Check the checkbox first, then click the Submit button.

    /* Front End Code
     * One check box has a normal postback the other creates
     * a stacked PostBack.
     */
    <div>
        <asp:CheckBox ID="cb1" Text="CheckBox 1 (AutoPostBack=false)" OnCheckedChanged="cb1_CheckChanged" AutoPostBack="false" runat="server" />&nbsp;
        <asp:CheckBox ID="cb2" Text="CheckBox 2" OnCheckedChanged="cb2_CheckChanged" AutoPostBack="true" runat="server" />&nbsp;
        <br />
        <br />
        <asp:Label ID="lblTarget" runat="server" />
        <br />
        <br />
        <asp:Button ID="Submit" Text="Submit" runat="server" OnClick="Submit_Click" />&nbsp;
        <asp:Button ID="Reset" Text="Reset" OnClick="Reset_Click" runat="server" />
    </div>

    /* Back End Code
     * The back end code just adds the name of the ID of the button lblTarget
     */
        protected void cb1_CheckChanged(object sender, EventArgs e)
        {
            if (lblTarget.Text.Equals(lblTargetText))
            {
                lblTarget.Text = " cb1 ";
            }
            else
            {
                lblTarget.Text += " cb1 ";
            }
        }

Effectively he was doing something that requires a PostBack then saying not to PostBack. This leads to a stacking effect (which was unknown to us until recently). On the next PostBack  the method for the OnCheckedChanged event was fired then the actual item that caused the PostBack’s method is executed. I never realized you could queue up PostBack events. Hopefully this will help someone else out.

PostBack Event Experiments

It seems that everyone who is security oriented in computing knows that everyone who isn’t security oriented in computing doesn’t manage passwords properly. It is even the case that some people who do know a lot about security manage their passwords poorly as well. In my eyes the main reasons for poor passwords is 3 fold.

• Poor enforcement
• Lack of education
• Loss of Convenience

Poor enforcement and loss of convenience I believe are the developers fault and I will discuss them later. Lack of education is not entirely the developers fault in my opinion. There is no reason this issue still plagues the internet. We have classes in school about learning basic computer skills and yet we don’t cover password security. To me it is as important or more important then learning things like Excel and Word. A mere day of password security in school could go a long way.

Rolling your own

First and foremost I blame developers for the state of password based security. Developer’s are the front line when it comes to security. If we don’t contemplate security, it is likely the rest of the organization won’t either.  Gawker’s recent password debacle is a prime example of what not to do. It is amazing to me that a network that has technically oriented sites like LifeHacker can use such horrible password procedures (DES with 8 char max). Here are the results and some evidence of encryption failures.

If you are going to roll your own password security at least look into a little bit before you develop a million plus user database. Three of the basics everyone should know are:

• Use hashes, not encryption to store your passwords. Also you’ll probably want to use SHA2-512 or SHA3 once it is available. MD5 and SHA1 are both vulnerable to collision based attacks already and it will only get worse as time progresses. In PHP it is as simple as

  hash('sha512', $pswd)

• Salt the passwords before hashing. Salting is adding a “secret” phrase to the password.

   $pswd = "secret".$pswd."phrase";

• Password Complexity Requirements. Passwords like “password” or “password1″ should never be used. You should enforce some type of password complexity requirement on your site that prevents them from being used. Including symbols, numbers, as well as upper and lower case letters with a minimum length of 12 is what I would consider secure.

To create a very basic authentication system using these concepts you would have a user input their password, then append your salt (secret phrase) to it, and last hash the password. This hashed result is stored (if they’re signing up) or compared (if they’re logging in) to the user information stored in the database. There are many other things to consider when developing an authentication system, but those are basics ANYONE should know (except Gawker apparently).

OAuth, the Single Sign On (SSO) of the internet

All of that being said, I support using  OAuth. They may have their weaknesses, but I believe it is the most effective way to create a secure internet infrastructure. One reason I believe so is that it eliminates the convenience problem discussed below. By making it more convenient for users you may be able to encourage them to use more secure passwords. Since you are basically using a SSO for the entire internet, you can create more complex password policies on the SSO and add very little inconvenience which then translate into better security for all the websites involved. It also centralizes the focus of security on the large OAuth suppliers like Google. Eventually we may be able to complete solve the password problem, but until then I think OAuth are a step in the right direction.

Convenience is the enemy of most security. This is really unfortunate because it encourages people to be less secure to regain convenience. Passwords are something everyone has and most people hate. Even I hate when my domain credentials at work need to be changed. Coming up with a decently secure password that you can remember is a pain.  OAuth allow you to only have one painful password instead of many.

Note: OpenID is another similar concept to OAuth that could also work.

Reality

OAuth aren’t widely used yet.

The solution I use involves creating individual passwords for most sites, and a common password for sites I don’t care about. I then store these passwords for recovery purposes in an encrypted database that I can retrieve. Although it might sound complicated to some, it isn’t. It is however inconvenient. You can use programs like KeePass to help you manage and encrypt your passwords if this interests you, but for most it won’t because it is still inconvenient.

