mybren

SQL Server Error - The token supplied to the function is invalid

2008-03-30T15:57:00.000-07:00

I am in the process of updating one of my ASP .NET applications from .NET 1.1 to 2.0. During my testing, I received an error "A connection was successfully established with the server, but then an error occurred during the pre-login handshake (provider: SSL Provider, error: 0- The token supplied to the function is invalid) (Microsoft SQL Server)" while attempting to connect to my local SQL Server (2000 to be exact)

Thank you Microsoft, as that error was about as non descript as the classic "Object reference not set to an instance of an object"

Anyway, the problem I had with the error was that I wasnt connecting via SSL.. its my localhost for crying out loud!

The solution to "my" problem wasnt anywhere out there on the Internet, which is why I am posting this blog. For some reason, my local account no longer had the access required to properly start the SQL Server 2000 service. To fix I had to:

Go into services (right click "My Computer" and click manage, then click Services),
Find the SQL Server Service (since its 2000, it was "MSSQLSERVER")
Right click the service and click "Properties"
Click the "Login" tab
Under "Log On As", check "Local System Account"
Restart the service (if its already running)

Again, I don't know why all of a sudden my local account (which IS an admin account) cannot start the service properly. I didn't receive any errors on starting the service, so I assumed all was OK. The only thing I can think of is that recently I installed a new wireless adapter on my PC. Perhaps my system doesnt recognize my account properly because of this change? Anyway, if you aren't trying to use SSL for SQL Server auth, try the change described above.

Oh yeah, if you are trying to use SSL for your SQL Server authentication, check out this link - http://support.microsoft.com/kb/276553/ I wasn't trying to do this.. but it looks like it would be useful if I was ;)

Installing CyberSource on ASPDNSF ML 6.0

2008-02-01T09:27:00.000-08:00

A few years ago, I purchased the VB.NET version of the ASPDotNetStorefront ML 6.0. We had done some work on it, then put it on the back burner. Very recently, we picked it up again, and wanted to integrate CyberSource as the payment gateway. Unfortunately, support for ML 6.0 is not longer available, as ASPDotNetStorefront is up to version ML 7.0.

I had stumbled through how to integrate CyberSource into ML 6.0, but eventually figured it out. Considering ASPDNSF is a popular product, I thought I would document the steps to integrate.

Again, this is how to integrate CyberSource into ASPDotNetStoreFront ML 6.0

Step 1 - Install SDK

Install the CyberSrouce SDK onto the PC. Note: This install's dll's into the .Net Frameworks GAC, so this needs to be installed on every server that will host the application.
You can get the SDK here - http://apps.cybersource.com/cgi-bin/pages/dev_kits.cgi?kit=_.NET/_.NET2.0

Step 2 - Update Cybersource.vb
If you haven't already done so, open up your project with Visual Studio 2005.

Within the Gateways Project (AspDotNetStorefrontGateways) add a reference to Cybersource.Clients.dll
Within Cybersource.vb, uncomment top line
VB .NET does not have a #define statement
Rewrite top line to #CONST CYBERSOURCE = True
Comment out the existing section:
#If CYBERSOURCE Then
Imports CyberSource.Soap
Imports CyberSource.Soap.CyberSourceWS
#End If
Replace the commented section with:
#If CYBERSOURCE Then
Imports CyberSource.Clients.SoapWebReference
Imports CyberSource.Clients.SoapClient
#End If

This is because the SDK has been updated since ML 6.0 came out, so the libraries are different.
Update the methods "ProcessCard" Input Parms.
Change the types for UseBillingAddress and UseShippingAddress to use 'AspDotNetStorefrontCommon.Address'

Step 3 - Use WSE 3.0

http://www.cybersource.com/support_center/implementation/downloads/soap_api/SOAP_toolkits.pdf - Follow examples on Page 11 to setup WSE 3.0 within this project

Step 4 - Generate CyberSource Gateway Key:

Follow the steps to generate your CyberSource Gateway key, found here: http://www.aspdotnetstorefront.com/manual/html/cybersource_gateway.htm

An introduction to code sandboxing

2007-12-20T11:17:00.001-08:00

One of the latest buzz words surrounding application development is "sandboxing", and it's becoming a buzz word for a reason. Incase you haven't heard much about sandboxing your code, take a few minutes to get up to snuff.

Overview

Code Sandboxing is the idea that you can keep all application resources contained within one build. Look at it like this... if you don't sandbox your code, and if you share a web server for a variety of web applications, if one application is compromised, all are compromised... and beyond that, your server as well!

The idea behind sandboxing is that you can isolate the security permissions behind each build, so if there is a security leak behind one application, the rest of your server is still off limits. And incase you haven't figured it out, it's as if you put each application in its own.. say it with me.. sandbox.

How do I Sandbox?

Sandboxing is as simple as adding a value to your web config. In your web.config, add the following key:

<trust level="Medium" originurl="" processrequestinapplicationtrust="true" />

There are 5 Out-Of-The-Box values for the level, Full, High, Medium, Low, and Minimal.

Now, you have 2 choices here, sandboxing a new application, or an existing application. As you might have guessed, a new application is easier, and so we will start there. Therefore, go ahead and develop your project. What the key above does is only give you access to any processes that are configured for "Medium" trust. So, as you are developing, you will receive security permission errors if you go outside of your Medium trust. For example, with Medium trust, you have no File IO Permissions. So attempt to perform File IO, and you'll receive an error. In this instance, you have two options, remove your File IO Code and find a different method.. or add File IO to the security permissions (more on that later).

The tricky part is sandboxing an existing application. The whole idea behind sandboxing is giving your app partial-trust. So if you build an app on top of partial-trust, anytime you stumble upon a security issue, you can fix it accordingly. Therefore, when dealing with an existing app, you need to identify any area's that go outside the normal boundaries. How do you do that? Well, you can hire yourself about 10 interns and feed them coffee and peanuts until they identify/fix every issue... or you can use permcalc.

Permcalc is a Microsoft tool that analyzes an assembly of your application, and generates an XML document stating all the methods that need any type of security access. To use it, open up the Visual Studio Command Prompt, navigate to your applications bin directory, and perform the following command:

permcalc -show

A new browser window will load with each method that is used within the assembly, along with showing what security features are needed.

How do I resolve my security issues?

OK, so at this point you took my advice above and added a trust key to your web.config, but you get to a certain line of code and an error is thrown. Just because you receive a security issue doesn't mean that you give your application a higher privelage! You have two options, create a security policy that contains all of the access that you need (recommended), or grant temporary access (NOT recommended).

Remember up above when you assigned the level of trust to "Medium"? That references a policy file on the server that grants access to the different permissions. So you can copy/paste the existing Medium File, rename it, and reference the new file (yes, you can just update the Medium trust policy file... but c'mon.. lets not cut corners here).

So, to get started, navigate to the .Net Framework's config location (try C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG) and look for the config files. Namely, you'll be looking for web_mediumtrust.config. Copy/paste it, and rename it. Then, add the permission set you need. Next, in your global web.config, create a reference to your new policy file by adding an entry within the securityPolicy section, such as:

<trustlevel name="MyPolicy" policyfile="MyPolicy.config"/>

Finally, in your app's web.config, set the trust level to "MyPolicy", and now your code has access, while still running at partial-trust.

