Tag Archives: asp.net

Microsoft updates the .NET stack with .NET Core 2.0 and updated Visual Studio. Should you use it?

Microsoft has released .NET Core 2.0, a major update to its open source, cross-platform version of the .NET runtime and C# language.

New features include implementation of .NET Standard 2.0 (a way of targeting code to run under multiple .NET platforms), new platform support including Debian Stretch, macOS High Sierra and Suse Linux Enterprise Server 12 SP2. There is preview support for both Linux and Windows on ARM32.

.NET Core 2.0 now supports Visual Basic as well as C# and F#. The version of C# has been bumped to 7.1, including async Main method support, inferred tuple names and default expressions.

Microsoft has also released Visual Studio 2017 15.3, which is required if you want to use .NET Core 2.0. New Visual Studio features include Azure Stack support, C# 7.1 support, .NET Framework 4.7 support, and other new features and fixes.

I updated Visual Studio and downloaded the new .NET Core 2.0 SDK and was soon up and running.


Note the statement about “This product collects usage data” of which more below.


The sample ASP.NET MVC application worked first time.


How is .NET Core doing? The whole .NET picture is desperately confusing and I get the impression that most .NET developers, while they may have paid some attention to what is happening, have concluded that the safe path is to continue with the Windows-only .NET Framework.

At the same time, .NET Core is strategically important to Microsoft. Cross-platform support means that C# has a life on the Mac and on Linux, which is vital to its health considering the popularity of the Mac amongst developers, and of Linux as a deployment platform for web applications. Visual Studio for Mac has also been updated and supports .NET Core 2.0 in the new version.

Another key piece is the container trend. .NET Core is ideal for container deployment, and the only version of .NET supported in Windows Nano Server. If you want to embrace microservices running in containers, while still developing with C#, .NET Core and Nano Server is the optimum solution.

Why not use .NET Core, especially since it is faster than ASP.NET? In these comparisons, .NET Core comes out as substantially faster than .NET Framework for various algorithms – 600 times faster in one case.

The main issue is compatibility. .NET Core is a subset of the .NET Framework, and being a relative newcomer, it lacks the same level of third-party support.

Another factor is that there is no support for desktop applications, though some solutions have been devised. Microsoft does have a cross-platform GUI story, in Xamarin Forms, which is now in preview for macOS alongside iOS, Android, Windows and Tizen. If Xamarin used .NET Core that would be a great solution, but it does not (though it does support .NET Standard 2.0).

One of the pieces that most concerns developers is data access. If you use .NET Core you are strongly guided towards Entity Framework Core, a fork of Microsoft’s ORM (Object-Relational Mapping) framework. Someone asked on this page, is EF Core usable? Here’s an answer from one user (11 days ago):

Answering 4 months later but people should know: Definitely not, it is still not usable unless you are doing something very trivial and/or have very small DB.
I don’t understand how it is possible for MS to ship it, act like it’s OK and sparsely here and there provide shallow information about its limitations like in this article without warning clearly and explicitly about the serious issues this “v1 product” has.

Someone may jump in and say no, it is fine; but there are undoubtedly missing pieces and I would suggest caution.

You can also access data using the Connection/Command/DataReader approach which avoids EF, and although this is more work, this is what I would be inclined to do personally since you get the best performance and flexibility. Here is an example for SQL Server.

Who is using .NET Core? Controversially, Microsoft gathers telemetry from your use of the command-line tools though you can opt out by setting an environment variable. This means we have some data on .NET Core usage, though unfortunately it excludes Visual Studio usage. I downloaded the most recent dataset and imported it into a database. Here are the figures for OS family:

Total rows 5,036,981
Windows 3,841,922 (76.27%)
Linux 887,750 (17.62%)
Mac 307,309 (6.1%)


Given that this excludes Visual Studio users, who are also on Windows, we can conclude that the great majority of .NET Core developers use Windows, and only a tiny minority Mac (I do not know if Visual Studio for Mac usage is included). This is evidence that .NET Core has so far failed in its goal of persuading Mac-using developers to adopt .NET. It does show interest in deploying .NET applications to Linux, which is an obvious win in licensing costs as well as performance.

I would be interested in comments from developers on whether or not they use .NET Core and why.

A note on Azure storage and downloading large files

I have written a simple ASP.NET MVC application for upload and download of files to/from Azure storage.

Getting large file upload to work was the first exercise, described here. That is working well; but what about download?

If your files in Azure storage are public, you can simply serve an URL to the file. If it is not public though, you have a couple of choices:

1. Download the file under application control, by writing to Response.OutputStream or using a FileResult action.

2. Issue a Shared Access Signature (SAS) to the client which enables it to retrieve the file directly from Azure storage. The SAS is sent as an URL argument which tells Azure storage that the request is authorised. The browser downloads the file directly, so it makes no difference to your web application if the file is large.

Note that if you use the first option, it will not work with large files if you simply call DownloadToStream or similar:

container.GetBlockBlobReference(FileName).DownloadToStream(Response.OutputStream);

Why not? Well, the way this code works is that it downloads the large file to the web server, then sends it to the browser. What if your large file is 5GB? The browser will wait a long time for the first byte to be served (giving the user an unresponsive page); but before that happens, the web application will probably throw an exception because it does not like downloading such a large file.

This means the SAS option is a good one, though note that you have to specify an expiry time which could cause problems for users on a slow connection.

Another option is to serve the file in chunks. Use CloudBlockBlob.DownloadRangeToStream to write to Response.OutputStream in a loop until the download is complete. Call Response.Flush() after each chunk to send the chunk to the browser immediately.

This gives the user a nice responsive download experience complete with a cancel option as provided by the browser, and does not crash the application on the server. It seems to me a reasonable approach if the web application is also hosted on Azure and therefore has a fast connection to Azure storage.

What about resuming a failed download? The SAS approach should work as Azure supports it. You could also support this in your app with some additional work since Resume means reading the Range header in a GET request. I have not tried doing this but you might find some clues here.
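As an added example (not code from the original post), here is an ASP.NET MVC action that streams a private blob in chunks with DownloadRangeToStream and Response.Flush() as described above, and also honours a single "bytes=start-end" Range header so a failed download can be resumed. It assumes the WindowsAzure.Storage client library, a connection string named AzureStorage in web.config and a container named uploads; those names are assumptions, and the action also assumes the caller has already checked that the user may read the blob.

```csharp
using System;
using System.IO;
using System.Web.Mvc;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Blob;

public class DownloadController : Controller
{
    private const int ChunkSize = 4 * 1024 * 1024; // 4 MB per DownloadRangeToStream call
    private const string ContainerName = "uploads"; // hypothetical container name
    private static readonly string ConnectionString = // hypothetical connection string name
        System.Configuration.ConfigurationManager.ConnectionStrings["AzureStorage"].ConnectionString;

    public ActionResult Stream(string fileName)
    {
        var account = CloudStorageAccount.Parse(ConnectionString);
        var container = account.CreateCloudBlobClient().GetContainerReference(ContainerName);
        var blob = container.GetBlockBlobReference(fileName);
        if (!blob.Exists()) return HttpNotFound();

        blob.FetchAttributes();                     // populates blob.Properties.Length
        long total = blob.Properties.Length;
        long start = 0, end = total - 1;

        // Optional resume support: honour a single "bytes=start-end" Range header.
        // Multiple ranges are not supported here, so a comma-separated header is ignored.
        string range = Request.Headers["Range"];
        if (!string.IsNullOrEmpty(range) && range.StartsWith("bytes=") && !range.Contains(","))
        {
            var parts = range.Substring("bytes=".Length).Split('-');
            if (parts.Length == 2 && long.TryParse(parts[0], out start)
                && (parts[1].Length == 0 || long.TryParse(parts[1], out end))
                && start <= end && start < total)
            {
                end = Math.Min(end, total - 1);
                Response.StatusCode = 206;          // Partial Content
                Response.AddHeader("Content-Range", string.Format("bytes {0}-{1}/{2}", start, end, total));
            }
            else
            {
                Response.AddHeader("Content-Range", "bytes */" + total);
                return new HttpStatusCodeResult(416); // Requested Range Not Satisfiable
            }
        }

        Response.BufferOutput = false;              // send each chunk as soon as it is written
        Response.ContentType = blob.Properties.ContentType ?? "application/octet-stream";
        Response.AddHeader("Accept-Ranges", "bytes");
        Response.AddHeader("Content-Length", (end - start + 1).ToString());
        Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(fileName).Replace("\"", "") + "\"");

        // Pull the blob from storage one chunk at a time and push it straight to the client,
        // so neither the whole file nor a large buffer ever sits in the web server's memory.
        long offset = start;
        while (offset <= end && Response.IsClientConnected)
        {
            long length = Math.Min(ChunkSize, end - offset + 1);
            blob.DownloadRangeToStream(Response.OutputStream, offset, length);
            Response.Flush();                       // the chunk reaches the browser immediately
            offset += length;
        }
        return new EmptyResult();
    }
}
```

The IsClientConnected check stops the loop when the user cancels in the browser, so the server does not keep pulling chunks from storage for a client that has gone away.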

Microsoft open sources further ASP.NET Frameworks, publishes code with Git

Microsoft has released two further ASP.NET frameworks as open source, joining ASP.NET MVC which was already open source. These are published on CodePlex, Microsoft’s open source repository site, using the newly added Git support. You can find the code here.

The two additional frameworks are ASP.NET Web API and ASP.NET Web Pages. Just to recap, ASP.NET supports several frameworks:

ASP.NET Web Forms: the original framework shipped with .NET 1.0 and greatly enhanced since then. Excellent for quickly assembling a dynamic web site but somewhat heavyweight with its ViewState field and complex page lifecycle. Designed in pre-Ajax days.

ASP.NET MVC: A more elegant framework with separation of content from code, amenable to test-driven development, based on controllers and routing.

ASP.NET Web Pages formerly known as Razor: An alternative view engine designed to work with ASP.NET MVC. Uses .cshtml or .vbhtml extension in place of .aspx. A declarative language with codewords like @foreach and @if – though Microsoft’s Scott Guthrie says it is not a language but rather a template markup syntax.

ASP.NET Web API: formerly known as WCF Web API is a framework for building REST services. A key framework if you have a cloud + mobile target in mind. Now gets installed with ASP.NET MVC.

So why is ASP.NET Web Forms not open source? According to Microsoft’s Scott Hanselman:

The components that are being open sourced at this time are all components that are shipped independently of the core .NET framework, which means no OS components take dependencies on them. Web Forms is a part of System.Web.dll which parts of the Windows Server platform take a dependency on. Because of this dependency this code can’t easily be replaced with newer versions except when updates to the .NET framework or the OS ships.

though it is not clear why this prevents the code being published.

Hanselman adds that Microsoft is not only publishing the code, but also taking contributions:

Today we continue to push forward and now ASP.NET MVC, Web API, Web Pages will take contributions from the community.

Why is Microsoft doing this? Within Microsoft, there have always seemed to be open source advocates like Hanselman, and others who pull back. One answer is that the open source folk are winning more arguments now.

Another take is that this is the outcome of industry-wide changes. Microsoft’s platform is less dominant than it was; it still reigns on the desktop, but Macs, tablets and smartphones are eroding its position on the client, and on the web Netcraft’s figures show steady decline since June 2010:


Most of the competition is open source and it is possible that this is a factor behind the latest moves. Microsoft is not open sourcing its IIS web server yet, though Hanselman does make the point that ASP.NET MVC runs well on Mono, the open source implementation of the .NET Framework, which is often used with Apache.

The mystery of unexpected expiring sessions in ASP.NET

This is one of those posts that will not interest you unless you have a similar problem. That said, it does illustrate one general truth, that in software problems are often not what they first appear to be, and solving them can be like one of those adventure games where you think your quest is for the magic gem, but when you find the magic gem you discover that you also need the enchanted ring, and so on.

Recently I have been troubleshooting a session problem on an ASP.NET application running on a shared host (IIS 7.0).

This particular application has a form with some lengthy text fields. Users complete the form and then hit save. The problem: sometimes they would take too long thinking, and when they hit save they would lose their work and be redirected to a login page. It is the kind of thing most of us have experienced once in a while on a discussion forum.

The solution seems easy though. Just increase the session timeout. However, this had already been done, but the sessions still seemed to time out too early. Failure one.

My next thought was to introduce a workaround, especially as this is a shared host where we cannot control exactly how the server is configured. I set up a simple AJAX script that ran in the background and called a page in the application from time to time, just to keep the session alive. I also had it write a log for each ping, in order to track the behaviour.

By the way, if you do this, make sure that you disable caching on the page you are pinging. Just pop this at the top of the .aspx page:

<%@ OutputCache Duration="1" Location="None" VaryByParam="None"%>

It turned out though that the session still died. One moment it was alive, next moment gone. Failure two.

This pretty much proved that session timeout as such was not the issue. I suspected that the application pool was being recycled – and after checking with the ISP, who checked the event log, this turned out to be the case. Check this post for why this might happen, as well as the discussion here. If the application pool is recycled, then your application restarts, wiping any session values. On a shared host, it might be someone else’s badly-behaved application that triggers this.

The solution then is to change the way the application stores session variables. ASP.NET has three session modes. The default is InProc, which is fast but not resilient, and for obvious reasons not suitable for apps which run on multiple servers. If you change this to StateServer, then session values are stored by the ASP.NET State Service instead. Note that this service is not running by default, but you can easily enable it, and our helpful ISP arranged this. The third option is to use SQLServer, which is suitable for web farms. Storing session state outside the application process means that it survives pool recycling.

Note the small print though. Once you move away from InProc, session variables are serialized, not just held in memory. This means that classes must have the System.Serializable attribute. Note also that objects might emerge from serialization and deserialization a little different from how they went in, if they hold state that is more complex than simple properties. The constructor is not called, for example. Further, some properties cannot sensibly be serialized. See this article for more information, and why you might need to do custom serialization for some classes.

After tweaking the application to work with the State Service though, the outcome was depressing. The session still died. Failure three.

Why might a session die when the pool recycles, even if you are not using InProc mode? The answer seems to be that the new pool generates a new machine key by default. The machine key is used to encrypt and decrypt the session values, so if the key changes, your existing session values are invalid.

The solution was to specify the machine key in web.config. See here for how to configure the machine key.

Everything worked. Success at last.

Microsoft’s Scott Guthrie moving to Windows Azure

According to an internal memo leaked to ZDNet’s Mary Jo Foley, Microsoft’s Scott Guthrie who is currently Corporate VP of the .NET Developer Platform is moving to lead the Azure Application Platform team. This means he will report to Ted Kummert who is in charge of the Business Platform Division, instead of S Somasegar who runs the Developer Division; however both divisions are part of the overall Server and Tools Division. Server and Tools is the division from which Bob Muglia was ousted as president in January; the reason for this is still not clear to me, though I would guess at some significant strategy disagreement with CEO Steve Ballmer.

Guthrie was co-inventor of ASP.NET and is one of the most approachable of senior Microsoft execs; he is popular and respected by developers and his blog is one of the first places I look for in-depth and hands-on explanations of new features in Microsoft’s developer platform, such as ASP.NET MVC and Entity Framework.

I have spent a lot of time researching and using Visual Studio 2010, and while not perfect it is among the most impressive developer products I know, from the detail of the editor and debug features right through to ALM (Application Lifecycle Management) aspects like Team Foundation Server, testing in various forms, and build management. Some of that quality is likely due to Guthrie’s influence. The successful evolution of ASP.NET from web forms towards the leaner and more flexible ASP.NET MVC is another achievement in which I am sure he played a significant role.

Is it wise to take Guthrie away from his first love and over to the Azure platform? Only Microsoft can answer that, and of course he will still be responsible for an ASP.NET platform. I’d guess that we will see further improvement in the Visual Studio tools for Azure as well.

Still, it is a bold move and one that underlines the importance of Azure to the company. In my own research I have gained increasing respect for Azure and I would expect Guthrie’s arrival there to be successful in winning attention from the Microsoft platform developer community.

Microsoft WebMatrix released: a simple editor for ASP.NET Razor and more, but who is the target user?

Microsoft has released WebMatrix, a free tool for creating web sites for Microsoft’s web server. It uses the Web Platform Installer and installed smoothly on my Windows 7 64-bit box. What you get is a cleanly-designed tool which lets you start web sites from templates or from standard installs of popular applications including WordPress, Drupal and Moodle.


Yes, you can use PHP and MySQL as well as .NET web applications, though the common factor is that all are configured for IIS, Microsoft’s web server.

With many ISPs already offering instant installs of apps like WordPress, it is more interesting to look at the site templates in WebMatrix, though the selection is smaller.


What is interesting about these is that they create sites based on Razor, an alternative view engine for ASP.NET. Microsoft VP Scott Guthrie describes Razor here. It is odd though: Razor is a feature of ASP.NET MVC 3, currently in release candidate phase, but you cannot create ASP.NET MVC sites in Web Matrix.

Once a site is created, you can modify it in the WebMatrix editor.


You can run the site on IIS Express with one click. WebMatrix will show you all the requests as you run, which could be handy for tracing problems. There is also a database management workspace which uses SQL Server Compact Edition, a reporting workspace which will analyse your site for problems, and the ability to publish a site using FTP or Microsoft’s Web Deploy.

I like the clean look of WebMatrix, and that it is lightweight and fast; but who is the target user? It appears to be aimed at non-professionals; but this is a techie product that will not appeal to users looking for an easy to use web site builder. There is no visual editor; users are just chucked in at the deep end editing raw HTML and C#. There is not even any intellisense code completion. Clicking Online Help just brings up a Microsoft search form. There is no debugger to speak of; you are expected to upgrade to Visual Studio. Which raises the question, why not just get Visual Web Developer 2010 Express, which is also free, and has a better editor and debugging features? Of course you could use the two together; but Web Matrix is not adding much value. Features like the SEO analysis seem to be based on the existing Search Engine Optimization Toolkit, which you can install without Web Matrix.

WebMatrix has been available in beta for six months, but its forum is relatively quiet.

Still, if nothing else Web Matrix is a handy way to take a look at Razor, which deserves attention. Shay Friedman has a technical introduction here.

Guthrie has a detailed look at the WebMatrix beta here.

ASP.NET Padding Oracle fix released, time to patch for Windows administrators

Scott Guthrie’s blog reports that a fix is now available for the Padding Oracle attack, which enables successful attackers to break the security of ASP.NET applications. There are a few points of interest.

First, there is not one patch but several, and which ones you need depend both on the version of Windows and the version of .NET. Multiple versions of .NET may be installed on a single server.

Second, the exploit is rated “important” in Microsoft security-speak, rather than “critical”. This is apparently because in itself the vulnerability merely discloses information. However, Microsoft is treating it with a high priority because the vulnerability is likely to reveal information that would let the attacker go on to more severe actions such as taking over a server. Confusing, but to my mind it is as critical as they come.

Third, Guthrie’s blog notes:

We’d like to thank Juliano Rizzo and Thai Duong, who discovered that their previous research worked against ASP.NET, for not releasing their POET tool publicly before our update was ready.

The implication is that the POET tool may be publicly available soon – so if you are responsible for an affected machine, get patching! In fact, in the webcast on the subject Microsoft stated that “The potential for exploit is very high during the next 30 days.”

Fourth, the update works by “additionally signing all data that is encrypted by ASP.NET.”

Update: Marc Brooks has investigated and it looks like there is a bit more to it than that.

Finally, the update will be included in Windows Update but not immediately. Your choice is whether to risk a hack in the period before the automatic update appears, or endure the hassle of the manual downloads. Microsoft advises to do it as soon as possible for servers on the public internet.

I am not sure what percentage of systems are likely to be patched soon, but I’d guess that plenty of vulnerable systems will remain online and that we have not heard the last of this bug.

Crisis for ASP.Net – how serious is the Padding Oracle attack?

Security vulnerabilities are reported constantly, but some have more impact than others. The one that came into prominence last weekend (though it had actually been revealed several months ago) strikes me as potentially high impact. Colourfully named the Padding Oracle attack, it was explained and demonstrated at the ekoparty security conference. In particular, the researchers showed how it can be used to compromise ASP.NET applications:

The most significant new discovery is a universal Padding Oracle affecting every ASP.NET web application. In short, you can decrypt cookies, view states, form authentication tickets, membership password, user data, and anything else encrypted using the framework’s API! … The impact of the attack depends on the applications installed on the server, from information disclosure to total system compromise.

This is alarming simply because of the huge number of ASP.NET applications out there. It is not only a popular framework for custom applications, but is also used by Microsoft for its own applications. If you have a SharePoint site, for example, or use Outlook Web Access, then you are running an ASP.NET application.

The report was taken seriously by Microsoft, keeping VP Scott Guthrie and his team up all night, eventually coming up with a security advisory and a workaround posted to his blog. It does not make comfortable reading, confirming that pretty much every ASP.NET installation is vulnerable. A further post confirms that SharePoint sites are affected.

It does not help that the precise way the attack works is hard to understand. It is a cryptographic attack that lets the attacker decrypt data encrypted by the server. One of the consequences, thanks to what looks like another weakness in ASP.NET, is that the attacker can then download any file on the web server, including web.config, a file which may contain security-critical data such as database connection strings with passwords, or even the credentials of a user in Active Directory. The researchers demonstrate in a YouTube video how to crack a site running the DotNetNuke content management application, gaining full administrative rights to the application and eventually a login to the server itself.

Guthrie acknowledges that the problem can only be fixed by patching ASP.NET itself. Microsoft is working on this; in the meantime his suggested workaround is to configure ASP.NET to return the same error page regardless of what the underlying error really is. The reason for this is that the vulnerability involves inspecting the error returned by ASP.NET when you submit a corrupt cookie or viewstate data.

The most conscientious ASP.NET administrators will have followed Guthrie’s recommendations, and will be hoping that they are sufficient; it is not completely clear to me whether it is. One of the things that makes me think “hmmm” is that a more sophisticated workaround, involving random time delays before an error is returned, is proposed for later versions of ASP.NET that support it. What does that suggest about the efficacy of the simpler workaround, which is a static error page?

The speed with which the ASP.NET team came up with the workaround is impressive; but it is a workaround and not a fix. It leaves me wondering what proportion of ASP.NET sites exposed to the public internet will have implemented the workaround or do so before attacks are widespread?

A characteristic of the attack is that the web server receives thousands of requests which trigger cryptographic errors. Rather than attempting to fix up ASP.NET and every instance of web.config on a server, a more robust approach might be to monitor the requests and block IP numbers that are triggering repeated errors of this kind.
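An added example, not from the original post, of the monitoring idea above: it reads IIS W3C log lines, counts error responses per client address within a sliding window, and reports addresses that cross a threshold, which is the list you would feed to a firewall or IP-restriction rule. The log lines, field layout, threshold and window are constructed for the example; the set of status codes to treat as errors is a parameter, because with the single-error-page workaround in place the failing requests may be logged as 302 redirects rather than 500s.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;

public static class ErrorBurstDetector
{
    // Constructed IIS W3C log sample (not real traffic). 198.51.100.9 produces a burst of
    // server errors within a few seconds; 203.0.113.7 is an ordinary visitor with one error.
    public const string SampleLog =
@"#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status sc-substatus time-taken
2010-09-20 10:00:01 10.0.0.5 GET /Default.aspx - 80 203.0.113.7 Mozilla/5.0 200 0 15
2010-09-20 10:00:02 10.0.0.5 GET /Default.aspx - 80 198.51.100.9 Mozilla/5.0 500 0 20
2010-09-20 10:00:02 10.0.0.5 GET /Default.aspx - 80 198.51.100.9 Mozilla/5.0 500 0 18
2010-09-20 10:00:03 10.0.0.5 GET /Default.aspx - 80 198.51.100.9 Mozilla/5.0 500 0 19
2010-09-20 10:00:03 10.0.0.5 GET /Login.aspx - 80 203.0.113.7 Mozilla/5.0 500 0 30
2010-09-20 10:00:04 10.0.0.5 GET /Default.aspx - 80 198.51.100.9 Mozilla/5.0 500 0 21
2010-09-20 10:00:05 10.0.0.5 GET /Default.aspx - 80 198.51.100.9 Mozilla/5.0 500 0 17
2010-09-20 10:01:30 10.0.0.5 GET /Default.aspx - 80 203.0.113.7 Mozilla/5.0 200 0 12";

    // Returns each client address that produced at least 'threshold' error responses inside
    // a sliding window of the given length, with the time at which the threshold was crossed.
    public static Dictionary<string, DateTime> FindErrorBursts(
        string log, int threshold, TimeSpan window, ISet<int> errorStatuses)
    {
        var flagged = new Dictionary<string, DateTime>();
        var recent = new Dictionary<string, Queue<DateTime>>();
        string[] fields = null;

        foreach (var raw in log.Split(new[] { "\r\n", "\n" }, StringSplitOptions.RemoveEmptyEntries))
        {
            var line = raw.Trim();
            if (line.StartsWith("#Fields:"))
            {
                // The field list tells us which column is which; IIS may change the order.
                fields = line.Substring("#Fields:".Length).Trim().Split(' ');
                continue;
            }
            if (line.StartsWith("#") || fields == null) continue;

            var cols = line.Split(' ');
            if (cols.Length != fields.Length) continue; // malformed line: skip rather than guess

            int status;
            if (!int.TryParse(cols[Array.IndexOf(fields, "sc-status")], out status)) continue;
            if (!errorStatuses.Contains(status)) continue;

            var ip = cols[Array.IndexOf(fields, "c-ip")];
            var when = DateTime.ParseExact(
                cols[Array.IndexOf(fields, "date")] + " " + cols[Array.IndexOf(fields, "time")],
                "yyyy-MM-dd HH:mm:ss", CultureInfo.InvariantCulture);

            Queue<DateTime> q;
            if (!recent.TryGetValue(ip, out q)) recent[ip] = q = new Queue<DateTime>();
            q.Enqueue(when);
            while (q.Count > 0 && when - q.Peek() > window) q.Dequeue(); // drop errors outside the window

            if (q.Count >= threshold && !flagged.ContainsKey(ip)) flagged[ip] = when;
        }
        return flagged;
    }

    public static void Main()
    {
        var bursts = FindErrorBursts(SampleLog, threshold: 5, window: TimeSpan.FromSeconds(30),
                                     errorStatuses: new HashSet<int> { 500 });
        foreach (var kv in bursts)
            Console.WriteLine("{0} crossed the error threshold at {1:u}", kv.Key, kv.Value);
    }
}
```

IIS writes W3C logs in UTC, so the window comparison needs no time-zone handling; tune the threshold against your own baseline, since a genuine bug can also produce a run of 500s from one user.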

More generally, what should you do if you run a security-critical web application and a flaw of this magnitude is reported? Applying recommended workarounds is one possibility, but frankly I wonder if they should simply be taken offline until more is known about how to protect against it.

One thing about which I have no idea is the extent to which hackers are already trying this attack against likely targets such as ecommerce and banking sites. Of course in principle virtually any site is an attractive target, because of the value of compromised web servers for serving spam and malware.

If you run Windows servers and have not yet investigated, I recommend that you follow the links, read the discussions on Scott Guthrie’s blog, and at least implement the suggested actions.

Where is phpinfo() for .NET?

I’m moving an ASP.NET project to a different ISP, and rather than grill the ISP about the setup I cast around for a .NET equivalent to phpinfo(), which generates a web page giving comprehensive information about the server configuration.

The closest I’ve found so far is this Codeplex project by Aarron K Jackson. I downloaded the source, compiled (I had to delete the private key included by the author) and ran it on the new server. It did in fact answer most of my questions. Information includes the Windows and .NET version, number of CPU cores, memory available and used, environmental variables, path to the web site, IIS version, trust level, and all the server variables; there is even a test email form.


According to Codeplex the project has fewer than 100 downloads so I thought it deserved a plug. One caveat: I suggest you password-protect it or delete after use, since the information could be valuable to hackers.