Kai Ramuenke

In my last post i explained, how to test session protected resources with selenium rc and ruby. While we were migrating to Rails 2.3 all such tests suddenly stopped working because the JavaScript didn’t return the session cookie anymore. After some research we found out that you can control accessibility to the session cookie through the browser by sending a little flag in the HTTP response header for Set-Cookie.

response.setHeader("Set-Cookie", "cookie_name=cookie_value; HTTPOnly=");

By setting this flag you basically prevent any JavaScript from accessing the session cookie. Rails now sets this flag by default which makes it less vulnerably against cross scripting attacks.
You can find all information you need including a list of supporting browsers here

Consider the following scenario: We book or buy some stuff through a web application and at the end of the process the application generates a receipt in form of a pdf for us. The pdf contains personal information so we make it only accessible to the current session.
We’d like to test the success scenario end-to-end, making sure that whatever we enter through the web application appears in the pdf. How to access the pdf from our Selenium RC test?

Grab the session cookie by calling:

session_cookie = @selenium_driver.get_eval('window.document.cookie')

Then grab the resource through a http request within the selenium rc test:

resource = Net::HTTP.new(host, port).start { |http|
   get = Net::HTTP::Get.new(path_to_resource)
   get['Cookie'] = session_cookie
   response = http.request(get)
   response.body
}

It works fine for a Rails app and i guess this principle should be applicable for any other server with cookie based session handling.

In most of the project i’ve been working in we used a light-weight database like HSQLDB or H2 in the local development environment. It’s easy to set up in the build and you make yourself independent from the setup of the dev machines. Just check out the trunk and off you go.
It’s usually fine to run a file-based database but in case you have to do your development on a windows machine a file based database is really annoying. Once a process has a connection to the database it locks the file. Can’t run the app in the web server and inspect the database with squirrel at the same time.
The good thing is that HSQLDB allows you to run a memory-only database in server mode (haven’t checked H2). Start your server like this:

java -cp ./hsqldb.jar org.hsqldb.Server -database.0 mem:mydb -dbname.0 aliasdb

Instead of passing the database setup as parameters you can put them into a server.properties file which has to be in the same directory where you execute the command.

Then use this url to connect to your database:

jdbc:hsqldb:hsql://localhost/aliasdb

From discussions over the last few months i realized that quite a lot of agile teams have a high emphasis on task estimation. So far i am very much in doubt of the benefits task estimations will give to a team. In fact i come to believe that a high emphasis on task estimation will do more harm than good and is the first step into micromanagement. Especially if your team does full blown task estimation including reporting on time spent on task and estimating the time remaining. That does not mean teams shouldn’t do task estimations but they should have a clear idea why they are doing it and what they want to get out of it. Teams usually try to get out two things from task estimation: capacity (velocity) of the team and tracking iterations (eg. iteration burn down charts). But both things can be achieved by other agile concepts which an agile team (should) apply anyways: velocity through story estimation and iteration tracking through a physical story wall. Hence it is questionable if task estimation is needed at all.
Deriving team velocity out of task estimation is very dangerous and gives a wrong impression of real velocity over all iterations. The concept of velocity only works if the team sticks with the initial estimates and has a common base line and scale for all iterations. Estimating in time does not give the team a common base line regardless if the team uses hours, days or ideal days. What is an ideal day? Did i really spend the same amount of hours for the last four-hour-task? How do i take pairing or pair swapping into account? Estimating in time is flawed and is raising many questions as people interpret time quite differently.
In addition there is a hidden effect when estimating with time. As the team progresses through the project it acquires more and more knowledge. This knowledge is reflected in better estimates which is of course positive. But it also means that velocity from iteration N is not comparable with iteration N-1 because there is no common base line. What is achievable in one ideal day/hour shifts with the increasing knowledge of the team. This effect does not happen if estimation is done relatively and the team sticks to the base line from the first estimation session of the project. Estimation still gets more accurate with gained knowledge but with a relative scale a task will be inserted more accurately within this scale.
Would it help to estimate your tasks relatively by size like stories (and call it gummy bear points)? It might work if you stick to the base line you created in your first iteration. A one gummy bear point task from iteration one is always the same size as a one gummy bear point task from any other iteration. I’ve never been on a team where tasks were estimated relatively so i can’t really tell if this approach would work.
The other purpose of task estimation is tracking the progress of an iteration. Though it is important to track iteration progress it is much more important to track project progress. A completed story is the unit that delivers value to the product. Hence the focus should be to find out how much stories a team can finish in one iteration instead of tasks (the real velocity). Tracking completed stories on a project scale (via a story burn down chart) together with story velocity will give a team the ability to predict the projects end date. Task estimation simply fails to add visibility of progress on a project scale. Don’t get me wrong here. I still think that breaking down stories into tasks in iteration planning can still be valuable. But why putting in the extra effort to estimate tasks when the stories are already estimated? Especially if the team operates in short (and prefered) two week iterations.
A key success factor for task estimation to become redundant is to follow the INVEST principle for all stories by heart. Teams can introduce N-1 analysis iterations to have stories as close as possible to INVEST before they are played in an iteration.
For iteration tracking a physical story wall including all current tasks is absolutely sufficient. With a short look every team member can see if progress of the current iteration is healthy or not.
One very bad thing i experienced when emphasizing to much on tasks is that the team loses sight of stories as a whole. Particularly if tasks are split into the horizontal architectural layers of the software. There is a high risk that integration problems will arise and tasks will bounce more often between “test ready” and “testing failed” then they need to. Every team member should understand the vertical slice of the system which the story represents and see it as a whole.

I strongly believe we can live very well without task estimation in agile projects. Most of the estimation effort should be put into story estimation to enable project tracking. Thus in alignment to the pattern of the agile manifesto:

Project and story tracking over iteration and task tracking