Adam Tibi

Three C# 2.0/3.0 Syntaxes That You Didn't Know But Were Afraid to Ask

adam.nospam@nospam.adamtibi.net (Adam Tibi) — Tue, 30 Sep 2008 10:06:00 +0000

Working with other colleagues, I found these C# syntaxes are still not well-known and used, so I thought of blogging on them.

1 - Properties Without Members

In the old days, before C# 3.0, we used to write syntax like:

    public class Point {
        private int _x;
        private int _y;
        
        public int X {
            get {
                return _x;
            }
            set {
                _x = value;
            }
        }
        public int Y {
            get {
                return _y;
            }
            set {
                _y = value;
            }
        }
    }

But if you are not doing any special processing in your property, you can use a shorter syntax introduced in C# 3.0:

    public class Point {
        public int X {
            get;
            set;
        }
        public int Y {
            get;
            set;
        }
    }

2 - The '`??`'

While all of use, especially those coming from C/C++ background have used the ternary operator '?:', such as:

    Point point1 = null;
    // some code to initialise the point1...
    Point point2 = (point1 == null ? new Point() : point1);

However, C# 2.0 introduced this new syntax:

    Point point1 = null;
    // some code to initialise the point1...
    Point point2 = (point1 ?? new Point());

Which does exactly the same as the previous syntax.

3 - Initialising Properties when Creating an Object

    Point point = new Point();
    point.X = 1;
    point.Y = 1;

Or you can use the C# 3.0 syntax:

    Point point = new Point() { X = 1, Y = 1};

Probably if you are using LINQ then you have used this code several times.

UK Software Consultant Nightmare: The IT Recruiting Agents

adam.nospam@nospam.adamtibi.net (Adam Tibi) — Tue, 30 Sep 2008 09:03:00 +0000

Working as a .NET software consultant in UK, I spent ages with the IT recruiting agents on the phone and had suffered their tricks. So, in this post, I thought of educating my software consultant colleagues of the agents' sneaky tricks and dodgy tactics.

Recruiting agents, especially in the current credit crunch, are having less 'productive' work to do due to the reduced demands in the market, so they are spending more time wasting our "software consultants" time and resources rather than doing their actual role which is, obviously, recruiting!

Below are some of their tricks, tactics and some commonly used phrases on the phone:

1 - "I need two references from your current and ex employers"

This is the most famous phrase that you will hear and probably if you are a software consultant in UK then you know what I am talking about.

When: This happens after the agent does the sale pitch for a non-existing job. The job miraculously matches your skills, highly paid, in a location near you and the client is willing to train you for the skills that you don't have.

Claimed Reason: His client, which is mostly a blue chip or a company that he can't give its name at the moment, requires the references to validate your suitability.

Real Reason: As you have already left your current job, then there might be a vacancy in the company, so the agent will call the reference and offers him/her some candidates that match the used technology as you have already told the agent everything about the projects and used technology.

Implications: Your references will get TOO MANY cold calls which will put you in a bad position and in the worst case you will lose your references.

What Should I Do: You should only give a reference, if asked, after a successful interview with the company and to the employer, not the agent! So, you could apologise by saying that you cannot do it as your references are getting too much calls from recruiting agents. Don't go with the "I will give you two references but promise me that you won't contact them for marketing purposes" route.

Always remember that you are the sale, if he hires you then he gets the commission, otherwise he won't, so he needs you! If the agent insists on having the references, then ask to end the conversation as the agent is not serious and he doesn't have any vacancy.

2 - "Are you currently lined up for interviews?"

The idea is that you are a pro and you should have many interviews at the moment so you should be telling the agent 'Yes' and that you are in demand (this is what he wants you to say to get to his next question).

When: This question is usually proceeded by "How do you find the market?" This part of speech usually happens in the beginning of the conversation.

Claimed Reason: The agent is chit chatting with you and wants to know what you are doing at the moment.

Real Reason: The agent wants to harvest the current vacancies and offer them his candidates; you are not a sale to him as you went through another agent.

Implication: The agent might call the interviewer and push his candidates. In the worst cases, he might call the interviewer and claim that you have a bad reputation and the interviewer shouldn't interview or hire you.

What Should I Do: Answer with "No", if the agent asks why, you could tell him that you have just started searching.

3 - "What employers did you submit your CV to"

When: This is proceeded by that "We have a lot of vacancies and we will be sending your CV to [put big number here] of employers and we want to make sure that your CV haven't been submitted to that employer."

Claimed Reason: You don't want the employer to get a duplicate submission of your CV as this will give an unprofessional image about you.

Real Reason: Yes, You guessed it!

Implication: Same as the previous point.

What Should I Do: Don't go down the route of giving clues about the companies that are of interest to you, note that the agent will be pushing for clues if you refuse to give the company name and details. If you give clues then a colleague of the agent will call you later and offer you the same job that you gave clues about and expects you to say "I have already applied for company X, so please don't put me forward for this."

4 - "I have a Vacancy for You [sale pitch goes here], I will tell you the full details this [time goes here]"

This is just for harvesting your details and buy some time to keep you out of the market as long as possible as if you get hired by another agent then this agent lost the sale!

5 - "I will put you on the phone with the employer who wants to keep his details hidden"

Probably, the employer will be a colleague of the agent who will try to extract the reference information from you as now he is the employer which you assumingly trust more!

6 - "Oh you have worked at company X, I know [false name] from the HR department, who do you know there?"

Well, probably you know the reason behind this question by now which is information harvesting. Just refuse to give a name or give a false name.

7 - "He is on the other line", "He is out of the office", "He is in a meeting"

This is what the receptionist will tell you after you call the recruiting agency, giving your name and reason for call when asking for a specific agent.

You probably are calling after you have submitted your CV to discuss this matching vacancy further with the agent. But the agent has posted that FAKE ad to harvest CVs and has no time to waste on the phone with you. Good luck trying to get him on the email as well.

8 - "What is your current rate at your current employment?"

In the case of a software consultant, they want to try to squeeze down your rate to get a higher share themselves.

I believe that this question should only be asked after explaining the job they want to propose to you so you could decide your rate based on the given factors.

If you have been asked for your previous rate, ask what his proposed role is paying and what is it about.

9 - False Job Ads

The majority of posted ads on famous job sites like jobserve.com are fake! Their aim is to harvest CVs:

To be ready when they get a client.
Because they don't want to post information that will lead their competitors to the client, so they will contact you and tell you that this vacancy is taken now and they have these new vacancies.

10 - Threatening of blacklisting you if you are not going to cooperate

Agents might get very rude when you refuse to give information and will start threatening of blacklisting you and tell other agencies how bad you are.

In this case I would beg the agent to blacklist me as I will be more than happy not to get contacted from agents from the same nature.

11 - The Job is Posted Else Where But With The Real Company Name

Agents might go as far as copying a direct employer's posted ad from some where, change the employer's real info into vague ones, then post it as if it is their own without the employer's consent and even though, in most cases, the employer has mentioned the phrase "strictly no agents." The reason might be:

Using a good targeted ad, written by an experienced employer and use it to harvest CVs for the agent's own benefit, i.e. to be used for other jobs.
Will take the CVs, filter it, then send it to the employer to show him that "we are a good agency" and we can get you good candidates.

12 - Removing Your Contact Information From the CV

Now the agent called you, agreed with you, and is going to send your CV to his client. The next step is removing any contact information or anything that might lead to you before sending it to the client.

Why? You probably know why! He is an agent and since he is working in an enviroment that is 'unsafe' where you can't trust anyone, he assumes that this also applies to software consultants. What a shame...

