Every once in a while, I receive emails stating that some of my libraries were utilized as part of larger project. Besides being very excited (and somewhat proud I must admit), I always felt a need to somehow share the information with the rest of the world. After some thought, I decided to simply write a post and provide author's original work for download (with author's permission).

The latest project that I received was Masters Project by Karlo Martin Zatylny from University of Texas at Austin. Karlo's project was to implement Korat - "a library for creating test structures and data" - in C# language (hence the name Korat#). Korat testing environment was originally implemented and utilized in Java programming language. Karlo enhances original Korat implementation by adding "regular-expression data generation engine to provide valid string-based input for the given methods and libraries" Karlo's paper and implementation can be downloaded below:

Download Karlo's Paper in PDF (473.81 kb)
Download Source Code (683.25 kb)

For a while, I have been using Simple Download Counter Extension provided by Al Nyveldt. I really liked it because it was easy to install and use (just like any other BlogEngine extension), and it provided me with valuable information about download counts. However, I noticed following bugs:

1. Download count is not tracked properly if the file contains a space character within the name;
2. Download count is not tracked properly if the file is in a sub-directory;
3. If your post contains a string saying "file.axd?file=" then simple download counter will try to interpret that as file serving and crash your web site (I discovered it when I wrote this post);

Quick look at the code revealed that after the file name is retrieved from the path, no URL decoding is preformed leaving special characters in URL format (space = %20, slash=%2f, etc.) The fix is very simple (for 1 and 2) and it is applied in UpdateDisplay(string body) method of the extension. Let's look at the modified code:

private string UpdateDisplay(string body)
{
  if (body.Contains("file.axd?file="))
  {
    int pos = body.IndexOf("file.axd?file=");
    while (pos > 0)
    {
      pos = pos + 14;

      /* Bug fixes:
         - http://www.amergerzic.com/post/Simple-Download-Counter-Al-Nyveldt.aspx */
      int quote_pos = body.IndexOf("\"", pos);
      if (quote_pos > -1)
      {
          /* Get the file name */
          string url_filename = body.Substring(pos, quote_pos - pos);

          /* Get rid of special characters */
          string filename = HttpUtility.UrlDecode(url_filename);
        
          /* Find where the download link ends */
          int linkTextEnds = body.IndexOf("</a>", pos);

          /* Serch for link begin */
          int linkTextBegins = body.IndexOf("<a ", pos);

          /* If we found a link begin before the link end, 
             then our link end does not belong to the download */
          if (linkTextBegins != -1)
              if (linkTextBegins < linkTextEnds)
                  break;

          /* Verify that we found link end in the first place */
          if (linkTextEnds > -1)
          {
              /* Look up the count */
              int count = GetFileCount(filename);

              /* Insert the number */
              body = body.Insert(linkTextEnds, " [Downloads: " + count.ToString() + "]");
          }
      }
      pos = body.IndexOf("file.axd?file=", pos);
    }
  }
  return body;
}

Before passing the file name for lookup (GetFileCount method), we need to make sure that the file name is URL decoded, for which we use static method HttpUtility.URLDecode(...). In this way, the file name that contains any special characters is properly decoded and can be matched against XML entry.

Fixing bug 3 is somewhat trickier. The solution presented here is not perfect, but it provides decent workaround. The solution consists of multiple checks:

1. We are checking that closing quote character is found. If the character is not found then we do not have valid file name;
2. We are checking that ending tag of the link is found. If we cannot find ending tag then this is not file download link, but simply text;
3. If we find ending tag, we must make sure that it belongs to the file download link. We are doing that by checking if starting tag can be found between file link and ending tag;

Couple of days ago, my blog application started crushing. At first, I assumed that my ISP provider is to blame. Somewhat irritated I submitted the question to the support crew and couple of emails later, they informed me that the blog application was taking over 100MB in RAM space (which triggers the server to stop the application). In addition I noticed that the number of visitors increased dramatically over the last couple of weeks. Quick look under the hood revealed that during post rendering, source code is rendered "on-fly", which utilizes Wilco.SyntaxHighlighter.dll control. Considering the fact that there are many posts that display the source code and that there are many visitors viewing them, it is possible that memory usage would increase drastically. To eliminate the issue I decided to render the code at the time of post editing (as opposed to rendering during page loading). The only elegant solution (in my case) was to use Windows Live Writer with source code plugin. However, I could not find a plugin that would satisfy my needs, so I decided to write my own.

More...

