Tuesday, 28 April 2009

Today's Learning Points - AutoCompleteType & RegisterStartupScript

Just wanted to share a couple of things I discovered in ASP.NET today.

We had some security testing done on our main web app a few months ago, as a result of which we did work around things like password expiry, complexity etc. We got retested last week and we've been asked to review three points, which I've been looking at today.
One of the points was that on our login page, our password textbox is auto-completable. So I edited the page today to add "autocomplete='off'", however as I started typing Intellisense kicked in and revealed to me the AutoCompleteType attribute. I'd never seen this before! There's a whole Enum of options you can use for autocompletion, or if you set AutoCompleteType="None" then input elements that share a common ID will share their values for autocompletion.
To output "autocomplete='off'" the ASP.NET markup is

However when I was checking the output in View Source, the autocomplete attribute wasn't being rendered at all, presumably because, duh, it opens a security hole. So how did our testers pick up on this? We suspect they'd used the 'Do you want to remember this password' feature, which we don't believe we can defend against.

I dropped some project work onto our internal test site last week, where I've done some enhancements and also moved the project up to ASP.NET 3.5 and added a couple of UpdatePanels with some controls from the AjaxControlToolkit. I had an email today from our user who is doing some testing, who said that some of the buttons didn't seem to do anything eny more. I ran the project upon my laptop, checked it and found I was seeing the same behaviour. I dug into the code and reminded myself that the buttons that weren't working, worked by emitting some script using ClientScriptManager.RegisterStartupScript.
Knowing that the major change to the page was to add UpdatePanels, it didn't take much to deduce that a combination of UpdatePanels and partial page rendering had broken the RegisterStartupScript model. But how to solve it? My first thought was to change the ScriptManager's rendering mode to disable partial page rendering on the basis that if you re-render the entire page then a startup script might be correctly emitted, however on trying this I learned you can't change the rendering mode in any event that occurs after Page_Init. But I did spot that there are several other methods on ScriptManager, including one called RegisterStartupScript. I swapped out my calls from ClientScript.RegisterStartupScript to ScriptManager.RegisterStartupScript, ran it up, and success, my buttons were functional once more. And I should go on to learn the other methods of ScriptManager...

Sunday, 19 April 2009

WebDD Roundup

I had a really enjoyable day at WebDD yesterday. Aside from presenting my own session and catching up with people like Andy Westgarth and Barry, I attended four other sessions:

ASP.NET 3.5 - Miss something? - Dan Maharry
This was a really interesting session covering a number of out-of-band releases from Microsoft that may have been a little overshadowed by the ASP.NET MVC release. For me, the high points that I need to go off and investigate further are:
Lightweight Test Framework
This is a framework which was initially used internally by Microsoft's QA teams for ASP.NET but has now been released on Codeplex. It is a single DLL which works cross-browser and supports integration testing for ASP.NET sites. It also supports AJAX callbacks.
AJAX HistoryState and Back-button Support
This is a feature that was added in ASP.NET 3.5 SP1. It provides a method enabling the Back button to be fully supported by AJAX postbacks so that the browser's History list includes entries showing different states. I'm afraid I threw Dan a little bit as I asked about how well supported this is across different browsers - my thoughts were that I could see this would work with IE but I wasn't really expecting it to work in Firefox (or, to be frank, any other browser). However Dan confirmed that it does work in Firefox, though he hadn't tested it in against the other browsers. Definitely one to look into.
Composite Scripts
This is a method by which a number of JScript references can be combined into a single file, meaning your site only has one file to download instead of opening up a number of connections to download seperate files. I was unsure about this from a scalability point of view as it involves referencing scripts inside the ScriptManager control (which normally prevents the browser caching scripts since the URL is different for each postback), however the combined file is also put into the output cache instead of being compiled on the fly.
This was Dan's first time presenting at a DDD but I thought he presented very well and I'd like to see more from him in the future.

