ASP.NET

Webby gubbins
.NET 4.5 now includes the core AntiXSS functions

Oh how I have wanted to sing about this for months, now it’s public … Due to the popularity of the Microsoft AntiXSS Library, ASP.NET 4.5 now incorporates core encoding routines from version 4.0 of that library. The encoding routines are implemented by the AntiXssEncoder type in the new System.Web.Security.AntiXss namespace. You can use the AntiXssEncoder type directly by calling any of the static encoding methods that are implemented in the type. However, the easiest approach for using the new anti-XSS routines is to configure an ASP.NET application to use the AntiXssEncoder by...

posted @ Wednesday, September 14, 2011 1:26 PM | Feedback (10)

Has CitiBank scared you? Want to learn more about securing ASP.NET?

Last month I was rather pleased to welcome Troy Hunt into my little band of Developer Security MVPs. He’s been doing a bunch of blog posts on the OWASP Top 10 list for ASP.NET developers. Check them out, he’s almost finished. Technorati Tags: MVP,Security,OWASP,ASP.NET

posted @ Tuesday, June 14, 2011 10:41 AM | Feedback (0)

AntiXSS 4.0 Release notes

As I’m almost done, the AntiXSS 4.0 release notes have been finalised; Minimum Requirements: .NET Framework 3.5. Return Values: If you pass a null as the value to an encoding function the function will now return null. The previous behavior was to return String.Empty. Medium Trust Support: The HTML Sanitization methods, GetSafeHtml() and GetSafeHtmlFragment(), have been moved to a separate assembly. This enables the AntiXssLibrary assembly to run in medium trust environments, a common user request. If you wish to use the Html Sanitization library you must now include the HtmlSanitizationLibrary assembly. This assembly requires full trust and...

posted @ Tuesday, September 21, 2010 10:33 AM | Feedback (0)

On the ASP.NET “POET” Vulnerability

So late Friday two security researchers presented a side channel attack on the encryption and validation methods used on viewstate. This attack allows the attacker to derive the machine key used to encrypt viewstate and thus create their own signed viewstate, possibly compromising the web application. Side channel attacks work by analysing the response from the cryptosystem to infer information, in this case using the error responses from invalid padding. Now that the researchers have presented, their work is under investigation; MSRC have an official advisory along with further information. ScottGu has also posted more details including a work around...

posted @ Monday, September 20, 2010 6:32 AM

We’re hiring

The Information Security Tools Team at Microsoft is hiring. Oh yes, your dream could come true, you could work with me … We have an opening for a Senior SDE to help us develop software to support Microsoft’s information security program, analysing everyone else’s software for potential flaws and helping mitigate, manage and analyse. Mad SQL and OLAP skillz will put you at the top of the queue. You can either apply through the link above, or email me your résumé/CV to my work email, bdorrans@microsoft.com (which has until now been spam free *sigh*. I promise not to...

posted @ Friday, August 27, 2010 11:07 AM | Feedback (0)

Upcoming changes to AntiXSS

So this sprint I’ve been playing around with AntiXSS. This makes me very nervous, changing something that quite a few folks internally and externally depend on is a heavy burden! One of the most popular requests was “Can you support language X?” and now the answer is probably yes. I say probably, because we’re covering the UTF-16 code tables – if you wanted support for Byzantine Musical Notation (really, it exists) then you’re out of luck. Now there’s a little problem in all of this – Unicode doesn’t have a concept of language, it has code tables. If you’re...

posted @ Monday, July 19, 2010 11:35 AM | Feedback (0)

Another new inspector for the SRE, ResponseInspector

When I started off discussing where I would take the Security Runtime Engine with the Developer Security MVPs, Raffaele Rialdi asked if there would be a way to inspect raw requests and responses. Whilst I can’t do requests, as I don’t see them until ASP.NET has parsed them, I can do responses via ASP.NET’s filter mechanisms, so, despite him tagging someone else as me on Facebook, I started to look at how best to do this and came up with IResponseInspector. The response inspector works slightly differently to the other inspectors – by the time it’s called there is no...

posted @ Wednesday, July 14, 2010 6:35 PM | Feedback (0)

The SRE Preview is now available on CodePlex

The WPL site on CodePlex now has the May CTP code only release for the Web Protection Library and a Word document introducing the new extensibility points for the Security Runtime Engine. I haven’t released binaries because it’s just a preview, it is in no way ready for production and I want to discourage you even thinking of that. So why did I make the source available? Simple – feedback. This represents a rewrite of the Security Runtime and a new way for you to easily write plug-ins for it. Rather than simply decide what’s best for our users...

