Ever felt like you're working like crazy, but getting nothing of value done? Yep, me too. It happens more often than I'd like to admit. There are plenty of ways you can go down a "rabbit hole" and be busy all day yet get nothing productive done.

Last week, it happened yet again. Here's a quick summary of what happened, and how I put an end to spinning my wheels while achieving nothing:

  • I was looking up the best way to generate a random session ID for ZitaFTP Server's web-based GUI. I read that session IDs were old, and I should be using JSON Web Tokens (JWT) instead. They're more flexible, and have an advantage on high traffic servers because the user ID and other data are embedded in the token. This eliminates at least one database lookup per browser request
  • So, I started researching JWTs, discovering how they work, and what I needed to use them
  • I found C++ libraries for generating and checking JWTs
  • But, I thought that JWTs might be susceptible to cross-site scripting (XSS) attacks (they recommend sending them in the Authorization header instead of as a cookie). XSS is an attack where malicious JavaScript manages to steal the token, giving attackers access to someone else's user account. Sure enough, yes, it's a problem
  • JWTs also involve cryptography, and are inherently more complicated
  • I could put the JWT in an HttpOnly cookie to prevent XSS, but where's the advantage over standard session IDs?
  • Hmm, I could...

Stop!

  • At this point, I took a step back. ZitaFTP Server is designed for private use (both individual & business). It's unlikely to serve high volumes of users any time soon. Moreover, it's highly unlikely that the configuration GUI will need to serve thousands of administrators simultaneously
  • As a result, there's zero advantage in using JWTs, and they aren't worth the added complexity
  • Conclusion: session IDs are ideal. They've been battle tested and used since the 1990s. So, I chose to stick with them
  • Problem solved, and back to being productive...

Lesson: Recheck What You're Doing Against Your Goals

My eagerness to use the latest and greatest techniques and to "get it perfect first time round" got the better of me, leading me down a rabbit hole of wasted effort. Once I realized I was burning through time and getting nowhere, a quick comparison of what I was doing to what my goals were quickly put me back on the right track.

The key here is to ask yourself: "Is what I'm currently doing bringing me closer to my goals? Or, is there a better way?"

ZitaFTP Server Update

With the session ID handling code out of the way, I'm now close to having an administrator login form working. It's looking good, even though it'll always tell you that you got your username and/or password wrong.

[Screenshot: ZitaFTP login form]

I still need to implement the form POST processing code, and also add a cross-site request forgery (CSRF) prevention token. I'm getting there, bit by bit, step by step.
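For readers who want to see the two pieces discussed in this post in code, here is an added example (not ZitaFTP Server's own code) that ties them together: an opaque session ID drawn from the kernel's random source, the HttpOnly cookie that keeps it away from injected JavaScript, and a CSRF token for the login form checked with a constant-time comparison. It assumes a POSIX host where /dev/urandom exists; the function names, the cookie name `sid`, and the 16-byte token size are my choices for illustration.

```cpp
// Added example, not ZitaFTP Server code. Assumes POSIX /dev/urandom.
#include <cstddef>
#include <fstream>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Fill a buffer with cryptographically secure random bytes from /dev/urandom.
// std::random_device is not guaranteed to be a CSPRNG on every platform, so
// the kernel generator is read directly. If it is unavailable we refuse to
// issue a token rather than silently fall back to something weaker.
std::vector<unsigned char> secureRandomBytes(std::size_t count) {
    std::vector<unsigned char> buf(count);
    std::ifstream urandom("/dev/urandom", std::ios::binary);
    if (!urandom ||
        !urandom.read(reinterpret_cast<char*>(buf.data()),
                      static_cast<std::streamsize>(count))) {
        throw std::runtime_error("CSPRNG unavailable: refusing to issue a token");
    }
    return buf;
}

// Hex-encode bytes. 16 random bytes give 128 bits of entropy in 32 characters,
// well above the 64 bits usually quoted as a minimum for session IDs.
std::string toHex(const std::vector<unsigned char>& bytes) {
    static const char* digits = "0123456789abcdef";
    std::string out;
    out.reserve(bytes.size() * 2);
    for (unsigned char b : bytes) {
        out.push_back(digits[b >> 4]);
        out.push_back(digits[b & 0x0f]);
    }
    return out;
}

// An opaque token: random bytes only, no embedded user data. The server maps
// it to the account in its own session store (the lookup JWTs try to avoid).
std::string newToken(std::size_t bytes = 16) {
    return toHex(secureRandomBytes(bytes));
}

// Set-Cookie header for the session cookie. HttpOnly stops page scripts from
// reading it (the XSS concern above), Secure keeps it off plaintext HTTP, and
// SameSite=Strict stops browsers sending it on cross-site requests.
std::string sessionCookieHeader(const std::string& sessionId, bool secure = true) {
    std::string h = "Set-Cookie: sid=" + sessionId + "; Path=/; HttpOnly; SameSite=Strict";
    if (secure) h += "; Secure";
    return h;
}

// Compare two tokens without leaking the position of the first mismatch.
// Tokens here are fixed length, so the early length check reveals nothing
// an attacker does not already know.
bool constantTimeEquals(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    unsigned char diff = 0;
    for (std::size_t i = 0; i < a.size(); ++i) {
        diff |= static_cast<unsigned char>(a[i]) ^ static_cast<unsigned char>(b[i]);
    }
    return diff == 0;
}

// CSRF check for the login form: the token rendered into the hidden form field
// must match the one stored server-side for this session. An empty stored
// token never validates, so a session that was never issued one cannot pass.
bool csrfTokenValid(const std::string& storedToken, const std::string& submittedToken) {
    return !storedToken.empty() && constantTimeEquals(storedToken, submittedToken);
}

// Hidden input for the login form. The token is hex, so no HTML escaping needed.
std::string csrfHiddenInput(const std::string& token) {
    return "<input type=\"hidden\" name=\"csrf_token\" value=\"" + token + "\">";
}

int main() {
    const std::string sid = newToken();
    const std::string csrf = newToken();
    std::cout << sessionCookieHeader(sid) << "\n"
              << csrfHiddenInput(csrf) << "\n"
              << "csrf ok: " << csrfTokenValid(csrf, csrf) << "\n";
    return 0;
}
```

Two habits go with this: issue a fresh session ID on successful login so a pre-login ID an attacker planted does not survive (session fixation), and keep the CSRF token tied to the session rather than global, so one leaked token does not unlock every form.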

Once the login form is done, then I can start on the configuration GUI. I think I'm at that point in this project, where I've written enough low-level code that the lines of code I write now can do more (because they call the low-level functions). It's a great place to be, because progress is faster.