______________________________________________________________________ Tip of the Day! Basic Authentication is an insecure method of authentication It is important to note that Basic Authentication, though virtually universal to most HTTP application platforms, is an insecure method of authentication. Username and password credentials obtained via Basic Authentication are transmitted between the client and server as clear text. The data itself is encoded (not encrypted) into a Base-64 string that intruders can easily hijack and decode. For this reason, Basic Authentication should only be used in conjunction with an HTTP wire encryption tool such as Secure Socket Layers (SSL). In this way, the data that would otherwise be clearly visible to any network sniffing utility will be encrypted using complex algorithms. Today's tip is taken from Professional ASP.NET Security: (http://www.wrox.com/books/1861006209.htm) ______________________________________________________________________ Tip of the Day! Why Not To Use Passport Authentication NET Passport is subject to the usual pitfalls of any centralized service: * If the Passport server crashes or is subject to malicious attacks then users can no longer log into our site. * There is a trust issue: are we prepared to trust Microsoft to manage our user data in a way that we would wish? * Should we lock ourselves into a particular vendor's authentication mechanism? * Will our users be prepared to submit personal information to a central repository? Today's Tip is taken from Professional ASP.NET Security: (http://www.wrox.com/books/1861006209.htm) ______________________________________________________________________ Tip of the Day! Why Use Passport Authentication? Why Use Passport Authentication? * Microsoft becomes responsible for the management and storage of usernames and passwords, so we have one less issue to worry about in the creation and maintenance of our site * Our site immediately inherits all .NET Passport holders as potential users * We would immediately know who our users are (so long as they elected to share information with us). Information sharing can allow the web site to get the user profile without the user having to enter information, or can enable pre-pouplation of web forms. * Our site would inherit the benefit of being able to deliver .NET Alerts via Windows Messenger, or to a mobile device using Microsoft's provided gateway Today's tip is taken from Professional ASP.NET Security: (http://www.wrox.com/books/1861006209.htm) ______________________________________________________________________ Tip of the Day! Why Use Forms Authentication? Cookie authentication is an attractive option for web developers for a number of reasons: * It keeps all code for authenticating users within the application * We have full control over the appearance of the login form * It works for users with any browser * It allows us to decide how to store user information Today's Tip is taken from Professional ASP.NET Security: (http://www.wrox.com/books/1861006209.htm) ______________________________________________________________________ Tip of the Day! The <authentication> element can only be used in the web.config that is in the root folder of an application The element can only be used in the web.config that is in the root folder of an application. Attempting to use it in subfolders will cause an error. This means that only one authentication type can be defined for each application. If we want to use a different authentication type in a subfolder, we will have to define it as a separate application. Today's Tip is taken from Professional ASP.NET Security: (http://www.wrox.com/books/1861006209.htm) ______________________________________________________________________ Tip of the Day! The SQL SELECT command can be case insensitive In SQL Server, the behavior of matching and sorting is determined by the collation that is active for the column involved. The default collation for text columns is case insensitive. Today's Tip is taken from Professional ASP.NET Security: (http://www.wrox.com/books/1861006209.htm) ______________________________________________________________________ Tip of the Day! State Caching Application state contains state information that is to be shared among all users. Session state contains state information related to the specific user. ViewState contains short term state information that is specific to an individual page, but also unique to the specific user session. It is important to understand these unique differences so the different state caching objects can be optimally used. ______________________________________________________________________ Tip of the Day! ASP.NET Caching Solutions Page caching is useful for content related performance issues. Data caching is useful for data retrieval related performance issues. State caching is useful for short term or user specific related performance issues. ______________________________________________________________________ Tip of the Day! Think carefully before tying Forms authentication into Windows credentials Think carefully before tying forms authentication into Windows credentials. It is usually a good idea to keep the two separate, so that Windows credentials are used as little as possible. The more we use the Windows credentials, the higher the risk of them being compromised. Today's Tip is taken from Professional ASP.NET Security: (http://www.wrox.com/books/1861006209.htm) ______________________________________________________________________ Tip of the Day! decryptionKey length Some versions of the .NET Framework and Visual Studio .NET documentation incorrectly state that the decryptionKey can have a length of between 40 and 128 characters. This does not make sense, as it is a DES or 3DES key and thus needs to have either 16 or 48 characters. Today's Tip is taken from Professional ASP.NET Security: (http://www.wrox.com/books/1861006209.htm) ______________________________________________________________________ Tip of the Day! The security of an application that uses forms authentication depends upon the security of the keys held in <machineKey> The security of an application that uses forms authentication depends upon the security of the keys held in . Using the same key across multiple applications increases