13 - Agents Might Push You for an Interview for a Job that Doesn't Meet Your Skills

Maybe to send as much candidates as possible to the employer
Who knows? It might work! After all, the agent isn't the one who is wasting his time, it is the candidate and the employer!

Ask for a phone interview at first if you are not sure of the requirements or if you have any suspicion. This will save both your and the interviewer's time.

Frankly speaking, it might not be the agent's fault, it might be that the employer did not supply the agent with the full requirement.

Honest to God Words to the Recruiting Agents

For the honest recruiting agents, I am sorry that these practices, which are employed by some agencies, have ruined your reputation and please note that this post has no intention of generalisation. For the other types of agents, these are my words to you:

Don't insult our intelligence by using cheap tactics, because if we work as software consultants then that mean we are intelligent enough to perform such a job.
Stop wasting our time to harvest information as we really have more important things to do.
Stop using these phrases: 'brilliant', 'fantastic', 'I'm going to pass your CV to my colleagues', 'we have [employer quantity]', 'leave it with me, I'm going to take it from there' and 'you have a fantastic CV'.
"Largest TV Group in Europe" means Sky and "Europe's biggest B2B media company" is RBI. Come on guys, Britain is too small for this, could you make the ad description more vague please? This is so easy and software consultants are not dump, you know.
If you are honest and not a time waster then please display your phone number, that shows more consideration to the candidates.

Advice To the Software Consultant

Don't give your real phone number to the agents as they will keep cold calling you every [set amount of time] to harvest information and update their database, use a pay as you go phone if you are job hunting.
Same goes for email, use a different email for recruitment as you will get loads of irrelevant emails with apologies in the beginning if this is irrelevant.
Educate your colleagues with the tactics mentioned in this post as we should all stand against such tricks and have a better, mature and more professional recruiting environment for software consultants in UK.

Finally, I am happy that I wrote this post and shared my experience, and nightmares, with the rest of UK's software consultant colleagues. If you are a software consultant in the American market, then let me know if you have a similar experience. Please let me know if I have missed an important trick or if you had a bad experience. If you like it then please Digg It and Kick It.

How Not To Compromise Security Through ASP.NET Validators

adam.nospam@nospam.adamtibi.net (Adam Tibi) — Tue, 23 Sep 2008 09:45:00 +0000

I have explained in The Three Steps of Building an ASP.NET Validator Control, how to build a validator control from the ground up in three easy steps and in a reusable format. I highly recommend reading it before going any further.

Here I am discussing the common validator control security holes that might compromise your forms security when left untreated.

Security Hole 1: Failing to Implement The Server-Side Validation

When building a validator control from scratch or using a CustomValidator, you should always implement server-side validation (i.e. the .NET code), however, the client-side validation (i.e. The javascript) code is optional but nice to have.

The reason is, a malicious user might disable JavaScript from his browser to bypass your validation or might not even be using a browser but some code to post to your form.

Always start by building the server-side validation, test it, then start building the client one.

Security Hole 2: Failing to check `Page.IsValid`

This is a major pitfall and failing to avoid it will render your validation next to useless! Before you process any data coming from your form, you need to make sure that it has passed your validators, however, if the client's browser has JavaScript disabled, then the code will reach the server without validation and will require you to check the Page.IsValid manually. For example:

protected void Submit_Click(object sender, EventArgs e) {
    // Very Important
    if (!Page.IsValid) {
        return;
    }

    // Do some processing here...
}

Security Hole 3: Client-side and Server-Side Regular Expressions

Regular expressions AKA RegEx on the server-side and the client-side may not have the same desired effect, in other words, the same regular expression syntax that works on the server side, might not work on the client side. So make sure you thoroughly test both.

Security Hole 4: Relying on the `MaxLength` property of a `TextBox`

This is not directly related to validator controls, however, it belongs to validation and I thought of mentioning it for completion.

You should not rely only on MaxLength to restrict the max allowed text for your TextBox as this property can be easily bypassed on the client, by setting the TextBox with JavaScript for example, and will never be checked on the server-side. However, set it anyway for usability purpose.

To force a max length on a TextBox, you might use a RegularExpressionValidator with the validation expression ^.{0,MaxLength}$.

Always test your validators in both modes JavaScript enabled and disabled. To turn off JavaScript in Internet Explorer, you can go to the "Security Settings", however, I recommend using Internet Explorer Developer Toolbar.

If you think that there are more security holes that are worth mentioning then please drop me a comment line.

The Three Steps of Building an ASP.NET Validator Control

adam.nospam@nospam.adamtibi.net (Adam Tibi) — Mon, 22 Sep 2008 09:40:00 +0000

The standard ASP.NET validator controls such as the RequiredFieldValidator or the RegularExpressionValidator do not cover all validation requirements, so usually developers tend to create a CustomValidator for such scenarios.

A major problem with the CustomValidator is reusability, as if you wanted to use the validator in another project then there would be some copying and pasting and code duplication, then you have to maintain multiple versions of the same control.

The solution, as you have guessed from the title, is to build your own validator control when possible to promote reusability.

In this post I will be showing you in three simple steps how to build an ASP.NET validator control and take credit card number format check to show by example. I will also be building the architecture so that your validator and other validators that you will develop in the future could be as reusable as possible.

How to Check a Credit Card Format

Luhn check is an algorithm that checks if a credit card number is valid (format wise), so in practice, before you even think of doing any further processing on the credit card, this check should be satisfied.

Introduction to ASP.NET Validators

ASP.NET validators are ASP.NET controls that when associated with a web control will perform client-side (JavaScript) and server-side (C#/VB.NET) validation.

Using them will dramatically reduce the amount of validation code and will helps in writing more maintainable and clean code. The more specialised controls that you have the more you will finish building a form faster.

All what you need to do is check for Page.IsValid in the server-side (in our case that would be the code-behind file) to make sure that the page is valid before you start collecting its values.

Step 1: Prepare The Class Library to Include the Validators

You will need a class library to host your validator, this class library will be used to add additional validators in the future. The library will contain a JavaScript file that will include the required JavaScript and will be served whenever the validator is used.

Add The Class Library

Create a new class library, mine is called AT.Web.UI.Validators then add a reference to System.Web and remove the auto generated class class1 from the project

You will need to add this line to the end of the AssemblyInfo.cs

[assembly: TagPrefix("AT.Web.UI.Validators", "at")]

The previous line will append the prefix "at" to the validator control when dropped on a form.

Add the JavaScript file

This is the JavaScript file that will be served whenever our validator is used on a page. We will embed this file as a WebResource in the library to save ourselves adding it manually to every page that uses our validator.

To know more about WebResources have a look at WebResource ASP.NET 2.0 explained.

Now add a JavaScript file and call it JavaScript.js then change its build action to be "Embedded Resource." In the AssemblyInfo.cs file you need to add a line that will make this JavaScript file a WebResource, first add a reference to the name space using System.Web.UI; then append this line to the end of the file:

[assembly: WebResource(
      "AT.Web.UI.Validators.JavaScript.js",
      "application/x-javascript")]

Step 1 will only be done once and the next time you add a new validator you won't need to do it again.

