Tag Archives: aspnet

63 Posts

Profiling a ‘black box’ framework to see exactly how it works and behaves can be edifying. It can also lead to better optimizations/usage of the framework. In my case, it helped diminish the mistrust of Entity Framework.

There are tools like Rhinomocks EF Profiler which allow for inspecting the ObjectContext of Entity Framework. However, if you don’t want to buy additional tools, you can effectively write your own.

More Link

I’ve used T4MVC within my MVC projects for a long, long time now. It’s one of those extremely useful utilities that probably gets forgotten.

At any rate, I’m not sure if I ever mentioned why I like T4MVC, but here are a few reasons.

More Link

Using Stored Procedures in the latest version of Entity Framework is pretty doable. You lose a lot in terms of flexibility, but sometimes there are trade-offs that one must make. This week I was playing around with converting an application that used a Repository pattern with EF, Lambdas, and IQueryables to StoredProcs for all CRUD operations.

Here are some interesting bits that I learned.

More Link

Here’s something I learned about URL hashtags a while back that seemed worth sharing.

As you may know, hashtags are never sent to the server. There is, by regular browser redirection, no way to get hashtag information to the server.

For a client-side, script-based web application that uses hashtags, obviously, this presents a challenge. Even if all you want is a redirect URL on login, it can’t utilize the hashtag.

One workaround that I found that works well is to redirect to a page that has a hidden HTML input which you can stuff the hash (URL-encoded) into and then post that as a name/value pair to the server.

More Link

After my previous post regarding Secure Token Services / SSO, I have been diving deeper into OWIN to understand its capabilities further.

As I mentioned, the STS system I devised is still using FormsAuthentication. As a consequence, the relying applications are also dependent on FormsAuth. Upon further inspection, I found that this is redundant. It turns out that OWIN was doing more than I initially divined. Additionally, from all that I have read, it appears that Microsoft’s vision is to completely supplant, and retire, FormsAuth. This, obviously, could be a point of contention if one ties their authentication system into FormsAuth.

More Link

Earlier this week, an article about technology choices was floating around the office: Choose Boring Technology

The premise of the article focused on technology choices and explained why sticking to tried and true technologies has merit. I find this article to be very relevant, and in the same week I had my own correlating experience.

More Link

For the past week, I’ve been working on creating a Single SignOn (SSO) system with ASP.NET. One joke around the office is that SSO could also stand for Seldom SignOn. Essentially, we want to make securing applications as painless for the user as possible. Along the way, being able to generate secure tokens through a Secure Token Service (STS) seemed advantageous as well.

Interestingly, it still comes back to cookies. Tokenization is only useful for securing APIs. That is to say, attaching an Authorization Header to an API call is straightforward, but it’s not feasible to attach one to a user’s initiated browsing.

More Link

When I’m online with my banking site, or Pandora, I occasionally get those nice dialogs asking if I’m still around after being idle for a while. Sometimes, I think it’s a nuisance, but it can be a helpful security measure. It can also be beneficial in SPA-type applications.

With SPAs, the user can perform so many actions in the browser that never make requests of the server. As a result, if we’re using a cookie-based security mechanism that has a short expiration time, they could be effectively logged out and not even know it.

This is a problem.

More Link

Today I spent a few hours playing around with Apache Cordova. If you don’t know what that is, it’s basically a set of APIs that let you deploy Web Apps (JavaScript) to a mobile device and then have access to that device’s hardware.

If you’re already writing SPA-type apps, Apache Cordova can be a quick way to deploy your Web App to a mobile device and have it behave just like a native app.

More Link

In .NET, when I’m dealing with WebAPI controllers, I like to secure them. Typically, this is done with an [Authorize] attribute on the controller or the controller’s actions.

One problem that arises with .NET, though, is that a user’s auth token/cookie could be expired because they are inactive for a set amount of time. Imagine that you’ve written a shiny new SPA-type web app that is SOA-driven. When the user resumes accessing your site, all of the API endpoints will fail until the user logs back in.

More Link