posted @ Thursday, May 27, 2010 6:11 PM | Feedback (0)

Further work on WPL PlugIns

(And yes, I did mean PlugIns – darned FXCop rules) After a couple of weeks of experimentation with code I think I have the plug-in model complete now. As suggested by Travis in the comments on a previous post as many parameters as possible are now using System.Web.Abstractions. Right now there are three main interfaces:

    /// <summary>
    /// Defines methods that must be implemented for request inspection.
    /// </summary>
    public interface IRequestInspector : ISecurityRuntimePlugIn
    {
        /// <summary>
        /// Inspects an HTTP request for potential problems.
        /// </summary>
        /// <param name="request">The...

posted @ Monday, May 03, 2010 5:56 PM | Feedback (2)

The Web Protection Library, plugins and naming

So now our fit and finish sprint is finished (my PM, Frank, has published the results which demonstrate that, well, fit and finish is never, errr, finished) I’ve been doing some thinking and experimenting. Two things came out of the MVP summit this year, 1) we want logging which isn’t the Enterprise Library and 2) we want to write our own WPL plugins (more specifically a particular Developer Security MVP wanted to write a SQL Injection detector for MySQL). This week was scheduled to be a lazy week, as we work around planning meetings for sprint 2 so I...

posted @ Wednesday, April 21, 2010 10:34 PM | Feedback (12)

WordPress says the Network Solutions hack is not their fault.

This is fun. Network Solutions, not known for their wonderful hosting setup, messed up WordPress configuration, file permissions and basically allowed people hosting on their servers to read everyone else’s authentication information. When it was discovered NetSol tried to spin it as a WordPress problem. WordPress are pissed. But what’s amusing, to me anyway, is their talk of crappy configuration – which they justify with the following: WordPress, like all other web applications, must store database connection info in clear text. Encrypting credentials doesn’t matter because the keys have to be stored where the web server...

posted @ Tuesday, April 13, 2010 10:55 PM | Feedback (7)

Beginning ASP.NET Security Table of Contents

A few people have been asking for the table of contents for Beginning ASP.NET Security so here it is;

CHAPTER 1: WHY WEB SECURITY MATTERS
Anatomy of an Attack
Risks and Rewards
Building Security from the Ground Up
Defense in Depth
...

posted @ Wednesday, January 27, 2010 4:56 PM | Feedback (2)

And the book cover is …

Last year Wrox switched from having happy, smiling, chin posing authors on their book covers to, well, to random images with a bit of red. So for those of you that have pre-ordered you’ll be happy to know that you won’t have me smiling out from your book shelf. Instead you’ll get an image which encapsulates my interest in exercise and sports. Errr, well, someone’s interest in exercise and sports. Never fear though, I am on the inside … Note for Americans – this image is from a game called football by the rest of the world. The...

posted @ Monday, January 04, 2010 6:00 AM | Feedback (1)

Anti-XSS begins its evolution. And other new toys.

Mark Curphey has obviously been whipping his team into a frenzy and a new version of CAT.NET, along with WPL and WACA have been announced. They’re all in CTP and available from Connect. WPL is the evolution of AntiXSS, which is turning into a nice basis for a web application firewall (ok, it’s a stupid marketing term I know, but with the Security Runtime Engine and the new extensibility features it will allow you to build something that sits between your app and the evil internet and protects you. That’s not an excuse for getting it right in the...

posted @ Friday, November 20, 2009 11:04 AM | Feedback (1)

Microsoft release seven Web Application Toolkits (and a security problem)

To accompany WebsiteSpark (do MS have an internal app called SparkSpark which creates these programmes?) seven Web Application Toolkits have been released. Dinis Cruz asked on twitter if anyone had some spare time to look at them from a security perspective. I was bored, and needed a break from editing the book (that’s right folks it’s nearly done), so I thought I’d download one. I chose the FAQ toolkit (because I need to do something with the securingasp.net domain at some point). Fired up Visual Studio, took a quick look at the code. Nice surprises ...

posted @ Saturday, September 26, 2009 11:09 AM | Feedback (0)

AntiXSS gets HTML Sanitation

Version 3.1 of the Microsoft AntiXSS library (binary download) was released on the 15th September and now comes with HTML sanitation. Not content with dropping a new release of the library Anil’s wife also dropped a release of her own and he’s now on paternity leave, which means the new functionality is undocumented for now. A quick look in the help file shows two new methods, GetSafeHtml and GetSafeHtmlFragment. Both methods have the same three overloads:
GetSafeHtml(string) – which takes a string containing the HTML to be made safe
GetSafeHtml(TextReader, Stream)...