Step 2: Write the ASP.NET Validator

Add to the project a class file and call it CreditCardValidator.cs. The code that should go in the class looks like the following, I will discuss the code later:

// CreditCardValidator.cs
using System.Text;
using System.Web.UI.WebControls;
using System.Web.UI;

namespace AT.Web.UI.Validators {

// Tells VS that when the control is droped on the form, it should look like this
[ToolboxData(@"<{0}:CreditCardValidator runat=server></{0}:CreditCardValidator>")]

// The best way to start your own validator is to inherit BaseValidator
public class CreditCardValidator : BaseValidator {

    // This method will be executing while the attributes are being rendered
    // and the HTML is being generated. This method should always be overriden
    // to supply the name of the client-side check function.
    protected override void AddAttributesToRender(HtmlTextWriter writer) {
        base.AddAttributesToRender(writer);

    // Checking if the browser supports JavaScript
        if (RenderUplevel) {
        // This will "attach" an attribute called "evaluationfunction" and gives
            // it a value "CreditCardNumberValidatorEvaluateIsValid" which is the 
            // JavaScript function that will be called to validate the TextBox
            Page.ClientScript.RegisterExpandoAttribute(ClientID, "evaluationfunction", 
                "CreditCardNumberValidatorEvaluateIsValid");
       }
    }

    // This method will be called when the server-side checking is triggered
    // and should ALWAYS be implemented to return true or false.
    protected override bool EvaluateIsValid() {
        string cardNumber = this.GetControlValidationValue(ControlToValidate);
        if (!IsValidCardNumber(cardNumber)) {
            return false;
        }
        return true;
    }

    protected override void OnPreRender(System.EventArgs e) {
        // emit the JS file into the page so you won't need to add it manually
        Page.ClientScript.RegisterClientScriptResource(typeof(CreditCardValidator),
                                             "AT.Web.UI.Validators.JavaScript.js");

        base.OnPreRender(e);
    }
    
    // Luhn check algorithm which will check the validity of the Credit Card #
    private static bool IsValidCardNumber(string cardNumber) {
        if (!System.Text.RegularExpressions.Regex.IsMatch(cardNumber,"^[0-9]*$")) {
            return false;
        }
        int length = cardNumber.Length;

        if (length < 12) {
            return false;
        }
        int sum = 0;
        int offset = length % 2;
        byte[] digits = new ASCIIEncoding().GetBytes(cardNumber);

        for (int i = 0; i < length; i++) {
            digits[i] -= 48;
            if (((i + offset) % 2) == 0)
                digits[i] *= 2;

            sum += (digits[i] > 9) ? digits[i] - 9 : digits[i];
        }
        return ((sum % 10) == 0);
    }

}

}

And the JavaScript.js file:

// This function shall be called for client-side validation
function CreditCardNumberValidatorEvaluateIsValid(val) {
    var cardNumber = ValidatorTrim(ValidatorGetValue(val.controltovalidate));
    if (!IsValidCardNumber(cardNumber)) {
        return false;
    }
    return true;
}

// Luhn check, the JavaScript way
function IsValidCardNumber(cardNumber) {
    var digitsRegex = new RegExp("^[0-9]*$");
    if (!digitsRegex.test(cardNumber)) {
        return false;
    }
    if (cardNumber.length < 12) {
        return false;
    }
    var sum = 0;
    for (var i = 0; i < cardNumber.length - 1; i++) {
        var weight = cardNumber.substr(cardNumber.length - 
                (i + 2), 1) * (2 - (i % 2));
        sum += ((weight < 10) ? weight : (weight - 9));
    }
    if (parseInt(cardNumber.substr(cardNumber.length - 1)) == 
                ((10 - sum % 10) % 10)) {
        return true;
    } 
    else {
        return false;
    }
}

What is this code all about?

When implementing ASP.NET validators, your best candidate to inherit from is the BaseValidator. And you should always, at least, override these three methods: AddAttributesToRender, EvaluateIsValid and OnPreRender.

The JavaScript in our case matches the C# code to do the same check on the client. Note that the JavaScript is using ValidatorTrim and ValidatorGetValue which are methods that are available to you via the framework.

The reason behind both server and client sides checking is because:

The user will have an old browser or JavaScript turned off, so in all cases, the server-side check would still execute. You don't want to be at the mercy of your web users, do you?
The JavaScript will help informing the user as soon as he changes focus or clicking submit that his entry is invalid and saves the page to do a round trip to the server.

Step 3: Use the Validator Control

Now that you have created the validator you will need to test it and use it. So, create a web project and then add the class library that you have created in Step 1 to the solution. Add a reference from the web project to the class library project (not to the .dll).

You will need to add this line to the web.config inside your system.web section:

<pages>
  <controls>
    <add tagPrefix="at"
        namespace="AT.Web.UI.Validators"
        assembly="AT.Web.UI.Validators" />
  </controls>
</pages>

This will instruct ASP.NET that whenever there is a tag that is prefixed with "at" then it should be fetched from namespace AT.Web.UI.Validators that exists in assembly AT.Web.UI.Validators.dll.

Drop it on the page

Add the following code to the "default.aspx" page.

<asp:Label runat="server" AssociatedControlID="CreditCardNumber" 
            Text="Credit Card Number"></asp:Label>
<br />
<asp:TextBox runat="server" ID="CreditCardNumber" />
<at:CreditCardValidator runat="server" ControlToValidate="CreditCardNumber"
            Text="Invalid credit card number. Please recheck." />
<br />
<asp:Button runat="server" ID="Submit" onclick="Submit_Click" Text="Submit" />

For a list of test credit card numbers try this Credit Card Test Numbers

Download

I have added the source code with Visual Studio 2008 solution and the assembly file using .NET Framework 2.0, feel free to download it and use it. However, all copyrights should be reserved.

<< Credit Card ASP.NET Validator (11 kb) >>

Disclaimer

I tried to ensure that the information posted here are up to date and accurate, however, I do not hold any responsibility to any damages that might occur from using or misusing the information and the posted code.

What is next?

In the next post I will be discussing the validators secrity holes... If you liked what you've seen so far, then let me know in a comment so I would discuss it in the next post. And finally, Kick It if you like it!

UPDATE: How Not To Compromise Security Through ASP.NET Validators.

Google Sandbox: When? Why? And How to Dump it!

adam.nospam@nospam.adamtibi.net (Adam Tibi) — Sat, 20 Sep 2008 14:52:00 +0000

I got a question from Anthony Grace in the comments of my previous post Three Rules That ASP.NET Developers Should Know About SEO about Google Sandbox and thought of writing this short post to illustrate what is it and how to avoid it.

Google Sandbox is, in essence, the process of keeping your website outside Google search results for competitive keywords because your website has just been registered or changed owner.

When Google Sandbox

The sandbox usually starts when you register a new website and lasts from 6 months up to a year depending on factors that are only known to Google.

Google is also monitoring the domain registration information so this will also happen when the registered owner of the website changes i.e. you've bought a second hand domain.

Put simply, you are sandboxed when your website has valuable content and is SEO optimised and you are no where near the search engine top result pages.

Why Google Sandbox

Even though Google doesn't admit the concept of Google Sandbox, however, it is crystal clear that it exists.

The reason behind this is obvious, Google is mimicking real life situation when you just start a business and don't expect people to come running at you for your services. Also, if old sites and newly registered sites are treated the same, then this is unfair.

Another reason is to prevent spammers of starting a spammy website to market some products and do some black hat SEO methods to get visitors to their site.

How to Dump It

Now the bad news, you cannot avoid it! But you could follow some practices in reducing its effect:

Register your domain name as soon as you think of a business and even before start implementing the website.
Some people claim that going with AdSense or AdWords programs could take you out faster, but I didn't validate this myself.
Get external links to your website, aka backlinks, from a high profile websites such as governmental sites, reputable charities, etc...
If you are buying a second hand domain name, try to seek ways to not changing the registered owner so that your domain age is not reset. There is not generic way to do it, every case has its own solution.
Buy a domain that has recently expired and still appears in Google results, you might be lucky...
Temporarily, use a subdomain of a non-sandboxed site. When your subdomain site is fully indexed then do 301 redirections to your sandboxed site. The rank for every page that has already been indexed shall be preserved.
Following the movies popular phrase: "If I go down, I will take you all with me!". There are some black hat SEO methods, that I won't even mention as they are unethical, to take your competitors down since you cannot climb up...

