel case? No. Manual cover? No. Disc insert? Under the disc? No. Oh dear. This is invariably where things get unpleasant. I Google rocksmith CD key and - wow, it looks like I'm not the only one. The top link is to a Ubisoft support article published 4 days ago:


Which links to this article, which says:


I try giving them a call, but "unfortunately [their] offices are now closed". So it looks like that support article is all I've got until Monday morning. I love the "encountering problems during installation". No, it's not a "problem during installation", it's that the manufacturer screwed up and omitted to include an essential part of the product in the retail packaging. And they'd like a copy of the receipt. Which, as I've mentioned, is in a bag eight miles away.

So, leaving aside that little detail, let's see how far we get. First I have to submit a request. I can't do this without signing in, I can't sign in without creating an account. Of course, this doesn't work first time because their sign-up/login system has 'issues'. Eventually I get as far as submitting a support request:


OK, question submitted at 21:52 UK time. And now, I guess, I wait and see what happens. They aim to respond to me "within 24-48 hours, although response times may be longer." Looks like I won't be playing Rocksmith this weekend.

Let's just recap. So far, I've gone out in the rain to purchase a product because it looks like fun. I've spent £39.99. I've spent ten minutes searching through packaging for a non-existent key. I've had to create an account in order to politely request that the manufacturer allow me to use the product. Ubisoft have effectively assumed I'm not a legitimate customer and I therefore can't install it until I prove otherwise. This isn't a minor manufacturing defect affecting a single unit, like a cracked picture frame or a corked bottle of wine - this looks like they've just deliberately excluded the installation key from boxed retail copies of the game.

What's completely ridiculous is that this is one of the few games in recent history that requires a physical component - the aforementioned USB-guitar cable. They could so easily have encoded a unique key in the cable and used that as a copy protection dongle - after all, you can't download a cable from the Pirate Bay. But no, instead they go for a CD key and don't bother to include one. I appreciate game development is a hugely involved and expensive exercise, and that piracy has the potential to seriously undermine the commercial viability of game development - but treating your customers like criminals to compensate for your own short-sightedness and lack of imagination is not the answer.

Next time I want to spend £40 on something fun to do over a rainy weekend, I'll forgo the delights of proving my innocence to the games industry and just buy some more Lego. At least I've never had to grovel to the manufacturer for permission to start building a Lego set.

UPDATE: E-mail from Ubisoft on Saturday afternoon saying they can't/won't help until I send them the original purchase receipt:


Oh well.

UPDATE 2: I e-mailed them a photo of the receipt on Monday morning at 10am; they e-mailed me a CD key at noon. I wonder whether they actually verify the proof-of-purchase details against the retailers’ records or are just under instructions to give out CD keys to anyone with a convincing-looking receipt…