posted @ Sunday, September 20, 2009 9:54 AM | Feedback (0)

Quick thoughts on the Microsoft AJAX CDN

Scott “Red Shirt” Guthrie announced today that the jQuery and the Microsoft AJAX scripts would be hosted on the Microsoft content delivery network (CDN) – which should speed up the initial loading of these script libraries and save you bandwidth, as you won’t have to host them any more. Being an untrusting soul, errr, security person, I thought I’d take a quick look at how it’s delivered. The scripts are hosted on http://ajax.microsoft.com/ which presents the first problem – it’s a microsoft.com domain. When you do any serious browsing to the normal microsoft.com sites you’re going to get a...

posted @ Wednesday, September 16, 2009 10:18 AM | Feedback (5)

Dublin bound – Epicenter Conference

At the end of the month I’ll be in Dublin delivering “Stop your website being stung” – a guide to the OWASP Top Ten project and how you can secure your ASP.NET site against them at epicenter. There are a few other MVPs speaking as well including Craig Murphy, the Black Marble boys Richard Fennell and Robert Hogg and that damned Jon “I’m going to answer everything on StackOverflow” Skeet. Two DDD Belfast speakers are reprising their topics, Alex Mackay is giving his standing room only session on VS2010 and Andrea Magnorsky is covering the Monorail MVC package. Tickets are...

posted @ Saturday, August 15, 2009 12:05 PM | Feedback (0)

No more excuses – encrypt your web.config

Yes, I know, it’s painful. You have to run a cryptic command line tool from the .NET framework directory. You have to mess around with RSA keys and export them if you’re load balancing, or want to encrypt on one machine and use it on another. Or you could use a handy tool from Hugo Bonacci. I know, he has a goatee, so he may in fact be evil, but you pays your money and you takes your choice. Point the tool at your server, choose the section you want to encrypt and press, well, press encrypt. There’s even...

posted @ Thursday, July 16, 2009 7:12 PM | Feedback (3)

AntiXSS has gone RTM

AntiXSS, the open source encoding library from the Microsoft Security Tools folks has gone live, and the binaries are available from the MS download centre. I’ve been recommending this for quite a while over the framework’s HttpEncode and UrlEncode simply because it offers more options (JavaScript, VBScript Xml Encoding) and has a visible test suite – plus if something does go wrong it’ll be easier to patch it quickly, rather than wait for a patched version of the .NET framework. There’s also a runtime module which will try to encode on the fly in case you forget to … ...

posted @ Wednesday, July 15, 2009 11:59 AM | Feedback (0)

Vista Squad: OWASP Top 10 Security Vulnerabilities Video

I gave my OWASP presentation to Vista Squad last Wednesday, where Ian Smith kindly (?) videoed it. The other speaker for that evening dropped out, meaning the poor attendees had just me to listen to as I stretched it out to about 100 minutes. The length meant that the video is in two halves. Part 1 from Vista Squad on Vimeo. Part 2 from Vista Squad on Vimeo. The presentation is the same one I gave at WebDD so the slides and code are the same. The feedback on twitter was amusing; ...

posted @ Saturday, June 20, 2009 9:02 AM | Feedback (5)

Don’t Get Stung – An introduction to the OWASP Top Ten

After DDD Belfast came WebDD09 where I was presenting on the OWASP Top Ten Project (well I could hardly present at DDD Belfast, I was organising, that seems just a little too egotistical *grin*). You can download the PowerPoint [905kb] and the sample code [432k]. For the person who asked you can download Fritz Onion’s ViewState Decoder. For further reading on XSS Russ McRee republishes his Anatomy of an XSS attack article from the ISSA journal and NG Software have two PDFs, Advanced SQL Injection and More Advanced SQL Injection. With the added bonus of discovering coffee beans...

posted @ Saturday, April 18, 2009 6:45 PM | Feedback (4)

I’m presenting at WebDD

The UK .NET Community’s favourite redheaded step child Phil Winstanley just emailed me to say I’ve been picked to talk at WebDD. I’ll be presenting “P0wn3d! (Or how to redirect your friend's website to katyperry.com)”. This takes the outings of my OWASP Top Ten Web Vulnerabilities talk to 5 outings over the next couple of months:
WebDD09 18 April 2009
DDD Scotland 2 May 2009
VBug London 26 May 2009
DevEvening Woking 4 June 2009
Vista Squad London 17 June...

posted @ Thursday, March 26, 2009 8:03 AM | Feedback (0)

The book cover, second draft

I was emailed the second draft of the book cover today, which makes it scarily real. But not half as scary as what Oliver did with it. Ah the MVP community – we’re a tight bunch of nits … Technorati Tags: Wrox,Book Cover,Books,ASP.NET,Security,MVP

posted @ Tuesday, March 10, 2009 6:47 PM | Feedback (4)

When is a postback not a postback?

