Monday, September 14, 2009

Multiple forms - ASP.Net 1.1

Has anyone tried to

I've read Avi Sanjey's article and other similar approaches and have used them successfully, but always in ASP.Net 2.0+. I now have an old ASP.NET app (that I'd rather not convert) and, guess what, they want a little constant contact form in the sidebar, which now breaks the app.

Any ideas?

Tuesday, August 11, 2009

IE8 shares his (session) cookies...

Recently I have been noticing quite a few little odd login issues with sites. Now, as an aside, I'm a Microsoft .Net guy and as such generally an IE guy (forgive me my design friends). Several of these issues I have had work fine in Firefox but fail to log in properly in IE8 (IE7- are fine).

Today I was implementing a "remember me" checkbox for my login page. I tested the functionality in Firefox and it worked fine. I tested it in IE8 and found that it "remembered me" even when I had not checked that box. It turns out that IE8 now keeps session cookies (i.e. a cookie with no expiration that normally leaves when you close your browser window) beyond the browser session.

Have you ever opened the same site in one browser session and logged in as "x" and then opened another browser window and logged in as "y"? If so, forget that now. The cookie you set in one session now screws up another session and you'll only be logged in as "y" in both places.

See this simple example: http://www.enhanceie.com/test/sessions/

Here is another good discussion: http://www.vistaheads.com/forums/microsoft-public-internetexplorer-general/346079-ie-8-release-version-sharing-session-cookies-across-browsers.html

The Microsoft MVP above claims that this behavior is by design. I certainly hope this is not true. Think of all the "remember me" checkboxes you've seen across the web. If you uncheck them when you visit your local library and it doesn't log you out, you're going to have a fit and rightfully so.

ATTENTION LIBRARIES: Hold off on going to IE8 or make sure your browser shortcuts all utilize the "iexplore.exe -nomerge" syntax discussed in the post above.


UPDATE...
IE8 does seem to delete all session cookies when all iexplore.exe sessions go away. This could solve your issue in a public kiosk situation.

Thursday, July 09, 2009

My case against stored procs...

OK. I am sure this will generate some debate and discussion but I believe I can make the case that SQL stored procedures are not the best approach.

What I Hear
I am constantly told by people that calling SQL statements or using ADO.Net datasets is "old school" and "not the best approach". "Straight SQL is a security risk and not safe." "You should be using stored procs because they compile in the database and thus run faster". etc etc etc...

First let me address the "security risk" issue. I am not suggesting that we write code to construct the entire SQL string including the embedding of parameters. This is what leads to the traditional SQL injection attack.

// NOT secure...and NOT what I'm suggesting!
// The raw query-string value is concatenated straight into the SQL text.
string sSQL = "";
string CustomerId = Request.QueryString["id"];
sSQL += " SELECT * FROM contacts c ";
sSQL += " WHERE c.Id = " + CustomerId;


Imagine "ShowCustomers.aspx?id=27;select * from sysobjects" or worse.

ADO.Net, from at least version 2 onward, has included the ability to do parameterized queries with the dataset object, with @CustomerId-style parameters embedded in your SQL. You then have to set the parameter values manually before executing the SQL, and this is where your type-checking would catch the SQL injection attack above. This is what I am suggesting!
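The parameterized approach described above, written out as an added example (not code from the original post). The class and method names are hypothetical, the inputs are constructed samples standing in for Request.QueryString["id"], and no database connection is opened; it assumes System.Data.SqlClient is available.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class ContactQueries
{
    // Hypothetical helper: the SQL text is a constant, and the id travels
    // separately as a typed @CustomerId parameter, never as part of the text.
    public static SqlCommand BuildContactQuery(string rawId)
    {
        int customerId;
        // Type check: "27;select * from sysobjects" is not an int, so it is
        // rejected here, before any command is built.
        if (!int.TryParse(rawId, out customerId))
            throw new ArgumentException("id must be an integer");

        SqlCommand cmd = new SqlCommand(
            "SELECT * FROM contacts c WHERE c.Id = @CustomerId");
        cmd.Parameters.Add("@CustomerId", SqlDbType.Int).Value = customerId;
        return cmd;
    }

    static void Main()
    {
        // Constructed sample inputs: one normal id and the injection string
        // from the ShowCustomers.aspx example.
        string[] samples = { "27", "27;select * from sysobjects" };
        foreach (string raw in samples)
        {
            try
            {
                using (SqlCommand cmd = BuildContactQuery(raw))
                    Console.WriteLine("accepted: {0} -> {1} with @CustomerId={2}",
                        raw, cmd.CommandText, cmd.Parameters[0].Value);
            }
            catch (ArgumentException ex)
            {
                Console.WriteLine("rejected: {0} ({1})", raw, ex.Message);
            }
        }
    }
}
```

In a page, the returned command would be given a SqlConnection and executed; the SQL text stays the same for every request and only the parameter value changes.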

My case against...
First Point: I have maintained many applications built by people convinced that stored procedures are a "best practice" and must be used as much as possible. On the web, this becomes problematic because when a new parameter is added (as is often the case for something like sp_insert_customer or sp_update_contact) it requires both your code and your database to be updated. During deployment of a web app this forces you to break the application for the amount of time in between deploying your code and deploying your database changes, or vice versa. If your SQL is constructed or pulled by the application, it can be deployed in the same XCOPY without incident.

Second Point: SQL Stored Procedures are easy to change outside of source control. Because the stored procedures reside in the database and not with your code, they are vulnerable to "change without change control". It is very easy for a DB admin to hear about an issue and fix it without ever knowing there should be source control surrounding that change. This means a key portion of your application is not source-controlled and potentially not backed up (especially in staging environments); if it is backed up, you only have a single copy (no rollback), and you constantly ask the question "Is this the most current copy of the stored proc?" I have seen people export the stored procs and keep them in their Visual Studio project, but this still leaves you asking the question "Is this the master copy?"

Third Point: Stored procedures in a finished application tend to contain lots of logic. This logic is not portable anywhere! This means that if your company is purchased and requires a MS-SQL conversion to Oracle, or you are forced to run at a web host using MySQL, you have a major rewrite instead of a connection string change plus some rather minor SQL syntax adjustments to make.

Fourth Point: This is another language to learn and follow. SQL is very comfortable and relatively portable. KISS!

Fifth Point: I hear you saying "what about the extra network traffic". I'll grant you that point but in most intelligently developed web environments the db server is very close to the web server and usually on a high-speed backbone. I don't believe there is a significant enough boost in performance for anything except the most high-activity sites. Feel free to disagree on this point - especially if you have some numbers to share.

Conclusion:
I am not saying that Stored Procedures are wrong in every case. I find some situations where utilizing the stored proc is the best and fastest way to pull together the data that I need. I am simply suggesting that they should be the exception and not the rule especially for add/update/delete situations.

Wednesday, June 03, 2009

Help me find the person who is using me!

Hey Microsoft -

Error Deleting File or Folder
Cannot remove folder xyz: It is being used by another person or program.
Close any programs that might be using the file and try again.


How about telling me something useful; like which process is using the blinkin' file/folder?? Perhaps, you can call your SysInternals group and find out how to do this and put it into Windows.

With all the junk that ends up running in my tray it's needle in the haystack time trying to figure out who to shut down to get a file freed up. Help!!

Thanks,
A defender for now...

Tuesday, September 23, 2008

'CreateResourceBasedLiteralControl' is not a member of...

ERROR:
The error "'CreateResourceBasedLiteralControl' is not a member of 'ASP.Customer_OrderForm'" was occurring on a new form that I created by copying one form to a new form.

RESOLUTION:
My mistake was that this form was part of a Web Application Project but this copy did not have a "...designer.vb" file associated. I right clicked on the form and selected "Convert to Web Application".

Wednesday, August 13, 2008

Do you want to run UrlRewriting on IIS5 for WinXP?

I have been testing the UrlRewriting framework and loving it. Unfortunately, it has been on Win2003 Server boxes and now I want to test some things on my local box. Here's how to set it up...

STEPS
1) Open IIS Manager
2) Right click on your website, select Properties
3) Select the "Home Directory" tab and click the Configuration button
4) Under "Mappings", copy the path to your .net framework to the clipboard. The easiest way to do this is to double click the ".ascx" line and copy the whole path from the "Executable" box.
5) Still under "Mappings", click "Add"
6) Paste the path into the "Executable" box, set the extension to ".*" and UNcheck the "Check that file exists" box.
7) OK, OK, OK and you're done.

Tuesday, July 15, 2008

RequiredFieldValidator and DropDownList

At first glance it seemed that using a RequiredFieldValidator against a DropDownList control with a "Select one..." option in it was not viable. I have used CompareValidators in place of this as well.

Turns out you can set InitialValue="" (assuming your Select one... item has a Value="") and everything works like a champ.