If you want to read one book about Asp.Net security, read OWASP Top 10 for .NET developer by Troy Hunt

                There’s a harsh reality web application developers need to face up to; we don’t do security very well. A report from WhiteHat Security last year reported “83% of websites have had a high, critical or urgent issue”. That is, quite simply, a staggeringly high number and it’s only once you start to delve into to depths of web security that you begin to understand just how easy it is to inadvertently produce vulnerable code.

Error Message:

Could not find any resources appropriate for the specified culture or the neutral culture.  Make sure "AjaxControlToolkit.Properties.Resources.NET4.resources" was correctly embedded or linked into assembly "AjaxControlToolkit" at compile time, or that all the satellite assemblies required are loadable and fully signed.

Reason:

AjaxControlToolkit’s control load reference refers to the base System.Web.UI.Control method which is present as a part of the ASP.NET AJAX Libraries and those libraries are referenced only when the ScriptManager is referenced in the page.

Solution:

Add ScriptManager in the page and this error would be resolved.

            <asp:ScriptManager ID="ScriptManager1" runat="server">
            </asp:ScriptManager>

This diagram shows the high-level architecture of PerformancePoint Services in Microsoft SharePoint Server 2010 Enterprise. (From MSDN Sharepoint Blog)

• 260 Unicode (UTF-16) code units – the characters in a full file path, not including a domain/server name.
• 256 Unicode (UTF-16) code units – the characters in a full folder path, not including the file name and the domain/server name.
• 128 Unicode (UTF-16) code units - characters in a path component, that is, a file or folder name.
• 260 Unicode (UTF-16) code units – the characters in a full path, including a domain/server name for use with Office clients.
• 256 Unicode (UTF-16) code units – the characters in a full path including the domain/server name, for use with Active X controls.

The above limitations apply to the total length of the URL path to a folder or a file in SharePoint Foundation 2010 but not to the length of any parameters. Also, these limitations apply only to un-encoded URLs, not to encoded URLs. There is no limit to encoded URLs in SharePoint Foundation 2010

Reference: http://technet.microsoft.com/en-us/library/ff919562.aspx

Problem:

Last week I came across this bug (?) with AsyncFileUpload control in updatepanel. The control is not firing OnUploadedComplete server side event when it’s in updatepanel.

Solution:

After doing some research on this issue, came across these solutions.

1)     Add another AsyncFileUpload control on the page and set its’ style to display:none; 

<div style="display: none;">

  <cc1:AsyncFileUpload ID="AsyncFileUpload1" runat="server" />

</div>

2)     Another workaround is to add the following attributes to the <form> tag of the page..

enctype="multipart/form-data" method="post"

Both the solutions are working fine.

Thanks to obout_teo and MikeMelendez of Asp.Net forums

Symptoms:

After you enter credentials on SharePoint site login prompt, you will be thrown the login prompt repeatedly despite providing the right credentials.

Cause:

This issue occurs with default security settings of IE7 in windows server environment. The settings include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails.

It can also happen for users that are behind a secured network and browser settings are controlled by administrator.

Solution:

To work-around this problem, users need to turn off Integrated Windows Authentication in Internet Explorer.

1. In Internet Explorer, click on the Tools button, then choose Internet Options
2. Click on the advanced tab
3. Clear the Enable Integrated Windows Authentication option (In Security section) and Click “OK”
4. Close and restart Internet Explorer.

If the problem persists, you may need to manually add the team Web site to the list of trusted intranet sites. To do this, complete the following steps:

1. On the Internet Explorer toolbar, click Tools, and then click Internet Options.
2. In the Internet Options dialog box, click the Security tab, and then select Local intranet.
3. Click Sites, and then click Advanced.
4. Type the URL of the team Web site in the Add this Web site to the zone box, click Add, and then click OK.

When button is disabled, it’s not-clickable in all browsers. However in Firefox and Chrome, the button looks enabled, though the user cannot click it.

Reason:

From W3Scholl, "Enabled" Property isn't standard property of XHTML 4.

Solution:

You can modify the way they look with CSS

button[disabled] { 
 color:Grey;
/* Add other  styles here for disable button */ 
} 

Enable Developer Dashboard via stsadm :

stsadm -o setproperty -pn developer-dashboard -pv ondemand

To disable Developer Dashboard:

stsadm -o setproperty -pn developer-dashboard -pv off

Here is a quick & dirty trick to alert users on session timeout. This is not a perfect solution. But it will give reader an idea to work on...

Some facts before we start:

Session doesn't end

• When the user closes his browser
• When the user navigates away from your page
• When user connection lost.

Session ends, when the server hasn't gotten a request from the user in a specific time (Session timeout value).

In this solution, I am using ajaxtoolkit’s modalpopupextender control to alert user about expiring session.

Each time a page is rendered back to the client, I am injecting JavaScript that will show modalpopup two minutes before session timeout. I am passing the session expiry value to the client side java script. This will execute a countdown, and at the end display the Popup.

I added modalpopupextender to the page and set its target control id to a panel. That panel contains alert message and two buttons.

The Page_Load code looks like this.

I added two java script functions, one for showing alert message and second one is for hiding that message.

Here are javascript functions

That’s it. Run the application and it will check 2 minutes before the timeout and provide user the option to "slide" the session. If user clicks “OK” it will refresh page, which in turn will slide the session. If user clicks “Cancel” the popup will hide.

You can improve this code on each step. Like for example, to renew session you don’t have to refresh the page. You can just call web service from client side etc.

If you have any questions, leave a comment.

How to capture logoff time when user closes browser?

Or

How to end user session when browser closed?

These are some of the frequently asked questions in asp.net forums.

In this post I'll show you how to do this when you're building an ASP.NET web application.

Before we start, one fact:

There is no full-proof technique to catch the browser close event for 100% of time. The trouble lies in the stateless nature of HTTP. The Web server is out of the picture as soon as it finishes sending the page content to the client. After that, all you can rely on is a client side script. Unfortunately, there is no reliable client side event for browser close.

Solution:

The first thing you need to do is create the web service. I've added web service and named it AsynchronousSave.asmx. 

Make this web service accessible from Script, by setting class qualified with the ScriptServiceAttribute attribute... 

Add a method (SaveLogOffTime) marked with [WebMethod] attribute. This method simply accepts UserId as a string variable and writes that value and logoff time to text file. But you can pass as many variables as required. You can then use this information for many purposes.

To end user session, you can just call Session.Abandon() in the above web method.

To enable web service to be called from page’s client side code, add script manager to page. Here i am adding to SessionTest.aspx page

When the user closes the browser, onbeforeunload event fires on the client side. Our final step is adding a java script function to that event, which makes web service calls. The code is simple but effective

My Code

HTML:( SessionTest.aspx )

C#:( SessionTest.aspx.cs )

That’s’ it. Run the application and after browser close, open the text file to see the log off time.

The above code works well in IE 7/8. If you have any questions, leave a comment.