Scott Hanselman

Historical Debugging, Profiling, New Diagnostic Tools in Visual Studio 2015

June 17, '15 Comments [16] Posted in VS2015
Sponsored By

The full range of .NET 2.0 through 4.6 in Visual Studio 2015I've been working with Visual Studio 2015 lately, even for older projects. You can create and edit all kids of .NET app from .NET 2.0 all the way up through .NET 4.6, as well as ASP.NET 5 apps on the Core CLR.

In my case I've been doing some pair programming with Mark Downie on DasBlog, the blog system that runs this blog right here. DasBlog is very old, and used to be very actively developed. The question "is DasBlog dead" is asked a lot, but the answer is really "DasBlog is done." For years it has been very feature-full and feature-complete. However, this blog has been running on .NET 2.0 for years. Mark and I thought it would be nice to upgrade DasBlog to .NET 4.6, so we did. We've also moved DasBlog over to GitHub. You'll find it at http://github.com/shanselman/dasblog.

Now, to be clear, DasBlog was amazing in 2004 and 2008 but it's aging now. Mark and I think that's the fun of it, though. Mark's added Twitter Card and Facebook Open Graph support, and together we've fixed a few oddities and bugs that have popped up in the leap from 2.0 to 4.6. However DasBlog remains idiomatic .NET 2.0 which means it's C# 2.0, and doesn't even make good use of Linq or generics. We're thinking about a few updates, moving the Templating system to RazorEngine, updating to Linq queries, smarter threading for collections, better caching, as well of Mark's ideas around social.

You might think it's weird to use Visual Studio 2015 to work with a .NET 2.0 app, but it's useful to remember that you get to use new Visual Studio features even with older frameworks. One of the most useful new features is the Diagnostic Tools toolbox. It's a boring name for an amazing new part of VS. I'm not sure what they could call it other than Diagnostic Tools, but it's insanely convenient.

Diagnostics Tools in Visual Studio 2015

Often we think of Debugging and Profiling as two separate activities, and honestly, I talk to developers all the time that have never Profiled an app. They know that Profiling exists as a tool and a concept, but for whatever reason they forget about it, don't get around to it, or haven't adopted it as a fundamental part of their daily workflow.

The Diagnostic Tools in Visual Studio 2015 bring in data from a number of sources, Breakpoints, the Debugger, Tracing and Debug out, as well as Intellitrace Events and Historical Debugging (on supported SKUs).

Notice in the screenshot above, I can even see a little tip showing how many milliseconds has elapsed between two breakpoints. It's little features like this that take data that has long been available but not in front of your face. Why dig for it?

You can see how many milliseconds between calls

I can even go back in time with Historical Debugging. See how I can backup and see the state of Local Variables and the Call Stack when I'm at a Breakpoint?

Historical Debugging

If you have a SKU with IntelliTrace, you can get extra info if you'd like to enable Historical Debugging.

IntelliTrace

See how I've got Memory and CPU graphs, and I didn't have to do anything? This pops up automatically when Debugging:

Diagnostic Tools gives you all these lovely charts

I can take Memory Snapshots, go to the next Breakpoint, take another and compare!

Memory Snapshots

If you've got Visual Studio 2015 and haven't started using these tools, I'd suggest you start exploring. They're useful enough that they've got me using VS2015 RC for all my projects, even older .NET 2.0 ones.

NOTE: Remember that Visual Studio Community is free for Open Source projects, and supports extensions! http://www.visualstudio.com/free

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by ORCS Web

Visual Studio Web Development Tip - Add Chrome Incognito Mode as a Browser

June 17, '15 Comments [37] Posted in VS2015
Sponsored By

Here's a little Visual Studio web development tip that I've been using lately. You know how Visual Studio picks up your installed browsers and has them available as a dropdown list?

List of Browsers in Visual Studio

I found it very useful when debugging to add Google Chrome's Incognito Mode as a browser of its own.

Pull down the chevron and click Browse With...

Browse With Menu

Add Chrome from either it's standard or user location:

  • System: C:\Program Files (x86)\Google\Chrome\Application\
  • User: C:\Users\UserName\AppData\Local\Google\Chrome\Application

Then add --incognito as command line switch and name the browser something like "Google Chrome - Incognito."

You can do the same thing with Firefox and Internet Explorer.

Here I'm adding Internet Explorer with the -private option.

Internet Explorer Private mode

This is a useful thing for developers if you're doing anything with cookies or caching and you've found yourself clearing the cache or browser history a lot.

Added Internet Explorer Private Mode to Visual Studio

Question for you dear Reader - Is this a feature you would want by default? Would you want not just every browser added, but also the Private Mode for each as well?