Above was just an overview of sandboxing, but hopefully it provides you enough of an idea so you know how to do it, and the importance of sandboxing. For more information, I strongly recommend that you read about Partial-Trust - http://msdn2.microsoft.com/en-us/library/ms998326.aspx. And if that doesn't give you enough information to quench your thirst, check out Dominick Baier's book - Developing More-Secure Microsoft ASP.NET 2.0 Applications - http://www.amazon.com/Developing-More-Secure-Microsoft%C2%AE-Applications-Developer/dp/0735623317. Chapter 8 is devoted to this topic. Finally, the most recent cover story of Redmond Developer News was dedicated to sand boxing, and provides a nice overview.. probably better than mine was ;) http://reddevnews.com/features/article.aspx?editorialsid=2386

A Web Developers 2008 Technology Wishlist

2007-12-08T18:08:00.000-08:00

I try to do my best to not date any of my blog posts, but this is one of those that timing is everything! As Christmas, 2007 approaches, so does the inevitable feelings of a fresh start for all things we wish we could improve. Saving more money, losing weight, learning how to set a clock on a VCR... then again... getting rid of the VCR altogether!

As we approach 2008, we should also take stock of our development practices. We should start asking ourselves questions like "what are we developing with", "what are we offering", and "what are we doing better than our competitor's". However, I'm going to do you a favor... I'll answer some of those questions for you!

Below is a technology wish list. If we could ask Santa what to bring our web applications, below is a list of some of the technology/idea's that we should start making use of.

Web 2.0 Principles - Let's start the list with a generality, by focusing on embracing Web 2.0. I recently purchased an MP3 player, mainly because it was a great deal from woot. It's a Sansa e250, refurbished, holds 4 GB of data, plays music, video, shows pictures... and I got it for 50 bucks total. However, all of my friends call it my "fake iPod". Even though I love it, it works just as well as an iPod, was cheaper, and I don't need the dreaded iTunes to use it... I've been labeled an outsider.

Web 1.0 is on the way to the same stigma. Even though your web applications are working well, they're just not "cool" enough. Now, you may be asking yourself, "what's the ROI on making your web applications cool"? Excellent question! Look at upgrading your applications as more of an investment in the future of application design. It's the way of the future. Embrace it... challenge yourself.. understand what the movement is and hop on the wave of change! As you develop future applications, make use of the newer technologies that are getting released every day. These new technologies are meant to make your applications more dynamic, easier to use and understand, and more powerful. One of the most difficult challenges for a web developer is to stay ahead of new technologies. As a Microsoft .NET developer, I find myself working with beta releases... not because I'm bored, but because I need to be able to use the technology as soon as it hits an official release! However, using the newer ideas helps me not only broaden my horizons, it also helps me stay ahead of the competition.
AJAX - Microsoft did us a favor, they seceded on Microsoft ATLAS. Rather than getting into a software development war with the .NET army against the rest of the world, they embraced AJAX (Asyncronous JavaScript and XML) and standardized their development platform. Since that time, they have put much backing into it's capabilities. Along side of that, all the main web browsers support the XMLHttpRequest object... the key element in AJAX's behind-the-scenes web calls. The final piece is that web savvy users are using JavaScript. So, what does a recipe of AJAX, XMLHttpRequest support, and JavaScript enabled web browsers give you after 30 minutes in the oven at 375? How about 3 excellent reasons to give up on fighting AJAX?

Embrace AJAX. Use AJAX to create better applications for your customers, decrease network activity, and populate advanced metrics on your website. The pieces are in place, the community is there, active and waiting to use websites that are cutting edge, embrace them back!

So how can you use AJAX? Here's an example. I recently adopted Digg, to include on this blog. During the sign up process, as I filled in the input boxes with my information, it posted back to me real time information. I received a "This username is available, go ahead and take it!" after typing in my username and leaving the text area. I got a "Hey, your password looks great!" after providing my password.

Is this a good reason to adopt AJAX? Because it let's you give funky messages back to your user community? No... but think about what it took to present these messages. Upon providing the username I requested, and without submitting the form, the username was compared to usernames in the database and proactively returned a message to me. AJAX gives you server side control over data with a client side look and feel. Use AJAX in your applications to control, format, secure, and manipluate data.. and to bring your applications up to speed.
RIA's - The item above discusses AJAX and user adoption, and taking advantage of a user community who embrace and enjoy the idea of proactive server activity. How about taking advantage of a user community who embrace interactive design and creativity, AKA, Rich Internet Applications?

A few years ago, before I fell into web development, I acquired an educational version of Flash 4 (don't worry, I was a student at the time!). Within hours, my first Flash movie was made. It didn't have an user interaction, but it was cool, and easy to create! I gave it up because I lacked the programming skills at the time to give it some back end power.

Fast-forward 5 years, and we now have Microsoft Silverlight, their answer to the RIA Juggernaut Flash. What's more, it provides much more programming capabilities, something along the lines of VB/C# .NET than just script (Flash uses ActionScript, a pseudo JavaScript meant to interact with Flash elements).

When you think Silverlight, dont think of it as a design tool for a side project where the audience will only be teenagers, browsing your site at 2 in the morning and looking to stay awake by playing games. Silverlight can address an audience in your business setting as well. When I think of Silverlight, I think of Star Trek.. or any Sci-Fi show. Did you ever notice what the ship staff is using, while their busy zipping around the galaxy? It's not a standard web form, with a few text boxes and a plain-jane grey submit button. It's a screen with motion, things moving and updating on the fly (speaking of which, Silverlight is AJAX enabled.. think about that!). Why not give your end users within your business a flashier design, especially if it's little to no more extra work than it would be to create your traditional HTML forms?
CardSpace Adoption - If I've been a good web developer this year, and I'm on Santa's nice list, then the last thing I'm asking him for is CardSpace adoption. Very recently, Microsoft released their latest version of Visual Studio - VS 2008. With this release came .NET 3.5, which included support for programming with CardSpace.

If you haven't seen CardSpace yet, it's a personal data-store on a user's PC where an individual can store personal information within data cards. You can have several cards, each holding as little or as much personal information as you would like to provide to a website. When you arrive at a website that supports CardSpace, rather than typing in your information to either sign-up or login, you provide your card. It verifies you, and away you go!

So what's so special about CardSpace? Well, it's much more than saving end-users from typing in personal data. CardSpace is actually changing the infrastructure for end-user validation. Any malicious user, anywhere in the world, can type in a name, phone number, email address, etc. and pretend to be someone else. However, with CardSpace, no one else can take that card away from me. No one else can log into a website as me because they stole my password, because the password must be accompanied with my card!

CardSpace is providing a new structure for website validation. It's so cutting edge... not a lot of websites are using it! However, this is mostly because the programming capabilities recently came out of beta and were released with .NET 3.5

Thanks for reading, I hope you end up with more than just a lump of coal this holiday season!

Quick Blog: Architecting your applications - Avoid "All Tinsel with No Tree" pitfalls

2007-12-04T20:28:00.000-08:00

I recently met with a client of mine. He is a professor, and needs a grading/rollbook application, and this app will be for his eyes only. Being the web/database guru that I am, I recommended that we create a web application.. for the obvious benefits that the web provides us.