As part of the book I've been developing some sample code for each chapter; and for chapter 4 the code has taken far more time than the chapter itself. That chapter deals with query strings and forms and covers Cross Site Request Forgery (CSRF). CSRF is an exploit where a form request comes from another site and your site proceeds to act upon it because a user is already authenticated. I’ve covered this in more detail previously and released AntiCSRF to codeplex to help you protect against it. One of the things Alex and I discovered whilst going...

posted @ Monday, January 26, 2009 10:29 AM | Feedback (7)

Announcing AntiCSRF for ASP.NET

As part of the book currently under way I cover Cross Site Request Forgery, a rather fun exploit that numerous web sites have been vulnerable to. In September of this year researchers from Princeton announced the discovery of four major web sites which were susceptible, which included ING Direct, a vulnerability which would allow an attacker to transfer money between accounts. CSRF works via persistent authentication. When you logon to a web site an authentication cookie is left on your machine (or if you're using HTTP Authentication your browser remembers and sends the username and password with each request). An...

posted @ Sunday, December 14, 2008 1:47 AM | Feedback (15)

A new version of AntiXSS

For the last couple of weeks I've been playing with the new version of Microsoft's AntiXSS package. AntiXSS provides more encoding methods and better implementations of the base HtmlEncode and UrlEncode that comes with the framework. However there's something new this time around - the Security Runtime Engine. This is an HTTP module which will automatically provide encoding for your legacy apps and act as a second line of defence if you forget to encode your outputs. It was released on codeplex last night; you can get v3 beta, installers and source from http://www.codeplex.com/AntiXSS - it's well worth looking at, they've even...

posted @ Wednesday, December 10, 2008 11:39 AM | Feedback (0)

Look ma! I'm an author.

Well; in a few months anyway. A month or so ago I saw a tweet flit past asking for someone who has ASP.NET security knowledge; someone pointed the user my way. I assumed it was someone just asking for advice, so I sent off something along the lines of "What do you need to know?". It turns out the recipient was part of Wrox Press and he was after knowledge, in the shape of a book. So after some pondering and pointing out I thought it had been done to death we both came up with, what...

posted @ Tuesday, September 16, 2008 6:33 PM | Feedback (9)

Silverlight; and coffee

Two hours in Starbucks with coffee and Mike Ormond? How could you pass that up? Microsoft is piloting a more local and informal technical event, called “Microsoft CoffeeTalks” at select Starbucks coffeehouses. Our team is excited about visiting these locations and meeting with the technical community, and we will use your feedback to determine if these events should be rolled out more broadly. So on Thursday 13th December at 17:00 in the Oxford Starbucks on the High Street Mike is coming to talk about Silverlight, what it is, where you might use it etc. If you fancy discovering and...

posted @ Thursday, December 06, 2007 12:56 PM | Feedback (2)

XSS Detect

The ACE Team at MS have thrown out a beta of XSSDetect, a static analysis tool plugin for VS2005 to, err, detect XSS vulnerabilities in your code. Interesting stuff; it’s a shame it doesn’t detect as you code or add errors into your compile time; which would better enforce good practice just as FXCop does; indeed the tool is part of a bigger internal suite; XSSDetect is a stripped down version of our enterprise ready Code Analysis Tool for .NET code bases (CAT.NET for short). CAT.NET adds such features as VSTF integration, centralized reporting using web services, customized rulesets...

posted @ Thursday, October 25, 2007 9:23 AM | Feedback (0)

Book Review : The ASP.NET 2.0 Anthology

Be honest, those banks of Wrox Press books you have how often do you look at them? There’s a problem with most technical books, the nuggets of information you need right now are in the middle of some chapter somewhere and the words you’re looking for aren’t in the index. A while back Phil, Jon, Jeff et al blogged about writing a book and in Phil’s great book giveaway I snagged a copy (I’m not feeling that guilty about shipping; I did send him some "cute" baby stuff when Phil 2.0 arrived). When the parcel arrived I pulled it...