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by ORCS Web

Software and Saving Babies

June 10, '15 Comments [56] Posted in Musings
Sponsored By

I used to have a saying to put things into perspecive when things were getting really crazy at work and we were freaking out over the Daily Crisis:

Breathe. It's just software, we're not saving babies here.

Now, to be clear, if you ARE saving babies or working on software that does, for crying out loud, don't breathe and make sure you've got unit tests!

Baby Squirrel by Flickr User Audreyjm529 used under CC

But for the majority of us, we're not saving babies. We're not writing Mars Rover code. We're making insurance systems, shopping carts, the next Facebook or Uber, or just doing CRUD. Perspective helps. Sometimes you just need to go for a walk, take a vacation, or well, quit. You've got your health, family, and little else.

His father asked Ethan in a raspy voice, "You spend time with your son?"

"Much as I can," he’d answered, but his father had caught the lie in his eyes.

"It’ll be your loss, Ethan. Day'll come, when he’s grown and it’s too late, that you'd give a kingdom to go back and spend a single hour with your son as a boy. To hold him. Read a book to him. Throw a ball with a person in whose eyes you can do no wrong. He doesn't see your failings yet. He looks at you with pure love and it won't last, so you revel in it while it's here."

Ethan thinks often of that conversation, mostly when he's lying awake in bed at night and everyone else is asleep, and his life screaming past at the speed of light—the weight of bills and the future and his prior failings and all these moments he's missing—all the lost joy—perched like a boulder on his chest.

- Pines (The Wayward Pines Trilogy, Book 1)

It's cliché, sure, but sometimes clichés need to be said more. Wisdom is the comb you get when you hair is gone, right?

There's a post on Hacker News today called "I quit the tech industry" that you should read. The TL;DR is that working in software for money just wasn't working for this person. It wasn't feeding their spirit, so now they're going to try to make something else work. What a challenging decision it must have been, but at the same time, if something isn't working, why keep doing it? Perhaps it's burnout, but perhaps it's something else. More power to this person for taking care of themselves, and I wish them all the best.

How do you avoid burnout? How do you stay passionate? Sound off in the comments.

* Baby Squirrel by Flickr User Audreyjm529 used under CC

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by ORCS Web

How to enable HTTP Strict Transport Security (HSTS) in IIS7+

June 6, '15 Comments [17] Posted in IIS
Sponsored By

I got a report of a strange redirect loop on a website I (inherited, but help) manage. The reports were only from Chrome and Firefox users and just started suddenly last week, but the code on this site hadn't changed in at least 3 years, maybe longer.

Chrome shows an error "this webpage has a redirect loop"

What's going on here? Well, it's a redirect loop, LOL. But what KIND of redirects?

We know about these redirects, right?

  • 302 - Object Moved - Look over here at THIS URL!
  • 301 - Moved Permanently - NEVER COME HERE AGAIN. Go over to THIS URL!

A redirect loop builds up in the Chrome Developer Tools

But there's another kind of redirect.

  • 307 - Internal Redirect or "Redirect with method" - Someone told me earlier to go over HERE so I'm going to go there without talking to the server. Imma redirect myself and keeping using the same VERB. That means you can redirect a POST without the extra insecure back and forth.

A 307 Internal Redirect

Note the reason for the 307! HSTS. What's that?

HSTS: Strict Transport Security

HSTS is a way to keep you from inadvertently switching AWAY from SSL once you've visited a site via HTTPS. For example, you'd hate to go to your bank via HTTPS, confirm that you're secure and go about your business only to notice that at some point you're on an insecure HTTP URL. How did THAT happen, you'd ask yourself.

But didn't we write a bunch of code back in the day to force HTTPS?

Sure, but this still required that we ask the server where to go at least once, over HTTP...and every subsequent time, user keeps going to an insecure page and then redirecting.

HSTS is a way of saying "seriously, stay on HTTPS for this amount of time (like weeks). If anyone says otherwise, do an Internal Redirect and be secure anyway."

Some websites and blogs say that to implement this in IIS7+ you should just add the CustomHeader require for HSTS like this in your web.config. This is NOT correct:

<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Strict-Transport-Security" value="max-age=31536000"/>
</customHeaders>
</httpProtocol>
</system.webServer>

This isn't technically to spec. The problem here is that you're sending the header ALWAYS even when you're not under HTTPS.

The HSTS (RFC6797) spec says

An HTTP host declares itself an HSTS Host by issuing to UAs (User Agents) an HSTS Policy, which is represented by and conveyed via the
Strict-Transport-Security HTTP response header field over secure transport (e.g., TLS).

You shouldn't send Strict-Transport-Security over HTTP, just HTTPS. Send it when they can trust you.