Conclusion

I have experimented the effect myself on this site www.adamtibi.net and on other sites as well. I have met some friends and businesses who were frustrated by this effect thinking that their website is not attracting visitors.

If you have encountered this effect, then drop me a comment line and let me know how you escaped it.

Best sandbox-free wishes.

Three Rules That ASP.NET Developers Should Know About SEO

adam.nospam@nospam.adamtibi.net (Adam Tibi) — Tue, 16 Sep 2008 18:22:00 +0000

Search engines optimisation, SEO, is an evolving 'science' and it keeps changing on purpose. Most articles that I read which involve both SEO and ASP.NET usually focus on how to programatically set the meta keywords tag and they tend to make it look like very important while, as of today, it has minimal effect on optimisation.

Generally, web developers tend to turn the blind eye when it comes to SEO while a great part of SEO should be done by developers. Here are three rules for .NET developers to follow while building a site:

1 - Favour XHTML with DIV and CSS Design Over Tabular Design

Thankfully, the era of developing tables-based website is about to end. Today most of the sites are following the DIV and CSS style of design and are table free, except for tobular data. However, some designers and developers did not make the leap yet. The DIV with CSS design will:

Generate less code which will improve your 'code to content' ranking which is favoured by search engines.
Improve your page load as your pages tend to have smaller size with reduced tags and will be even smaller with the CSS sheet separated. Load time is another factor in SEO.
Promote better web semantics by marking your content with the correct XHTML elements. This will enable the spider(the search engine robot which will crawl your pages content) to better understand the structure of your site and your page content.

Always opt-in for XHTML with DIV and CSS type of design and think of rewriting your current tabular based site in a table-free format.

2 - Allow For Meta Description and Meta Keywords Tags

The meta description tag, from SEO point of view, will suggest to the search engine what to display in the search results page. The meta keywords tags are mostly ignored by search engines as spammers gave them a bad reputation, today they are only used to add misspellings and different culture spellings e.g. 'optimisation' and 'optimization'.

ASP.NET does not provide an out-of-the-box solution in adding these tags, so you have two options:

Add a ContentPlaceholder in the head of your MasterPage and fill it with the appropriate MetaKeyword and MetaDescription tags from within the page.

In the MasterPage:

<head runat="server">
    <!-- other xhtml code... -->
    <asp:ContentPlaceHolder id="head" runat="server">
    </asp:ContentPlaceHolder>
    <!-- other xhtml code... -->
</head>

In the ASPX Page:

<asp:Content ID="Content1" ContentPlaceHolderID="head" Runat="Server">
    <meta name="keywords" content="ASPNET, optimisation, optimization" />
    <meta name="description" content="Three SEO rules for ASP.NET developers
        that will improve your site optimisation" />
</asp:Content>

Use a base page for your ASP.NET pages (Also known as: Page Controller Enterprise Design Pattern) in which you will create a definition for generating the meta tags. This article Using Meta Tags with Master Pages in ASP.NET is well written and the code is in both C# and VB.NET.

Use a development procedure in adding Meta Description to your site pages where relevant. You could also add a Meta Keywords tag where relevant.

3 - Do Permanent 301 HTTP Redirects to Mark Moved Pages

Usually, when developers change the structure of a website, say upgraded the site from ASP to ASP.NET, they tend to forget that the old pages accumulated SEO ranking over time and it would be unwise to throw that away!

To point the search engine from the old page location to the new page location, you will need to issue a 301 HTTP redirect to the new URL when somebody, including the spider, requests your old page.

301 Redirection in ASP.NET could be done with the following code in the old page's Init event:

Response.StatusCode = 301;
Response.RedirectLocation = "new-url.aspx";
Response.End();

However, the old page, most probably, will not exist or the old site might be on ASP and ASP is no longer supported on the new site. There is an easy solution for this, try URL Rewriter for ASP.NET. You might also consider implementing your own database driven redirection by using a HttpModule or HttpHandler.

Doing 301 HTTP redirections will maintain the previous ranking that the old URL has accumulated and will update the URL on the search engine result page to the new URL.

Two ASP.NET/VS 2008 Performance Tricks That Even Microsoft Didn't Know About!

adam.nospam@nospam.adamtibi.net (Adam Tibi) — Sun, 14 Sep 2008 18:35:00 +0000

Visual Studio 2008 is a huge resources consumer, it takes long to load then long to open your solution, long to run it and debug it. I have been using it for more than a year now after setting VS 2005 to retirement. I have VS 2008 set on a high perforamce Vista Business laptop with 2GB of memory.

While working with ASP.NET on VS 2008 my colleagues and myself started to notice some patterns when running or debugging a web project that will improve performance rapidally. Tricks that do really work and we laugh every time they work at how silly they are.

Here are two interesting tips that we encountered:

1 - The Magical VS 2008/ASP.NET Mouse Moving

When debugging a running ASP.NET application, sometimes, it takes long to step from one code line to the other, usually I run out of patience and I snap my fingers asking Studio to leg it, but obviously that doesn't work. I started changing my pattern into keep moving the mouse right and left and I have noticed that it takes no time to move from one line to another, tried it again and again and it kept working every time. I even asked my collegues to try it and it worked for them. So, now when I debug I usually click F10 with one hand and move the mouse right and left with the other.

Trick: While debugging ASP.NET with VS 2008 moving the mouse continuously will make debugging faster

2 - The Miraculous VS 2008/ASP.NET Task Bar Click

When hitting F5 or clicking "Run" to run and debug an ASP.NET Website or Web Application, the project used to compile then takes more than a minute, sometimes, to load the browser while I sit patiently looking arround waiting for it to load.

My colleague, Liz Ridley, which happens to have similar laptop specs, was less patient, she used to click randomly on the screen waiting the project browser to run. Suddenly, she clicked the task bar and the browser run at once! Is it a coincidence? She tried it again and again and it worked! Then I tried it and it worked for me, even if I waited for some time before clicking it.

Trick: Clicking on the task bar after the project completes compilation and preparing to launch the browser in debug mode will reduce the browser's launch time.

Do you think that Microsoft knows about this? Is there a logical explanation for this? No, but it works so enjoy it while you can. If it works for you then please drop me a line of comment to let me know. And if you happen to know similar tricks, then please hit me with it.

LINQ to SQL: The Data Access Layer (DAL) Shrinker

adam.nospam@nospam.adamtibi.net (Adam Tibi) — Sat, 23 Aug 2008 10:57:00 +0000

In the pre-LINQ days, I used to use the classical 3-tiers architecture for designing ASP.NET web projects, the user interface (UI), the business logic layer (BLL) and the data access layer (DAL).

My DAL layer used to rely on Microsoft's Data Access Application Block (DAAB) which abstracted the repetitive and boring ADO.NET implementations. There are some 3rd party tools such as SubSonic, which has some common features with LINQ, or NHibernate, however, I would rather use the enterprise library.

Let me quickly illustrate the way to solve a problem with the classical architecture. This is a simple business problem, a website that has many brands and each brand has an advertising campaign. To access the campaign stats, which are supplied by the campaign agency, we need to access the agency's webservice by providing our brand credentials. We simply store these login credentials in our database -> retrieve login info of a brand -> call the webservice -> display the stats on a web page.

I did not choose a trivial problem like the Company-Employee one as I wanted a real-life problem which I had experimented myself.