After some initial conversation... and some notes written on scraps of paper during a Chinese buffet lunch meeting... I was able to get to work. I began with a simple HTML mock-up. Nothing fancy, nothing dynamic, just a quick and dirty way to show the principles of how the system will perform. For example, I created a screen mockup of adding a student to the system, a separate screen on assigning grades to a student, etc. Nothing of a rocket scientry proportion...

After a few hours of work, we met again to discuss the status of the system: how it will work, what we need to do next, etc. I explained to him that the screens are very basic, but to focus on the functionality... not the design. What he said next was just... perfect... so perfect that I wanted to blog about it. He said "that's fine, I don't want to be given all tinsel with no tree". I immediately thought... perfect, I'm on track for writing this system. Fortunately, he felt the same.

The moral of the story is this. If you develop app's the way I do, you're in charge of some database design, some application development, and some web design as well.. just to name a few of the skills we must always sharpen! Sometimes it's easy to get caught up in how a system looks.. on mock drafts.. just avoid that. More importantly, have your clients avoid it on round 1 design sessions as well. The longer you think of system functionality, the better the application design is.. and the happier the client is.

I am not telling you to avoid making your app pretty, but pretty can come at a later time. Slap a CSS sheet while creating your mockups, and in a matter of an hour or two you can update the look and feel. System functionality is... obviously... a different animal, but worth the time to give it's full attention at the start of your project.

Custom Help Desk Workflow in Sharepoint 2007

2007-09-15T12:02:00.000-07:00

Several years ago, a developer at the company I work at wrote our Intranet. It's ASP based, and over the years the developer's been asked to add/modify/update various features on the site. One of the features he had implemented was a custom Help Desk System. In a general sense, its workflow is as follows:

Only specific users of the Intranet can submit Help Desk tickets
Help Desk ticket details are required
Help Desk tickets are assigned by the requestor to a 'group'
The Help Desk ticket groups contain individuals who receive the ticket - example, rather than request a particular person receive the ticket, the members of the requested group can own and close the ticket.
Help Desk Tickets are automatically owned by group members, members do NOT have to accept ownership.
Help Desk Tickets can be transferred from the owner to other individuals, regardless of the ticket group
Emails are sent to members of the group upon ticket submission.

There are a few other features of the current Help Desk ticket system, but for the most part those are the key features that we have been working with.

About 9 months ago, we migrated to a SharePoint 2007 Intranet. OK, I shouldn't say 'migrated', we've been using it, but we've been using our legacy ASP based Intranet as well to make use of necessary systems... such as the Help Desk system described above. We now have an end of life timeline on our legacy system, so we are pursuing options to migrate all systems. One option that I am particulary pleased with is the Sharepoint 2007 Helpdesk Application Template - download here.

Application templates are cool, they are customized lists, announcements, views, and libraries, all with enabled workflows. This means that trying to use a customized Sharepoint site to meet my requirements listed above would be difficult. However, with the Help Desk Application Template, we're in business!

So, how do we make use of the application template? For starters, you need Microsoft SharePoint Designer 2007. SD will let you modify existing templates and workflows.

Installing the Help Desk Application Template
On your SharePoint server, download the template from the link above, and extract the files to a local directory. If you haven't installed any application templates on your server yet, you must download and install the Core Templates first! A link to the Core Templates can be found at the site linked to above. As a local administrator, open up a new command line window, navigate to the stsadm.exe directory, and follow the instructions found in the link above.

Creating your new Help Desk Site
After installing the Help Desk template (and perhaps the Core templates as well), go into SharePoint, navigate to your appropriate site where you want to create your Help Desk site, and then click "Site Actions -> Create -> Sites and Workspaces", then create a new site, but select the Help Desk template.

Customizing your new Help Desk Site
To make the template fit into our existing workflow (given the requirements stated at the top of this blog post), I had to create an option for the new ticket request to allow someone to select a group. Sounds simple enough, right? Well, first we add our column, as a new help desk ticket is nothing more than a list item. Well, I need the group to also be a required field on the new ticket request. Finally, based on the group selected, we need to assign the ticket.

Adding our "Group":
On your help desk site, go to Site Actions -> Site Settings -> Site libraries and lists. Then, select "Customize Service Requests". Underneath the existing columns, click "Create Column", name your column "Service Group", make the column a "Choice" column, require the column have information, and add each "group type" for your choices. For example, "SharePoint issue" and "Website Down".
Making our group available on support tickets:
Adding a column to your list doesn't magically add the field to new requests. So, now we open up SharePoint Designer, and follow the instructions found here. This article shows you how to create a new web form, bring in your service requests fields.. which now include your "Service Group" field.. associate the SharePoint Master Page, and associate this new web form as your page that will be used when a new request is created.
Assigning tickets based on groups:
SharePoint has built in workflow capability, unfortunately it's difficult to manipulate using SharePoint. Fortunately, SharePoint Designer has a GREAT tool to help you unlock workflow. So, open SharePoint Designer and navigate to your helpdesk site. Next, select File -> New -> Workflow. Associate the workflow with your Service Requests List, and select the option to initiate the workflow based on a new item.

The next screen brings you to an "If/Then" wizard. It's simple, "If" a condition is met, "Then" run a series of events. So, its pretty simple. If a group is selected, assign the ticket item to an individual.

So, from the "Conditions" button, choose "Compate Service Requests field". Then, select the appropriate options so it states If Service Group equals . Next, for actions, choose "Send Email" to send an email to a particular individual stating that a call ticket has been entered. Then, select Actions again, and choose the "Set Field in Current Item". This option will let us specifically alter fields on the submitted service request, such as "Assigned To", so we can assign a ticket based on the Service Group".

So, after selecting "Set Field in Current Item", set the field to "Assigned To" and then assign your individual to receive the item.

When you're done, repeat the "If/Then" logic for each group you have.

I apologize there aren't an screen shots, but I was in a bit of a rush to get this blog post live. I just wanted to get something out here on the Internet as I had to stumble through the steps above to get my Call Ticket system working.

I hope this blog post helps, below are a list of some helpful links that can guide you as you manipulate the Application Templates:

ASP .NET Security - Stopping scripting attaXSS in their traXSS

2007-06-26T10:03:00.000-07:00

As of May 2007, the top security vulnerability on the web is Cross Site Scriping (XSS) attacks. And why shouldn't they be? Theyre extremely easy to use and potentially lethal to the credibility of your site, fortunately the kind people at Microsoft made it simple to prevent these attacks.

The culprit

Here's the situation: You have a web form where the user can post data for others to see. For example, you're writing a custom blog application and you want users to write comments. On your site, you have a textbox that allows users to post comments, lets call this textbox "txtUserComments".

When your user clicks your submit button on the form, your code will look something like this:

If Page.IsPostBack

'Some Code Up Here

Dim UserComment as String = txtUserComments.Text

'Some More Code Here

End If

Yep, thats all it takes to have an XSS Vulnerability. If input validation is turned off on your page/site, an end user can post some bad stuff, and all future users will be affected.

For example, if <script>alert('ha')</script> is posted, all future users will enter the page and see the alert box. I'll let your imagination run wild with the other possiblities here...

The fix

So, what's the fix to this solution? Well for one, you probably noticed that I said above that "If input validation is turned off", which is turned on by default. So... don't turn off validation! But there's much more to this post than that. What about query string values, HTTP Header Information, or other Form POST data?

The nice people at Microsoft developed an Anti XSS library... and it's cake to use. You can get the library here.

