Design site navigation

An easily navigable web site is half of the battle. I won't write about revolutionary navigation designs and ideas here; let the web designers struggle with that. In this post, only the standard developer-side navigation controls will be considered. So let's begin!

Our syllabus states the following on this objective: when to extend the site map provider, TreeView menu vs. SiteMapPath, programmatically manipulating site map nodes, overriding menu rendering with control adapters, and filtering site map nodes based on user roles. A nice collection.

The foundation of ASP.NET site navigation is the SiteMap. There are several classes with this name, so let's lay out some terminology. The SiteMap is the XML document the data originates from. It populates the SiteMapDataSource data source object, which looks for the web.sitemap file to get its data. It also populates the SiteMapPath control, which is a graphical representation of the sitemap, also known as breadcrumbs. I never understood why they call it that, but I have no English background.

So what's the big deal with the epic battle between SiteMapPath and TreeView? The secret is that TreeView gets its data from the SiteMapDataSource control, so it reflects any changes made in the SiteMapDataSource. SiteMapPath, however, queries the underlying web.sitemap file directly, without a data source object in between, so changes made in the SiteMapDataSource won't affect it.

A little info about web.sitemap: it must be placed in the root directory and must have a single root node, but you can define sub sitemaps inside its elements. So the following XML is valid:
Continue reading “Design site navigation”

Establish security settings in Web.config

In this post (which is the 100th one in the life of the blog), we’ll review three important security-related settings that you can define in your application’s web.config file, namely: authentication, authorization and impersonation. You’ll find a very thorough article about the topic here.

First a little terminology: authentication is the process of identifying a user; authorization is the process of checking that user's rights. A common example: when you check in for a flight, you show your ID, passport, etc. to identify yourself. Then you show your ticket for the given plane to prove that you are authorized to be there. It's that simple. And impersonation is the process of taking on someone else's identity, which is a bad, bad thing. So much for terminology.

There are a few authentication types in ASP.NET. Windows authentication uses the Kerberos protocol (or NTLM) to identify the user. Let's consider using it with and without impersonation. You'd use Windows authentication with impersonation when:
Continue reading “Establish security settings in Web.config”

Ensure that sensitive information in applications is protected

I really don't know what to think about this one. Microsoft gives the following guidelines: hashing and salting passwords, encrypting information. Now this topic is a bit broad, but let's look at it. If you don't find my post detailed enough, feel free to refer to this Patterns & Practices article on MSDN.

Our first issue is the connection to a database. The main recommendation is: whenever possible, use Windows Authentication. This has many benefits, including that you don't need to store credentials in your application and you don't need to send them across the network.

Continue reading “Ensure that sensitive information in applications is protected”

Plan Web Sites to Support Globalization

This post will be about the globalization and localization techniques ASP.NET provides us. There are two types of resources which you can use in an ASP.NET page: global, which means they are accessible from all pages, and local, for each given page. First let’s see how to use global resources.

To enable them, add a special folder named App_GlobalResources. In this folder, you can insert whatever resource you'd like to use. Let's insert a .resx file; this will be the default culture you'd use. Let's call it GlobResx.resx. Add a key-value pair, for example HeaderText = Hello World. Now on any .aspx page, define a Label control and set its Text property to <%$ Resources: GlobResx, HeaderText %>. That's it: when you run your site, you'll see Hello World as the label's text.

Now let's take a further step. Create a file named GlobResx.en.resx in the App_GlobalResources folder. Add the same HeaderText entry, but now use the value: Hello for the English-speaking World! If your browser is set up to use the English culture, you'll see that your label shows the new text.
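The same lookup done from code-behind, as an added example that is not from the post: it is the programmatic equivalent of the <%$ Resources: GlobResx, HeaderText %> expression, and it also shows the step the walkthrough relies on but does not spell out, namely that the browser's language is only honoured when the page's UI culture is set from the request (here in InitializeCulture; the @Page directive's UICulture="auto" or web.config's <globalization> element would do the same). The page class, the HeaderLabel control and the fallback text are assumptions.

```csharp
using System;
using System.Globalization;
using System.Threading;
using System.Web.UI;

// Added example, not the post's code. Assumes a page with a Label named
// HeaderLabel and the GlobResx.resx / GlobResx.en.resx files described above.
public partial class GlobalResourceDemo : Page
{
    // Runs before the page's controls are created; it is the last point at
    // which the page's culture can still be changed. Without this (or
    // UICulture="auto" on the page or in web.config) the Accept-Language
    // header is never consulted and GlobResx.resx is served to everyone.
    protected override void InitializeCulture()
    {
        string[] languages = Request.UserLanguages;
        if (languages != null && languages.Length > 0)
        {
            // Entries look like "en-US;q=0.8"; keep only the culture tag.
            string lang = languages[0].Split(';')[0].Trim();
            try
            {
                // "en" or "en-US" selects GlobResx.en.resx; a culture with no
                // satellite file falls back to GlobResx.resx automatically.
                Thread.CurrentThread.CurrentUICulture = CultureInfo.GetCultureInfo(lang);
            }
            catch (ArgumentException)
            {
                // Unknown or malformed tag from the client: keep the default culture.
            }
        }
        base.InitializeCulture();
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Same lookup the declarative expression performs at run time.
        object text = GetGlobalResourceObject("GlobResx", "HeaderText");
        HeaderLabel.Text = text as string ?? "[HeaderText resource missing]";
    }
}
```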

Continue reading “Plan Web Sites to Support Globalization”

70-564: Failed

Today I took my test and failed it with 560 points. The passing limit, as usual, was 700 points, so I wasn't even close to it. However, now I know what to study, and my future posts will reflect this newfound knowledge.

As I wrote yesterday (and I can confirm it based on today's experience), this exam isn't the kind of "can you find the syntactic/logical error in the following four code samples". It was about decisions in certain circumstances, so you should be able to select the best-fitting solution for a given problem from four (or more) possible answers.

I aced the Designing and Implementing Controls section without any error, so I won't focus on that. Instead, you'll get more info on the topics of security, project types and navigation. Thanks to the second shot offer, I'm able to schedule this exam again for free; I guess I'll do it in a week.

70-564: Tomorrow

Anyone who has read my most recent posts might think that they are just drafts. I think it's true, because I don't know what to prepare for: sometimes I wouldn't like to review a topic because I consider it too basic, and sometimes I can't even start to learn the exact same topic because of its complexity.

These things helped me make my decision: I’ll take this exam tomorrow. If I pass it, well, it’s good for me, I was prepared. If not, it’ll be good for you, because you get study material which was produced and reviewed by heart.

So I’ll post my experiences (and my result) tomorrow. The next exam I’m currently considering is the Windows Forms MCTS (70-505). But it’s possible that I’ll head for the 70-503, WCF exam, because I ordered the book a month ago, and I’d desperately like to read it.

Identify Vulnerable Elements in Applications

In this section, I'd like to provide guidelines that help you build a secure website in ASP.NET. The following list is from the Pro ASP.NET 3.5 in C# 2008 book; refer to it for further information.

Never trust user input: use strong validation methods when you're dealing with user input. Whenever possible, define a whitelist of values that are acceptable for the current input.

Never, never use string concatenation for creating SQL statements: really, never do it. Use parameters instead; data source controls have native support for them, and at the lower level every ADO.NET command class supports them too.

Never output user-entered data before validating and encoding it: this one barely needs any explanation. If you do output that information unencoded, you expose your site to serious XSS attacks. To get an idea of how serious they are, check out this video.

Never store sensitive or business logic data in hidden fields: your users aren't dumb; they can open the source of your site, tamper with it, and send it back to you.

Never store sensitive data in the View State: View State is little more than another hidden field. If you assume that it's encrypted, you are wrong. However, you can make sure that it is the same data you sent to the user by setting EnableViewStateMAC to true.

Enable SSL when using Forms Authentication: no comment, enable SSL if you can.

Protect your cookies: and don’t forget to set timeouts on them.
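The SQL-parameter and output-encoding rules from the list above, side by side, as an added example that is neither the book's nor the post's code: the concatenated query the second rule forbids, the parameterized lookup with a whitelist check in front of it, and the encoding step the third rule requires before the value is rendered. The connection string, the Users table and its two columns are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not from the book or the post. The Users table with the
// UserName and DisplayName columns is assumed for the sake of illustration.
public static class UserLookup
{
    // The anti-pattern the list warns against: the user-supplied value becomes
    // part of the SQL text, so anything in it is parsed as SQL, not as data.
    public static string BuildVulnerableQuery(string userName)
    {
        return "SELECT DisplayName FROM Users WHERE UserName = '" + userName + "'";
    }

    // Hardened form: the statement text is constant and the value travels as a
    // typed parameter, so the database never treats it as part of the query.
    public static string GetDisplayName(string connectionString, string userName)
    {
        // Whitelist first (rule one): only characters a user name may contain.
        if (string.IsNullOrEmpty(userName) || userName.Length > 50
            || !Regex.IsMatch(userName, @"^[A-Za-z0-9_.-]+$"))
        {
            return null;
        }

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT DisplayName FROM Users WHERE UserName = @userName";
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 50).Value = userName;
            conn.Open();
            object result = cmd.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? null : (string)result;
        }
    }

    // Encode before output (rule three): a display name containing markup is
    // rendered as inert text instead of being interpreted by the browser.
    public static string RenderGreeting(string displayName)
    {
        return "<p>Hello, " + HttpUtility.HtmlEncode(displayName) + "!</p>";
    }
}
```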