Monday, February 9, 2009

Where is the best place to store the connection string?

I think the best place to store the connection string is the Web.Config File if you are developing a Web Application or the App.Config File if you are developing a Windows Application.

You have another opinion? Leave a comment.

Thursday, February 5, 2009

Subtracting Two Float Digits in .NET

I have faced a very strange issue with the .NET which was subtracting 2 Float digits "1.5 - 1.1" the result should be 0.4 but it was 0.39999999999999991 . This happens because floating point numbers can not be precisely represented in binary, such as 1/4 the result will be 0.

To solve this issue all you have to do is using round function in Math class provided by .NET Framework. So if you do this Math.Round(1.5-1.1,1) the result would be as expected 0.4 .Be careful when dealing with float and decimal especially if you are working on financial application.

Source: https://www.nilebits.com/blog/2009/06/subtracting-two-float-digits-in-net/

Tuesday, February 3, 2009

How to Access controls on Master Pages from Content Pages in ASP .NET

We will assume that we have a Label control called "Label1" on your Master Page, you might want to change the text of that Label.
To do that write this code in your content page:
Label lbl = new Label();
lbl = (Label)Master.FindControl("Label1");
lbl.Text = "Text";
Of course, this is all assuming the label is OUTSIDE the ContentPlaceHolder

Source: https://www.nilebits.com/blog/2003/05/how-to-access-controls-on-master-pages-from-content-pages-in-asp-net/

Sunday, February 1, 2009

How to Secure Session State in ASP.NET

The information in session state is very secure, because it is stored exclusively on the server. However,the cookie with the session ID can easily become compromised. This means an eavesdropper could steal the cookie and assume the session on another computer.

Several workarounds address this problem. One common approach is to use a custom session module that checks for changes in the client’s IP address. However, the only truly secure approach is to restrict session cookies to portions of your website that use SSL.

That way, the session cookie is encrypted and useless on other computers. If you choose to use this approach, it also makes sense to mark the session cookie as a secure cookie so that it will be sent only over SSL connections.

That prevents the user from changing the URL from https:// to http://, which would send the cookie without SSL. Here’s the code you need:
Request.Cookies["MySessionId"].Secure = true;
Typically, you’ll use this code immediately after the user is authenticated. Make sure there is at least one piece of information in session state so the session isn’t abandoned (and then re-created later). Another related security risk exists with cookieless sessions. Even if the session ID is encrypted, a clever user could use a social engineering attack to trick a user into joining a specific session.

All the malicious user needs to do is feed the user a URL with a valid session ID. When the user clicks the link, he joins that session. Although the session ID is protected from this point onward, the attacker now knows what session ID is in use and can hijack the session at a later time.

Taking certain steps can reduce the likelihood of this attack. First, when using cookieless sessions, always set regenerateExpiredSessionId to true. This prevents the attacker from supplying a session ID that’s expired. Next, explicitly abandon the current session before logging in a new user.

Quoted.