posted @ Tuesday, October 23, 2007 7:34 PM | Feedback (1)

DDD6; "Web Services; we don't need no stinking web server"

I received the email last night; I’m speaking at DDD again, this time on WCF in a presentation entitled Web Services; we don’t need no stinking web server Remoting is dead. Long live WCF. This session aims to cover the creation of web services with WCF, inside and outside of IIS, including one way and two way services, as well as contracts, faults, authentication, authorisation and security. I think I’ll try to sneak something CardSpace related in there *grin* As an added bonus I’m also sitting on the recruitment round table discussion sharing my personal thoughts on where candidates...

posted @ Tuesday, October 23, 2007 7:25 AM | Feedback (1)

More presentations "An introduction to Information Card"

If you missed DDD altogether or couldn't decide between my own and the other presentations on during that slot (and decided wrongly ;)) I'll be giving the presentation at the following events;

What: VBUG Technical Seminar
When: Thursday, July 26, 2007 7:00 PM to 9:00 PM
Where: New Horizons, 8th Floor, 207 Old Street, London, EC1V 9NR, England

What: nxtgenug "It came from outer CardSpace"
When: Monday, September 17, 2007 7:00 PM to 9:00 PM
Where: Coventry Flying Club, Rowley Road, Coventry, CV3 4FR, England

As you can see Richard Costall's naming strategy has been used for the nxtgen event. If you're not a member of either of these fine groups then I highly...

posted @ Monday, July 02, 2007 7:16 AM | Feedback (4)

asp.net validators for ajax, finally, sort of, maybe.

During the betas of Atlas Microsoft provided an update for the asp.net validators which allowed them to work in update panels; at release time these vanished, much to the consternation of most people. ScottGu ("All hail ScottGu") promised a patch to ASP.NET would be forthcoming, and in the meantime Microsoft published source for sample validators. 6 months later, and still no sign of the patch on WindowsUpdate, but it has appeared as a hotfix on Microsoft Connect (not that the Knowledge Base article linked to on the download page, or the extra KB article linked to in the readme inside the...

posted @ Wednesday, June 27, 2007 9:21 AM | Feedback (5)

IMTC: "Hacking websites for fun and profit"

I say "umm" a lot. The sessions at the Irish Microsoft Technology Conference were recorded. You can see mine on askasqlguru.com (stop laughing Tony, I know I'm not a SQL guru, Niall Flanagan is and asked Chuck Boyce to host them). Maybe it's the whole listening to your own voice thing, but I've never seen myself present and I'm cringing. A lot. I can only apologise to those who attended and didn't enjoy it or take anything useful away. Technorati tags: IMTC

posted @ Tuesday, June 26, 2007 1:50 PM | Feedback (7)

Irish Microsoft Technology Conference

A while back the call went out for .NET speakers who would come to Ireland; and now the Irish Microsoft Technology Conference has finally been announced by Claire Dillon. Yes, I am speaking, giving my "Hacking Web Sites for Fun & Profit" talk (which doesn't appear to be as trendy as all the other topics, but Dominick Baier beat me to a CardSpace presentation!). I'm not sure this counts as an international engagement for me as I was born north of the border, but it does give me a birthday cake, as my birthday is the day after and...

posted @ Friday, May 18, 2007 10:30 PM | Feedback (2)

Scottish Developers Security Day

Last Thursday saw Chris Seary and myself presenting at the Microsoft offices in sunny (yes, really) Edinburgh for the Scottish Developers Group. Thanks must go to Craig and John for organising. I presented an updated (trendy white on black) "Hacking Websites for Fun & Profit", "Securing ASP.NET Websites and Applications" and "An Introduction to Windows CardSpace". An audience member (sorry, I didn't catch your name) asked me to put together some resource links on SQL Injection, XSS and so on. Probably the best breakdown of SQL Injection is Chris Anley's PDF, "Advanced SQL Injection In SQL Server Applications". The XSS FAQ is...

posted @ Monday, April 16, 2007 7:09 PM | Feedback (0)

<asp:label>, the schizophrenic control

Phil picks up ScottW's Quick Tips for ASP.NET and beats him around over his comment to never use the <asp:label> control, but misses the weirdest thing about <asp:label>, it has two faces; due to backwards compatibility for ASP.NET 1.0 and 1.1. In previous versions of ASP.NET the label control was used to dump text into your page, surrounded by a <span> tag. In 2.0 it finally became equivalent to the <label>, but that's hidden away. If you look at the MSDN documentation the control is described thus: "Represents a label control, which displays text on a Web page." which isn't what...

posted @ Thursday, February 15, 2007 10:47 PM | Feedback (5)

Scottish Developers Security Conference.

