Recently I have been developing numerous applications in ASP.NET and Flex Builder 3. For security I utilized forms authentication as provided by ASP.NET engine. At first, everything worked well until there was a need to manually sign out current user. Quick look into MSDN documentation revealed SignOut() method of FormsAuthentication class. The documentation promised that this method signs out the user and redirects the client to login page. Considering the fact that I did not care about redirect (Flex application was running on the client side, so that redirection did not have any effect), I was hoping that the method would still perform desired effect and "de-authenticate" (I know, I know, that is not even a word) current user. At first, it seemed to work, but debugging revealed that even though this method removed authentication cookie, it did not sign out the user. User's identity was still marked as authenticated and subsequent calls to the Http handler would be considered authenticated. Furthermore, the session object was still valid, so that existing session information was still available. Quick look into MSDN revealed Session.Abandon() method, which would destroy session object upon execution. However, even though the session object was destroyed, client calls to ASP.NET web application were still considered authenticated. It was time to search the web to see if other developers faced the same issue.

After some research I ran into following Microsoft article: http://support.microsoft.com/kb/900111. The article explains that FormsAuthentication.SignOut() method does not prevent cookie reply attack, which essentially means that the cookie, even though it was destroyed, it was considered to be valid and all calls to the application that utilized this particular cookie were considered authenticated. The same article presented some possible workarounds, but it did not satisfy my needs. It bugged me that in order to prevent the access to secure parts of the application (even after log off), I had to track the security on client side (in addition to server side). So I tried following code:

/* Create new session ticket that expires immediately */
FormsAuthenticationTicket ticket =
    new FormsAuthenticationTicket(
        1,
        context.User.Identity.Name,
        DateTime.Now,
        DateTime.Now,
        false,
        Guid.NewGuid().ToString()); 

/* Encrypt the ticket */
string encrypted_ticket = FormsAuthentication.Encrypt(ticket); 

/* Create cookie */
HttpCookie cookie = new HttpCookie(
    FormsAuthentication.FormsCookieName,
    encrypted_ticket); 

/* Add cookie */
context.Response.Cookies.Add(cookie); 

/* Abandon session object to destroy all session variables */
context.Session.Clear();
context.Session.Abandon();

Essentially the code replaces old cookie with new security cookie that expires immediately, which performs user sign out. In addition, all session variables are destroyed and new session is created so that old session cannot be reused. However, it is essential to mention that the technique presented in this post does not prevent Cookie Reply Attack. The old cookie is still valid for the duration specified in FormsAuthenticationTicket constructor.

Unlike Silverlight, Flex Builder does not integrate with Visual Studio programming environment. Therefore, debugging ASP.NET or Flex applications can become very cumbersome, especially when they become very large. However, with Flex Builder 3, Adobe has made possible to utilize built in ASP.NET web server (Cassini) to debug Flex applications. Following post describes one possible way to set up both environments to make debugging easier.

More...

Lately, Adobe Flex has been getting more and more attention in programming community. Especially after the launch of open source version of Flex SDK developers are able to make rich Internet applications (RIA) using Flex, which (as everybody knows) produces a flash file (swf) that can be used in any web application. The article will focus on the following topics:

1. Communication between Action Script (HTTPService) and .NET (HTTP Handler);
2. Security - securing HTTP Handler calls from unauthorized access;
3. ASP.NET Forms Authentication and Authorization through Flex;
4. ASP.NET Handlers and session management;

It is assumed that the reader is familiar with basic concepts of ASP.NET handlers, forms authentication, and Adobe's Action Script.
More...

In my previous post Displaying .NET DataSet with Crystal Reports I discussed one way to report the data that does not come directly from a database. In this way, it is possible to preform more complex data analysis and present the result using Crystal Report engine. Following post addresses similar issue. However, here, the data to be presented is not stored in a DataSet, but rather in a .NET Collection, which implements IEnumerable interface.
More...

Couple of days ago, I started playing with Crystal Reports engine included with Visual Studio.NET. After creating several reports using SQL Express database, I started wondering how to create reports that require more sophisticated data analysis. At first, my thoughts were to utilize stored procedures to create report result, and and then display the result using Crystal Report engine. However, it turned out that Crystal Report engine has some limitations when it comes down to stored procedures. Crystal Reports documentation states that stored procedures can be utilized if they contain at most one SQL SELECT statement. In addition, the documentation states that no return parameters can be utilized (parameters declared by SQL keyword OUT, or INOUT). Clearly, complicated data analysis cannot be performed using single SELECT statement. Considering these limitations, I immediately started to investigate options to present a structure using Crystal Reports. At first, I considered a .NET containers, but Crystal Reports engine did not seem to provide any convenient way of displaying such structures. In addition, I noticed that every report that I designed, required the structure of the data to be known at report design time. At that time, two options came to my mind:
More...