Recently I have been developing numerous applications in ASP.NET and Flex Builder 3. For security I utilized forms authentication as provided by ASP.NET engine. At first, everything worked well until there was a need to manually sign out current user. Quick look into MSDN documentation revealed SignOut() method of FormsAuthentication class. The documentation promised that this method signs out the user and redirects the client to login page. Considering the fact that I did not care about redirect (Flex application was running on the client side, so that redirection did not have any effect), I was hoping that the method would still perform desired effect and "de-authenticate" (I know, I know, that is not even a word) current user. At first, it seemed to work, but debugging revealed that even though this method removed authentication cookie, it did not sign out the user. User's identity was still marked as authenticated and subsequent calls to the Http handler would be considered authenticated. Furthermore, the session object was still valid, so that existing session information was still available. Quick look into MSDN revealed Session.Abandon() method, which would destroy session object upon execution. However, even though the session object was destroyed, client calls to ASP.NET web application were still considered authenticated. It was time to search the web to see if other developers faced the same issue.

After some research I ran into following Microsoft article: http://support.microsoft.com/kb/900111. The article explains that FormsAuthentication.SignOut() method does not prevent cookie reply attack, which essentially means that the cookie, even though it was destroyed, it was considered to be valid and all calls to the application that utilized this particular cookie were considered authenticated. The same article presented some possible workarounds, but it did not satisfy my needs. It bugged me that in order to prevent the access to secure parts of the application (even after log off), I had to track the security on client side (in addition to server side). So I tried following code:

/* Create new session ticket that expires immediately */
FormsAuthenticationTicket ticket =
    new FormsAuthenticationTicket(
        1,
        context.User.Identity.Name,
        DateTime.Now,
        DateTime.Now,
        false,
        Guid.NewGuid().ToString()); 

/* Encrypt the ticket */
string encrypted_ticket = FormsAuthentication.Encrypt(ticket); 

/* Create cookie */
HttpCookie cookie = new HttpCookie(
    FormsAuthentication.FormsCookieName,
    encrypted_ticket); 

/* Add cookie */
context.Response.Cookies.Add(cookie); 

/* Abandon session object to destroy all session variables */
context.Session.Clear();
context.Session.Abandon();

Essentially the code replaces old cookie with new security cookie that expires immediately, which performs user sign out. In addition, all session variables are destroyed and new session is created so that old session cannot be reused. However, it is essential to mention that the technique presented in this post does not prevent Cookie Reply Attack. The old cookie is still valid for the duration specified in FormsAuthenticationTicket constructor.

Last couple of weeks I have been coding a lot of Flex, specifically ScheduleViewer component included in flexlib version 1.9. I was mostly happy with ScheduleViewer component but I did have some minor annoyances. Actually, it was more curiosity than need that drove me to investigate the possibility of creating a custom entry renderer for ScheduleViewer component. As it turns out, it was very easy. Investigating the source code of the library, I noticed the component AbstracSolidScheduleEntryRenderer. This component was responsible for simple entry rendering, which I wanted to modify. Specifically, I wanted to modify the content of each schedule entry i.e. the date object was simply formatted as time rather than a date. Because of the fact that my schedule was really date related (rather than time related), I needed a renderer that would meet my needs. Let's look at the code of MyEntryRenderer.mxml:

<?xml version="1.0" encoding="utf-8"?>
<renderers:AbstractSolidScheduleEntryRenderer 
    xmlns:mx="http://www.adobe.com/2006/mxml" 
    xmlns:renderers="flexlib.scheduling.scheduleClasses.renderers.*" 
    paddingTop="0" 
    paddingLeft="0">
        
    <mx:Script>
        <![CDATA[
            import mx.formatters.DateFormatter;
            import flexlib.scheduling.scheduleClasses.IScheduleEntry;
            
            private var formatter:DateFormatter;
            
            override public function onPreinitialize() : void
            {
                formatter = new DateFormatter();
                formatter.formatString = "MM/DD";
            }
            
            override public function set data ( value : Object ) : void
            {
                super.data = value;
                
                entry = value as IScheduleEntry;
                var content : SimpleScheduleEntry = SimpleScheduleEntry( entry );
                
                drawTextContent(content);
            }
            
            protected function drawTextContent(content : SimpleScheduleEntry) : void
            {   
                formatter.error = "";
                
                var time : String = formatter.format( content.startDate ) 
                 + " - " + formatter.format( content.endDate );
                
                toolTip = time + "\n" + content.label;
                contentLabel.text = time;
                contentLabel.styleName = getStyle( "timeStyleName" );
                contentText.text = content.label;       
            }
        ]]>
    </mx:Script>
    
