Monday, August 28

Good & tested RegularExpression for validating passwords?

Any sample tested and working Regular expression for validating the password?

I was using

<asp:RequiredFieldValidator ID="RequiredFieldValidator1" runat="server"
    ErrorMessage="Please enter password" ControlToValidate="txtPassword" Display="None" />

<asp:RegularExpressionValidator ID="regValPassword" runat="server"
    ErrorMessage="Enter valid password" Display="None"
    ControlToValidate="txtPassword" ValidationExpression="^\w{3,12}$" />

for basic filtering.

Any better thoughts on allowing 8-12 character passwords with special characters too?

I found some scripts on the net, but they didn't seem to work with asp.net's RegularExpressionValidator.

Thoughts welcome.
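An added example (not from the original post) of a ValidationExpression for the 8-12 character policy asked about above, checked the way the browser half of a RegularExpressionValidator checks it, with the JavaScript RegExp engine. The validator evaluates the same expression twice, client-side in JavaScript and server-side in System.Text.RegularExpressions, so the pattern has to stay inside the syntax both engines share; the one below uses only a character class, a hex escape and a bounded quantifier, which mean the same thing in both. The length bounds, the function names and the sample passwords are constructed for this example.

```javascript
// Pattern the post started from: word characters only, so "P@ssw0rd!" is refused.
var ORIGINAL_EXPRESSION = '^\\w{3,12}$';

// Builds the ValidationExpression string: min..max printable ASCII characters
// (\x21-\x7e), which admits punctuation and refuses spaces and control characters.
// The same string is what goes into the ValidationExpression attribute.
function validationExpression(min, max) {
  if (typeof min !== 'number' || typeof max !== 'number' ||
      min % 1 !== 0 || max % 1 !== 0 || min < 1 || max < min) {
    throw new RangeError('bad length bounds');
  }
  return '^[\\x21-\\x7e]{' + min + ',' + max + '}$';
}

// What the client-side validator does with the expression and the field value.
function isValidPassword(pw, expression) {
  if (typeof pw !== 'string') return false;
  return new RegExp(expression).test(pw);
}

// Assumed policy for the example: 8 to 12 characters.
var POLICY = validationExpression(8, 12);   // "^[\x21-\x7e]{8,12}$"

// Constructed sample inputs with the outcome the policy should give.
var samples = [
  { pw: 'abc',           expected: false },  // shorter than 8
  { pw: 'P@ssw0rd!',     expected: true  },  // 9 chars, punctuation allowed
  { pw: 'Tr0ub4dor&3',   expected: true  },  // 11 chars
  { pw: 'abcdefghijklm', expected: false },  // 13 chars, over the upper bound
  { pw: 'has space1',    expected: false },  // whitespace refused
  { pw: 'plain_word1',   expected: true  }   // also matched the original \w pattern
];

// Returns the sample passwords whose result disagrees with the expectation.
// An empty array means the expression implements the policy on every sample.
function failingSamples(expression) {
  if (expression === undefined) expression = POLICY;
  var failed = [];
  for (var i = 0; i < samples.length; i++) {
    if (isValidPassword(samples[i].pw, expression) !== samples[i].expected) {
      failed.push(samples[i].pw);
    }
  }
  return failed;
}
```

Two points worth keeping in mind whatever pattern is chosen. The server-side evaluation only has an effect if the postback handler checks Page.IsValid before using txtPassword, because the client-side check is trivially bypassed. And \w is not portable between the two engines: it matches Unicode letters in .NET but only [A-Za-z0-9_] in JavaScript, so the original ^\w{3,12}$ accepts different strings on the two sides, which is one more reason to prefer an explicit class like the one above.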

Setting up SSL in ASP.Net 2.0

Today I was given the task of setting up SSL support for an ASP.NET website.
Here are the steps I had to take:

1. Install IIS 6.0 Resource Kit,
http://www.microsoft.com/downloads/details.aspx?FamilyID=56FC92EE-A71A-4C73-B628-ADE629C89499&displaylang=en

which contains "Selfssl.exe".
SelfSSL (SelfSSL.exe) can help you generate and install a self-signed SSL certificate. Because the SelfSSL tool generates a self-signed certificate that does not originate from a trusted source, use the SelfSSL tool only in the following scenarios:
When you have to create a security-enhanced private channel between your server and a limited, known group of users
When you have to troubleshoot third-party certificate problems


2. Create a certificate for use, similar to this
selfssl.exe /N:CN=testMachine /K:1024 /V:7 /S:1 /P:443
where
/K:key size Specifies the key length. Default is 1024.
/V:validity days Specifies the validity of the certificate. Default is 7 days.
/S:site id Specifies the id of the site. Default is 1 (Default Site).
/P:port Specifies the SSL port. Default is 443.
3. Go to your IIS MMC-> "Default Website" and right click for "Properties". Go to the "Directory Security" tab and under "Secure Communication" associate the recently created certificate to the server certificate. Now all websites under the "Default Website" will have this Server certificate.

4. Browse to your virtual directory under the "Default Website" and right-click for "Properties". Go to the "Directory Security" tab and under "Secure Communication" click "Edit".
Then check the "Require Secure Channel" checkbox.

Now the entire site is under SSL, and the URL used to reach it must start with "https" rather than "http".

But we also need to take care of redirecting to the start page if someone uses "http" instead of "https". If this is not implemented, the user will see a 403;4 page and will have to change "http" to "https" manually.

The following steps are needed to enable default redirection to the secure start page. Please refer to
http://weblogs.asp.net/pwilson/archive/2004/12/23/331455.aspx
for details.
1. In your project, create a basic HTML page "Redirect.htm" with the following code:

<html>
<body onload="Redirect()">
<script type="text/javascript">
function Redirect()
{
    window.location = "https://testMachine/SllTest/SignOn.aspx";
}
</script>
</body>
</html>

2. Browse to your virtual directory under the "Default Website" and right-click for "Properties". Click the "Custom Errors" tab and select the "403;4" error. Then click "Edit Properties" and set the error page to "Redirect.htm" in your project directory.

3. Browse to your virtual directory under the "Default Website", right-click on "Redirect.htm", and in the "Directory Security" tab click "Edit" and turn off "Require Secure Channel" for this page.

So now our Redirect.htm is the only page that is unsecured and all it does is to redirect the user to the sign in page.
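An added example, not the post's own Redirect.htm: the same redirect written as a pure function so that the decision can be checked outside a browser, with the browser hook at the bottom. It assumes the page is the IIS custom error page for 403;4 and that IIS appends the original request to the error page's query string as "?403;http://host:port/path" (the convention IIS 6 uses for URL-type custom errors); the host name, the paths and the function names are constructed for the example. Compared with the hard-coded version it preserves the page the user asked for instead of always landing on SignOn.aspx, and it refuses to redirect anywhere but the site's own host.

```javascript
var DEFAULT_TARGET = '/SllTest/SignOn.aspx'; // start page used in the post

// expectedHost: the host the site is published under (e.g. 'testMachine').
// queryString:  window.location.search as seen on the error page.
// Returns the https:// URL to send the browser to.
function secureUrlFor(expectedHost, queryString) {
  var fallback = 'https://' + expectedHost + DEFAULT_TARGET;
  var m = /^\?403;(.+)$/.exec(queryString || '');  // IIS format assumed, see lead-in
  if (!m) return fallback;

  var original;
  try {
    original = new URL(m[1]);
  } catch (e) {
    return fallback;   // not a parseable absolute URL: ignore it
  }

  // Only carry over path and query when the request really was a plain-http
  // request for this host. Anything else in the query string is untrusted
  // input, and honouring it would turn the error page into an open redirect.
  if (original.protocol !== 'http:' ||
      original.hostname.toLowerCase() !== expectedHost.toLowerCase()) {
    return fallback;
  }
  // The host comes from expectedHost, not from the query string, and the port
  // is dropped so the request lands on the SSL port (443 in the post).
  return 'https://' + expectedHost + original.pathname + original.search;
}

// Browser hook. Guarded so the function above can also run under a test harness.
if (typeof window !== 'undefined') {
  window.location.replace(secureUrlFor(window.location.hostname, window.location.search));
}
```

The "Require Secure Channel" setting on every other page is what actually enforces HTTPS; this page only saves the user the retyping. A client that does not run JavaScript still sees the 403;4, which is a reason to prefer a server-side redirect (checking Request.IsSecureConnection in a base page or Global.asax) where the application code can be changed.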

Happy SSLing. ;)

Friday, August 25

Cool Collaboration

If you don't want to plunk down the money for Microsoft SharePoint, you can get by with TikiWiki for some quick and easy collaboration among members of a project team. Tiki is open-source wiki software that I installed yesterday on my work laptop (a Dell XPS Pentium-M 2.0 GHz machine with 1GB RAM).

Tiki is powered by PHP4 and needs a web server and a database. I went with IIS 6 and MySQL 5.

The installation procedure is similar to something like Wordpress--it is possible to buy Tiki hosting space from an ISP, or install it locally.

First, download and install PHP. You can register PHP with IIS either as an ISAPI extension or as a CGI module. ISAPI is faster and more secure, but I went with CGI (which is simpler to install).

Next, you need to create a database user and a database schema in MySQL for Tiki. I used MySQL Administrator which comes with MySQL 5. You can use phpMyAdmin also if you like administering your MySQL over the web.

Next, extract the Tiki software in a directory on the local file system, and create a virtual directory (I called it "tiki") in IIS that points to the location of your Tiki installation.

Next, point your browser to http://[your web server]/tiki/tiki-install.php and setup of your Wiki will commence.

I loved the features offered by this software. I hesitate to call it simply "Wiki" software because it offers much more out of the box. I am still exploring, but it offers, in addition to the Wiki capabilities:

(1) Blogs, which is a nice touch if a particular member wants a soapbox of his/her own.
(2) Articles (by topic)
(3) Quizzes
(4) Forums (They included a complete forum/BB software??)
(5) Surveys (I have yet to toy with this)
(6) A group calendar
(7) Group chat
(8) FAQs
(9) Newsletters
(10) A workflow engine.

Whew!

The Wiki software allows your site to be customized with themes and menus. And there is mail notification for changes. As if all this wasn't enough, Tiki is extensible with custom modules written in PHP. For example, there is a calculator mod, a world clock mod, a mod for WebDAV access to your Wiki, a mod that imports some cool avatars, etc.

I like.

Thursday, August 24

ViewState, SessionState and Application State 101

Here are a few things I learnt about ViewState, SessionState and ApplicationState today.

The ViewState property is used to save data in a hidden field on a page. Because ViewState stores data on the page itself, it is limited to items that can be serialized; complex items have to be converted to and from strings.

ViewState information from one webform is unreadable to other webforms.
Property: ICollection ViewState.Values
Method: ViewState.Add(string key, object value)

One should limit the access points to Application & Session State and basically create page level variables to store data from these and write back to them at the end.

Maintaining Session state affects performance.

Application state variables are available throughout the current process but not across processes. If an app is scaled to multiple servers or multiple processes within a server, each process has its own application state.

In Visual C#, be sure to test whether the state variable is null or not before using methods like ToString() on it.

Mechanisms for communication between webforms
  1. Context.Handler object (use this object to retrieve public members of one webform's class from a subsequently displayed webform)
  2. Query strings
  3. Cookies
  4. ViewState
  5. Session state
  6. Application State


SqlDataSource Vs ObjectDataSource

Here are the arguments
From: http://www.theserverside.net/news/thread.tss?thread_id=29919
Unsuspecting programmers, it is claimed, will use the SqlDataSource control and unknowingly commit the unforgivable architectural sin of mixing their user interface, business logic, and data access layers.

The SqlDataSource control enables you to represent a database connection, and common database commands, declaratively. Simply by declaring an instance of the SqlDataSource control in a page, you can represent SELECT, INSERT, UPDATE, and DELETE commands which can be executed against a database.

The reason the SqlDataSource control is considered "really, really bad" is that it encourages programmers to flatten what should be many into one. The SqlDataSource control mixes the business logic and data access layers into the user interface layer.
 
Mixing the data layer with the UI is a BAD idea, period. Sure there may be times when you can get away with it, but the eventual unmanageability of it will greatly outweigh the short-term productivity gain. Creating logical layers of abstraction doesn't require physical separation of layers. Just moving the DAL into a separate class is a good idea because it gives you a single place to look for code dealing with the database. In the SqlDataSource scenario, if you change a stored procedure that is used on more than one page, you have to track down every page to make the change. This is bad design incarnate.

Behind the scenes the SqlDataSource control generates the ADO.NET classes (Datasets, SqlCommand, etc.) that is necessary to access the data defined in the control's markup. But what about reuse? If I'm calling a stored procedure with several parameters through a series of page requests, it would be nice to get some reuse from the parameter collection ala Data Access Application Block's parameter caching.

The ObjectDataSource control however does provide an architecturally sound way to bind web page controls to a middle-tier (logical, not necessarily physical) layer. So, for those web developers out there who want the ease of use that comes with declarative data binding, I recommend they use the ObjectDataSource control and forego the SqlDataSource control altogether.

I think that as a best practice one should always use ObjectDataSource, since it allows us to separate the business layer logic from the UI and follows MVC.

I came across this because I wanted to sort a GridView. I was assigning a DataTable returned by a method to the GridView's DataSource. If we create an explicit DataSource object and bind the GridView to it, then the GridView is able to talk to the data source and takes care of the sorting/paging.

The ObjectDataSource helped me grab data from a stored procedure, hence with zero SQL code in the UI, and kept it clean.


Wednesday, August 23

HTML::Embperl

Perl is a powerful language. And it can be terribly concise. I believe there are competitions that award prizes for the most concise (and most illegible, of course) Perl programs.

Perl also fits a niche. If you are a sysadmin-type scripting sort of person, it is the tool for you. The core language has powerful text-processing facilities; and packages exist for everything else such as database access, XML parsing, whathaveyou.

But if you are thinking of programming-in-the-large, forget about it. Object-oriented support is available from Perl 5, but the syntax is clumsy and looks tacked on as an afterthought. CGI programming? You are probably better off with PHP.

But I digress.

I recently saw and played with HTML::Embperl, which is a Perl package that lets you insert Perl code snippets in your HTML. Think JSP, but with Perl instead of Java. On the surface, seems like a good thing. The power of Perl directly from your Web pages, without having to worry about having to explicitly program to a CGI interface. But "the surface" often misleads.

Quite frankly, the philosophy (not to mention the syntax) of Embperl made me cringe. Over the years, I have come to appreciate the good things that happen when you separate concerns. Embperl--not unlike carelessly programmed JSP--throws separation of concerns out the window.

Frameworks are often derided. Frameworks like Struts or Wicket try to separate concerns and this leads to a steep and complex learning curve. Embperl goes in the opposite direction and this makes it tempting for some, especially for smaller projects. But if there is one thing that I have learned, it is this: There *are* no small projects. Even the smallest project has a way of growing and bloating past its original intent.

I would personally put my money on the frameworks.

Saturday, August 19

Asp.Net Session timeout about to happen Warning?

Any idea about how to implement the auto-closing session timeout windows that some bank websites implement?

I have been playing with giving the user an alert before a session timeout in a secure website. Here is a basic method that I found.
/*************************************************************************/

// Fire the warning two minutes before the server-side session expires.
int int_MilliSecondsTimeOut = (this.Session.Timeout * 60000) - 120000;
string str_Script = @"
<script type=""text/javascript"">
function Reconnect()
{
    alert('Session is about to Timeout in 2 minutes.\n Please complete work and submit');
}
// setTimeout fires once; setInterval would repeat the alert every period.
window.setTimeout('Reconnect()', " + int_MilliSecondsTimeOut.ToString() + @");
</script>
";
// ASP.NET 2.0 form; Page.RegisterClientScriptBlock(key, script) is the obsolete 1.x equivalent.
ClientScript.RegisterClientScriptBlock(this.GetType(), "Reconnect", str_Script);

/*************************************************************************/

This javascript method gets called 2 minutes before a Session timeout but it needs user attention and doesn't autoclose (render useless after timeout period expires) and log the user out.

One way could be using Form Authentication in Asp.Net.

Ideas welcome.
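An added example (not the post's code) of the client-side half of the auto-closing behaviour asked about above: one timer shows a warning, a second one sends the browser to a sign-out page when the session would have expired, and neither needs the user to dismiss anything. The C# snippet in the post is the server half; it only needs to emit this script with the real Session.Timeout value in place of the constant. The function names, the injectable timers and the /SllTest/SignOut.aspx page (assumed to call Session.Abandon() and FormsAuthentication.SignOut()) are assumptions of the example.

```javascript
var SIGN_OUT_URL = '/SllTest/SignOut.aspx'; // assumed sign-out page, see lead-in

// Pure calculation: milliseconds from page load until the warning and until
// the session is treated as gone. warnMs is clamped so a timeout shorter
// than the warning period does not produce a negative delay.
function sessionDeadlines(timeoutMinutes, warnBeforeMs) {
  var expireMs = timeoutMinutes * 60 * 1000;
  if (!(expireMs > 0)) throw new RangeError('timeout must be positive');
  var warnMs = Math.max(0, expireMs - warnBeforeMs);
  return { warnMs: warnMs, expireMs: expireMs };
}

// Wires the deadlines to timers. `timers` is injectable (pass window in a
// page) so the schedule can be verified without a browser. setTimeout is
// used rather than the post's setInterval: each event should fire once.
function scheduleSessionExpiry(timeoutMinutes, warnBeforeMs, timers, onWarn, onExpire) {
  var d = sessionDeadlines(timeoutMinutes, warnBeforeMs);
  var warnHandle = timers.setTimeout(onWarn, d.warnMs);
  var expireHandle = timers.setTimeout(onExpire, d.expireMs);
  return {
    warnMs: d.warnMs,
    expireMs: d.expireMs,
    cancel: function () {           // e.g. when the page submits before expiry
      timers.clearTimeout(warnHandle);
      timers.clearTimeout(expireHandle);
    }
  };
}

// Browser hook. Guarded so the functions above can also run under a test harness.
if (typeof window !== 'undefined') {
  var SESSION_TIMEOUT_MINUTES = 20; // the server would write Session.Timeout here
  scheduleSessionExpiry(SESSION_TIMEOUT_MINUTES, 2 * 60 * 1000, window,
    function () {
      // A banner instead of alert(): alert() blocks the page's timers until
      // dismissed, which would also hold back the expiry redirect below.
      var banner = document.createElement('div');
      banner.textContent = 'Your session expires in 2 minutes. Save your work now.';
      document.body.insertBefore(banner, document.body.firstChild);
    },
    function () {
      window.location.replace(SIGN_OUT_URL);
    });
}
```

The server stays the authority: when the redirect fires the session has already been discarded by ASP.NET, so a stale tab that never ran this script still cannot act on the old session. The client timer restarts with every page load, which tracks the server's sliding expiration because each postback both restarts the server timer and re-emits the script.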

P.S.

JavaScript script tags seem to be banned in Blogger, while Yahoo 360 blogs allow them. ;)

I think applying HtmlEncode() solves the security and page-breaking issue. I think that is what projects which use FCKeditor need to do in order to allow users to create text with HTML tags in it.

ASP.NET Custom Error Pages

I came across this article about ASP.NET custom error pages while trying to trap exceptions before the user sees them. I needed to implement a global exception handler plus a way to redirect the user to a generic error page in case of uncaught exceptions.

http://www.aspnetresources.com/articles/CustomErrorPages.aspx

This helped in trapping uncaught application and page exceptions.

Point to note: the call

ctx.Server.ClearError();

should be commented out in global.asax and in the OnError event of the base page in case we want the user to be redirected to the custom error page set in web.config.

Wednesday, August 9

Test

Test Post. Nothing here to see.