After the last Developer Day John from the Scottish Developers Group approached myself and my colleague Chris Seary about taking our knowledge (and my unorthodox presenting style) north of the border. It took a little organisation but it's finalised. On the 12th April, at the Microsoft Offices in Edinburgh we will be presenting the "Web Security Conference Day for Windows Developers". Attendees get a full Barry morning experience, with the now infamous "Hacking Websites for fun and profit" session at 9:00 (what a way to start the day); and "Securing ASP.NET Communications and Applications" at 11:00. The afternoon sees Chris presenting "Code Access...

posted @ Thursday, February 15, 2007 5:26 PM | Feedback (1)

An Introduction to CardSpace

So I presented "An Introduction to CardSpace" earlier today at WebDD, with poor Pat acting as a foil in my attempts to get the audience to laugh. The more I attempted to draw the presentation materials together the more I am coming to view CardSpace as unfinished. Aside from crashing when I cancel sending an information card the CardSpace paradigm leaves open questions. The main sticking point for me is around managed cards. It's all very well saying that trusted parties will issue managed Information Cards, but how do you measure the trust you should apply to those cards? Passport failed...

posted @ Saturday, February 03, 2007 9:33 PM | Feedback (3)

nxtgenug: Dinis Cruz "Advanced Security Training For ASP.NET Developers"

The nxtgenug crew have grabbed Dinis Cruz again for a couple of two day training courses, March in Leamington Spa and April in London. Having sat on the panel with Dinis during the Ed Gibson road shows and having seen him at various DeveloperDays I can't recommend him enough (even if Dave thought we were both about to punch each other during the panel discussion <g>). He's insanely passionate about security and scarily knowledgeable. The course aims to cover such topics as Security Principles, .NET Framework Architecture, Threat Modeling, Discovering Vulnerabilities, Penetration Testing Techniques and Secure Coding Techniques. If he...

posted @ Saturday, January 13, 2007 10:11 PM | Feedback (0)

Making URIs safe

One of the things I try to hammer home in my presentation is you should never emit user input without making it safe. The HttpUtility class provides developers with two main methods for this, HtmlEncode and UrlEncode. HtmlEncode will take a string and escape it so that it is safely displayable on screen, removing the risk of Cross Site Scripting attacks. UrlEncode takes a string and escapes it to a format suitable for use in a URL and is usually used to encode query values, escaping such characters as = and & into their encoded values; but what happens...

posted @ Sunday, January 07, 2007 4:26 PM | Feedback (7)

WebDD

Not content with having DeveloperDay twice a year at no cost there's now a new UK event, WebDD. Like DDD it's free, held on a Saturday at Microsoft, the 3rd of February to be precise. This free conference features some rather stunning speakers including ASP.NET's very own Scott Guthrie, Dave Verwer of the Ruby world and two guys from Telerik, Hristo Deshev and Zhivko Dimitrov. Oh, and me. Again. (Yes, my name isn't spelt right on the speaker list yet, but frankly the idea of meeting Scott Guthrie overshadows that by a long shot! [edit] five minutes and it's fixed, heh.) The...

posted @ Thursday, January 04, 2007 11:16 PM | Feedback (1)

Changing the culture of your ASP.NET website

So I'm now hosting on a US server which is, of course, configured for US date formats, number formats etc. Whilst subtext has the option to set a culture it, err, doesn't work. Of course being open source (BSD licensed, so you can do what you want with it) the code is available, but there is a lazy way whilst you wait for 2.0 to arrive. Open up your web.config file and look for the system.web section. Near the top you should see

    <globalization culture="en-US" requestEncoding="utf-8" responseEncoding="utf-8" />

Simply change the culture to the one you desire (en-GB in my...

posted @ Monday, January 01, 2007 8:22 PM | Feedback (0)

DDD#4 : Securing ASP.NET Applications and Communications

A slightly more relaxed Developer Day yesterday, with calming blue speaker polo shirts. This time I covered "Securing ASP.NET Applications and Communications" which attempted to give an overview of ASP.NET's security model, guide the choices made when choosing authentication and authorisation strategies, a brief look at how to secure communications between tiers and some how tos supporting the options I had covered previously. The slides and notes are available. I ended up with a full session, with a couple of people sitting on the floor at the sides of the room, always quite intimidating and ego boosting at the same time....

posted @ Sunday, December 17, 2006 5:19 PM | Feedback (1)

An HttpModule for Scott Hanselman's P3P requests.