A stored procedure that fetches a campiagn credential for a brand from the campaign table could look like this:

ALTER PROCEDURE dbo.GetCampaignPerBrand

@BrandID TINYINT,
@AdwordsEmail VARCHAR(50) OUTPUT,
@AdwordsPassword VARCHAR(50) OUTPUT,
@AdwordsDeveloperToken VARCHAR(50) OUTPUT,
@AdwordsApplicationToken VARCHAR(50) OUTPUT,
@AdwordsClientEmail VARCHAR(50) OUTPUT

AS
BEGIN

SELECT    @AdwordsEmail = AdwordsEmail, 
    @AdwordsPassword = AdwordsPassword, 
    @AdwordsDeveloperToken = AdwordsDeveloperToken,
    @AdwordsApplicationToken = AdwordsApplicationToken, 
    @AdwordsClientEmail = AdwordsClientEmail
    FROM Campaign
    WHERE BrandID = @BrandID
END

And a class, in the DAL layer, that would consume this method would look like:

public static class CampaignDAL {

// More code ...
        
public static void GetCampaignPerBrand(byte brandID, out string adwordsEmail,
    out string adwordsPassword, out string adwordsDeveloperToken, 
    out string adwordsApplicationToken, out string adwordsClientEmail) {

    // Using Microsoft's DAAB from the Microsoft Enterprise Library
    Database db = DatabaseFactory.CreateDatabase();
    DbCommand command = db.GetStoredProcCommand("GetCampaignPerBrand");

    db.AddInParameter(command, "BrandID", DbType.Byte, brandID);

    db.AddOutParameter(command, "AdwordsEmail", DbType.AnsiString, 50);
    db.AddOutParameter(command, "AdwordsPassword", DbType.AnsiString, 50);
    db.AddOutParameter(command, "AdwordsDeveloperToken", DbType.AnsiString, 50);
    db.AddOutParameter(command, "AdwordsApplicationToken", DbType.AnsiString, 50);
    db.AddOutParameter(command, "AdwordsClientEmail", DbType.AnsiString, 50);

    db.ExecuteNonQuery(command);

    object adwordsEmailObj           = db.GetParameterValue(command, "AdwordsEmail");
    object adwordsPasswordObj        = db.GetParameterValue(command, "AdwordsPassword");
    object adwordsDeveloperTokenObj  = db.GetParameterValue(command, "AdwordsDeveloperToken");
    object adwordsApplicationTokenObj= db.GetParameterValue(command, "AdwordsApplicationToken");
    object adwordsClientEmailObj     = db.GetParameterValue(command, "AdwordsClientEmail");

    adwordsEmail             = adwordsEmailObj == DBNull.Value ? null : (string) adwordsEmailObj;
    adwordsPassword          = adwordsPasswordObj == DBNull.Value ? null : (string)adwordsPasswordObj;
    adwordsDeveloperToken    = adwordsDeveloperTokenObj == DBNull.Value ? null : (string)adwordsDeveloperTokenObj;
    adwordsApplicationToken  = adwordsApplicationTokenObj == DBNull.Value ? null : (string)adwordsApplicationTokenObj;
    adwordsClientEmail       = adwordsClientEmailObj == DBNull.Value ? null : (string)adwordsClientEmailObj;
}

// More code ...
}

The purists among us might argue that I should be using a Data Container (DC) to carry the data from the BLL to the DAL, yes, it is a good solution, but I am trying a simpler solution here. Now a method in the associated business logic layer might look like this:

public class CampaignBLL {

// More code..

    public Stats[] GetStats() {
        byte brandID = Brand.CurrentBrand.BrandID;
        string adwordsEmail, adwordsPassword, adwordsDeveloperToken, 
                adwordsApplicationToken, adwordsClientEmail;

        GetCampaignPerBrand(brandID, out adwordsEmail, 
            out adwordsPassword, out adwordsDeveloperToken, 
            out adwordsApplicationToken, out adwordsClientEmail);

        Stats[] stats = new Stats();
        // Use the retrieved values in calling a
        // webservice and do other stuff to fill the stats array

        return stats;
    }

// More code..
    
}

The advantages of this approach is that I was pushing my SQL into stored procs which, as I was convincing myself, is giving me an extra performance in addition to semi-portability (as the T-SQL will need to be rewritten when taken to another RDBMS). I had created a CodeSmith template to generate code which saved me writing it as writing such code with more complex stored procedures is error-prone and most probably the errors will be run-time errors.

Disadvantages are too much code to achieve a simple task, no intellisense for the column names (there are third party solutions for this which cost money), no compile-time checking for mispellings of stored proc and column names, semi-portable Transact SQL and the code is splitted into multiple locations/projects.

When I started designing an architecture based on .NET 3.5 of a mid-sized project, I was struggling with the DAL layer. I had tried to force the use of the DAL layer with LINQ to find that I am complicating the architecture rather than simplifying it. If LINQ is dealing with the database transparently and returning my data containers (DC) directly in strongly-typed format then I don't need to use code such as the one used above.

To DAL or not to DAL, this is the Question

Some evil thoughts started to go arround my head, why do I need to have the DAL layer with LINQ? I went back to the basics for the need of the DAL layer.

DAL Fact: DAL will hide the DB provider such as SQL Server or Oracle make transitions to another DB much simpler and theoratically you will only need to change the implementations of the DAL layer, or you might not even need to change it if you have your own abstraction design or using a library such as EntLib DAAB.

LINQ Fact: Same fact goes for LINQ. Additional LINQ implementations, other than the SQL Server one, are currently available or in development.

DAL Fact: DAL will abstract the DB layer for the BLL and transform the db data types into .NET ones.

LINQ Fact: LINQ takes this a step further and returns strongly-typed data containers rather than dummy DataSets.

First I was afraid, I was Petrified

Shrinking the DAL layer or removing it completely? Merging the DAL and the BLL, very bold indeed, but I did it! My architecture turned to be much simpler and easier to change, this is a code snippet from the new LINQ-based model:

public class CampaignBLL {

// More code..

    public Stats[] GetStats() {
        byte brandID = Brand.CurrentBrand.BrandID;
        
        DataClassesDataContext db = new DataClassesDataContext();

        // using lambda expressions to make my life even easier.
        Campaign campaign = db.Campaigns.Single(c => c.BrandID == brandID);

        Stats[] stats = new Stats();
        // Use the retrieved object in calling a
        // webservice and do other stuff to fill the stats array

        return stats;
    }
    
// More code...

}

Where Did The Code Go?!

Let us go back to one of the most famous physics laws, yes, phyiscs, I didn't mistype:

Conservation of Energy Law: Energy cannot be created or destroyed, but can change its form.

Same applies to code. Code cannot suddenly disapear without changing to another form. The generated code by LINQ to SQL has reduced the amount of code to be written. With LINQ, usually developers tend to write less stored procedures as the performance benefit is negligible when compared to that of cleaner code and better architecture (you guessed it, I am a "better architecture" against "higher performance" type of developers).

Someone might argue that the DAL still exists in the LINQ generated code. Well, yes, but what is important to me that I didn't have to do it and I can hardly see it. My discussion is what I have to do to get the project going and now I have no concern in "outsourcing" my DAL layer.

Some developers try to keep their DAL layer by having their LINQ statements inside DAL with methods that has 2 or 3 lines. I believe they have the fear of change! Some fanatic developers took this further step by returning IQueriable objects. I wouldn't have taken such approach as I know that other developers will be working on the project and it is not just me.

DAL Shrinking Advantages

In the classical DAL architecture, each change in the database structure requires searching the associated stored procedure then changing the related DAL method(s) then changing the related business method(s). I am assuming with all the mentioned steps that you didn't mis a change.

