
A full browser toolkit

April 30th, 2008

Filed under: ASP.NET, coding, links, programming, web — mike hall @ 1:35 am

How many browsers do you test with? I’ve got five… and all on the same computer at the same time. Of course, we have Firefox, Opera, and Safari. Those are usually the easy ones to get right. But wait, there are two more.

You can install the beta of IE8 right now, but doing that takes IE7 off your system, right? Not unless you have IE Tab installed. IE Tab is a Firefox add-on that loads the IE ActiveX control inside of a Firefox tab. But it doesn’t load the control from the IE8 that you just installed; it loads the IE7 control. Sure, you can emulate IE7 inside of IE8, but you need to restart the browser to enable and disable emulation. With the IE Tab trick, you can develop web apps and have all five browsers up at the same time.

Of course, I’m not saying that you shouldn’t test on the same browsers on other platforms. This is just a great place to start.

DevCares Event: Security & Office

March 19th, 2008

Filed under: ASP.NET, coding, events, programming, security, web — mike hall @ 2:05 pm

I attended the Microsoft DevCares event here in Indianapolis a few weeks ago. It might not be on par with MIX, but whatcha gonna do? Anyway, the event was broken up into two sessions: security and Office.

In the security portion of the event, we looked at some common web exploits, how they work and how to fix them in your code. We went over cross-site scripting, cross-site request forgeries, SQL injection, insecure direct object references, information leakage and improper error handling, and broken authentication and session management. The presenter demo’d each one with a fictitious product website and some exploit code. It was pretty interesting although I had seen most of the demos already when I attended the previous month’s MSDN event on IIS7 and ASP.NET 2.0 application services.

We then broke in the Office integration session. Mostly talk around VSTO, WWF, Ribbon development and ClickOnce deployment. Not too bad, but not my cup of tea.

Anyway, I couldn’t get the exploit code, but I have the PowerPoint slides for anyone that wants them:

Tip of the day: Automagic quotes

February 2nd, 2008

Filed under: ASP.NET, programming, tips — mike hall @ 2:51 am

When declaratively programming in ASP.NET (or even just plain ol’ HTML), always typing in those darn quotes can be pretty mind numbing. Luckily you can easily have the quotes automatically inserted for you like so:

…by just setting the “Insert attribute value quotes when typing” option:

Now since you don’t have to type in all those quotes, you’ll have more time to add in an extra update panel… or two… or three!

No ASP.NET debugging with Vista Home Premium

January 15th, 2008

Filed under: ASP.NET, Vista, coding, programming, security, web — mike hall @ 12:48 am

Recently I’ve been working on the membership provider that I talked about in my last ASP.NET post. I know it was mad secure already, but I figured a little extra beefing up probably wouldn’t hurt. So I create a user class derived from MembershipUser and override some more methods in my derived MembershipProvider class. I fire up the page, login and then bam!

Configuration Error

Ok, well how about we set some breakpoints and see what’s going on. I hit F5 and get a welcome dialog in return:

You want Windows auth? I’ll give you Windows auth. Back into Visual Studio. Open up web.config. Change it from Forms auth to Windows auth:

<authentication mode="Windows" />

Ok, let’s F5 again…

Ok, looks like I’ll need a little more help. I hit Google with the error and get a wide variety of help. After a few wild goose chases and clicking through IIS Manager a lot, I finally come across a page actually talking about this problem in Vista and IIS 7. It says to go to the “Turn Windows features on or off” dialog. I go. As directed, I click IIS -> WWW Services -> Security, and then check “Windows Authentication”:

Ok, seriously. What the heck? The IIS 7 help page for my exact error is telling me to check an option that isn’t there. Peachy. I go back to IIS Manager and go to the Authentication section for my site. I click on help and find the answer to my questions (but not my prayers):

What? What?!? So Windows Home Premium isn’t good enough to debug with? For something as “esoteric” as debugging you have to go all out and buy Windows Vista Ultimate? Please… Sure I can still debug by opening up my project as a file system solution rather than an HTTP solution and then debug with Cassini, but that’s just annoying and just shouldn’t be necessary. You shouldn’t need the end-all-be-all ultimate-of-ultimates version of Vista to debug. However, since there’s little choice, I may just be upgrading to Vista Ultimate after all:

At least this gives me a more compelling reason to upgrade than the “Vista Ultimate Extras”…

Creating a login mechanism with ASP.NET

January 9th, 2008

Filed under: ASP.NET, coding, programming, security, web — mike hall @ 11:11 pm

Creating a login page with ASP.NET is almost ridiculously easy. First create a page called “Login.aspx”. If you want to use a page named something other than “Login.aspx”, you can specify that in your web.config file:

<authentication mode="Forms">
  <forms loginUrl="member_login.aspx" />
</authentication>

After that, add an <asp:Login …/> control inside your page. The MSDN article on how to use the ASP.NET login control has more details (if you need them). After a successful login, the user will be redirected back to the page they were originally trying to access before being redirected to Login.aspx. If the user went straight to Login.aspx, they will be sent to your Default.aspx page. If you don’t have a Default.aspx page or simply want to send them somewhere else, add this attribute to your asp:Login tag:

DestinationPageUrl="~/YouLoggedIn.aspx"

Easy enough, huh? Well, how about the actual authentication? By default, ASP.NET will try to authenticate with the AspNetSqlMembershipProvider as specified in your machine.config file:

<membership>
  <providers>
    <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web,
               Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="LocalSqlServer"
               enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/"
               requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7"
               minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression="" />
  </providers>
</membership>

If you want to use your own database provider, just specify it in your project’s web.config:

<connectionStrings>
  <add name="GlamRock" connectionString="server=skidrow;database=motleycrue;uid=poison;pwd=warrant;"/>
</connectionStrings>
<membership defaultProvider="MySQLProvider">
  <providers>
    <add name="MySQLProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral,
               PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="GlamRock" enablePasswordRetrieval="false"
               enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false"
               passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7"
               minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression="" />
  </providers>
</membership>

Or if you want to make your own provider you can easily do that too. Again, in web.config you add:

<membership defaultProvider="Simple">
  <providers>
    <add name="Simple" type="SimpleMembershipProvider, App_Code"/>
  </providers>
</membership>

Then add a new class declaration for SimpleMembershipProvider under App_Code, override ValidateUser and put your super complex code in it:

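using System.Web.Security;

public class SimpleMembershipProvider : MembershipProvider
{
  public SimpleMembershipProvider()
  {
  }

  // Called by the Login control to check the submitted credentials.
  // Hard-coded demo check: accepts exactly one username/password pair.
  public override bool ValidateUser(string username, string password)
  {
    return (username == "mike" && password == "foo");
  }

  // ...the remaining abstract members of MembershipProvider go here.
}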

…and of course you need to define all the rest of the abstract functions from the MembershipProvider base class. If you want to read in a flat file with all the account info you can do that or maybe read in a file that’s been encrypted with .NET’s encryption mechanism and then decrypt it. It’s really up to you. Although, I’m awfully fond of my implementation up above…
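For the flat-file option mentioned above, here is an added example (not the author's code) of a credential check that a ValidateUser override could delegate to: it stores a salted PBKDF2 hash per user instead of the password and compares hashes in constant time. The FlatFileCredentials class, its username:iterations:salt:hash record format and the iteration count are assumptions made for this illustration, and the four-argument Rfc2898DeriveBytes constructor needs .NET Framework 4.7.2 or later.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
// Added example: hypothetical helper a ValidateUser override could delegate to.
public static class FlatFileCredentials
{
    const int SaltBytes = 16, HashBytes = 32, Iterations = 100000; // assumed parameters
    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }
    // Builds one record line: username:iterations:salt:hash (salt and hash in Base64).
    public static string CreateRecord(string username, string password)
    {
        if (username.Contains(":")) throw new ArgumentException("':' is the field separator");
        byte[] salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return string.Join(":", username, Iterations.ToString(),
            Convert.ToBase64String(salt), Convert.ToBase64String(Derive(password, salt, Iterations)));
    }

    // Touches every byte so timing does not reveal where the first mismatch is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static bool ValidateUser(string path, string username, string password)
    {
        if (username == null || password == null) return false;
        bool ok = false;
        foreach (string line in File.ReadAllLines(path))
        {
            string[] f = line.Split(':');
            int n;
            if (f.Length != 4 || f[0] != username || !int.TryParse(f[1], out n) || n < 1) continue;
            try
            {
                byte[] salt = Convert.FromBase64String(f[2]);
                if (salt.Length >= 8) // Rfc2898DeriveBytes rejects shorter salts
                    ok |= FixedTimeEquals(Derive(password, salt, n), Convert.FromBase64String(f[3]));
            }
            catch (FormatException) { } // malformed Base64: record never matches
        }
        return ok;
    }
}
```

A provider's ValidateUser(username, password) override would call FlatFileCredentials.ValidateUser with the path to the account file, and new accounts would be appended to that file as lines produced by CreateRecord.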


This work is licensed under a Creative Commons Attribution 3.0 United States License.


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.