    <mx:Label id="contentLabel" />
    <mx:Text id="contentText" />
    
</renderers:AbstractSolidScheduleEntryRenderer>

From the code above it is clear that we are simply customizing existing component to meet our needs. Similar to any custom components in Flex, we are simply modifying the content of an existing component by using DateFormatter object. The function DrawTextContent is responsible to set the content of the text box and a label found on AbstractSolidScheduleEntryRenderer. This function is called by setter function of the data member of the AbstractSolidScheduleEntryRenderer, which is called by ScheduleViewer component during the drawing phase. Once the customization is performed, we simply have to specify that we want to use the new renderer in following way:

<ns1:ScheduleViewer
    id="MyScheduleViewer" 
    width="800" 
    height="100%"
    rowHeight="25"
    startDate="{ StartDate }"
    endDate="{ EndDate }"
    verticalGridLineAlpha=".1"
    horizontalGridLineAlpha=".1"
    entryRenderer="MyEntryRenderer"
    entryLayout="flexlib.scheduling.scheduleClasses.layout.SimpleLayout"
    color="#FFFFFF"
    borderColor="#FFFFFF" 
    themeColor="#FFFFFF" 
    backgroundColor="#FFFFFF" 
    click="OnScheduleClick(event)" />

As we can see from the code above, all we needed to do is set entryRenderer property to be our newly defined component. One thing to note is that we do have to set entryLayout property to be "…layout.SimpleLayout", because only then the rendering is performed using AbstractSolidScheduleEntryRenderer. At this point the customization is finished.

Unlike Silverlight, Flex Builder does not integrate with Visual Studio programming environment. Therefore, debugging ASP.NET or Flex applications can become very cumbersome, especially when they become very large. However, with Flex Builder 3, Adobe has made possible to utilize built in ASP.NET web server (Cassini) to debug Flex applications. Following post describes one possible way to set up both environments to make debugging easier.

More...

Lately, Adobe Flex has been getting more and more attention in programming community. Especially after the launch of open source version of Flex SDK developers are able to make rich Internet applications (RIA) using Flex, which (as everybody knows) produces a flash file (swf) that can be used in any web application. The article will focus on the following topics:

1. Communication between Action Script (HTTPService) and .NET (HTTP Handler);
2. Security - securing HTTP Handler calls from unauthorized access;
3. ASP.NET Forms Authentication and Authorization through Flex;
4. ASP.NET Handlers and session management;

It is assumed that the reader is familiar with basic concepts of ASP.NET handlers, forms authentication, and Adobe's Action Script.
More...

SQL Server 2005 has been released for a while now, and most of the new features are well known throughout programming community. Right after the initial release, I downloaded a copy of SQL Server 2005 Express, eager to explore new features. At first, there was a lot of reading and browsing the documentation; then I moved onto converting smaller projects to SQL Server 2005 edition, and finally I decided to move larger projects to my new favorite DBMS. Throughout conversion process, I was poised to utilize the newest feature of SQL Server 2005: CLR Stored Procedures.
More...

There are many challenges surrounding database development. With the project size, the development becomes more complicated and harder to maintain. One specific issue is the question of going about writing SQL script so that the maintenance and/or updates are handled properly. I was always found of "divide and conquer" technique, which I religiously follow during each and every project. In case of database development, I try to divide my script into multiple atomic entities, which I can execute independently or combined. The advantage: Updates/modifications are handled as independent as possible, affecting only necessary part of the project.
More...

Multiple Document Interface (MDI) is a technique to separate data layer from presentation layer, which is primarily utilized in MFC. As an MFC developer looking to develop applications in .NET, I was searching for a similar concept. My interest was mostly in GUI design, rather than complete MDI/SDI solution. At first, I was very happy to learn that Windows Forms provided assistance in MDI development. As always, I fired up VS.NET 2005 and created sample project. Couple of minutes later, I had MDI-like application, where I could add/remove views very quickly. It felt too good to be true, which later proved that it was. At first I wanted all of my child views to be shown maximized. In addition, I wanted all child views without a control bar. Everything went well, except that my forms could not get rid of control bar. In addition, form resizing did not function properly. As always, I searched the web and found numerous attempts to solve these issues. All solutions suggested following steps:
More...