What's Good in .NET 4.0 and VS2010 - Alex Mackey
This session covered a number of things from the next release of the CLR and Visual Studio 2010. The things that stood out for me from this session were:
The improved code editing experience, including highlighting of every instance of a method call whenever you enter one of them, and showing the hierarchy of calls down to the method you are currently editing.
Something called variance and contravariance - I'll be honest, I didn't understand this. At all.
Much better control around disabling Viewstate, including better support in the grid controls around working without Viewstate.
Static client IDs for controls.
The ability to compress Viewstate (though attendees to my session will have seen that this is possible in ASP.NET 2.0)
Environment-specific changes for web.config files e.g. web.config.debug, which looks like a mix of XSLT and the .dconfig configuration deltas from the Enterprise Library.
Better server-side control over META tags, for those developers interested in SEO-type activities.

For Workflow:
Performance improvements - up to 10x better performance.
A new workflow type, the Flowchart, which is a hybrid between the existing Sequential and State Machine workflows.
It will be easier to include information in a workflow, hopefully remving the need for the ExternalDataExchange object.
Overall, Alex' recommendation was that if you're currently thinking of developing a workflow application, wait for this version. This was particularly relevant for me, as I'm currently looking at a workflow app for a project at work.

I want it on that one, that one and that one! And it all needs to be synched! - Andy Westgarth
This session from VBUG Chairman Andy Westgarth covered the new Web Deployment bits coming from Microsoft. This tool is built on top of MSBuild and allows you build deployment packages to be deployed to IIS. These packages are not MSIs, the idea of the tool is to produce a package that can be passed to IT types without the need to handhold them as they deploy your application.

ASP.NET 4.0 - Mike Ormond
This session from Mike Ormond of Microsoft was, like Alex, concerned with .NET 4.0, however it was much more focussed on ASP.NET. The highlights I picked out were:
VS2010 is going to be productivity-focussed - there will be a new range of snippets for both HTML and AJAX authoring, although Mike pointed out that a snippet called 'requiredfieldvalidator' doesn't actually save you much typing. A nice feature is that when you add a validator, it will try and attach itself to the nearest control that can be validated - nice, but it seems Microsoft haven't grasped that not many people use the designer, they code the HTML in Source View.
Mike covered some of the new provider-based caching functionality and demonstrated a custom cache provider. Velocity was mentioned, but only as one of the available providers. Mike also mentioned that the existing System.Web.Cache namespace is likely going to be moved to a more general namespace, which explains the decision of the Velocity team to change their namespace - it seems likely to me that SYstem.Web.Cache will become System.Data.Caching. This is a small change but will clear up a lot of confusion over whether you should use System.Web.Cache in a WinForms application.
In WebForms, the need for the CSSFriendly adapters will go away - controls will be much easier to style in CSS out of the box. Mike also covered the Routing engine (which was split off from the MVC effort) which gives you much better control over URLs you generate inside your application, and the NamingPanel, a new control which is part of increased control you will have over client IDs.

I'd have liked to have seen Andy Gibson's session on jQuery but it was on at the same time as me :-( however all the sessions have been videoed so I will be able to see it on the web!
I had a great day, it was just a shame I couldn't stick around for beers afterwards. Next time!

Saturday, 18 April 2009

ASP.NET Scalability at WebDD

Thanks to everyone who attended my session on ASP.NET scalability at WebDD today - I hope you all found it useful. I got to the end of the section on caching, which is more or less the first half, and realised I had ten minutes left for the entire second half, so apologies for having to race through the rest of the slides. If anyone has any questions please feel free to post them in the comments here and I'll answer them.

I had a few questions afterwards over coffee, which were:
Q) Output Caching. Can you VaryBy things other than elements in the QueryString?
A) Yes, there are a range of VaryBy options: VaryByContentEncoding, VaryByControl, VaryByHeader, and VaryByCustom. In each case ultimately it boils down to a string. There's a discussion of all these options on MSDN, but basically VaryByContentEncoding's probably not going to help you too much since this looks at what encodings your browser can accept e.g. compressed content (and remember that I mentioned all the current browsers (and previous generation browsers) can accept compressed content). VaryByHeader looks at a semi-colon seperated list of HTTP headers. VaryByControl looks at the controls declared inside a UserControl. VaryByCustom is perhaps the most interesting as it allows you to roll your own scheme by implementing GetVaryByCustomString in your Global.asax file, or if you set it to 'browser' it caches page instances based on the browser name and major version.

