Hi,
With the emergence of ASP.NET MVC, many web developers have put forward ideas and discussed the future of Web Forms. There is a nice podcast on Joe's blog interviewing Scott Hunter, Senior Program Manager Lead on the ASP.NET Team. In this podcast, Joe and Scott talk about the future of Web Forms and compare it to ASP.NET MVC.
Don’t miss this podcast!
Episode #1 – Scott Hunter on the future of ASP.NET Development with Web Forms
Web Forms vs. ASP.Net MVC
June 5, 2009
Keeping Passwords Secure
October 20, 2008
Hello,
Keeping sensitive data in a database has always been one of the most challenging tasks; it needs a deep understanding of system planning and of the security issues that might affect the reliability of the system. Broadly, you may implement one of the following ways to keep passwords in a database:
1 – Storing Passwords as Clear-Text/Plain-Text:
This option is the most insecure way of storing passwords in the DB, because each password is kept as clear text without any encryption or hashing. The disadvantage is that anyone with access to your database will be able to read the passwords and modify them. This imposes a great risk on your system and is not recommended in any scenario.
2 – Using Encryption Algorithms
This is a more secure approach that may be taken into account. In this way, you may implement one of the asymmetric or symmetric algorithms to encrypt/decrypt the data. In asymmetric algorithms, the key used to encrypt data differs from the key used to decrypt it; there is a public key that enables you to encrypt the password and a private key that allows you to decrypt it. In contrast, symmetric algorithms use a single key for both encrypting and decrypting data. If you implement this method, use a unique public/private key pair for each user, so that if an attacker obtains one user's private/public key, it is not usable for other users. This approach is most common in scenarios that need a password retrieval system, meaning that passwords can be recovered. So if password retrieval is not a part of your system planning, this method is not recommended.
3 – Hashing Passwords
This technique is a one-way solution and is therefore more secure. A "hash function" takes a value of variable length and produces an output of constant length. For instance, the SHA256 algorithm takes the input value and generates a 256-bit output. Note that the hashes of two pieces of data are identical if and only if the data matches, and any minor change in the data causes the hash value to change dramatically, so this is also a convenient method for comparing large amounts of data. Password recovery is not possible when implementing this solution. When using hash functions to store scrambled data, keep in mind that if two users have the same password, the hash output will be identical, and this is considered a great vulnerability. To prevent this, you may use the "salted hash" technique: add some additional data to the password and then compute the hash of the combined data. For example, you may append the username to the password and then hash the whole string. Consequently, when authenticating users, you must first append the username to the entered password, hash it, and then compare it with the hash value stored in the database. For more security, you can generate a random salt for each user and store it in the database.
The .NET Framework System.Security.Cryptography namespace provides you with many cryptographic services such as encryption/decryption, hashing, random number generation, etc.
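The per-user random salt described above, as an added example that is not code from the original post: the class name, the 16-byte salt size and the salt || password layout are my choices, and the same password gives different hashes for two users because each user has a different salt.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the original post: a per-user random salt
// combined with SHA-256, as the "Hashing Passwords" section describes.
public static class SaltedPasswordHash
{
    private const int SaltSize = 16; // 128-bit random salt per user (assumed size)

    // Creates a fresh salt with the framework's cryptographic RNG.
    public static byte[] CreateSalt()
    {
        byte[] salt = new byte[SaltSize];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        return salt;
    }

    // Returns SHA-256(salt || UTF-8(password)); the salt is stored next to the hash.
    public static byte[] ComputeHash(string password, byte[] salt)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        using (SHA256 sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(input);
            Array.Clear(input, 0, input.Length); // drop the plaintext bytes promptly
            Array.Clear(pwd, 0, pwd.Length);
            return hash;
        }
    }

    // Login check: recompute with the stored salt and compare every byte, so a
    // mismatch in the first byte takes as long as a mismatch in the last one.
    public static bool Verify(string attempt, byte[] storedSalt, byte[] storedHash)
    {
        byte[] candidate = ComputeHash(attempt, storedSalt);
        if (candidate.Length != storedHash.Length) return false;
        int diff = 0;
        for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ storedHash[i];
        return diff == 0;
    }
}
```

At registration store CreateSalt() and ComputeHash(password, salt) in the authentication table; at login call Verify(entered, salt, hash). A deliberately slow key derivation function such as PBKDF2 (Rfc2898DeriveBytes in .NET) is preferable to a single SHA-256 round, since it makes offline guessing of a leaked hash far more expensive.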
4 – OTP – One-Time Password
In spite of implementing a salted hash, passwords are still stored on disk and are prone to being cracked, so a better approach is required here. In contrast with static passwords, one-time passwords change each time a user logs on to the system, and usually users carry a small hardware token that is synchronized with the server. Mainly there are two types of OTP:
- Time-Synchronized: In this method, the user should enter the password within a given period of time; otherwise it expires and a new password is generated. Of course, this method may lead to a clock-skew problem: if the authentication server and the user token don't keep the same time, the authentication process will fail.
- Counter-Synchronized: A counter is synchronized between the server and the user's client, and each time the device requests an OTP value, the counter is advanced. Like the previous solution, when the user wants to log on, he enters the password shown on the device.
For more information, visit Safer Authentication with a One-Time Password Solution.
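The counter-synchronized scheme above, as an added example that is not code from the original post or from the linked article: it follows the HOTP construction (HMAC-SHA1 over the counter, dynamic truncation to six digits), and the class name, the 6-digit length and the 5-step look-ahead window are my assumptions.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not code from the original post: a counter-synchronized OTP in the
// style of HOTP (RFC 4226), with the server tolerating a device that is a few steps ahead.
public static class CounterOtp
{
    private const int Digits = 6;
    private const int LookAhead = 5; // how many unused counter values the server will accept

    // Token/device side: derive a 6-digit code from the shared secret and the counter.
    public static string Generate(byte[] secret, long counter)
    {
        byte[] msg = BitConverter.GetBytes(counter);
        if (BitConverter.IsLittleEndian) Array.Reverse(msg); // HOTP feeds the counter big-endian
        byte[] mac;
        using (HMACSHA1 hmac = new HMACSHA1(secret)) mac = hmac.ComputeHash(msg);
        int offset = mac[mac.Length - 1] & 0x0F; // dynamic truncation: low nibble picks the window
        int binary = ((mac[offset] & 0x7F) << 24)
                   | (mac[offset + 1] << 16)
                   | (mac[offset + 2] << 8)
                   | mac[offset + 3];
        int code = binary % 1000000; // keep the last 6 decimal digits
        return code.ToString().PadLeft(Digits, '0');
    }

    // Server side: the user may have generated codes without logging in, so the
    // device counter can run ahead. Try the stored counter and the next LookAhead
    // values; on success return the counter to store (one past the match) so the
    // same code cannot be replayed. Returns -1 when nothing in the window matches.
    public static long Verify(byte[] secret, long serverCounter, string submitted)
    {
        for (long c = serverCounter; c <= serverCounter + LookAhead; c++)
        {
            if (ConstantTimeEquals(Generate(secret, c), submitted))
                return c + 1;
        }
        return -1;
    }

    private static bool ConstantTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

With the RFC 4226 test secret (the ASCII bytes of "12345678901234567890") Generate(secret, 0) yields "755224", which is a quick way to check the implementation. The server must persist the value Verify returns before answering the client, otherwise the window allows a captured code to be replayed.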
Some Security Tips
- Try implementing a salted hash.
- Enforce password policies when registering users and do not allow weak passwords.
- Separate authentication data (e.g. username, password, salt) and user profile data (e.g. FirstName, BirthDate) into different tables.
- Use strong hash algorithms like SHA256 and SHA384 (members of the SHA2 family).
- When connecting to the database, use an account with the minimum required privileges.
- Prevent SQL injection attacks by using stored procedures and parameterized queries and by validating data before passing it to a query.
- Obtain information on different kinds of attacks (e.g. dictionary, brute-force, SQL injection) and how to defend against them.
- Keep security tasks and functions secure by encrypting them.
- Use secure connections (e.g. SSL) when sending data to or receiving data from the server.
- …
The issues mentioned in this article are just a few tips that should be considered in order to provide a secure system, and the given recommendations all depend upon system requirements and the scenario.
Enjoy!
SecureString : Storing Sensitive Data
July 11, 2008
Hello,
Today, I'm going to elaborate on a great feature, the System.Security.SecureString class, which was introduced in .NET Framework 2.0. This class provides a secure way to store sensitive data and prevent it from being revealed to attackers. Using the standard System.String class is not a secure way of keeping sensitive information, and the swap file is also in danger of being disclosed. Let's take a look at some disadvantages of using the System.String class:
- As it's not encrypted, anyone with access to the swap file or process memory is able to read the unencrypted data easily.
- When modifying an instance, the old value is not removed from memory, so both the old and the new versions are kept in memory.
- There is no reliable way to dispose of it from memory when you are finished with it.
The SecureString class uses DPAPI to encrypt data. Information encrypted in this way by the CLR is only decrypted when you access it, and in contrast with the standard System.String class, this class implements the IDisposable interface so that it can be cleared from memory; its allocated memory is zeroed out when it is disposed.
Now, let's see an example:
    using System;
    using System.Runtime.InteropServices;
    using System.Security;
    using System.Windows.Forms;

    namespace SecureStringProject
    {
        public class SecureStringExample
        {
            public void ImplementSecureString()
            {
                SecureString secureString = new SecureString();
                // Use AppendChar to add characters to the SecureString object.
                secureString.AppendChar('A');
                secureString.AppendChar('C');
                secureString.AppendChar('G');
                secureString.AppendChar('E');
                secureString.AppendChar('F');
                // Use InsertAt to insert a character at the specified index.
                secureString.InsertAt(1, 'B');
                // Use SetAt to replace the character at the specified index.
                secureString.SetAt(3, 'D');
                // Use RemoveAt to remove the character at the specified index.
                secureString.RemoveAt(5);
                // The content is now "ABCDE".

                // Read the SecureString content: decrypt it into an unmanaged BSTR.
                // Note that PtrToStringUni creates a managed copy, which again lives
                // unencrypted in memory until garbage collected.
                IntPtr pointer = Marshal.SecureStringToBSTR(secureString);
                try
                {
                    MessageBox.Show(Marshal.PtrToStringUni(pointer));
                }
                finally
                {
                    // Zero and free the BSTR allocated by SecureStringToBSTR,
                    // even if MessageBox.Show throws.
                    Marshal.ZeroFreeBSTR(pointer);
                }

                // Clear and dispose the SecureString object.
                secureString.Clear();
                secureString.Dispose();
            }
        }
    }
Creating a strong assembly using ILMerge
April 26, 2008
Hello,
Sometimes you may use an assembly that is not strong-named and whose source code is not available. How do you make a strong-named assembly out of it? The ILMerge tool allows you to sign or re-sign an assembly with a specified .snk file. Given a weak assembly called "Weak.dll", you can create a strong-named assembly out of it as shown below:
    ilmerge Weak.dll /keyfile:key.snk /out:Strong.dll
Note: You can create a new .snk key pair using Sn.exe (the Strong Name Tool) from the Visual Studio Command Prompt, for example:
    sn -k key.snk
C# 3.0 : Automatic Properties
February 24, 2008
Hello,
As a C# programmer, you are used to using the prop code snippet to create a property. C# 3.0 provides a nice feature called "Automatic Properties" which lets you avoid declaring a private backing field for the property and writing the get/set logic yourself; this makes your code more concise and legible. However, you can still create regular properties and change the get/set logic.
This is a property created in C# 2.0:
    private string propertyName;
    public string PropertyName
    {
        get { return propertyName; }
        set { propertyName = value; }
    }
And this one is rewritten using C# 3.0:
    public string PropertyName { get; set; }
With this feature, the compiler automatically creates the backing field and the get/set logic. If you need the property to be read-only from outside the class (settable only by the class itself), add the private keyword before the set accessor:
    public string PropertyName { get; private set; }
How to Load CSV File Into SQL Server Table/View
February 14, 2008
The T-SQL 'Bulk Insert' statement lets you load a CSV file, or any other user-specified file format, into a table or view. In a CSV file, each field is separated by a comma and each line represents a record. Now, open Notepad and create a CSV file named 'test.csv' with the following content:
    1,FirstName1,LastName1,20
    2,FirstName2,LastName2,25
    3,FirstName3,LastName3,30
The following procedure demonstrates loading the CSV file into a temporary table:
    CREATE PROCEDURE dbo.LoadCSVFile
    AS
    BEGIN
        CREATE TABLE #CSVTest ( ID INT, FN NVARCHAR(50), LN NVARCHAR(50), Age INT )
        BULK INSERT #CSVTest FROM 'c:\test.csv' WITH
        (
            FIELDTERMINATOR = ',',
            ROWTERMINATOR = '\n'
        )
        SELECT ID, FN, LN, Age FROM #CSVTest
    END
Executing the procedure returns the three rows loaded from test.csv.
ANTS Profiler – .Net Code & Memory Profiler
February 7, 2008
Hello,
RedGate ANTS Profiler is a great tool that enables you to identify bottlenecks in your code and optimize memory usage. It also profiles how long each line of code takes to execute (line-level timing) and reports the slowest lines of code and procedures. In addition, it integrates into Visual Studio with context sensitivity.
ANTS Profiler profiles Windows applications, ASP.NET web applications, COM+ applications and Windows services written for .NET Framework 1.1, 2.0 and 3.0.

Microsoft SQL Server Database Publishing Wizard 1.1
January 31, 2008
Hello,
Microsoft SQL Server Database Publishing Wizard enables you to generate a script of a SQL Server database with the following features:
1) Creating a data-only, schema-only or schema-and-data script.
2) Building a script for specific objects.
3) Compatibility with SQL Server 2000 and SQL Server 2005 servers.
4) Two scripting modes:
   a) Scripting to a file.
   b) Publishing to a shared hosting provider.
5) Integration into Visual Studio 2005 and/or Visual Web Developer 2005.
Download Microsoft SQL Server Database Publishing Wizard 1.1
BUG : Unable to update the dependencies of the project.
January 28, 2008
Hello,
Yesterday, when building the setup project, I received the following error:
"Unable to update the dependencies of the project. The dependencies for the object 'name.dll' cannot be determined."
Trying to Refresh Dependencies was not successful either:
"The operation can not be completed."
This problem occurs when the .VDPROJ file is corrupted. To resolve this bug, you may follow these steps:
1) Open the .VDPROJ file with a text editor.
2) Find the "Hierarchy" and "File" sections and delete everything in them.
3) Delete "Project Primary Output" and add it again.
4) Reload the project.
5) Rebuild the project.
If the above solution does not work, you may need to DELETE the setup project and create it from scratch.
Note: This bug occurred on a machine with Visual Studio 2005 Team Suite Edition and SP1 installed.
This bug is reported here:
http://connect.microsoft.com/VisualStudio/feedback/ViewFeedback.aspx?FeedbackID=119625
Microsoft has also published a hotfix that can be found here:
In that article, the author mentions that:
"This problem may occur when you have a Database Project and a Setup Project in the same solution"
But keep in mind that this problem may occur even if the solution does not contain any Database Project, so the above quotation is not the accurate cause of the issue.
Microsoft Adds Persian Collation to SQL Server 2008
January 20, 2008
Hello,
I appreciate Mr. Amin Sobati for requesting that Microsoft add a Persian collation to SQL Server 2008, and now it's accepted!
All Iranian programmers and developers will be glad to know that in the near future they will no longer have any problem with Persian support in SQL Server and will be able to take full advantage of SQL Server enhancements.
Visit the following Microsoft Connect Page :
https://connect.microsoft.com/SQLServer/feedback/ViewFeedback.aspx?FeedbackID=284192
Posted by Alireza