the risk of the keys being stolen. Think very carefully before you use the same keys, particularly on systems with different levels of security. Today's tip is taken from Professional ASP.NET Security: (http://www.wrox.com/books/1861006209.htm) ______________________________________________________________________ Tip of the Day! Advantages of Data Caching * Retrieving cached objects is faster than creating individual objects. * The Cache object supports automatic internal locking using a multi-reader and single-writer lock. * The Cache object provides automatic resource management. * The Cache object provides support for callbacks to indicate when objects are removed. * The Cache object provides support for object dependencies. * The Cache object provides support for setting expiration priorities for objects. ______________________________________________________________________ Today on ASPToday Developing A Flexible And Pluggable Logging And Tracing Infrastructure http://www.asptoday.com/content.asp?id=2155 An efficient logging and tracing infrastructure is vital for the manageability of your applications along their lifetime. No matter how skilled programmers are, there are hundreds of external conditions that can make your code fail. In pre-.NET days, implementing proper logging and tracing in VB6 or classic ASP was not easy without resorting to third-party tools. Even with .NET, the built-in Tracing support isn’t as flexible as it should be. Fortunately the .NET Class Library provides us with all the tools to quickly set up our own implementation of a flexible and pluggable logging and tracing framework. Read on to know how... ______________________________________________________________________ Tip of the Day! Take extreme caution to avoid granting code access security permissions to unmanaged code if not absolutely required Take extreme caution to avoid granting code access security permissions to unmanaged code if not absolutely required. When a .NET assembly is allowed to call into unmanaged code it can potentially bypass any code access security checks and thus do whatever it likes on your system. Today's Tip is taken from Professional ASP.NET Security (http://www.wrox.com/books/1861006209.htm) ______________________________________________________________________ Tip of the Day! Cut down on variables When working within a function, always try to make use of the local variable of the same name and data type instead of creating an additional "result" variable. Today's tip is taken from "Building an ASP.NET Intranet" (http://www.wrox.com/books/1861007493.htm) ______________________________________________________________________ Tip of the Day! Triggers should be used judiciously Triggers should be used judiciously, as inefficient or unnecessary code in a trigger can have a major impact on the performance of an application. Today's Tip is taken from Building an ASP.NET Intranet (http://www.wrox.com/books/1861007493.htm) ______________________________________________________________________ Tip of the Day! BLOB or Binary Large Object is a term used to describe binary documents that are stored as an array of bytes within a DB column BLOB or Binary Large Object is a term used to describe binary documents that are stored as an array of bytes within a DB column. In SQL Server the image datatype is normally used to store BLOBs. Today's tip is taken from Building an ASP.NET Intranet (http://www.wrox.com/books/1861007493.htm) ______________________________________________________________________ Tip of the Day! Pages are not guaranteed to stay in the cache for the cache duration Pages are not guaranteed to stay in the cache for the cache duration If resources are low, the ASP.NET framework will remove some information from the cache. Today's Tip is taken from Building an ASP.NET Intranet (http://www.wrox.com/books/1861007493.htm) ______________________________________________________________________ Tip of the Day! Retrieving the Physical Path of A File Resource in an ASP.NET Application If you need to get the physical path of a folder near the application root, you could use something like this: Server.MapPath(HttpRuntime.AppDomainAppVirtualPath) but there is a more simple and elegant way to achieve the same. The result of the above method is directly available in: HttpRuntime.AppDomainAppPath property For example, try the following in a web form: Response.Write(HttpRuntime.AppDomainAppPath+"
"+HttpRuntime.AppDomainAppVirtualPath+"
"); Response.Write(Server.MapPath(HttpRuntime.AppDomainAppVirtualPath)); The first and the third would give the physical path of the resource, while the second one gives the virtual path, as referred to by the IIS webserver. This will ensure elegant referencing of any files or resources in the application, instead of '.' and '..' like in (./../../templates/file.aspx) and would be more friendly to any reader/developer. ______________________________________________________________________ Today on ASPToday Confessions of a Modeling Bigot Part V: Toward Modelable and Testable http://www.asptoday.com/content.asp?id=2149 While writing this column's subtitle I had to add the word "modelable" to the Microsoft Word dictionary. Evidently, no one has seriously thought about this adjective, until now. Testable software, now that's another matter all together; the reigning champions of writing testable code are the Extreme Programmers. They have a motto, "Test First". Even though they're talking about testable code in a slightly different way than I will in this column, I feel a certain esprit de corps when I hear them say, "There can be no misunderstanding a specification written in the form of executable code." So this month I'm going to share my thoughts on what it's going to take to get a user interface architecture that is designed with modeling and testing in mind. For example, I'll redesign my favorite user interface design framework to make it more testable; and I'll talk about ASP.NET and web services in ways that highlight their testability. I present no new facts here, but by suggesting a new way of looking at what we already know, I think the end result might be just as meaningful. If I'm wrong, I'm sure you'll let me know. ______________________________________________________________________