With LINQ you automatically shift to less stored procedures. Now changing in the db will require a LINQ recompilation and changing in the business layer only. If you've missed anything, you will get a compile-time error.

The code is easier to read, shorter and still portable as LINQ is having more and more RDBMS providers added every day.

Finally

Even though the project that I have applied these principles to is a mid-size and the database operations are mostly reading. I am still wondering if this approach is going to work in enterprise projects or projects with intensive write and update operations.

In the next post I am going to illustrate how I used Codesmith's PLINQO template and created a simple architecture that made using LINQ a breeze. The results of this architecture was a scalable project which took less development time than it usually takes. It is an end to end architecture with fully functional commercial project. I will keep you posted, you might need to revisit in the next few days or subscribe to my RSS feeds.

Leave me a comment if you have any suggestion and if you agree or disagree on my approach. Kick It if you like it!

IE6 ? It's alive, IT'S ALIVE!

adam.nospam@nospam.adamtibi.net (Adam Tibi) — Tue, 19 Aug 2008 20:25:00 +0000

I redesigned my website, adhered to the XHTML standards, validated on the W3C validator and everything went alright, now the last step, cross-browsers compatibility tests.

First step, I need to look at the previous stats to learn what browsers are support-worthy. And? Surprise, surprise! IE6 is still alive with quarter of the IE users! But why?! My blog is targeted at the IT pros which are expected to be on modern browsers.

Back in the first half of this decade, Microsoft knocked out the real last competitor, Netscape Navigator (which is now, funnily enough, uses the IE engine) and IE6 became the dominant browser on the internet. Then Microsoft thought, should we upgrade this uncompliant, bugy browser which has no competitors? And probably you know the answer. IE6 was born on August 2001 and IE7 was released on late 2006, that is 5 long years for such a critical software. I would think MS would had left it to live longer if not for Firefox. Even more, Microsoft is rushing into IE8 which is claimed to have standards better compatibility by passing the ACID2 test.

IE6 was preventing the web from moving forward with lots and lots of CSS and XHTML bugs. All the important XHTML and CSS updates that have been released years ago are not implemented, therefore as a developer or a designer you can't use them and you are stuck with what IE6 states.

I expected to find much less IE6 user and I even promised in a previous post that I won't test for it, however, I am very flexible :) So while feeling disgusted, once again, I had to comply with IE6 and do some CSS hacks to make IE6 happy. I have also posted these pie charts which are collected by Google Analytics on adamtibi.net for the public benefit.

Final word, I am not a Firefox fan, but thank you Mozilla, you saved the web.

Ye Mighty .NET Developers, I Have Betrayed Thy Oath

adam.nospam@nospam.adamtibi.net (Adam Tibi) — Sun, 10 Aug 2008 19:24:00 +0000

The story began when my wife asked me "Oh my lord, I want a blog." I was extremely happy to fulfil her request as now she can post her thoughts and save me listening :) . I answered, "My dear queen, I shall grant thee a weblog."

.NET blog engines for non-techies anyone? I found only two, BlogEngine.NET and dasBlog and they both don't suit her royal needs. What do the majority of bloggers use? WordPress? But that is PHP?! I'm not touching PHP, I wouldn't be happy if a mate of mine told me "So, Adam, you are using PHP." I, who spent hours arguing with the open source blokes, from university professors to collegues to online forums to developers in meetings.

I thought, what is more important? Turning down her highness' request or betray my oath to Microsoft and .NET community? And the answer, as you have already guessed, the second option.

And the moral of the story is? Check my wife's blog AboutXena.com with WordPress engine, let me know your thoughts and forgive me if you feel that I have betrayed you as a .NET Developer.

Reskinning My Blog

adam.nospam@nospam.adamtibi.net (Adam Tibi) — Mon, 28 Jul 2008 00:07:00 +0000

Finally, I redesigned my blog, I did it from scratch, I made it the way I want it to be, bespoked to my own wild desires and following my own specifications (you could count the number of "I" and "my" in the previous sentence and see how proud I am).

I could have gone to a web designer or to a web agency for the redesign and even though they would have surely done a better art work but I would have lost the pleasure of the DIY (for Americans: DIY = Do It Yourself), not to mention the cost. I read tutorials on how to make Web 2.0 thingies with Photoshop, sharpened my humble graphic design skills, reviewed the list of favourite technology blogs that I have stumbled upon in the past, then started. When designing, I abandoned the 800 pixel width standard and went for the 1024 pixels one, I also haven't tested for IE6 (and never will!) as I have used unsupported CSS because I know thay my blog readers are technology experts that are using modern browsers.

Old Design

My original design was based on the Leaves theme of BlogEngine.NET

There aren't many choices when it comes to .NET blog engines, there are only two AFAIK, dasBlog and BlogEngine.NET. After a quick test on both, I went for BlogEngine.NET as I felt it had more features, more updates, better object-oriented architecture and is easier to install. What I didn't like about BlogEngine.NET is the embedded html inside the code and in-line CSS which prevents the blog from being XHTML strict compatible, however, I am not complaining and would like to thank the BlogEngine.NET guys for the great efforts.

I cannot deny that I had the desire of building my own LINQ+MVC+AJAX blogging engine, but I reviewed the intial goal of reskinning and concluded that designing and creating an engine from scratch doesn't fit with the requirements.

Let me know any feedback and if you want to critique my humble web design skills, then you need to do it on the basis that I am a web design hobbiest.

Response.Redirect and Server.Transfer Demystified

adam.nospam@nospam.adamtibi.net (Adam Tibi) — Wed, 23 Apr 2008 11:52:00 +0000

I still remember the old days when I first learned ASP.NET 1.0, I used to search, like other newcomers, for the differences between Response.Redirect and the Server.Transfer. I found answers such as Server.Transfer had been kept in ASP.NET for backward compatibility with ASP so the recommendation was to use Response.Redirect or that I should be using the Server.Transfer for better performance!

The truth is every method has a completely different and important use.

Response.Redirect : When you call this method, ASP.NET will issue HTTP headers that will instruct the browser for the new page tonavigate to and will stop processing any further ASP.NET instruction. The following code:

 
Response.Redirect("default2.aspx");
throw new Exception("This exception will not be executed!");

will redirect to default2.aspx and will not execute the next line. It will issue an HTTP header instruction to the browser as follows:

 
Location: /default2.aspx

Then the browser will request the new page "default2.aspx".

Server.Transfer : This method will transfer execution ON THE SERVER from the current executing page to the new page "default2.aspx" without notifying the client (the browser) of this change. Also, will stop executing any further instruction on the current page.

 
Server.Transfer("default2.aspx");
throw new Exception("This exception will not be executed!");

Comparison

	Redirect	Transfer	Commets
Better performance		X	Redirect involves the extra overhead of going back and forth between the server and the client while Transfer is done completely on the server
Change the URL in the browser’s address bar	X		Transfer will not notify the browser with the change of pages
AJAX and JavaScript Friendly	X		Since Transfer will not notify the browser with the change of page, some Ajax operations might fail as well as some JavaScript operations
Can carry simple information securely from one page to another		X	Both methods can transfer simple data from one page to another via query strings, however, with Redirect the client will be able to read the information from the query string. Encrypting the query string is another topic
Can carry complex objects from one page to another		X	Doing Transfer ("default2.aspx", true), you can still access the objects of default.aspx from default2.aspx when default2.aspx first loads
Errors can easily be traced	X		Using Transfer, errors might appear in your error log as if they are coming from default.aspx when they might be coming from default2.aspx

So what does all this mean? Simply, use the Redirect method by default unless you need to transfer complex data from one page to another, pass the data securely or hide the new page from the client.