To use it, download and install the library. In your web project, add a new project reference, and get your dll from your program files\Microsoft Corporation\Anti-Cross Site Scripting Library V1.5\Library\.Net 1.1 | .Net 2.0. That's right folks, the library is available for both 1.1 and 2.0!

Now that you added your reference, import the namespace into your page:

Imports Microsoft.Security.Application

Finally, make use of the library! For example, remember our example above with the textbox input? Well, now we would use the following code:

Dim UserComment as String = AntiXss.HtmlEncode(txtUserComments.Text)

The magic behind it all

Some of the best things in life are simple, and this is no variation of that rule. The HtmlEncode function takes the input characters and encodes them for HTML output. For example, the '<' in a script tag is converted to a '<'.

The library has multiple functions available, so you can use the best encoding for your application. There is "JavaScriptEncode" for any JavaScript input, or even "UrlEncode" for passing values via querystring.

Hopefully this blog post gave you some insight into how easy it can be to compromise your site with an XSS attack, but more importantly you also saw how easy it can be to fix such attacks.

References

Microsoft Anti-Cross Site Scripting Library v1.5 Download

MSDN Anti-Cross Site Scripting Article - Kevin Lam - November 2006

OWASP Top-10 Security Vulnerabilities

Site Designs - Pittston Graphics

2007-06-23T20:23:00.000-07:00

I was fortunate enough to commission a website for a local and well established company, Pittston Graphics Inc. Their primary business deals with printing and supplying goods with company logo's... coffee mugs, hats, business cards, frisbee's.. all of that good stuff.

As with any website I do, I look at the new website as an opportunity to erase existing issues with the company's current website. For example, they wanted to keep things with the website simple. Therefore, the site won't be ASP.NET driven, instead it will be flat HTML, allowing me to generate the site quicker than usual, and they can keep their existing hosting provider. Additionally, the site will only be a few pages, making it easy to track and make changes to the site. After all, what good is a website if it's hard to update, right?

Anyway, here are my designs for the site.

In IE 7, the window.open function isn't what it used to be

2007-06-20T07:57:00.000-07:00

So here's the scenario. You have a website with a link that opens a new window. When opening this new window, you use the javascript:window.open() function, and you specifically state "location=no, statusbar=no" within the open function. When you test it locally, it works wonderfully. Then, you make your push to production, and users see the location and statusbar in the new window. What's the deal!?

IE 7, Firefox, and Safari have all preached user security for quite some time, so it may not be much of a shock to you to hear that the address and status bars are always visible, no matter what parameters you feed it via window.open(). Granted, the address bar in the above scenario cannot be used for navigation as it is "greyed out", but these toolbars are always visible to ensure that user's aren't sent to Phishing sites, etc.

So why did my window.open() function work when I tested it?

Simple, when testing on your development PC, or internal network, you're withing your "Intranet" group according to your browser. The Intranet group has lower level security permissions that allow such functions to work. However, when you make your push to production, the site is now in the "Internet" group, which obviously has higher level security.

This FAQ here states how IE 7, Firefox, and Safari take to the window.open() parameters.

This post, albeit brief, hopefully saves you some time and energy on not only troubleshooting the scenario above, but also saves you in development time as you can no longer rely on this technique to open new windows with total control over their look and feel.

ASP .NET - Viewstate and Sessions... they're much more than strings

2007-06-07T11:17:00.001-07:00

In ASP .NET, whenever you make use of data storage techniques, sometimes you're confined to using string datatypes. For example, whenever you store information in cookies, the data transmitted is a string. However, ASP .NET provides a lot more variety than just strings. Using Sessions and the ASP .NET ViewState the data may look like a string, but it is in fact much more than that.

Note to the reader: This article will discuss in some detail how to store data into the ASP .NET Session State and ViewState. Like most things in the programming world, just because you can do it, doesn't mean you should do it. Session and ViewState are powerful data transfer mechanism's, but keep in mind that the larger these objects are, the more taxing your applications are against your server's. Therefore, take great care of how liberally you use such objects.

Sample Data

For Session and ViewState Objects, let's create an example. Let's say you have a Hashtable carrying your user data:

Dim hashUserData As New System.Collections.Hashtable
hashUserData.Add("FName", "John")
hashUserData.Add("LName", "Jones")
hashUserData.Add("EmployeeID", "00123456")

The data above is the data you need carried across page views.

Session Objects

Read the above line slowly... it's not Session "Strings", it's Session "Objects". If we have an object of data, such as our HashTable, we can store such data in a Session Object

Dim hashUserData As New System.Collections.Hashtable
hashUserData.Add("FName", "John")
hashUserData.Add("LName", "Jones")
hashUserData.Add("EmployeeID", "00123456")

Session("ourUserData") = hashUserData

Now, if you want to carry this employee data to another page and reference this data, just set this data to a Hashtable and use at will...

If Session("ourUserData") <> "" Then
Dim userData As New System.Collections.Hashtable = Session("ourUserData")
Dim FName as String = userData.Item("FName")
...
...And So On...
...
End If

ViewState Objects

Another handy feature of ASP .NET is the ViewState. For those of you who aren't familiar with this concept, view the source of an ASP .NET webpage. In there, you will see a hidden field called "__ViewState", and its value will look something like this "AHGIE6AFDFGEDSFG%...". The ViewState data looks like that because it hold the current state of the page, encrypted, for form postback's that the application may incur. In other words, if you have ever used the "AutoPostBack" feature on ASP .NET Web Controls, and wondered how the data remains intact on the page.. this is the magic behind all of it. (Or to quote the movie Swingers: "This is the guy, behind the guy, behind the guy").

Much like Session Objects, which we discussed above, the ViewState also stores data as Objects. Meaning, of course, that if we wanted to store our HashTable in our pages ViewState, we can.

For some basic logic, we'll say that our logic to get/receive user info is all within the Page_Load procedure of our ASP .NET page:

If Not Page.IsPostBack Then

Dim hashUserData As New System.Collections.Hashtable
hashUserData.Add("FName", "John")
hashUserData.Add("LName", "Jones")
hashUserData.Add("EmployeeID", "00123456")

ViewState.Add("ourUserData", hashUserData)

Else

Dim ourUserData As New System.Collections.Hashtable
ourUserData = ViewState.Item("ourUserData")
Response.Write(ourUserData.Count.ToString)

End If

As you can see in the example above, the data is stored into the ASP .NET ViewState for the page, and on all subsequent page requests, the data is available.

In Conclusion

In conclusion, hopefully the 2 brief and simple examples give you some idea as to how you can carry enhanced datatypes from page view to page view with some simplicity.

SQL Server 2005 - What's the XML Data Type For?

2007-06-01T11:45:00.001-07:00

If it wasn't for ingenuity, horses would still be the best way to travel, bread wouldn't be sliced, and every datatype we would ever programatically need would be an int or a string. Fortunately, life is much more advanced than that, and that includes everything techie.

SQL Server 2000 was (and still is) an absolutely solid database platform. In comparison to its previous versions, it was the first time, in a long time, for Microsoft to have a stable, strong, and respectable database platform to market to the IT community (and market they did!). In fact, it's part of the reason they had so many years in between releases, it allowed them to re-write any mistakes, as well as take advantage of newer concepts that entered the technological realm.

