Visual Studio 2008 & .Net 3.5 SP1 Released

August 14, 2008

The anticipated service pack 1 releases for Visual Studio 2008 and the .Net Framework 3.5 are here.


Visual Studio 2008 SP1 delivers:

  1. Improved WPF designers
  2. SQL Server 2008 support
  3. ADO.NET Entity Designer
  4. Visual Basic and Visual C++ components and tools (including an MFC-based Office 2007 style ‘Ribbon’)
  5. Visual Studio Team System Team Foundation Server (TFS) addresses customer feedback on version control usability and performance, email integration with work item tracking and full support for hosting on SQL Server 2008
  6. Richer JavaScript support, enhanced AJAX and data tools, and Web site deployment improvements

The .NET Framework 3.5 SP1 delivers:

  1. Performance increases between 20-45% for WPF-based applications – without having to change any code
  2. WCF improvements that give developers more control over the way they access data and services
  3. Streamlined installation experience for client applications
  4. Improvements in the area of data platform, such as the ADO.NET Entity Framework, ADO.NET Data Services and support for SQL Server 2008’s new features

Detect if client browser has cookies enabled?

July 16, 2008

One of the issues facing web developers that rely on cookies for user identification on a web site is whether the user has enabled cookies on their web browser or if their web browser supports cookies at all.

A solution to this problem is to test for cookie support by creating a cookie and sending it to the web browser. You then have to test if the cookie can be retrieved from the client and check if its value has not been modified.

If the cookie cannot be found, you can redirect to a page informing the user that they need to enable their cookies or use a browser that supports cookies to access the feature of your web site that is dependent on cookies.

You can add the following code to the landing page of your web site -

    if (!Page.IsPostBack)
    {
        if (Request.QueryString["AcceptsCookies"] == null)
        {
            // Create a new cookie to test with.
            Response.Cookies["TestCookie"].Value = "Testing";
            Response.Cookies["TestCookie"].Expires = DateTime.Now.AddMinutes(1);
            Response.Redirect("TestForCookies.aspx?redirect=" + Server.UrlEncode(Request.Url.ToString()));
        }
        else
        {
            Response.Write("Client accepts cookies = " + Request.QueryString["AcceptsCookies"]);
        }
    }

Create a TestForCookies.aspx web page that will be redirected to, to perform the actual test for the cookie -

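    if (!Page.IsPostBack)
    {
        string redirect = Request.QueryString["redirect"];
        int acceptsCookies;

        if (Request.Cookies["TestCookie"] == null)
        {
            acceptsCookies = 0;
        }
        else
        {
            acceptsCookies = 1;
            // Remove the cookie from the client by setting its expiry to a day
            // before.
            Response.Cookies["TestCookie"].Expires = DateTime.Now.AddDays(-1);
        }

        // The redirect parameter is user-controlled: only redirect back to a
        // URL on this host, otherwise fall back to the site root.
        Uri target;
        if (!Uri.TryCreate(redirect, UriKind.Absolute, out target) ||
            !string.Equals(target.Host, Request.Url.Host, StringComparison.OrdinalIgnoreCase))
        {
            target = new Uri(Request.Url, "/");
        }

        // Use "&" when the landing page URL already has a query string.
        string separator = string.IsNullOrEmpty(target.Query) ? "?" : "&";
        Response.Redirect(target.AbsoluteUri + separator + "AcceptsCookies=" + acceptsCookies, true);
    }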

ASP.Net Web.config Security

July 16, 2008


We have been focusing on security lately and especially how to secure ASP.Net web applications that are hosted on the internet and available to anyone that comes across your web site.

I will be creating a number of posts with regards to web site security but I thought I would start with ASP.Net and how to configure settings in your web.config file to assist with securing your web site / web application.

  1. Custom Errors Node

    Malicious users will start to interrogate your web site by attempting to see what sort of errors they can produce by exploiting your web site’s input such as the url, form fields and cookies.

    Based on the type of errors that are produced, they will be able to determine the type of technologies you are using, the web site’s structure or even database table names from the un-handled exceptions that are produced.

    By adding a custom errors node under the system.web section of your web.config file, you will prevent malicious users from gaining access to sensitive web site information when an un-handled exception occurs. The default redirect property of this node will redirect a user to your custom support page that displays a friendly message informing the user that an exception occurred and that they were redirected to the support page.

    <customErrors mode="On" defaultRedirect="support.aspx" />

  2. HttpCookie Node

    One of the more common security problems plaguing web servers is cross-site scripting. Cross-site scripting is a server-side vulnerability that is often created when rendering user input as html. Cross-site scripting attacks can expose sensitive information about the users of a web site.

    Internet Explorer 6 SP1 introduced a new attribute for cookies that prevented them from being accessed through client side script. A cookie with this attribute is called an http only cookie and any information contained in these types of cookies is less likely to be disclosed to a malicious user or web site.

    To enable HttpOnly cookies, use the httpCookies node under the system.web section of your web.config file and set its httpOnlyCookies attribute to true. The requireSSL attribute of this node should be set to true if your web site uses a secure connection.

    <httpCookies httpOnlyCookies="true" requireSSL="false" />

  3. Session State Node

    Session hijacking is a form of identity theft where a malicious user impersonates a legitimate user by stealing his session token and gaining access to a web site.

    ASP.Net supports cookieless session state which, instead of creating a session cookie on the client, adds the session state information to the URL of the web page. This gives a malicious user a much easier way of obtaining the user's identity and any hidden information added to the session, and it is not secure if left unencrypted.

    Ensure that you set the cookieless attribute of the sessionState node to UseCookies under the system.web section of your web.config file.

    <sessionState cookieless="UseCookies" />

  4. Trace Node

    The trace feature of ASP.Net is one of the most useful tools that you can use to ensure web application security by debugging and profiling your web applications.

    Unfortunately, it is also one of the most useful tools that a malicious user can use to attack your web applications if it is left enabled in a production environment. A malicious user can view an incredibly detailed list of recent requests to the web application by simply browsing to the page’s trace.axd file.

    The best way to prevent a malicious user from obtaining trace data from your web application is to disable the trace viewer completely by setting the enabled attribute of the trace node to false. If you have to have the trace viewer enabled, either to debug or to profile your web application, then be sure to set the local only attribute of the trace node to true under the system.web section of your web.config file. That allows users to access the trace viewer only from the web server and disables viewing it from any remote machine, increasing your web application security.

    <trace enabled="false" localOnly="true" pageOutput="false" />

  5. Debugging Node

    A common mistake for ASP.Net developers to make is releasing web applications into a production environment with the debug attribute of the compilation section in the web.config file set to true.

    This common mistake is well known for causing performance degradation in web applications, because the debug symbols that are created when a web page is requested add overhead.

    It is not so well known that if you have enabled debugging and disabled custom errors in your web application, then any error message displayed to an end user of your web application will include not only the server information, a detailed exception message, and a stack trace, but also the actual source code of the page where the error occurred.

    <compilation debug="false"></compilation>

The above-mentioned information and settings are just a start to securing your web application and ensuring that malicious users are going to have a hard time when attempting to attack, break or gain access to your web application. Security is an ongoing process and needs to be constantly reviewed, discussed, tested and improved when developing web applications, even more so when the information you are collecting, storing and displaying on your web site is sensitive and/or confidential.
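The five settings above can be checked mechanically before a deployment. The following Python script is an added example, not code from the original post: it assumes a web.config whose root element carries no XML namespace, applies the ASP.NET default for any node that is absent, and uses constructed sample documents and hypothetical function names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a web.config with the weak settings discussed in the post.
SAMPLE_WEAK = """<configuration>
  <system.web>
    <customErrors mode="Off" />
    <sessionState cookieless="UseUri" />
    <trace enabled="true" localOnly="false" />
    <compilation debug="true" />
  </system.web>
</configuration>"""

# Constructed sample: the settings recommended in the post.
SAMPLE_HARDENED = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="support.aspx" />
    <httpCookies httpOnlyCookies="true" requireSSL="false" />
    <sessionState cookieless="UseCookies" />
    <trace enabled="false" localOnly="true" pageOutput="false" />
    <compilation debug="false" />
  </system.web>
</configuration>"""

def attr(web, node, name, default):
    """Read system.web/<node>/@name in lower case, or the ASP.NET default if absent."""
    el = web.find(node) if web is not None else None
    return (el.get(name, default) if el is not None else default).strip().lower()

def audit_web_config(xml_text):
    """Return the sorted names of the nodes whose settings contradict the post's advice."""
    web = ET.fromstring(xml_text).find("system.web")  # assumes no xmlns on the root
    findings = set()
    if attr(web, "customErrors", "mode", "RemoteOnly") == "off":
        findings.add("customErrors")      # detailed errors shown to remote users
    if attr(web, "httpCookies", "httpOnlyCookies", "false") != "true":
        findings.add("httpCookies")       # cookies readable from client-side script
    if attr(web, "sessionState", "cookieless", "UseCookies") not in ("usecookies", "false"):
        findings.add("sessionState")      # session token may be placed in the URL
    if (attr(web, "trace", "enabled", "false") == "true"
            and attr(web, "trace", "localOnly", "true") != "true"):
        findings.add("trace")             # trace.axd reachable from remote machines
    if attr(web, "compilation", "debug", "false") == "true":
        findings.add("compilation")       # debug build deployed
    return sorted(findings)

if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_web_config(text))
```

The weak sample is also flagged for httpCookies even though the node is absent, because httpOnlyCookies defaults to false.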


Brad Abrams Visits South Africa

June 23, 2008

I attended a Silverlight 2 presentation this evening hosted by SA Developer .Net and Brad Abrams, the Group Program Manager for the UI Framework and Services Team at Microsoft in Seattle.

Brad kicked off the presentation with an overview of Silverlight 2 and some of the new features that will be included in the RTM version to be released later this year. He then moved onto a demonstration of a few really amazing implementations of the new version. I really enjoyed the Microsoft Health Common User Interface demo which was the most relevant to the type of software applications we build.

Once we had seen all of the user interface demos, we then got down to the more technical side of things as Brad showed us the versatility of Silverlight 2 by building a simple data access application that relied on a WCF Service and LINQ to SQL for data retrieval and modifications.

Silverlight 2 controls are unable to access a database directly and do not have any data access attributes, hence the need for a proxy for data access. Another important aspect to remember when building applications using Silverlight 2 is that all service calls made by Silverlight 2 are asynchronous and need to be handled accordingly.

I am really looking forward to using the various types of Silverlight controls that have been included in the next release of the Silverlight series; they really make web-based applications look great and give them desktop-like functionality.

It was really great meeting Brad Abrams and catching up with developers and friends from the community and I am already looking forward to the next event which is at Monte Casino tomorrow with Brad Abrams at Mix Essentials.


Version Control Exclusions

June 10, 2008

We use Subversion and Tortoise for source code version control and management. Recently I was asked by a fellow software developer about excluding file types from their version control system and thought I would post about the easy and effective way of achieving this with the aforementioned technologies.

  1. Right click on any one of your version controlled folders.
  2. Navigate to the TortoiseSVN menu so that the submenu opens.
  3. At the bottom you will see a settings option. Click it once.
  4. Enter the file types or folder pattern to be ignored into the field called “Global ignore pattern”.


Once you have completed this operation, file types or folders matching the pattern listed in this field will be ignored when importing or committing files and folders to the source code repository.

If you have used ReSharper in conjunction with Tortoise and Visual Studio, you will know how important it is to exclude all of the files generated by ReSharper!


New Blog Launched

June 9, 2008

I have started my new blog today and if you are reading this, I would like to say welcome! I will be mainly publishing technical articles with expert advice relating to the entire software development cycle which I have excelled in over the past few years.

I will also be adding links to tools, blogs, articles and useful websites that assist me in my work on a day to day basis and that I think should be shared with everyone that is developing software.

I hope that you will find my posts and links as useful as I have and I look forward to discussing and assisting with the content contained in my blog.