Please let me know if you have additional differences or similarities that haven't been mentioned.

How to HTTP Post in .NET and handle the 500 errors

adam.nospam@nospam.adamtibi.net (Adam Tibi) — Sat, 22 Mar 2008 18:57:00 +0000

If you google you will find a lot of posts that will tell you how to HTTP post (some call it HTML post) in .NET. However, they all fail, or at least the ones I found, to tell you how to handle the returned 500 errors and retrieve the message behind it.

I have been posting to a service and getting the "500 Internal Server Error" which doesn't tell much! I had done some research to get the real error behind it. Here is my code snippet in C#:

public static string Post(string url, string postData) {

    byte[] buffer = Encoding.UTF8.GetBytes(postData);
    int bufferLength = buffer.Length;
    HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(url);
    request.Method = "POST";
    request.ContentLength = bufferLength;

    string result;

    using (Stream requestStream = request.GetRequestStream()) {
        requestStream.Write(buffer, 0, bufferLength);

        try {
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse()) {
                using (Stream responseStream = response.GetResponseStream()) {
                    using (StreamReader readStream = new StreamReader(responseStream, Encoding.UTF8)) {
                        result = readStream.ReadToEnd();
                    }
                }
            }
        }
        catch (WebException wEx) {
            using (Stream errorResponseStream = wEx.Response.GetResponseStream()) {
                using (StreamReader errorReadStream = new StreamReader(errorResponseStream, Encoding.UTF8)) {
                    result = errorReadStream.ReadToEnd();
                }

            }
        }
    }

    return result;
}

I have tested the code and it is working, please let me know what do you think or if you have a better approach.

Check Validator - An ASP.NET Validator Control

adam.nospam@nospam.adamtibi.net (Adam Tibi) — Fri, 15 Feb 2008 21:00:00 +0000

While some developers assume that the classical ASP.NET validators support check boxes and radio buttons, this isn't the case! There is a logical explanation for this; there is nothing much to check, the checkbox can only be checked or unchecked so what do you want to validate?

In some cases you might want to display an error if a check box or a radio button is unchecked, e.g. terms and conditions check box, if so, then this is the right validator for you. Read on if you are interested in the bits and pieces of how the control works or skip to the "Using The Validator" section if you are just interested in using it.

Background

Usually control classes that supports validation are decorated with the ValidationProperty attribute, for example, the TextBox control looks like this:

// more attributes...
[ValidationProperty("Text")]
// more attributes...
public class TextBox : WebControl, IPostBackDataHandler, 
                        IEditableTextControl, ITextControl {
    ...
}

The ValidationProperty will point the validator at the property to validate against.

The CheckBox, RadioButton, HtmlInputCheckBox and HtmlInputRadioButton lack this attribute, accordingly, any standard validation control will throw an exception Control 'ControlID' referenced by the ControlToValidate property of 'ValidatorID' cannot be validated when set against one of these controls.

Architecture

This validator inherits, as in most validators, from BaseValidator and overrides method ControlPropertiesValid that issues this exception.

protected override bool ControlPropertiesValid() {
    if (ControlToValidate.Trim().Length == 0) {
        throw new HttpException(
            string.Format(@"The ControlToValidate property of 
                {0} cannot be blank.", ID));
    }

    Control control = FindControl(ControlToValidate);

    if (control == null) {
        throw new HttpException(
            string.Format("Could not locate control with ID {0}", ID));
    }

    if (!(control is CheckBox) &&
                !(control is RadioButton) && 
                !(control is HtmlInputCheckBox) &&
                !(control is HtmlInputRadioButton)) {
        throw new HttpException(
            @"ControlToValidate can only be 
                System.Web.UI.WebControls.CheckBox, 
                System.Web.UI.WebControls.RadioButton, 
                System.Web.UI.HtmlControls.HtmlInputCheckBox, 
                System.Web.UI.HtmlControls.HtmlInputRadioButton");
    }

    return true;
}

The rest of the server side code is classical. The validator has a property called WarnIf which will reverse checking (when set to false, the validator will warn if the box is checked).

This is the client-side validation code:

function CheckValidatorEvaluateIsValid(val) {
    var control = document.getElementById(val.controltovalidate);
    var warnif = val.warnif == 1 ? true : false;
    return control.checked ^ warnif;
}

Using the Validator

To use this validator from your Visual Studio IDE, you need to add the provided .dll to the toolbox. For more information on this, check the MSDN documentation.

Drop the control on the form and assign it to the CheckBox/RadioButton that you want to check:

<asp:checkbox ID="_termsAndConditions" runat="server"
      Text="I have read the terms and conditions" />

<at:CheckValidator ID="_checkValidator" runat="server" 
  ControlToValidate="_termsAndConditions" 
  Text="Please read and accept our terms and conditions before proceeding">
</at:CheckValidator>

Licence

This software is disributed under Ms-PL. Which simply means, you can freely use it and distribute it but you must retain all copyright, patent, trademark, and attribution notices that are present in the software.

Finally, if you like the article and find the control useful, then please Kick It (using the button below) and it would be kind of you to leave a comment. All suggestions and bug reports are welcome. I have also created the MultipleFieldsValidator validator control to tackle the problem of validating multiple controls.

<<Download CheckValidator.zip (16.97 kb))>>

Session Keep-Alive Web Control

adam.nospam@nospam.adamtibi.net (Adam Tibi) — Mon, 11 Feb 2008 23:32:00 +0000

Session expiration in ASP.NET is a nasty problem. Imagine yourself filling a long form, hitting submit then boom you get the login page! That happened to me before and probably happened to you.

This problem doesn't have an out-of-box solution in ASP.NET and there are different appraoches to solve it.

Increasing the session time out. Probably you are aware of the cons of this problem which are mainly consuming more server resources.
Having an image or an iframe that refreshes regularly and requests the server. This approach is a per page approach and you can select the pages to implement it on.

Personally, I've been using the second approach for a long time and didn't have any problem with it. However, I made it more reusable, not to mention "cleaner", by making it a web control.

If you are just interested in using the control then you can skip to the last section "Using the Control."

Architecture

The architecture here is simple and consists of both server-side and client-side solutions.

Server-Side

An ASHX handler file hosted on the root of the site which when requested will renew the session and return a 1-pixel image. In my control, I called the ASXH file as session-keep-alive.ashx and this is the code:

<%@ WebHandler Language="C#" Class="session_keep_alive" %>
using System.Web;
using System.Web.SessionState;

public class session_keep_alive : IHttpHandler, IRequiresSessionState {
    private static byte[] gif = {
            0x47,0x49,0x46,0x38,0x39,0x61,0x01,0x00,0x01,0x00,0x91,0x00,0x00,0x00,0x00,
            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x21,0xf9,0x04,0x09,0x00,
            0x00,0x00,0x00,0x2c,0x00,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x08,0x04,
            0x00,0x01,0x04,0x04,0x00,0x3b,0x00};
    
    public void ProcessRequest (HttpContext context) {
        context.Response.ContentType = "image/gif";
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        context.Response.BinaryWrite(gif);
        context.Response.End();
    }
 
    public bool IsReusable {
        get {
            return true;
        }
    }
}

Client-Side

On the client, my web control will render a 1-pixel image and some JavaScript code that will refresh the image every set amount of time from the ASXH file on the server. This is the control's code:

using System;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.ComponentModel;

namespace AT.Web.UI.Controls {

    /// <summary>
    /// Web control to keep the session alive by refreshing every set amount of time
    /// </summary>
    [AspNetHostingPermission(SecurityAction.InheritanceDemand, Level = AspNetHostingPermissionLevel.Minimal)]
    [AspNetHostingPermission(SecurityAction.LinkDemand, Level = AspNetHostingPermissionLevel.Minimal)]
    [ToolboxData("<{0}:SessionKeepAlive runat=server />")]
    public class SessionKeepAlive : WebControl {

