If you aren't a weblog reader, you might be interested to know there's been hubbub about comment spam lately, due to an increase in same. I could share my thoughts on comment spam as a whole, but it's a complex problem many others have written about better than I can hope to, and not what I want to write about right now. The two thoughts I will share are:
- The best way to almost completely eliminate comment spam is to authenticate all commenters, then authorize them individually with a manual whitelist.
- Because authenticating all commenters and authorizing them individually is such a complete and utter pain, other, less complete solutions can be worthwhile.
If you do want to use an authentication-authorization scheme, TypeKey is useful. There are two ways you can choose to read that, depending on what you think when I write "TypeKey:"
- TypeKey is a protocol defined by my employer, Six Apart, that you can use today to implement authentication against a third-party user database.
- TypeKey is a service provided by my employer, Six Apart, that you can use today to outsource your weblog's commenter authentication.
Right now I want to talk about the second reading. See Andre Torrez's Everything TypeKey wiki for more links, especially to Tim Appnel's Tiny Orwell, the shortest path to the first reading.
If you, like me and unlike many folks who have written copiously on the topic, don't mind the idea of outsourcing your commenter authentication to Six Apart, it's rather anticlimactic to then find the default templates' implementation has you drop an ugly hunk of JavaScript in to display logged-in state. If you also:
- don't want to use TypeKey authentication on a weblog on a different domain from your Movable Type installation, and
- use SSI instead of PHP (Neil Turner has some PHP code to do the same thing)
you can use this plugin I wrote to lose the JavaScript. I called it TypeKISS, for "TypeKey Included Server-Side" and some other acronyms you might imagine. With TypeKISS, your template code will become:
<MTIfSignedIn>
<p>Thanks for signing in, <MTSignedInName>. (<a href="<MTRemoteSignOutLink static="1">">sign out</a>)</p>
<MTElse>
<p><a href="<MTRemoteSignInLink static="1">">Sign in with TypeKey.</a></p>
<!-- name and email form fields -->
</MTElse></MTIfSignedIn>
You can see it in action here on my weblog where I've now added optional TypeKey authentication. See? No JavaScript!
Comments
comment
um, does it work with Typepad?
comment
You can’t use the TypeKISS plugin with TypePad, as you can’t use plugins at all. TypeKISS also depends on Movable Type’s existing support of TypeKey authentication, so you’d need TypePad to support TypeKey authentication itself. (As all TypePad sites do use SSI, I expect we would do something like this to not require JavaScript if/when we add TypeKey authentication for commenting on TypePad weblogs.)
You can use a TypePad account to sign in to any site that asks for a TypeKey account, if that’s what you mean.
comment
I would like to use TypeKey to allow only approved registered visitors to view my site. I was thinking of some kind of code that 1. checks to see if the visitor is logged into TypeKey and 2. checks to see if the visitor is on my “whitelist” of approved visitors. If requirements 1 & 2 are not met on any weblog page a visitor tries to view, the page will only show a please register message or will be taken to a please register page. I’m sure it can be done, but I don’t know how to do it and I can’t seem to find anyone that has done it.
I have a weblog about my son and ideally I would like for only family and friends to be able to view it. Also, my husband is a school teacher and I have (or rather, would like to continue to have) a personal weblog, but I want to try to prohibit my husband’s students from reading my personal blog.
comment
Unfortunately, I can’t find any completely canned software for doing that. :/
Someone who knows PHP should be able to build Daiji Hirata’s Auth_TypeKey PHP module into a weblog template for you, I think. This is probably the simplest option (which isn’t saying much, unless you happen to know PHP).
If you can run your weblog on a web server using Apache with modperl, Ben Trott’s Apache::AuthTypeKey perl module would let you use .htaccess protection with TypeKey accounts. This would be pretty easy to do if your server supports modperl, but the chance of a regular web hosting service providing mod_perl is vanishingly small. The PHP option is about a thousand times more likely to work for you.
comment
This is an excellent little plugin you’ve written. I, also, grew weary of the orgy of JS it took just to determine if they were signed in to TypeKey or not and display the notice. This definitely cleaned up my templates quite a bit! Thank you so much! :)