Every once in a while, I receive emails stating that some of my libraries were utilized as part of larger project. Besides being very excited (and somewhat proud I must admit), I always felt a need to somehow share the information with the rest of the world. After some thought, I decided to simply write a post and provide author's original work for download (with author's permission).

The latest project that I received was Masters Project by Karlo Martin Zatylny from University of Texas at Austin. Karlo's project was to implement Korat - "a library for creating test structures and data" - in C# language (hence the name Korat#). Korat testing environment was originally implemented and utilized in Java programming language. Karlo enhances original Korat implementation by adding "regular-expression data generation engine to provide valid string-based input for the given methods and libraries" Karlo's paper and implementation can be downloaded below:

Download Karlo's Paper in PDF (473.81 kb)
Download Source Code (683.25 kb)

Couple of days ago, my blog application started crushing. At first, I assumed that my ISP provider is to blame. Somewhat irritated I submitted the question to the support crew and couple of emails later, they informed me that the blog application was taking over 100MB in RAM space (which triggers the server to stop the application). In addition I noticed that the number of visitors increased dramatically over the last couple of weeks. Quick look under the hood revealed that during post rendering, source code is rendered "on-fly", which utilizes Wilco.SyntaxHighlighter.dll control. Considering the fact that there are many posts that display the source code and that there are many visitors viewing them, it is possible that memory usage would increase drastically. To eliminate the issue I decided to render the code at the time of post editing (as opposed to rendering during page loading). The only elegant solution (in my case) was to use Windows Live Writer with source code plugin. However, I could not find a plugin that would satisfy my needs, so I decided to write my own.

More...

Recently I have been developing numerous applications in ASP.NET and Flex Builder 3. For security I utilized forms authentication as provided by ASP.NET engine. At first, everything worked well until there was a need to manually sign out current user. Quick look into MSDN documentation revealed SignOut() method of FormsAuthentication class. The documentation promised that this method signs out the user and redirects the client to login page. Considering the fact that I did not care about redirect (Flex application was running on the client side, so that redirection did not have any effect), I was hoping that the method would still perform desired effect and "de-authenticate" (I know, I know, that is not even a word) current user. At first, it seemed to work, but debugging revealed that even though this method removed authentication cookie, it did not sign out the user. User's identity was still marked as authenticated and subsequent calls to the Http handler would be considered authenticated. Furthermore, the session object was still valid, so that existing session information was still available. Quick look into MSDN revealed Session.Abandon() method, which would destroy session object upon execution. However, even though the session object was destroyed, client calls to ASP.NET web application were still considered authenticated. It was time to search the web to see if other developers faced the same issue.

After some research I ran into following Microsoft article: http://support.microsoft.com/kb/900111. The article explains that FormsAuthentication.SignOut() method does not prevent cookie reply attack, which essentially means that the cookie, even though it was destroyed, it was considered to be valid and all calls to the application that utilized this particular cookie were considered authenticated. The same article presented some possible workarounds, but it did not satisfy my needs. It bugged me that in order to prevent the access to secure parts of the application (even after log off), I had to track the security on client side (in addition to server side). So I tried following code:

/* Create new session ticket that expires immediately */
FormsAuthenticationTicket ticket =
    new FormsAuthenticationTicket(
        1,
        context.User.Identity.Name,
        DateTime.Now,
        DateTime.Now,
        false,
        Guid.NewGuid().ToString()); 

/* Encrypt the ticket */
string encrypted_ticket = FormsAuthentication.Encrypt(ticket); 

/* Create cookie */
HttpCookie cookie = new HttpCookie(
    FormsAuthentication.FormsCookieName,
    encrypted_ticket); 

/* Add cookie */
context.Response.Cookies.Add(cookie); 

/* Abandon session object to destroy all session variables */
context.Session.Clear();
context.Session.Abandon();

Essentially the code replaces old cookie with new security cookie that expires immediately, which performs user sign out. In addition, all session variables are destroyed and new session is created so that old session cannot be reused. However, it is essential to mention that the technique presented in this post does not prevent Cookie Reply Attack. The old cookie is still valid for the duration specified in FormsAuthenticationTicket constructor.

Unlike Silverlight, Flex Builder does not integrate with Visual Studio programming environment. Therefore, debugging ASP.NET or Flex applications can become very cumbersome, especially when they become very large. However, with Flex Builder 3, Adobe has made possible to utilize built in ASP.NET web server (Cassini) to debug Flex applications. Following post describes one possible way to set up both environments to make debugging easier.

More...

Lately, Adobe Flex has been getting more and more attention in programming community. Especially after the launch of open source version of Flex SDK developers are able to make rich Internet applications (RIA) using Flex, which (as everybody knows) produces a flash file (swf) that can be used in any web application. The article will focus on the following topics:

1. Communication between Action Script (HTTPService) and .NET (HTTP Handler);
2. Security - securing HTTP Handler calls from unauthorized access;
3. ASP.NET Forms Authentication and Authorization through Flex;
4. ASP.NET Handlers and session management;

It is assumed that the reader is familiar with basic concepts of ASP.NET handlers, forms authentication, and Adobe's Action Script.
More...

SQL Server 2005 has been released for a while now, and most of the new features are well known throughout programming community. Right after the initial release, I downloaded a copy of SQL Server 2005 Express, eager to explore new features. At first, there was a lot of reading and browsing the documentation; then I moved onto converting smaller projects to SQL Server 2005 edition, and finally I decided to move larger projects to my new favorite DBMS. Throughout conversion process, I was poised to utilize the newest feature of SQL Server 2005: CLR Stored Procedures.
More...

In my previous post Displaying .NET DataSet with Crystal Reports I discussed one way to report the data that does not come directly from a database. In this way, it is possible to preform more complex data analysis and present the result using Crystal Report engine. Following post addresses similar issue. However, here, the data to be presented is not stored in a DataSet, but rather in a .NET Collection, which implements IEnumerable interface.
More...

Couple of days ago, I started playing with Crystal Reports engine included with Visual Studio.NET. After creating several reports using SQL Express database, I started wondering how to create reports that require more sophisticated data analysis. At first, my thoughts were to utilize stored procedures to create report result, and and then display the result using Crystal Report engine. However, it turned out that Crystal Report engine has some limitations when it comes down to stored procedures. Crystal Reports documentation states that stored procedures can be utilized if they contain at most one SQL SELECT statement. In addition, the documentation states that no return parameters can be utilized (parameters declared by SQL keyword OUT, or INOUT). Clearly, complicated data analysis cannot be performed using single SELECT statement. Considering these limitations, I immediately started to investigate options to present a structure using Crystal Reports. At first, I considered a .NET containers, but Crystal Reports engine did not seem to provide any convenient way of displaying such structures. In addition, I noticed that every report that I designed, required the structure of the data to be known at report design time. At that time, two options came to my mind:
More...