When I announced I was going to write my own Google Reader front-end, I also mentioned I might put the Google Reader API specs on this website. I haven’t done this so far, so this might be a good time to start.
I’m not going to put up a page with it just yet, but I am going to document some of the things as blog entries.
One of these things is how to get the Google SID of the logged-on user.

Before I can cover the obtaining itself, I must first tell you how Google Reader knows if you are logged in or not. While others, like NewsGator, might use a username and password combination in the API calls, Google Reader works through cookies. At least, as far as I know it does; there might be another way, but I don’t know it. One of the things I’ve seen people say is to just add the username and password in the URL when doing an API call, much like you would when accessing FTP from your browser. However, one of the security updates for IE included removing the ‘@’ as valid input when entering a URL in IE. This makes it impossible to add the username/password to the URL. FeedME uses the WinInet functions from Windows and these might not share the same URL cracker that IE does, but I just want to be sure I don’t shoot myself in the foot when Windows Vista comes out and they also secured the WinInet DLL there.
So cookies it is. Since I use WinInet it’s actually pretty easy. It shares the cookies with IE, so if you’ve logged into Google from IE, FeedME can use that cookie. If I used the .NET HttpWebRequest class (and its related classes) I wouldn’t share the cookies, but there is a work-around. Why don’t I use the standard .NET classes? Read this and you’ll understand.

Okay, so if you have the right cookie, you’re logged in; if you don’t, FeedME sends you to the login page using the embedded browser and allows you to log in from there. FeedME doesn’t even know your username and password!
But being logged in isn’t enough. Some of the stuff I want to do, like downloading your list of feeds, requires me to know your user ID, or as I’ve begun to call it, your Google SID. And that’s where I ran into a problem.

At first I would just ask for your reading-list, which basically is all the articles from all the feeds you are subscribed to. This call was based on the cookie and didn’t need the Google SID. In one of the XML nodes that came with that list, even if it was empty, was a string with the Google SID in it. So I parsed it and I was done. However, now the XML has changed and I need to find a new way.

My first try was to see if maybe the Google SID moved somewhere else, but the only place I could see it was in the ID of the list. I think the ID can change very easily, so I don’t want to be dependent on that.
The only other place I saw the Google SID was in the labels and states of articles. You see, every article can have labels and states. These are just text strings that have a special meaning within Google Reader. These labels or states have your Google SID in them. So I can parse them and be done, but I figured that maybe sometimes you don’t have a single article on your reading list.
To test this I created a new Google account and, lo and behold, no articles and no Google SID. Damn!

But the web-based Google Reader interface appears to know my Google SID. So into the JavaScript I went.
Unfortunately the JavaScript from Google is compressed. And rightly so! I read somewhere it saves them bandwidth in the order of several GB per day. But the compression made the JavaScript indecipherable, so another dead end. Time to Google!

I found a lot of info on Google and the cookies, but nothing which helped me. I found someone else who had run into the same problem as me and had resorted to requesting the Google Reader UI page first and parsing that for the Google SID. This was something I already considered, but only as a last alternative.
And I also found a Ruby script by Ben Ferrari, with which to delete all your Google Reader subscriptions. He used the SID value of the Google cookie, but this is encrypted. I thought he might know how to decrypt it, so I read the source. No decryption, but I did notice that he did some API calls for which he would need the Google SID, but instead of the Google SID he would use a hyphen ('-'). Intrigued by this I tried it and it worked!!

Thank you Ben!!

Of course _now_ I look at the Google Reader blog and see that one of their tips also uses a hyphen instead of a Google SID. Ah well…