Q) Is there a reason not to use VaryByParam=*?
A) VaryByParam=* will cache pages on all combinations of elements in the QueryString - I can only tell you what it does, it's up to you to decide whether this facility is going to fit into your application or not.

Q) Can you cache objects for longer than 20 minutes?
A) Yes. If you use sliding expiration, it takes a System.TimeSpan object. TimeSpan has three constructors - I used the hours/minutes/seconds constructor, but there's nothing to stop you using the second constructor which adds a days parameter onto the constructor. Bear in mind, however, that doing that means you're sacrificing that much memory on your server for that length of time. As with so many things in scalability, it's a trade-off...

Q) Do you need command-line access to your server to enable a SQL database for SQLCacheDependencies?
A) No. There's two options here: one is to keep in mind that the ASPNET_REGSQL command-line tool takes a server name from the -S parameter - this can be any SQL server that is on your network, you don't have to run the tool locally to the server you're enabling.
The second option is to use the SqlCacheDependencyAdmin static class, which gives you the ability to programmatically enable and disable databases and tables for cache dependencies.

Thursday, 16 April 2009

Manually Uninstalling Velocity CTP2

Now that Velocity CTP3 is out I was looking forward to installing it however going through Add/Remove Programs it prompted me to locate the original installation MSI. Which I haven't got any more :-(

However I contacted the Velocity team and they sent me instructions for manually removing CTP2.

"Note: To un-install Velocity CTP bits use 'Add-Remove Program', however for scenarios where a user is unable to un-install e.g.
'Add-Remove Program' entry is missing, following workaround of using manual steps for un-installation can be used, but they need to be done at users discretion.

Below steps assume removal of Velocity Service and product from a single machine, to un-install multi node Velocity cluster below steps need to be performed on each machine (node)

1. Under 'Administration Tools' -> 'Services' ensure that Velocity service DistributedCacheService with Display Name "Microsoft project code named "Velocity" is stopped

2. Go to Command Prompt and use SC.EXE command to delete velocity service i.e.

SC.EXE delete DistributedCacheService

3. To ensure removal of entries from 'Add-Remove Program' for existing 'Velocity Installer', Download and install 'Windows Installer Cleanup Tool' as per following KB
http://support.microsoft.com/kb/290301 , Or directly from

Launch the above installed Tool and from the list choose 'Microsoft project code name "Velocity" CTP2' and select Remove

4. Next delete files under installed folder, typically under \Program Files\Microsoft Distributed Cache\V1.0

5. Remove 'Firewall Exception' for DistributedCacheService

6. If Cluster Config Store chosen during installation was 'XML'
or 'SQL Server Compact' then remove the files from the Network Share Folder (which was provided during installation)

Else if 'SQLClient Provider' was used as the Cluster Config Store then -

Drop the database (provided as 'Initial Catalog' ) which was mentioned in the connection string during installation.

or, To avoid Dropping the database in case you want to keep it, you can also just drop the table 'dbo.config' present in the above mentioned database."

I haven't tried these instructions out yet as I don't want to fry my laptop ahead of WebDD this weekend but I will try them next week and report back.

UPDATE: I ran through these instructions last week, for me they worked perfectly. The only thing I struggled with was the fact that IT have locked down the UI for firewall exceptions so I couldn't remove the ones I had set up. However I was able to remove them by hacking the Registry.

I now have Velocity CTP3 installed - details coming soon!

Friday, 3 April 2009

Answering the call

One of the feeds in my live.com Tech tab (which is distinct from my Microsoft tab :-) ) is Wintellog, which is an aggregated feed of all the bloggers at Wintellect. I've seen several of these guys speak over the years, mostly at DevWeek - they are all top-notch and I thoroughly recommend seeing them if you get chance.

Yesterday John Robbins wrote something of a call to action: read Code Complete and write a 'book report' on it as a comment in his blog.

Guilty confession time: I've never read it, despite it being on my desk for a number of years. It's not something I'm proud of, but I'm confessing. And I'm undertaking to answer the call: I took it home last night, and I'm going to read it (as soon as I finish the excellent Six Sacred Stones). I'll post my review here as well as on John's blog, and I encourage everyone to do the same.