Scott Hanselman

How to force all cookies to Secure under ASP.NET 1.1

February 09, 2007 | Posted in ASP.NET

Just a quick tip here. Thanks to John Batdorf for bringing it up. When you've got a site served over HTTPS, marking your cookies as "secure" makes session hijacking harder. The Secure attribute tells the browser to send that cookie only on HTTPS requests, never over plain HTTP. Without it, a user who is issued a cookie over HTTPS and then follows a plain http:// link to the same host sends the cookie in the clear, where anyone with a sniffer on the path can grab it and replay the session. Keep in mind that Secure is a promise the browser keeps, not the server: it does nothing for a cookie that was already sent over HTTP, and it doesn't stop theft through script running in the page, which is what HttpOnly is for.

There are a few ways to do this in ASP.NET 1.1; here's an easy one. Under 2.0 you can set requireSSL="true" in web.config (see below) and avoid this code altogether. For 1.1, add an Application_EndRequest handler to your Global.asax. EndRequest runs after the session state and Forms Authentication modules have added their cookies to the response, so every outgoing cookie is visible there, whichever page or module created it.

This chunk of code is multipurpose, so don't blindly copy-paste. Note that the code also marks the Forms Authentication cookie and the session cookie as HttpOnly, which isn't required for the Secure part. If you have JavaScript DOM code that reads those cookies through document.cookie, you won't want them marked HttpOnly, though script rarely has a legitimate reason to read the session or auth cookie.

// Global.asax (ASP.NET 1.1). ASP.NET wires up Application_* handlers by name,
// so the method must not be marked override (HttpApplication has no virtual
// Application_EndRequest; "override" fails to compile).
protected void Application_EndRequest(Object sender, EventArgs e)
{
    string authCookie = System.Web.Security.FormsAuthentication.FormsCookieName;
    // Enumerating HttpCookieCollection yields the cookie names.
    foreach (string sCookie in Response.Cookies)
    {
        if (sCookie == authCookie || sCookie == "ASP.NET_SessionId")
        {
            if (System.Environment.Version.Major < 2)
            {
                // HttpCookie has no HttpOnly property in 1.x, so smuggle the
                // attribute in through Path. Path defaults to "/", so the header
                // comes out as "path=/;HttpOnly", which browsers read as two attributes.
                Response.Cookies[sCookie].Path += ";HttpOnly";
            }
        }
        // Force every cookie to Secure regardless of web.config settings.
        Response.Cookies[sCookie].Secure = true;
    }
}

The runtime version check is there to prevent doubling up on the HttpOnly attribute: code compiled under 1.1 can run on the 2.0 runtime, and if you've also set httpOnlyCookies to true in web.config the runtime adds HttpOnly itself, so the Path trick would emit it twice. Under 2.0 the whole thing collapses to one element under <system.web>:

<httpCookies httpOnlyCookies="true" requireSSL="true" domain="" />

That makes Secure (and, with httpOnlyCookies="true", HttpOnly) the default for every cookie the application sets. The <forms> element has its own requireSSL attribute, which goes a step further for the auth cookie: with it set, Forms Authentication refuses to issue the ticket on a non-SSL request and ignores the cookie if it arrives over plain HTTP.

If you're using older versions of IIS, make sure you have this hotfix (KB274149) installed so that IIS respects your secure cookies, or better yet, don't serve the site on port 80 at all.
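A way to check the result from the outside, as an added example that is not part of the original post: a small Python audit of Set-Cookie headers. It parses each header into attributes, flags cookies without Secure, flags the session and Forms Authentication cookies (ASP.NET_SessionId and .ASPXAUTH, the default forms cookie name) without HttpOnly, and catches the doubled-up HttpOnly that the version check above guards against. SAMPLE_HEADERS is constructed for the example, not captured from any site; fetch_set_cookie_headers is there for running the same audit against a live server.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes."""
from typing import Dict, List

# Cookies that carry a session: these should be HttpOnly as well as Secure.
# ".ASPXAUTH" is the default Forms Authentication cookie name; ASP.NET_SessionId
# is the session cookie name the Global.asax code above looks for.
SESSION_COOKIE_NAMES = ("ASP.NET_SessionId", ".ASPXAUTH")


def parse_set_cookie(header: str):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased. Each attribute maps to the list of values
    it appeared with ("" for flags such as Secure), so a flag that was emitted
    twice stays visible. The ASP.NET 1.x trick of appending ";HttpOnly" to Path
    yields "path=/;HttpOnly", which splits into two attributes here, just as a
    browser reads it.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, List[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs.setdefault(key.strip().lower(), []).append(val.strip())
    return name.strip(), value.strip(), attrs


def audit_cookies(headers, session_names=SESSION_COOKIE_NAMES):
    """Map each cookie name to the list of problems found with its flags."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        problems = []
        if "secure" not in attrs:
            problems.append("missing Secure")
        http_only_count = len(attrs.get("httponly", []))
        if name in session_names and http_only_count == 0:
            problems.append("missing HttpOnly")
        if http_only_count > 1:
            problems.append("HttpOnly set twice")
        findings[name] = problems
    return findings


def fetch_set_cookie_headers(host, path="/", port=443):
    """Live variant: the Set-Cookie headers one HTTPS GET produces.
    Needs network access; the sample below runs offline instead."""
    import http.client
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        response = conn.getresponse()
        return [v for k, v in response.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    # 1.x style: HttpOnly smuggled in through Path, Secure set by the EndRequest code.
    "ASP.NET_SessionId=5h3mz2kkbpuxzv45zhlv2j55; path=/;HttpOnly; secure",
    # The Path trick running under 2.0 with httpOnlyCookies="true": HttpOnly twice.
    ".ASPXAUTH=2F1C9A0B7E3D4C5A; path=/;HttpOnly; HttpOnly; secure",
    # An application cookie nobody marked Secure.
    "prefs=theme=dark; path=/; expires=Sat, 09-Feb-2008 00:00:00 GMT",
]


if __name__ == "__main__":
    for cookie, problems in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: {', '.join(problems) if problems else 'ok'}")
```

Run it against the sample and the session cookie passes, the auth cookie is reported with HttpOnly twice, and the preferences cookie is reported as missing Secure. Against a real site, call fetch_set_cookie_headers for each page that issues cookies (the login page's POST response in particular), not just the home page.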

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook bluesky subscribe
About   Newsletter
Hosting By
Hosted on Linux using .NET in an Azure App Service

Hanselminutes Podcast 50 - OpenID/Microsoft Announcement

February 08, 2007 | Posted in Identity | Podcast

My fiftieth podcast is up. This one was about the OpenID/Microsoft Announcement and how OpenID will affect Identity 2.0 possibly more than CardSpace, certainly in the short term.

ACTION: Please vote for us on Podcast Alley!

Links from the Show

My OpenID
ZDNET on the Announcement
OpenID Screencast
Historical Background
Notes on Bill Gates' Identity Keynote
OpenID Explained
CardSpace / OpenID Collaboration Announcement
TailRank on OpenID
Identity 1.0
Scott Kveton on CardSpace and OpenID
Integrating OpenID and Infocard - Part 1
OpenID Commentary

Subscribe to my Podcast in iTunes

Do also remember the archives are always up and they have PDF transcripts, a little-known feature that shows up a few weeks after each show.

Our sponsors are /n software and the .NET Dev Journal.

As I've said before, this show comes to you with the audio expertise and stewardship of Carl Franklin. The name comes from Travis Illig, but the goal of the show is simple: avoid wasting the listener's time (and make the commute less boring).

  • The basic MP3 feed is here, and the iPod-friendly one is here. There are a number of other ways you can get it (streaming, straight download, etc.) that are all up on the site just below the fold. I use iTunes, myself, to listen to most podcasts, but I also use FeedDemon and its built-in support.
  • Note that for now, because of bandwidth constraints, the feeds always have just the current show. If you want to get an old show (and because many Podcasting Clients aren't smart enough to not download the file more than once) you can always find them at http://www.hanselminutes.com.
  • I have, and will, also include the enclosures to this feed you're reading, so if you're already subscribed to ComputerZen and you're not interested in cluttering your life with another feed, you have the choice to get the 'cast as well.
  • If there's a topic you'd like to hear, perhaps one that is better spoken than presented on a blog, or a great tool you can't live without, contact me and I'll get it in the queue!

Enjoy. Who knows what'll happen in the next show?


Web 2.0 Explained in Video by Michael Wesch

February 08, 2007 | Posted in Musings

It moves fast, so pay attention, but this is the single best 5-minute explanation of Web 2.0 I've seen. It was created by Michael Wesch, Assistant Professor of Cultural Anthropology at Kansas State University.

It's absolutely worth your five minutes.

I'm personally interested in what your spouses and parents think about it.

Too fast? Too intense? Too many concepts too fast? Or does it open their eyes and help them to "get" Web 2.0?

Dad, what do you think?


KB928388 Breaking Tests with Windows DST TimeZone Patch and Past Dates

February 08, 2007 | Posted in Musings | NUnit | Programming

UPDATE: It appears that what we suspected is true: Windows understands one set of DST rules. Whatever the current DST rules are, they are applied to all dates. This doesn't make sense to me, as that would make the 2005 test below fail also, and it doesn't. More as it comes in.

UPDATE#2: Seems that a new "Dynamic DST" section is added for future OSes, like Vista, for handling future DST time changes. This change will affect all Windows OSes equally; that is, you don't need to custom-code for one OS versus another. If Congress, in its infinite wisdom, decides to change the laws of Time and Space again, Vista and other OSes will require only a registry change, and past time rules will still apply. Thanks to Tim Heuer for helping puzzle through it all.

One of our Architects at Corillian, Paul Gomes, led the team that designed our .NET-based OFX Banking Server. That product happens to have ridiculously good code coverage and a metric-crapload of unit tests. Recently a build server had the Daylight Saving Time (DST) Windows patch KB928388 applied. Immediately an internal date-related test failed.

Paul dug into it and boiled it down to this simplified test that takes a date in March of 2006 and converts it to GMT.

using System;
using System.Globalization;
using NUnit.Framework;

[TestFixture]
public class DSTTest
{
    // Custom format string: ':' and 'M' are escaped so "[0:GMT]" is emitted literally.
    private const string DATEFORMAT = @"yyyyMMddHHmmss.fff[0\:G\MT]";

    public DSTTest() { }

    [Test]
    public void TestDateInThePast()
    {
        // Parsed with Kind = Unspecified, so ToUniversalTime() treats it as the
        // machine's local time (Pacific, UTC-8 in standard time).
        DateTime myDate = DateTime.ParseExact(
            "2006/03/17 11:42:33",
            "yyyy/MM/dd HH:mm:ss",
            CultureInfo.InvariantCulture);
        string myDateAsString = myDate.ToUniversalTime().ToString(
            DATEFORMAT, CultureInfo.InvariantCulture);
        // 11:42:33 PST is 19:42:33 UTC.
        Assert.AreEqual("20060317194233.000[0:GMT]", myDateAsString);
    }
}

The output is interesting. Note that we're comparing strings in this case for clarity.

Output from unit test:

TestCase 'DSTTest.DSTTest.TestDateInThePast'
failed:
String lengths are both 25.
Strings differ at index 9.
expected: <"20060317194233.000[0:GMT]">
but was:  <"20060317184233.000[0:GMT]">
---------------------^
c:\dsttest\dsttest.cs(19,0): at DSTTest.DSTTest.TestDateInThePast()

I first thought that this was no problem and I said to Paul:

Makes sense…that date in your test is inside the DST boundary, so we switch from -8 to -7.  11:00 becomes 18:00, rather than 19:00. We “sprung forward.”

However, Paul reminded me that we were testing a date within 2006! We're testing the 17th of March, 2006, outside of DST. Note the table below. I'd expect that day to be DST for 2007, but not 2006.

Here's where it gets really weird. Let's try the 12th of March, and try dates in 2005, 2006, and 2007. Note that when the time is 02:59:59am on March 12th, 2006, the test succeeds, but it fails at 3am, one second later. Again, note that this is using a date in 2006, when DST started in April.

// More tests in the same DSTTest fixture (same usings and DATEFORMAT as above).
[TestFixture]
public class DSTTest
{
    private const string DATEFORMAT = @"yyyyMMddHHmmss.fff[0\:G\MT]";

    [Test]
    public void TestDateIn2007Succeeds()
    {
        // 2007: DST began March 11, so 03:00 on the 12th is PDT (UTC-7).
        DateTime myDate = DateTime.ParseExact(
            "2007/03/12 03:00:00",
            "yyyy/MM/dd HH:mm:ss",
            CultureInfo.InvariantCulture);
        string myDateAsString = myDate.ToUniversalTime().ToString(
            DATEFORMAT, CultureInfo.InvariantCulture);
        Assert.AreEqual("20070312100000.000[0:GMT]", myDateAsString);
    }

    [Test]
    public void TestDateIn2006Succeeds()
    {
        // One second before the new second-Sunday-in-March boundary: PST (UTC-8).
        DateTime myDate = DateTime.ParseExact(
            "2006/03/12 02:59:59",
            "yyyy/MM/dd HH:mm:ss",
            CultureInfo.InvariantCulture);
        string myDateAsString = myDate.ToUniversalTime().ToString(
            DATEFORMAT, CultureInfo.InvariantCulture);
        Assert.AreEqual("20060312105959.000[0:GMT]", myDateAsString);
    }

    [Test]
    public void TestDateIn2006Fails()
    {
        // Same day at 03:00: a patched machine applies PDT (UTC-7) here even
        // though DST did not begin until April in 2006, so this assertion fails.
        DateTime myDate = DateTime.ParseExact(
            "2006/03/12 03:00:00",
            "yyyy/MM/dd HH:mm:ss",
            CultureInfo.InvariantCulture);
        string myDateAsString = myDate.ToUniversalTime().ToString(
            DATEFORMAT, CultureInfo.InvariantCulture);
        Assert.AreEqual("20060312110000.000[0:GMT]", myDateAsString);
    }

    [Test]
    public void TestDateIn2005Succeeds()
    {
        // The second Sunday of March 2005 is the 13th, so the 12th is PST
        // under the new rule as well as the old one.
        DateTime myDate = DateTime.ParseExact(
            "2005/03/12 03:00:00",
            "yyyy/MM/dd HH:mm:ss",
            CultureInfo.InvariantCulture);
        string myDateAsString = myDate.ToUniversalTime().ToString(
            DATEFORMAT, CultureInfo.InvariantCulture);
        Assert.AreEqual("20050312110000.000[0:GMT]", myDateAsString);
    }
}

What are we missing, dear reader? Is there a problem (bug?) with the registry-based Windows DST Patch?

I'm leaning towards assuming it's us, but I wanted to ask you. It seems that the data points towards this patch not working with dates in 2006. Not a huge deal, but non-trivial,IMHO.
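Modeling what the updates above describe, as an added example that is not from the original post or its authors: the block below implements US Pacific time with two DST policies using only the Python standard library. One picks the rule by year, the way a zone database (or Vista's dynamic DST table) does: first Sunday in April to last Sunday in October through 2006, second Sunday in March to first Sunday in November from 2007. The other applies the 2007 rule to every year, which is what a KB928388-patched XP/2003 box with a single rule set does. Run against the five timestamps from the tests, it reproduces every result above, including the one the first update found puzzling: March 12, 2005 falls before the second Sunday of that March (the 13th), so even the single 2007 rule treats it as standard time and that test passes. The rule dates and the 02:00 transition are the real US rules; treating the skipped 02:xx hour as standard time is an assumption chosen to match the 02:59:59 result in the post.

```python
"""Single-rule versus per-year DST, reproducing the post's test results."""
from datetime import datetime, timedelta, timezone, tzinfo

# ((start month, nth Sunday), (end month, nth Sunday)); -1 means the last Sunday.
RULE_PRE_2007 = ((4, 1), (10, -1))  # first Sunday in April .. last Sunday in October
RULE_2007 = ((3, 2), (11, 1))       # second Sunday in March .. first Sunday in November


def historical_rule(year):
    """Rule actually in force for that year (what a dynamic DST table encodes)."""
    return RULE_2007 if year >= 2007 else RULE_PRE_2007


def static_2007_rule(year):
    """The post-patch rule applied to every year, with no history at all."""
    return RULE_2007


def nth_sunday(year, month, n):
    """Midnight on the n-th Sunday of the month; n == -1 means the last Sunday."""
    if n > 0:
        first = datetime(year, month, 1)
        first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)  # Mon=0 .. Sun=6
        return first_sunday + timedelta(weeks=n - 1)
    last = datetime(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)
    return last - timedelta(days=(last.weekday() + 1) % 7)


class USPacific(tzinfo):
    """US Pacific (UTC-8, plus one hour in summer) with a pluggable per-year DST rule."""
    STANDARD = timedelta(hours=-8)
    SUMMER = timedelta(hours=1)

    def __init__(self, rule_for_year):
        self._rule_for_year = rule_for_year

    def _dst_window(self, year):
        (start_month, start_n), (end_month, end_n) = self._rule_for_year(year)
        # Clocks jump from 02:00 to 03:00 in spring, so 03:00 is the first DST
        # wall time; the skipped 02:xx hour is treated as standard time (an
        # assumption matching the post's 02:59:59 result). In autumn, wall
        # times before 02:00 are still DST; the repeated hour is resolved as DST.
        start = nth_sunday(year, start_month, start_n) + timedelta(hours=3)
        end = nth_sunday(year, end_month, end_n) + timedelta(hours=2)
        return start, end

    def dst(self, dt):
        if dt is None:
            return timedelta(0)
        start, end = self._dst_window(dt.year)
        wall = dt.replace(tzinfo=None)
        return self.SUMMER if start <= wall < end else timedelta(0)

    def utcoffset(self, dt):
        return self.STANDARD + self.dst(dt)

    def tzname(self, dt):
        return "PDT" if self.dst(dt) else "PST"


PACIFIC_HISTORICAL = USPacific(historical_rule)
PACIFIC_PATCHED_STATIC = USPacific(static_2007_rule)


def to_gmt_string(local_text, zone):
    """Mirror the post's tests: parse 'yyyy/MM/dd HH:mm:ss' as Pacific wall time
    and render it in UTC as yyyyMMddHHmmss.fff[0:GMT]."""
    wall = datetime.strptime(local_text, "%Y/%m/%d %H:%M:%S")
    utc = wall.replace(tzinfo=zone).astimezone(timezone.utc)
    return utc.strftime("%Y%m%d%H%M%S") + ".000[0:GMT]"


def convert_both(local_text):
    """(historically correct result, result a single-rule system produces)."""
    return (to_gmt_string(local_text, PACIFIC_HISTORICAL),
            to_gmt_string(local_text, PACIFIC_PATCHED_STATIC))


if __name__ == "__main__":
    for text in ("2006/03/17 11:42:33", "2006/03/12 02:59:59",
                 "2006/03/12 03:00:00", "2007/03/12 03:00:00",
                 "2005/03/12 03:00:00"):
        correct, single = convert_both(text)
        flag = "" if correct == single else "  <-- differs"
        print(f"{text}  historical={correct}  single-rule={single}{flag}")
```

The two March 2006 timestamps after the new boundary are the only ones where the policies disagree, and the single-rule column is exactly what the failing assertions above reported. The same mechanism bites anything that converts stored local timestamps (log files, audit trails, evidence timelines) on a machine whose zone has only one rule set.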

As an aside, and a very slightly related note, Steve Harman had an interesting bug where his unit tests were expecting to see "Tijuana" at the end of his TimeZone's display name. Mexico isn't following our lead (if it could be called a "lead") and changing its DST, so Tijuana isn't in PST proper anymore.


Corillian, CardSpace, and Open ID - Digital Identity is happening

February 06, 2007 | Posted in Corillian | Identity

I totally stole the picture at right from Ashish Jain's blog post on CardSpace/OpenID Integration. It's a great image. Ashish works for PingIdentity and is down at the RSA Conference right now, along with Corillian it turns out. Ping is demonstrating a prototype OpenID IdP server that uses CardSpace for authentication at runtime.

Today JanRain, SXIP, Verisign and Microsoft announced that they'd collaborate on interoperability between OpenID and CardSpace. It's so refreshing to see folks in Web 2.0 getting along so well and moving the ball forward.

While some are surprised that folks are actually getting along, Dare puts it best when he says:

"With OpenID it didn't take as long for us to go through the NIH<->FUD<->Acceptance<->Approval<->Adoption cycle that I've come to expect from my fellow B0rg. It seems we have adapted."

Corillian (my company) was involved in the Identity Press Release today as well with a joint demo between Corillian, Wachovia and Arcot, led on the Corillian side by the tireless Stuart Celarier.

To further enable the vision of secure and easy anywhere access, Microsoft today announced the following product milestones and industry alliances:
...
On the heels of the Windows® CardSpace™ general availability launch in Windows Vista™, Microsoft demonstrated momentum with industry partners that are working to apply this technology to help consumers realize a more confident online experience. This includes the announcement of collaboration on use of Windows CardSpace with the OpenID 2.0 specification. Through the support of the WS-Trust-based Windows CardSpace experience, consumers can take advantage of increased security against phishing attacks without adding complexity to their identity management experience. Also at the conference, Wachovia Corp., Arcot Systems Inc. and Corillian Corp. showcased a proof of concept demonstration using Windows CardSpace to deliver a simpler and safer online banking experience for customers.

We've been looking at Digital Identity 2.0 solutions for at least two years now at Corillian, led in part by our multi-factor authentication product and other identity solutions, all designed to stop phishing. We've integrated our suite with CardSpace, and that's what we're demoing at RSA. OpenID was next on my list. If you're not familiar, OpenID is different from CardSpace; as Kim Cameron explains, it assumes two things:

  1. Every person has a URL to which they lay claim.
  2. Every URL has an identity provider that “speaks for” it.

He summarizes:

"All in all, the closest analogy is to using an email address as an identifier by asking what email address you own, sending you the email, and getting you to click a link showing you own the email.  In this case the relying party depends on the underlying mail system, DNS, and all that.  OpenID replaces email with web URLs.  So it’s a lot more direct."

Digital Identity is getting closer, with InfoCard/CardSpace, OpenID and i-names starting to converge on something very real. Here are some fun links to check out for yourself:

OpenID and CardSpace together are going to cover the maximum number of platforms and the maximum number of browsers, and make the end-user experience (like my Mom's) more secure and easier to use than ever before. I'm stoked that Corillian's involved in the banking back-end side of things with folks like Arcot and Wachovia, and I'm jazzed to be architecting, in a small way, along with my fellow wonks here at Cori, something called Banking 2.0. I'm looking forward to logging into a Corillian bank using OpenID and/or CardSpace. If you're down in SFO at the RSA Conference, go see our InfoCard Banking Demonstration!

Also, one of these days we'll get another DasBlog release that includes Kevin Hammond's good CardSpace work as well as OpenID. It's only a matter of doing it. You can also CardSpace-enable Community Server if you like.


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.