What new concepts, you ask? For example, how about XML? Yes, I know, XML was included in SQL Server 2000. But, let's be honest, how useful did you find T-SQL to be when you used the "FOR XML" statement? Personally, it caused me to shudder at the thought of its use. Fortunately, XML adoption has increased dramatically over the past several years, and truly has become a standardized method of data analysis and delivery for all the latest platforms. This adoption allowed for the XML datatype to become a very important piece to SQL Server 2005.

Why should I use XML?

Good question! SQL Server is a high impact database platform, and, especially for .NET developers, it's a piece of cake to work with. However, software should be used for its strengths, not its weaknesses. For example, if you're a pro at Microsoft Excel, would you write a document with it? Just because it can doesn't necessarily mean you shouldn't use Microsoft Word instead.

XML and SQL Server are the same way. SQL Server is an excellent transactional database. Need to Insert/Update/Delete records, bring it on! Create and blow away TEMP tables because your bored... it's ok, SQL Server likes it.

Now, not that SQL Server isn't an excellent analytical platform as well, but if simplicity is what you're looking for, XML takes the cake. XML is perfect for data storage that you need to perform lookups on, or for application configuration files (yes ASP .NET developers, I'm referring to none other than the web.config file).

Bottom line, you can use SQL Server for your data storage needs, and there's obviously nothing wrong with doing so, but it certainly doesn't hurt to extend your data manipulation abilities.

So what good is the XML Datatype?

The idea behind this article is to explain the purpose of the XML Datatype in SQL Server 2005. Given all the information and drabble above, imagine storing analytical data in a field in your favorite database table. You get the relational power of data storage for your XML, while using minimal database resources when performing analytics.

The SQL Server XML Datatype allows users to directly reference an XML Data Document, stored within the XML typed field, and perform queries against this data.

Additionally, SQL Server 2005 is much more accomodating with its "FOR XML" T-SQL statements. For one, there are more options to shape and format its output. Secondly, with this "more usable" XML, you can now perform SELECT INTO statements to populate your XML datatype fields.

Finally, the XML-type fields come inherently built in with XPath and XQuery, keeping traditional XML querying tools alive, while providing the backend power of SQL Server.

Hopefully this article gets your mind churning towards idea's how how to make more use of XML, and the XML datatype, in your next applications.

Congrats to Grads! - A few tips to those starting their careers in IT

2007-05-20T20:11:00.000-07:00

This blog, especially as of late, has been dedicated to idea's revolving around the .NET environment. However, this past weekend my cousin graduated from the Pennsylvania State University (Congratulations Nick!), reminding me that it was only 4 years ago that I received my undergraduate degree, and it is only now that I can truly start to look back on the past couple of years of my career and pinpoint what I did, didn't do, and will do over the next several years of my career to stay sharp. Therefore, I decided to blog about some items for those of you that are beginning your career's.

1 - Earning a degree does not equal "Bye Bye Books!"

Let's face it, no matter what institution you attend, you cannot learn everything you need to know in 4-5 years, and there's nothing wrong with that. College level educations are designed to give you a concentration, not an expertise, in a specific subject matter. So how does this information help you? Simple... read!

Go online and read white-papers
Subscribe to 'free' magazines like CIO, eWeek, and InformationWeek
Purchase books (employers usually pay for them, so they're free, AND it shows dedication and maturity on your part!).

As you are well aware of by now, the stuff you learn now is old-news in 18 months. Everything you learned as a Freshman (or Freshwoman ;) is outdated, it was merely meant to teach you the concepts... nothing more. At this point, it's on you to continue your learning path, and the best way to do that is to read, read, and read some more. The good news is this, making it a habit to read not only keeps you fresh on the latest technology, but it gives you fresh idea's as well. Don't rely on management to push direction, have input to where you want technology to go.

2 - Set Your Career Path

When given a project at work, the first step isn't "Finish Project" (and if it is, look for a new job!), the first step is to create a list of steps. "First we meet with the project sponsor to get an idea on what the users need. Next, lets meet with the users and gather requirements. Then we can document our information and..." In other words, you create a plan, with specific goals, and systematically move from step to step. Treat your career the same way!

It's early in life, but it's no excuse to work day-to-day, year-to-year, without having a light at the end of the tunnel. Define where you want to be in 10 years, then down to 5 years, then 3, 2, and 1 year. You don't become an expert overnight, and nobody expects you to, but set goals for yourself so you can become an expert sooner rather than later. Life's too short to just roll with the punches, you have to throw some punches along the way!

That being said... yes... your career path with take short-cuts and long-cuts along the way. You never know what the future will hold. Perhaps you start out as a PC hardware technician, only to find 2 years later you want to do systems administration instead. The good thing is that you recognize that you have aspirations, the next step is to not be afraid to do what it takes to meet those aspirations. The bottom line is this, make your sacrifices now so you don't have to make them later.

3 - Ask for Training

I have a secret for you. There are these things called "Conferences". They usually take place in attractive locations and/or warm-climates, have scheduled meetings to discuss trends in technology, give away free stuff, and sometimes even have events with unlimited alcohol and food. And here's the best part, your employer will send you for free!

Believe it or not, sometimes we feel that work is not meant to be fun, and that you only receive perks from a job when you become a CIO with stock options... this is not the case. Going to conferences helps you keep up with current technology, get fresh idea's (just like in step 1!!!), network, and break the monotony of going to work week-to-week. This is all common sense, but it is also overlooked by both employee's as well as supervisor's on how beneficial it can be to send someone away.

Your employer will always have a budget for such conferences. Sometimes you get to go... sometimes you dont... and sometimes you have to travel with the geeky guy in the back of the office that goes to conferences for nothing more that SWAG.. but begger's can't be choosers! However, it never hurts to ask, and sooner or later you will invariably be told 'yes'.

4 - Surround Yourself with the Best

In the past several years you attended school, you learned many things. For example, how many glasses of "jungle juice" you can consume before the room starts to spin, how difficult it is to clean "jungle juice" off of your gracious host's bathroom floor, and how difficult it can be to take an exam while hungover from "jungle juice." However, the key thing is that you learned!

And all the while you were in the classroom, you learned from your professors, the resident subject experts on campus, the individuals who learned, tried, failed, learned again, and succeeded... and then taught you what they learned. Your career is much the same way. The individuals you surround yourself with should be well-skilled and well-experienced in what they do before they try to teach you what to do. Learn from those around you on how they have been successful, and more importantly how they have failed, to help you become successful as well. I know, it's difficult, you have that pretty piece of paper stating that you just went through several years of partying, while stopping by some classrooms along the way. However, your learning experiences have truly just begun. Stay strong, stay confident, and most importantly...

5 - Stay Positive!

Yes, I know, very cliche.. I'm sorry, but it really is an important point to make. Work a couple of years with a downer, someone who is always negative and pessimistic, and see how you view that person. More importanly, see how you view that person's career.

Life goes on whether or not you're in a good mood or a bad mood, feel sick or healthy, happy or sad, etc. The thing is, if you approach each challenge you encounter as an opportunity, you will be successful. If you approach each challenge as the latest pain in your rear-end, you will fail. End of story, do not pass go, do not collect 200 dollars.

Keep in mind, when you're positive, people like you! If people like you, they work with you! Working with people, not against them, is a key part to your career. It's how you become networked and essential to helping your business or organization grow.