Scott Hanselman wrote today about P3P and adding headers, which got me thinking. For this site (however dead it is) I can control the actual server, so adding the P3P headers was easy. However I have a community site bubbling under and if it takes off it will need to be moved somewhere professional and not my attic. With professional hosting comes the lack of control and the need to have a better way of adding headers, and Scott made a throw away comment that sparked a day of fun; If you don't have access to your IIS instance or...

posted @ Tuesday, August 01, 2006 11:23 PM | Feedback (8)

DDD3 : Building your own ASP.NET controls

It's been a busy weekend, what with sunburn and Developer Day #3. Resplendent in a fetching maroon / wine speakers shirt (which matched my sunburnt face for colour, no photos yet, I had thought Simon, as ever, did snap one, but it turns out he left his camera in the car) I attempted to rattle through the basics of developing asp.net server controls. Rather than being slide based the presentation was code based and it's not until you sit in front of 60 or so people, standing room only, that you realise how fat your fingers are and how...

posted @ Sunday, June 04, 2006 9:01 PM | Feedback (2)

Developer Day, June 2006

The next Developer Day agenda is up and sign ups are open. Once more I get to bounce around in front of an audience on Saturday the 3rd June. This time around I'll be talking about building ASP.Net Controls. I hope to demonstrate how easy it is to build server controls, littered with examples. (And for those of you who tell me I should start writing here again I am still struggling to find a suitable voice. I know it's been over 6 months, but what can I say, it's a struggle, but I do appreciate the emails and concern. Thank...

posted @ Tuesday, May 02, 2006 9:27 PM | Feedback (2)

MSDN, ASP.Net 2.0, XHTML and application/xhtml+xml

MSDN just published an article on "Building ASP.NET 2.0 Web Sites Using Web Standards" by Stephen Walther from superexpert.com. Whilst overall it's useful, it's not perfect, I want to take issue with 3 points it makes.

Validating XHTML Pages
The section on validating XHTML pages offers up the W3C validation service as an alternative to the internal VS 2005 validator. This is a great recommendation, but should not be considered an alternative, but a "must do". The internal VS 2005 validator looks at the xhtml as you type. It does not, and cannot check...

posted @ Friday, September 02, 2005 10:48 AM | Feedback (5)

Hacking Web Sites for Fun and Profit : 14 September, Anglia Polytechnic University

If you missed the presentation I gave on "Hacking Web Sites for Fun and Profit" at the first Developer! Developer! Developer! day, I'm presenting it again on the 14 September at Anglia Polytechnic University through vbug. vbug started as a VB organisation; I'm a member despite using C#. They arrange technical talks all around the country which are normally free for members, as well as lots of other benefits including discounted Microsoft Software, MSDN magazine subscriptions and, ummm, people like me I guess.

posted @ Wednesday, August 31, 2005 4:26 PM | Feedback (0)

Changes from asp.net beta 2 to RTM

Brian Goldfarb links to the list of major changes between beta 2 and RTM. Finally we have directory names put back into namespaces, so two default.aspx files no longer clash. It's a shame they've felt it necessary to default back to XHTML 1.0 Transitional though. What isn't clear (and of course you can't test yet) is what happens with DTDs. If you have an XHTML 1.1 DTD on your page does the <xhtmlConformance mode="transitional" /> setting in web.config ignore this and cause asp.net to spit out transitional code? I wonder if we'll see more thought in Visual Studio around using Sql Server...

posted @ Saturday, August 27, 2005 12:44 PM | Feedback (0)

Making asp.net 2.0 play nice with the W3C validator

Now that asp.net 2.0 has very nice support for xhtml, those of us who care (or are anal about, you choose) about having pages validate were looking pretty smug. However, there's a problem that was there in beta 1 and is still there in beta 2: the w3c validator is treated as a down level browser and is served invalid xhtml. As asp.net 2.0 doesn't know about the w3c validator user agent it gets things wrong: viewstate isn't wrapped in a div, a name attribute is added to the form tag, control validators render font tags, and other little niggles. The...

posted @ Monday, August 01, 2005 2:24 PM | Feedback (38)

asp.net 2 problem 2 of 4; adding a membership database with sql 2005 installed.