Hopefully someone will be touched by this post and understand a little more about password security and the basic concepts surrounding it.

System.Web.HttpException:The Controls collection cannot be modifiedbecause the control contains code blocks (i.e. <% … %>).

It only happened on a couple of pages and the others would load fine which added to the confusion. Honestly, this error made little to no sense when I first saw it, so I did what any resourceful individual would. I googled it. Luckily the first result was the answer to my issue! The fix is to use data binding (<%#)  instead of writing it out (<%=). It is strange, but it resolves the problem. This is the wonderful explanation and solution: http://leedumond.com/blog/the-controls-collection-cannot-be-modified-because-the-control-contains-code-blocks/.

Limitation:

• When you paste over selected text it doesn’t work properly.
• You need the fieldSelection plugin to make this work properly.
• All linebreaks are removed by default, but you can leave them by one of the options.

Reminder:

• You still NEED to deal with tags on the server side (remove them, html encode them, etc). JavaScript can be turned off / bypassed.

Here is the code:

        /*
        * Author: Matt Seigel
        * Name: Strip Tags
        * Version: v2.0.340
        * Relase Date: 9/24/2010
        * Contact: http://brokenbytes.info
        */
        $(document).ready(function () {
            // ***** START OPTIONS ***** //
            // Name of target textarea / input box
            var target = "#txtArea";
            // Boolean indicating wether to remove linebreaks or not
            var removeLinebreaks = true;
            // ****** END OPTIONS ****** //

            // Bind to the thing you want to check for pastes
            $(target).bind('paste', function (e) {
                // Calling Object
                var callingObject = $(this);
                // Get the original text in the target
                var originalText = $(this).val();
                // Get cursor information
                var cursorInfo = $(target).getSelection();
                // Set a very short timeout and set its callback to the function
                // stripping tags, the short timeout allows for the pasted text to be accessable
                setTimeout(function () { stripTags(callingObject, originalText, cursorInfo, removeLinebreaks) }, 1);
            });
        });
        /*
        * callingObject:       Calling object.
        * originalText:        The text inside the textarea before the paste.
        * cursorInfo:          Gets the information about the cursor. (location, etc)
        * removeLinebreaks:    true to remove linebreaks, false to ignore linebreaks
        */
        function stripTags(callingObject, originalText, cursorInfo, removeLinebreaks) {
            // Get the front part of the original text (part before the new text)
            var front = originalText.substring(0, cursorInfo.start);
            // Get the back part of the original text (part after the new text)
            var back = originalText.substring(cursorInfo.end);
            // Get the pasted text out of the new text
            var pasted = callingObject.val().replace(front, "").replace(back, "");
            // Remove tags from the pasted stuff
            pasted = pasted.replace(/(<[^<>]*>)/g, "");
            // Remove newline characters, if we want to.
            if (removeLinebreaks) {
                pasted = pasted.replace(/\n/g, "");
            }
            // Put the new text into the target
            $(callingObject).text(front + pasted + back);
        }

Resources:

• http://mark.koli.ch/2009/09/use-javascript-and-jquery-to-get-user-selected-text.html
• http://w3schools.invisionzone.com/index.php?showtopic=23510
• http://stackoverflow.com/questions/441631/how-to-detect-right-mouse-click-paste-using-javascript
• http://regexpal.com/
• http://plugins.jquery.com/project/fieldselection

Here is my tribute mention

Thank you to the Office of Web and New Media and University Relations at Missouri State University.

// Line 311
function mcecomment_init() {
    global $post;
    if (strpos(strtolower($_SERVER['HTTP_USER_AGENT']), "iphone") === false) {
        $loadJS = false;
        if (is_plugin_page()) {
        $loadJS = true;
        } else if (is_singular()) {
            if (comments_open() && ( !get_option('comment_registration') || is_user_logged_in() )) {
                $loadJS = true;
            }
        }
        if ($loadJS)
        	mcecomment_getInitJS();
    }
}

// Line 350
function mcecomment_loadCoreJS() {
    global $post, $mce_locale;
    if (is_singular() && (strpos(strtolower($_SERVER['HTTP_USER_AGENT']), "iphone") === false))
    {
        if (comments_open() && ( !get_option('comment_registration') || is_user_logged_in() )) {
            wp_enqueue_script('tiny_mce', get_option('siteurl') .
            	'/wp-includes/js/tinymce/tiny_mce.js', false, '20081129');
            wp_enqueue_script('tiny_mce_lang', get_option('siteurl') .
                '/wp-includes/js/tinymce/langs/wp-langs-' . $mce_locale . '.js',
                false, '20081129');
            wp_deregister_script('comment-reply');
            wp_enqueue_script( 'comment-reply', get_option('siteurl') .
                '/wp-content/plugins/' . plugin_basename ( dirname ( __FILE__ ) ) .
                "/comment-reply.dev.js", false, '20090102');
        }
    }
}