As I stated in the beginning of this post, it's only been a couple of years since I graduated. I'm certainly no expert in IT, and certainly no expert in journalism either! However, I've taken the time in my life to stop, albeit only for brief moments, to reflect, identify where I am, and where I am going. Do the same! If you don't like where your life is at, change it. If you receive a challenge, accept it and defeat it. If you fail at a challenge, learn from it and move on. When you commit to something, it's amazing what you can accomplish. To end with a quote from one of my very dear friends:

Remember how to eat an elephant... one bite at a time...

5 Minutes to Forms Authentication

2007-05-17T08:45:00.000-07:00

In case you couldn't tell by the last few posts I've made... I really like Forms Authentication! I wasn't very organized and just threw some random posts out here to share some idea's, but sometimes all you need in life is simplicity... so that's what this post will be, a simple Forms Authentication setup.

I recently had to add some type authentication to an existing web application, nothing fancy at all, bare-bones, just a username, a password, and no database connectivity. That's where this post comes in... when all you need is something quick.

We'll cover this in 3 steps. The first is creating your login form, second being your form's code behind, and the third being your web.config setup.

Step 1 - Create Your Web Form

We won't do anything fancy here, all you want is:

A Username Textbox
A Password Textbox
A Button to submit your form
A placeholder to display error messages

Let's get to it!

Create a new web form in your project. In our case, we will call our form "login.aspx". Next, go to the login.aspx page and create your form. We want to create elements for each of the items above, so our end result is this:


Please login to use this application
Username:
Password:

Our HTML to create our web form is:

<table>
<tr>
<td colspan="3" id="tdMessage" runat="server"></td>
</tr>
<tr>
<td colspan="3">Please login to use this application</td>
</tr>
<tr>
<td>Username:</td>
<td> </td>
<td><asp:TextBox ID="txtUsername" Runat="server" /></td>
</tr>
<tr>
<td>Password:</td>
<td> </td>
<td>
<asp:TextBox ID="txtPassword" Runat="server"
TextMode="Password" /></td>
</tr>
<tr>
<td colspan="3"><asp:Button ID="btnSub" Runat="server"
Text="Login"></asp:Button></td>
</tr>
</table>

Above we have 5 rows in our table. Row 1 is our TD tag (named tdMessage) that will house our error messages. Row 2 is static text asking the user to log in. Row 3 contains our Username textbox (named txtUserName), Row 4 has our Password textbox (named txtPassword), and Row 5 has our button (named btnSub)That's it, our HTML is built!

Step 2 - Your Code-Behind

Ahh yes, our almighty code-behind... an ASP.NET page is almost useless without it! Our code-behind will remain very simple, as there is no database connectivity needed (as you'll see in step 3)!

For starters, Import the System.Web.Security NameSpace into your login.aspx.vb file:

Imports System.Web.Security

Next, we want to handle all login events in our btnSub Click events. So, within the btnSub click event handler, we place the following code:

If Me.txtUsername.Text = "" Or Me.txtPassword.Text = "" Then
Me.tdMessage.InnerHtml = "<font color=""red"">Please enter proper login
credentials</font><br>"
Else
If FormsAuthentication.Authenticate(Me.txtUsername.Text, Me.txtPassword.Text) Then
FormsAuthentication.RedirectFromLoginPage(Me.txtUsername.Text, True)
Else
Me.tdMessage.InnerHtml = "<font color=""red"">Invalid Login, please try again</font><br>"
End If
End If

Just like everything else in this project, the logic is simple. If a username or password isn't supplied, set the error message to ask for proper login credentials. If both a username and a password are supplied, hand-off the username and password values to the FormsAuthentication.Authenticate function, which returns a true/false value on the credentials. If the username/password authenticates, call RedirectFromLoginPage, which sets the the Forms Authentication cookie, and let's the user go on their merry little way. Otherwise, the login credentials were invalid, so we display an error message asking the user to try again.

Step 3 - Setup Forms Authentication in your Web.Config

Last but not least, we need to setup Forms Authentication in our Web.Config, otherwise all that cool code you wrote above is worthless.

So, open your web.config file in your project, within the system.web node, add the following XML to the Authorization section:

This means that all users who are not authenticated are denied, and therefore are sent to be authenticated.

Secondly, in our Authentication section, add the following XML:

And that's all it takes! We set our authentication mode to "Forms", meaning that now our app expects a form on the website to authenticate our user. The Forms XML has a name attribute, which is the name of the cookie, the path of where the cookie is stored, the Url of the login form (in our case login.aspx), our protection mode (set to "All" to validate and encrypt the data), and our timeout of the cookie, in minutes). And, if you wish, you can add additional user credentials:

Now when you run your project, a login form will appear, asking you for proper credentials. If you dont enter a proper combination of what you entered in the "credentials" section, it doesn't let you in. As I stated in the beginning of this post... pretty simple!

Creating Excel Reports with ASP.NET 2.0

2007-05-10T07:07:00.000-07:00

Someone recently stumbled across this article on creating excel reports with ASP.NET 2.0, and they were king enough to forward it my way. It's nice because it makes use of the inherent COM objects from Microsoft Office and Excel, and much of the magic is actualy based around creating your appropriate DataSet, and the Excel piece is kind of just the whipped-cream topping...

Latest Site Designs - OASIS Animal Sanctuary

2007-05-08T19:12:00.000-07:00

One of my latest side project's is for the OASIS Animal Sanctuary, a friendly, no kill, animal farm based in New Jersey. They are in the process of going through a re-design, and I was lucky enough to get commissioned to do their website.

Their website, like most that I do, will by dynamic and interactive. It will have an administrative login for users to update content, an RSS feed for news, and a location for volunteer information... among other features.

I wasn't sure how to attack the site design. One alternative is to have something business oriented, something small and simple... nothing too flashy, just to the point. The other alternative was something a little more colorful, something that wasn't too playful but not too serious either. In the long run, it looks as if their final decision was... well.. the one marked "Final Design."

OASIS Animal Sanctuary Website Designs - By MyBren Technologies

Creating a Time control in .NET

2007-05-06T16:44:00.000-07:00

Recently I was working on an ASP.NET application that required the end user to enter and submit a time on the web form. I wasn't comfortable leaving it up to a textbox, since I would need both an hour, a minute, and an AM/PM. Leaving this to a textbox entry would require validation for both the user to use a ":" as well as enter an "AM" or "PM" If you ask me... this sounds like a pain in the rear-end.

When I thought about my options a little more thoroughly, I realized that I could use drop down lists for the user to enter their time, and I can convert it to a date type, and in essence with only a little effort. If we add a calendar control to our form (which this example will assume you did already), you can get a specific date and time.

1. Create our drop down lists

Our end result is to have the following:

Select Class Start Time:

To do so, create three ASP drop down lists, the first for your hours, the second for your minutes (I only needed 15 minute intervals), and the third for your "AM" or "PM" selection.

2. Create your function

How does that song go, "conjunction junction, what's your function?" Sorry, got a little off track there ;)

Converting our selections into a specific time, there is some logic to consider. First of all, keep in mind that the default time to a date datatype is 12:00 AM, so that is your time to start with. So, with that in mind, the way you handle a selection of "12:30 AM" is very different than how you would handle "4:15 PM".