Next up (typical, you wait for one new blog post to arrive, then four come at once): adding a sql server membership database. One of the problems with the asp.net configuration tool for the baby web server Visual Studio 2005 supplies is that it doesn't recognise that you have SQL Server installed. It appears to want to create new SQL Express databases. So in order to use SQL Server for membership, roles and all the other goodness asp.net provides you need to do the following; Install the membership databases into SQL by running aspnet_regsql.exe Add the connection...

posted @ Friday, July 29, 2005 7:10 PM | Feedback (0)

asp.net 2 problem 4 of 4; xhtml rendering gets iffy on downlevel browsers.

And finally; xhtml support is wonderful (except when the login box starts using tables; tables? How 90s). Then you go to the w3c validator and plug the address of your site in, and validation fails. So you check the error messages against the source for your site and the errors it describes aren't there. It turns out that page rendering is dependent on the browser capabilities. Not good; if I set a DTD I expect it to be honoured. If you must fiddle with the HTML for down level browsers then change the DTD to match. Go comment on this...

posted @ Tuesday, July 26, 2005 9:06 PM | Feedback (0)

asp.net 2 problem 3 of 4; setting up a mail provider fails.

The web admin pages don't work when setting up an email provider; instead you get a compilation error:

    Compiler Error Message: CS0246: The type or namespace name 'MailSettingsSection' could not be found (are you missing a using directive or an assembly reference?)

You have a choice of fixes. Either set your mail settings manually in web.config:

    <configuration>
      <system.net>
        <mailSettings>
          <smtp>
            <network host="mailServerFQDN" password="" userName="" from="fromAddress" />
          </smtp>
        </mailSettings>
      </system.net>
    </configuration>

or fix the broken code: Open the SMTPSettings.aspx file in the 'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50215\ASP.NETWebAdminFiles\AppConfig' folder. Your path might be slightly different, but that should be enough to help you find it. Change the 2 instances of this line MailSettingsSection netSmtpMailSection = (MailSettingsSection)...

posted @ Tuesday, July 26, 2005 8:45 PM | Feedback (1)

asp.net 2 problem 1 of 4; adding a master page causes "Object Reference Not Set To An Instance"

You have to love beta environments, especially those where no help text was installed. I'm starting to play with asp.net 2.0; I even have a pet project to work on as a goal (don't expect it any time soon). First up on the learning list was master pages. Except they didn't work: every time I tried to add a master page to my project Visual Studio died with "Object Reference Not Set To An Instance". You have to love that error message, it should really read "Oi! Lazy programmer! You didn't check for null". Lots of searches later, including...

posted @ Tuesday, July 26, 2005 7:54 PM | Feedback (0)

Hacking web sites for fun and profit

So DeveloperDeveloperDeveloper is done and dusted. It was the first time I've given a presentation on how to hack web sites; I now await the results of the speaker score sheets. As if presenting wasn't stressful enough <g>. Unfortunately I didn't have as much time for questions and answers as I would have wished, but the wireless mic was rather fun. For those that are interested and can't wait till my presentation appears on the conference web site (Craig is stuck in a hotel with just a modem connection) I've uploaded the powerpoint deck and sample code. Remember don't try this...

posted @ Monday, May 16, 2005 10:23 AM | Feedback (112)

Nested Repeaters made easy with DataSet relationships

This week I gave a quick one hour overview of ADO.Net to the developers I am currently mentoring. When I covered relationships within datasets, basically a primary / foreign key constraint, I was asked where that would be useful. Aside from enforcing data integrity on inserts and deletes, you can use relationships to make nesting asp.net repeaters easy. If you look at my spam pages you can see there is an obvious data hierarchy: each month has a collection of days which show a daily spam count. Rather than send a request to the SQL server to give me...

posted @ Saturday, October 30, 2004 10:09 PM | Feedback (5)

Why do HTTP Modules and Handlers go down the asp.net chain?

HTTP modules are great. I finally implemented the blogger api as one, using the excellent XML-RPC library from Cook Computing. The problem comes when you create applications under your root application. This is a common enough scenario and necessary sometimes (for example nGallery needs to be in its own application because it uses its own authentication modules). The problem arises when you add HTTP modules and handlers to your root application: suddenly you discover that your new application needs them too. But wait, there appears to be a solution, the <remove> functionality, or even <clear>. You would think that...

posted @ Monday, October 18, 2004 9:33 PM | Feedback (0)

logging referring urls SQL updated

The SQL source on logging page referrals has been updated to create a last updated column, a trigger to keep it updated, and a click count column. Thanks to Scott Mackey from www.scomak.com for pointing out that I had missed those in the table creation sql while the stored procedures were attempting to use them.

posted @ Saturday, June 12, 2004 3:00 PM | Feedback (0)