        /// <summary>
        /// Set, in minutes, the duration to trigger the session.
        /// The default value is one minute
        /// </summary>
        [Category("Behavior")]
        [DefaultValue(1)]
        public int Duration {
            get {
                return (int)(ViewState["Duration"] ??  1);
            }
            set {
                ViewState["Duration"] = value;
            }
        }

        /// <summary>
        /// The path of the image's URL that will be requested from the server,
        /// the default is ~/session-keep-alive.ashx
        /// </summary>
        [Category("Behavior")]
        [DefaultValue("~/session-keep-alive.ashx")]
        public string PageUrl {
            get {
                return (string)(ViewState["PageUrl"] ?? "~/session-keep-alive.ashx");
            }
            set {
                ViewState["PageUrl"] = value;
            }
        }

        /// <summary>
        /// Applies in-line CSS style to hide the generated image. The default is true.
        /// Alternatively, you can set this to false and hide the image using your own
        /// CSS to keep your page XHTML Strict compatible.
        /// </summary>
        [Category("Behavior")]
        [DefaultValue(true)]
        public bool AutoHide {
            get {
                return (bool)(ViewState["AutoHide"] ?? true);
            }
            set {
                ViewState["AutoHide"] = value;
            }
        }

        protected override void OnPreRender(EventArgs e) {
            base.OnPreRender(e);

            if (AutoHide) {
                this.Style.Add(HtmlTextWriterStyle.Display, "none");
            }

            Page.ClientScript.RegisterClientScriptResource(typeof(SessionKeepAlive),
                "AT.Web.UI.Controls.JavaScript.js");

            Page.ClientScript.RegisterStartupScript(
                typeof(SessionKeepAlive), "SessionKeepAlive",
                string.Format(
                   @"window.setInterval('SessionKeepAlive(\'{0}\', \'{1}\');', {2});", 
                ClientID, ResolveClientUrl(PageUrl), Duration * 60000), true);
        }


        protected override void Render(HtmlTextWriter writer) {
            writer.AddAttribute(HtmlTextWriterAttribute.Src, ResolveClientUrl(PageUrl));
            writer.AddAttribute(HtmlTextWriterAttribute.Alt, " ");
            base.RenderBeginTag(writer);
            base.RenderEndTag(writer);
        }

    }
}

And here is the used JavaScript, note that I am setting the Src of the image to the same location (the ASHX file), but changing the query string to prevent the browser from caching the request.

function SessionKeepAlive(imageID, pageUrl) {
    var imageObj = document.getElementById(imageID);
    if (imageObj == null || imageObj == undefined) {
        return;
    }
    imageObj.src = pageUrl + "?par=" + escape((new Date()).toString());
}

Using the JavaScript as an embedded resource

I have made the JavaScript file an embedded resource to make it easier for deployment. To do that I had to do the following:

Added a javascript file to the project library and called it JavaScript.js
I made this file an embedded resource by selecting it and setting Build Action to Embedded Resource
I have added the following line to the AssemblyInfo.cs : [assembly: WebResource("AT.Web.UI.Controls.JavaScript.js", "application/x-javascript")]

Using the Control

Copy session-keep-alive.ashx to your website.
Reference AT.Web.UI.Controls.dll in your website.
You can add this control to the VS.NET toolbox and drop anywhere on the page OR you could add it manually by adding <%@ Register TagPrefix="at" Namespace="AT.Web.UI.Controls" Assembly="AT.Web.UI.Controls" %> to the top of the page and adding <at:SessionKeepAlive runat="server" /> anywhere in the html body. You might need to set the refresh Duration, AutoHide or PageUrl

Check the sample file for more information.

Credits

The initial code that I used two years ago was based on an article, Make session last forever, written by Gevorg on Code Project.

Licence

Finally, if you like the article and find the control useful, then please Kick It (using the button below) and it would be kind of you to leave a comment. All suggestions and bug reports are welcome.

<<Download SessionKeepAlive.zip (19.55 kb)>>

Adam Tibi

Three C# 2.0/3.0 Syntaxes That You Didn't Know But Were Afraid to Ask

1 - Properties Without Members

2 - The '??'

3 - Initialising Properties when Creating an Object

UK Software Consultant Nightmare: The IT Recruiting Agents

1 - "I need two references from your current and ex employers"

2 - "Are you currently lined up for interviews?"

3 - "What employers did you submit your CV to"

4 - "I have a Vacancy for You [sale pitch goes here], I will tell you the full details this [time goes here]"

5 - "I will put you on the phone with the employer who wants to keep his details hidden"

6 - "Oh you have worked at company X, I know [false name] from the HR department, who do you know there?"

7 - "He is on the other line", "He is out of the office", "He is in a meeting"

8 - "What is your current rate at your current employment?"

9 - False Job Ads

10 - Threatening of blacklisting you if you are not going to cooperate

11 - The Job is Posted Else Where But With The Real Company Name

12 - Removing Your Contact Information From the CV

13 - Agents Might Push You for an Interview for a Job that Doesn't Meet Your Skills

Honest to God Words to the Recruiting Agents

Advice To the Software Consultant

How Not To Compromise Security Through ASP.NET Validators

Security Hole 1: Failing to Implement The Server-Side Validation

Security Hole 2: Failing to check Page.IsValid

Security Hole 3: Client-side and Server-Side Regular Expressions

Security Hole 4: Relying on the MaxLength property of a TextBox

The Three Steps of Building an ASP.NET Validator Control

How to Check a Credit Card Format

Introduction to ASP.NET Validators

Step 1: Prepare The Class Library to Include the Validators

Add The Class Library

Add the JavaScript file

Step 2: Write the ASP.NET Validator

What is this code all about?

Step 3: Use the Validator Control

Drop it on the page

Download

Disclaimer

What is next?

Google Sandbox: When? Why? And How to Dump it!

When Google Sandbox

Why Google Sandbox

How to Dump It

Conclusion

Three Rules That ASP.NET Developers Should Know About SEO

1 - Favour XHTML with DIV and CSS Design Over Tabular Design

2 - Allow For Meta Description and Meta Keywords Tags

3 - Do Permanent 301 HTTP Redirects to Mark Moved Pages

Two ASP.NET/VS 2008 Performance Tricks That Even Microsoft Didn't Know About!

1 - The Magical VS 2008/ASP.NET Mouse Moving

2 - The Miraculous VS 2008/ASP.NET Task Bar Click

LINQ to SQL: The Data Access Layer (DAL) Shrinker

To DAL or not to DAL, this is the Question

First I was afraid, I was Petrified

Where Did The Code Go?!

DAL Shrinking Advantages

Finally

IE6 ? It's alive, IT'S ALIVE!

Ye Mighty .NET Developers, I Have Betrayed Thy Oath

Reskinning My Blog

Old Design

Response.Redirect and Server.Transfer Demystified

Comparison

How to HTTP Post in .NET and handle the 500 errors

Check Validator - An ASP.NET Validator Control

Background

Architecture

Using the Validator

Licence

Session Keep-Alive Web Control

Architecture

Server-Side

Client-Side

Using the JavaScript as an embedded resource

Using the Control

Credits

Licence

2 - The '`??`'

Security Hole 2: Failing to check `Page.IsValid`

Security Hole 4: Relying on the `MaxLength` property of a `TextBox`