I know, I know.. less talky more codey.. ok, here's your function:

Function ConvertToDate(ByVal HrCtrl As System.Web.UI.WebControls.DropDownList, _
ByVal MinCtrl As System.Web.UI.WebControls.DropDownList, _
ByVal AMPMCtrl As System.Web.UI.WebControls.DropDownList, _
ByVal StartDate As Date) As Date

'Set the date of the class, StartDate is passed in from the selected date from our Calendar control, which is NOT depicted in this example!
Dim ourDate As Date = StartDate
'Get the hour selected
Dim Hour As Double = CDbl(HrCtrl.SelectedValue)
'Get the Minutes selected
Dim Min As Double = CDbl(MinCtrl.SelectedValue)
'A boolean value for AM/PM... remember, by default the time is 12:00 AM
Dim PM As Boolean = False
'Is our selected AM/PM value PM?
If AMPMCtrl.SelectedValue = "PM" Then PM = True
'If the selected time was 12:00 AM, we do nothing with the hours
If (Hour = 12 And Not PM) Then
'Just add any minutes.. if any
ourDate = ourDate.AddMinutes(Min)
Else
'Add any hours selected in the hour select box
ourDate = ourDate.AddHours(Hour)
'Now add any minutes
ourDate = ourDate.AddMinutes(Min)
'If the selected AM/PM is PM, we MAY have to add 12 hours to the current time
If PM Then
'If the selected hour is NOT 12, then we add 12 hours, otherwise adding 12 hours to
'the additional 12 hours would cause the time to be incorrect
If Hour <> 12 Then
ourDate = ourDate.AddHours(CDbl(12))
End If
End If
End If

Return ourDate

End Function

As you can see, the function above isn't very complicated. It's parameters are your ASP.NET controls you created in step 1, so it's a little more sophisticated and flexible than just accepting plain text values.

It starts out by converting your hours and minuted to double precision values. The reason for this is because the AddHours and AddMinutes functions both accept a double datatype. Next, we check to see if both the hour "12" and "AM" was selected. If so, all we want to do is add any minutes selected, since adding 12 hours to the default time of 12 AM would make the time 12 PM, which is obviously incorrect. If 12:xx AM wasn't selected, we add any hours and minutes to our time. Finally, we check if "PM" was selected. If it was, and "12" wasn't selected, we add 12 additional hours to our time, making it a "PM" time.

3. Call our function

The hardest part is done, all we have to do now is call our function above. You can do so by using code similar to the following.

Dim ourSelectedDate As Date = ConvertToDate(Me.OurHourControl, Me.OurMinuteControl, _
Me.OurAMPMControl, Me.OurCalendarControl.SelectedDate)

As stated throughout this example, we assume that you have a Calendar control on your page, and we pass the date as our last parameter. If you don't need a Calendar control, then just pass a date in for that parameter instead. With this function created, if you have a need to create a date/time range from select boxes, you can use one function for all of your needs. And, it's fairly efficient to boot!

Besides that, that's all you need to return a date/time from a series of drop down lists. Pretty simple, eh???

Easing into XML - An easy way to work with XML, Datasets, and .NET

2007-05-02T13:31:00.000-07:00

.Net has a lot of built in support for XML as a data structure, and they provde some pretty direct methods to traverse nodes and attributtes with XML. However, especially as of late, I've been sharing data to-from other applications via XML. During this process, sometimes I just want to get at the data... I don't want to loop through any nodes, I just want my data... either to throw at a datagrid, or perhaps just to check a value of something. Additionally, I already have my XML data sitting in a string, its not saved anywhere in a file, it's already accessible in my application.

In my travels, I was able to eventually figure out this formula for success. It accepts a string of XML (properly formed... of course) and reads it into a dataset, which in turn is read into a datatable, which in turn can be accessed via a datarow.

'I know it wont exactly win any awards, but here's some sample XML
Dim xmlText As String = "<OurData><customerID>08459684</customerID></OurData>"

'a datatable to hold our data
Dim dt As New DataTable
'a dataset to convert our xml into a datatable
Dim ds As New DataSet
'a datarow to read our datatable
Dim dr As DataRow

'Datasets can read XML in via a StringReader. If we already have our XML, and
'its not being provided to us via an external document, we can create a new
'StringReader on the fly, supplying our XML when it is instantiated
ds.ReadXml(New System.IO.StringReader(xmlText))

'Now that we have a dataset, use our datatable to receive our "table", which
'in this case is "OurData" based on the sample XML above

dt = ds.Tables(0)
'Now we can read in any "rows" from our XML. We only have one row, so I'll
'for-go writing any logic to loop through the rows...
dr = dt.Rows(0)

'Finally, we can directly reference our node and get our value based
'on the current row
Dim custID as String = CStr(dr.Item("customerID"))

Yes... it IS that simple...

Custom Forms Authentication - Cleaning up

2007-05-01T05:46:00.000-07:00

My last few posts revolved around custom forms authentication. After stumbling and bumbling through the process, I had to go back and perform some minor cleanup. So lets grab a mop and bucket, a few cold ones, and get our hands dirty...

Why is my Global.asax's Application_AuthenticateRequest called multiple times?

I ended up "googling" a similar question to the one above, and it's one of those things that if you take the time to think about it, you know the answer. The Application_AuthenticateRequest routine is used on every page request. So even though your user may attempt to go to Default.aspx, this can actually invoke two or three page requests.

So to circumvent this "problem" (I hate to call something a problem when it's doing what it's supposed to do), we just check if the current user is known at the beginning of every request, like so:

if (HttpContext.Current.User = null)
{
We dont know who they are, so authenticate
}
else
{
We know who they are
}

What good is Custom Forms Authentication if I dont show a login form?

The reason I like doing Custom Forms Authentication is because it's tweaking an existing security principle from Microsoft. They built in all code, functions, classes, and settings to globally authenticate a user. If we make the proper entries in our web.config to use Forms Authentication, we can make use of the Global.asax's Application_AuthenticateRequest to perform our authentication routine for our end-user.

For example, let's say you authenticate your user into your application by performing a Form POST of data from your host site, and this is the only way you want your users to enter your app. If your Application_AuthenticateRequest doesn't recognize the user, your authentication routine can check for a Form POST of data from your host site. If it's there... authenticate them, if it's not.. dont authenticate them, it's that simple.

And the coup de grace, you can make use of the "loginForm" parameter in your web.config's Forms Authentication settings to actually make your "You are not authorized page". Therefore, if the user enters, and the user is not authorized to be on the site, the user is still redirected to page referenced in the loginForm parameter.

How can I keep my users authenticated without a login form?

I wanted my users to eventually timeout, unless they remained active within the site. To perform this, I made use of the slidingExpiration parameter. Place this in your web.config's Forms Authentication settings, like so:

forms name="foo" loginUrl="notAuthorized.aspx" protection="All" timeout="30" path="/" slidingExpiration="true"

With sliding expiration, everytime a request is made, the clock "resets" on the forms authentication cookie. So, with my settings above, that means that every time the user uses my site, their identity ticket's expiration is set to the current time+30 minutes.

I hope you enjoyed my last few posts regarding Forms Authentication. It is certainly a well-built tool for ASP.NET that requires nothing more than comfort with using cookies on your site.

Custom Forms Authentication - Pass User Data using userData!