Instead, redirect folks to a secure version of your canonical URL, then send Strict-Transport-Security. Here is a great answer on StackOverflow from Doug Wilson.

Note the first rule directs to a secure location from insecure one. The second one adds the HTTP header for Strict-Transport-Security. The only thing I might change would be to formally canonicalize the www. prefix versus a naked domain.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
redirectType="Permanent" />
</rule>
</rules>
<outboundRules>
<rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
<match serverVariable="RESPONSE_Strict_Transport_Security"
pattern=".*" />
<conditions>
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<action type="Rewrite" value="max-age=31536000" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>

Note also that HTTP Strict Transport Security is coming to IE and Microsoft Edge as well, so it's an important piece of technology to understand.

What was happening with my old (inherited) website? Well, someone years ago wanted to make sure a specific endpoint/page on the site was served under HTTPS, so they wrote some code to do just that. No problem, right? Turns out they also added an else that effectively forced everyone to HTTP, rather than just using the current/inherited protocol.

This was a problem when Strict-Transport-Security was turned on at the root level for the entire domain. Now folks would show up on the site and get this interaction:

  • GET http://foo/web
  • 301 to http://foo/web/ (canonical ending slash)
  • 307 to https://foo/web/ (redirect with method, in other words, internally redirect to secure and keep using the same verb (GET or POST))
  • 301 to http://foo/web (internal else that was dumb and legacy)
  • rinse, repeat

What's the lesson here? A configuration change that turned this feature on at the domain level of course affected all sub-directories and apps, including our legacy one. Our legacy app wasn't ready.

Be sure to implement HTTP Strict Transport Security (HSTS) on all your sites, but be sure to test and KNOW YOUR REDIRECTS.

Related Links

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by ORCS Web

What's the deal with Windows 10 for the Non-Technical Friend

June 4, '15 Comments [49] Posted in Win10
Sponsored By

The calls are starting to come in, as I, like you, Dear Reader, am the head of IT Support for my friends and family. You'd think my cell phone was an IT helpline, and my email is filled with Word documents with pasted in screenshots along with subject lines like "Is this safe?!?!?"

Anyway, Window 10 is coming soon, and this little icon (the Windows icon) is stating to show up in folks' taskbars. For the techies, it's called GWX (Get Windows 10) and it's there to prep your machine and possible download Windows 10 if you want to reserve a spot. It's added by KB3035583.

image

If you click it, you'll get this screen where you can add your email and when July comes around your system will start downloading Windows 10 automatically.

You may also see this in Windows Update if you run Windows Update manually as I do.

Windows 10 is coming soon

You get to decide when you want to install it, it's not automatic.

Free Upgrade to Windows 10

The important part you and your non-technical friend should know and explore is the "Check your PC" section. Click the "hamburger" menu in the upper left corner, then click "Check your PC." Here's mine. Looks like I need to update or uninstall one program that isn't yet compatible, but my devices (video, usb stuff, etc) are cool.

Windows 10 will work on this PC

There's a great FAQ (Frequently Asked Questions) on Windows 10 here that you should check out.

Here's my personal translation/take on the most important parts:

  • Windows 10 upgrades start July 29th and you can choose to upgrade for free until July 29, 2016 so no rush. If you want wait and see, you can.
  • The upgrade is free for that period (July 29th 2015 until 2016, a year later). Upgrading after July 29th, 2016 will cost something.
  • You can upgrade machines running 7 and 8.1.
  • You machine should have these specs, which are pretty low and reasonable. Most anyone with a running PC can upgrade.
  • Yes, Solitaire and Minesweeper and Hearts will be removed BUT you can download the new versions of Solitaire and Minesweeper free in the Windows Store. They are pretty nice versions.
  • You'll move to either Windows 10 Home or Windows 10 Pro, according to this table:
    What Windows 10 version will I get?
  • You apps will keep running. I'm running all sorts of apps, many quite old, on Windows 10 and I have had no issue. The Compatibility Wizard still exists, though, so you can "lie" to really old apps and tell them they are running on Windows 95, or whatever. Just right-click the App that isn't working and click "Troubleshoot Compatibility," or right-click, Properties, then Compatibility. I haven't had to do this myself, yet, so consider this a rare thing.

So far it's been pretty interesting and I think that if non-technical friend liked Windows 7 and tolerated Windows 8 that they will like Windows 10. I've been doing "Windows 10 Build to Build" upgrade videos over at my YouTube and I would love it if you'd subscribe to my YouTube as well.

It's amazing that Windows 7 users and Windows 8 users will all be able to upgrade and come forward to a single version of Windows. As a developer (both web and apps) it'll be nice to have people on an "evergreen" Windows where I can do things like Feature Detection and not think as much about versioning.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by ORCS Web

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.