Couple of days ago, I installed BlogEngine.NET on my home server's root directory. Besides being extremely impressed by BlogEngine.NET, I noticed that all of my other sub-applications started crashing. Immediately, I knew that the installation of BlogEngine.NET affected all other web applications. After short investigation, I noticed that all of my sub-applications were trying to load handlers and modules defined in BlogEngine class library. Specifically, all web applications tried to load following:

[...]
<httpModules>
      <add name="WwwSubDomainModule" type="BlogEngine.Core.Web.HttpModules.WwwSubDomainModule, BlogEngine.Core"/>
      <add name="UrlRewrite" type="BlogEngine.Core.Web.HttpModules.UrlRewrite, BlogEngine.Core"/>
      <add name="CompressionModule" type="BlogEngine.Core.Web.HttpModules.CompressionModule, BlogEngine.Core"/>
      <add name="ReferrerModule" type="BlogEngine.Core.Web.HttpModules.ReferrerModule, BlogEngine.Core"/>
      <!--The CleanPageModule below removes whitespace which makes the page load faster in IE. Enable at own risk -->
      <!--<add name="CleanPageModule" type="BlogEngine.Core.Web.HttpModules.CleanPageModule, BlogEngine.Core"/>-->
      
      <!--Remove the default ASP.NET modules we don't need--> 
      <remove name="PassportAuthentication" />
      <remove name="Profile" />
      <remove name="AnonymousIdentification" />
    </httpModules> 

    <httpHandlers>
      <add verb="*" path="file.axd" type="BlogEngine.Core.Web.HttpHandlers.FileHandler, BlogEngine.Core" validate="false"/>
      <add verb="*" path="image.axd" type="BlogEngine.Core.Web.HttpHandlers.ImageHandler, BlogEngine.Core" validate="false"/>
      <add verb="*" path="syndication.axd" type="BlogEngine.Core.Web.HttpHandlers.SyndicationHandler, BlogEngine.Core" validate="false"/>
      <add verb="*" path="sitemap.axd" type="BlogEngine.Core.Web.HttpHandlers.SiteMap, BlogEngine.Core" validate="false"/>
      <add verb="*" path="trackback.axd" type="BlogEngine.Core.Web.HttpHandlers.TrackbackHandler, BlogEngine.Core" validate="false"/>
      <add verb="*" path="pingback.axd" type="BlogEngine.Core.Web.HttpHandlers.PingbackHandler, BlogEngine.Core" validate="false"/>
      <add verb="*" path="opensearch.axd" type="BlogEngine.Core.Web.HttpHandlers.OpenSearchHandler, BlogEngine.Core" validate="false"/>
      <add verb="*" path="metaweblog.axd" type="BlogEngine.Core.API.MetaWeblog.MetaWeblogHandler, BlogEngine.Core" validate="false"/>
      <add verb="*" path="rsd.axd" type="BlogEngine.Core.Web.HttpHandlers.RsdHandler, BlogEngine.Core" validate="false"/>
      <add verb="*" path="css.axd" type="BlogEngine.Core.Web.HttpHandlers.CssHandler, BlogEngine.Core" validate="false"/>
      <add verb="*" path="js.axd" type="BlogEngine.Core.Web.HttpHandlers.JavaScriptHandler, BlogEngine.Core" validate="false"/>
      <add verb="*" path="rating.axd" type="BlogEngine.Core.Web.HttpHandlers.RatingHandler, BlogEngine.Core" validate="false"/>
      <add verb="*" path="opml.axd" type="BlogEngine.Core.Web.HttpHandlers.OpmlHandler, BlogEngine.Core" validate="false"/>
      <add verb="*" path="monster.axd" type="BlogEngine.Core.Web.HttpHandlers.MonsterHandler, BlogEngine.Core" validate="false"/>
      <add verb="*" path="blogml.axd" type="BlogEngine.Core.Web.HttpHandlers.BlogMLExportHandler, BlogEngine.Core" validate="false"/>
</httpHandlers>
[...]

At first, I was very confused that all sub-applications are loading web.config from the root application. I thought that each web application simply used the web.config from it's own virtual folder (besides machine.config). To investigate the issue, I started searching the web and after a short time I found the following article. The article explains the way IIS 6 is handling web configuration loading and inheritance. Frustrated with the result, I was determined to find solution to my problem. And then it hit me: <location> tag! With <location> tag, it is not only possible to control application security, but also selectively load parts of web.config. Actually, the accurate statement would be that <location> option allows user to control if "child" applications will inherit portions of web.config. In this way, I was able to pick and choose, which parts of web.config will be loaded in sub-applications. Following part of web.config explains everything:

[...]
<location inheritInChildApplications="false">
 
  <system.web>
    
  [...]   
 
  </system.web>
  
</location>
[...]

Adding <location> option solved my headache ...

Introduction

Authentication and authorization as fundamental part of a web application was tremendously simplified with arrival of .NET 2.0. Basic authentication and authorization can be performed using different DBMS systems. There are numerous examples implementing authentication using Access database. One such example can be found in the article ASP.NET 2.0 Authentication using Access Database. In this article the example implements bare minimum to achieve desired goal, namely authentication and authorization using access database. However, authentication and authorization is only first part of the user management system. Second fundamental part of user management is allowing users to create an account at will. In such instances, users can sign up and become members of the community without administrator intervention. Furthermore, the user should be able to provide contact information (email) so that he/she can be contacted if necessary. Contact information must be verified. This article focuses on very simple ways to achieve such goal.
More...

Introduction

Authentication and authorization is one of the basic components of web application development. When I first started web development, I quickly realized that authentication and authorization of resources were performed in variety of ways. Throughout years, I developed variety of web applications, primarily for my own use. With arrival of ASP.NET 1.0, authentication and authorization were simplified. ASP.NET 2.0 takes this feature even further by providing the user with powerful tools to quickly implement authentication and authorization. With these tools, a user can utilize MS SQL 2005 Server, XML data source, MS Access database and other data sources to retrieve user information. In this article I will focus on bare minimum needed to implement forms authentication using access database.

More...