2007-04-30T06:52:00.000-07:00

My last post shared some information on custom forms authentication. I was able to use the information I shared to create a custom authentication scenario where I didn't necesarily have a login form, but I was able to still centralize all authentication in my web application's Application_AuthenticateRequest module in the Global.asax code behind.

One of my struggles with this method, however, was my attempt to pass any supplemental User Data I may need for the user's web experience. In other words, if I need the users customer number, where can I store this information? Well, you can store user's data in userData!

This wasn't immediately apparent to me, as any examples I came across talked about storing "Roles" in the userData field, but from what I have gathered, it really is an open ended field that you can store any supplemental data into.

So, when creating our FormsAuthenticationTicket, in two of our overloaded functions we have the ability to add userData. Here is one example:

FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(version, name, issueDate, expiration, isPersistent, string userData, cookiePath);

So, when we create our ticket, and store it as a cookie, later we can retrieve the ticket from the cookie and make use of the userData property to get our user's data.

Finally, let's say we have a variety of information we want to store, such as customer number, address, and ZIP code. You can always just store this information as a delimited string:

Customer Number:12345678|Address:123 Foo Lane|ZIP Code:98765

Now, when you retrieve the authentication ticket, throw your delimited data into an array, parse the array into a HashTable, and then request your information as you need it. (By the way, if the forms auth ticket code looks familiar, it's because I made use of Dr. Bromberg's example from my last post!)

//Get our users identity
FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
//Get all user info from the Forms Auth Ticket
FormsAuthenticationTicket ticket = id.Ticket;
//Get our user data, from the UserData property of the Forms Auth Ticket
string userData = ticket.UserData;
//Our data in userData is pipe delimited, so split it into an array
string[] info = userData.Split('|');

//Create a new HashTable to store our information
System.Collections.Hashtable ht = new Hashtable();
//Loop through our array
foreach(string s in info)
{
//Split each string at the ":", to give us a key/value pair
string[] splitme = s.Split(':');
//Now add our key/value pair to the HashTable
ht.Add(splitme[0].ToString(),splitme[1].ToString());
}

//Finally, our data is available to us as we need it!
string CustNum = ht["Customer Number"].ToString();
string CustAddress = ht["Address"].ToString();
string CustZIP = ht["ZIP Code"].ToString();

Custom Forms Authentication

2007-04-27T04:59:00.000-07:00

Forms Authentication in .NET is a great feature and easy to implement. Its an automatic, site-wide, mechanism to ensure that your user's are authenticated on your site. If they're not authenticated, theyre sent to a login form to authenticate... hence Forms Authentication.

But lets say, for example, that you want to make use of all of the benefits of Forms Authentication, without having a login form. This article below gives an excellent example of how to implement Custom Forms Authentication.

Custom Forms Authentication - Egghead Cafe - Author: Peter A. Bromberg, Ph.D.

Exceptional Exception Handling

2007-04-20T07:51:00.000-07:00

Here's some new guidelines from MSDN regarding Exception Handling in .NET

http://msdn2.microsoft.com/en-us/library/ms229005.aspx

Creating X509 Certificates for WSE or WCF

2006-09-04T17:36:00.000-07:00

Heres some info on how to create your own X.509 Certificates.

Additionally, heres a TechNet link directly to where, in IIS on Windows Server 2K, you install and Manage Windows Certificate Services.

Enjoy, 'n be sure to tel 'em that Eric sent ya! ;)

MCP!

2006-08-05T10:46:00.000-07:00

Ahhh, I feel just as refreshed now as when I walk indoors from being outside on a hot day, cut a wedge of lime (not too large... but not to small...), and crack open a Corona.

After 4 months of reading, waking up early, staying up late, step-by-step practices, and pot after pot of coffee (literally, I must have drank about 4 pounds of coffee during these last 3 weeks alone...), I finally took, and passed, my first MCP (Microsoft Certified Professional) Exam.

Ladies... ladies, please step back, for I am a taken man. I know that my proven superior genius in developing ASP .NET web applications befuddles you.. befuddle, thats a funny word!

But seriously, I feel very fortunate to have the friends and family that I have who continually support me in any ways they can. In particular my wife-to-be has been so unbelievably patient and understanding as I consitently came home from work every night, ate dinner, and locked myself in my office. Studying for this exam took alot of patience, but she definately has more than I do... I'm the luckiest guy alive, I truly am...

Oh... youre still reading... well I guess I'll get on with the dirty details! I took the 70-305 exam, which is developing web apps with VB .NET. The exam was 43 questions total, passing mark was 700 (Microsft never states that the total is '1000', but everyone kind of assumes that, so you can say that a 70% here was roughly 30 out of 43). To study, I read the Que Certifications Exam-Cram book, this particular book was written by Mike Gunderloy. In hind-sight, Im impressed with how accurate the format of the study questions were to the actual exam, along with the skill level required. If you can get approximately 10-11 out of 15 on each of the chapters end questions, you should do just fine on the actual exam. (Note: notice I stated that i was impressed with the books study questions, the book also comes with a cd from prep-logic to help you study... those questions were WAY too hard, and not as comparable to the actual exams questions.)

In the past, I had heard that the exam was very ADO.NET intensive... almost 60% some people had claimed. I cant say it was that much... perhaps about half of that in fact. The other 70% was a good mix of testing/debugging, application deployment and maintenance, and application configuration. User services/controls, and component management was mixed in there... but only a little compared to the other topics mentioned.

In the end though I'd have to say that Microsoft makes the exam as tricky as possible... without being crude about it. In other words, they'll offer proper syntax in the answers to questions and not make stuff up, but they throw in just enough options to make the answer tricky. Basically, atleast have the exam I had to work down the answers to a 50/50, before comparing and making a selection.

Well, thats about it.. I had a few other blogs to publish recently, but I just saved them as drafts and never went back to them. Gee, maybe someday, when this blog is the most popular and best blog in all the land, maybe ill sell the unpublished blogs. Maybe future generations will study my blogs... and maybe they'll go for their certification on what I wrote! Yes, I like it! They can go for their MyBren Certified Professional Certification! It can be their MCP... what, thats already taken? Damn you Microsoft!

G'nite folks ;)

Eric James' SHEET OF INTEGRITY

2006-03-15T11:05:00.000-08:00

Well, its that time of year... behold the Eric James SHEET OF INTEGRITY

The Ultimate Flash Cartoon

2006-03-07T06:49:00.000-08:00

Looking for a few good laughs!? Why Not!? C'mon, click the pretty link... do it! Now!Enter fantastic voyage recommended by eric

Ok, apparently some people dont want to trust me anymore, damn internet. Fine, I'll tell you what it is. Its probably the best flash cartoon I've even seen, and definately the best in a long time. Come with me friends, as I take you on a fantastic voyage...

So my family is over Saturday nite, and my cousin says 'dude, wanna see something cool on the internet?'. thinking this is weird, because were family, i say 'sure!', because my curiosity is heightened.

And so he took me to the super duper cool website which i linked to above, and played the video, and i laughed. and i was so touched, i thought i had to share, so i did.

OK, so youre wondering what it is before you go to the link? OK, i wont tell you what it is, but i'll tell you that it involves, chuck norris, the batmobile, and a catchy tune that you'll be humming for years and years to come...

why are you still reading? just go to it already...!Enter fantastic voyage recommended by eric, and enter it here since youre a lazy lil bitch and dont want to scroll all the way to the top of this post