WimpyProgrammer's questions

I'm building a distributed widget that is comparable to Google Analytics. Users will add a <script> tag to their site that references my widget's JavaScript file.

The Google Analytics tracking code looks like this:

var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-XXXXXXXX-X']);
_gaq.push(['_trackPageview']);
(function () {
    var ga = document.createElement('script');
    ga.type = 'text/javascript';
    ga.async = true;
    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
    var s = document.getElementsByTagName('script')[0];
    s.parentNode.insertBefore(ga, s);
})();

Can anyone explain the reasoning behind separate HTTP and HTTPS hostnames? My instinct is to just secure the www address and then use the protocol-less syntax, like //www.google-analytics.com/ga.js. But I'm sure the Google Analytics architects put a lot of thought into this approach. I'd love to understand their logic before I follow/ignore their model.

I am installing the latest version of PHP onto IIS 7.5 via FastCGI, and all of the instructions say that FastCGI should impersonate the calling client by setting

 fastcgi.impersonate = 1

If my website will have this configuration

• dedicated application pool
• application pool identity of ApplicationPoolIdentity
• anonymous authentication only (as IUSR)

why do I want to impersonate?

I come from an ASP.NET background, where the IUSR gets read-only permissions and the application pool identity gets any write permissions. Giving write access to the IUSR usually opens the door for WebDAV vulnerabilities. So I hesitate to let PHP run as the IUSR.

I can't find many people asking this question (1 | 2) so I think I must be missing something. Can someone clarify this for me?

I work Tech. Support at a web design company. Many of our past clients are hosted by another company ("Company X") but they renew their SSL certificates through us. We sell QuickSSLs from GeoTrust. We develop in .NET so all hosting is IIS.

Company X has gone downhill since we started (then stopped) recommending them and now it's a pain to renew SSL certificates with them. For a while they charged us $50/renewal to cover their time (export CSR, install CER). They frequently move sites to new servers and say the SSL can't transfer with it (and occasionally try to sell their own SSLs). It's impossible to explain to our clients why we can't just resend the certificate to use on the new server (we only have the CSR and CER).

So instead I want to order these SSL certificates from start to finish on one of our internal IIS servers, then export a PFX and send it to Company X. If they lose it we have a copy on our end, and there are fewer steps to go wrong.

I can't find anyone else who is doing this. Is it a bad idea or just a desperate one? Is there a technical limitation I'm missing (like IIS6 to IIS7)? If your SSL vendor did this would you be put off? I can't decide if this is a bad idea or an obvious one.

Thanks SF!

We use a centralized SQL Server 2005 server for web development. The server has a maintenance plan to take a full backup each Sunday and incremental backups on all other nights. All databases use the Simple Recovery Model, so transaction logs are not a factor.

Additionally our programmers are asked to manually save a full backup whenever they make considerable changes to the database. The full backup is checked in to our source control repository.

It occurs to me that a manual backup will affect the daily incremental backups done by the maintenance plan. If I understand correctly, a programmer could take a manual full backup on Wednesday and the automated incremental on Thursday will be dependent on Wednesday's full backup instead of Sunday's. Not good.

Is it possible to save a full backup that does not affect the maintenance plan? My research suggests that a database snapshot might be appropriate, but I'm just looking for a backup without spawning a new database on the server.

We'll assume that the programmer can run/tailor a script if the functionality is not in SQL Management Studio.

Thanks!