Tuesday, 27 December 2011

Best Practices of ASP.Net

 I always want a cheat sheet that has a best practices written in a classified manner so it will be easy to remember and also easy to refer. 

Below table for Best Practices of ASP.Net solves that problem. All the details given below are very SHORT and mostly solves PERFORMANCE issues. If you want to read about why the best practices should be followed, just type in the Google bar whatever it is written in the table with asp.net text concatenated. You can find why the particular best practices need to be followed. It is actually for people who have already worked in asp.net and they need a cheat sheet to remember when they are attending interview or reviewing code.


Level
DO's and Don’t's
.Aspx Level


Disable Session State if not needed

Disable View State if not needed, e.g.:- static page

Use Lesser Web Controls, try normal HTML Controls if possible

Scripts should be placed at the end of page, Scripts hinders loading

Try removing scripts from aspx page to separate JS file

Try removing styles from aspx page to separate Stylesheet file


.CS Level


Use Server.Transfer instead of Response.Redirect wherever possible

Use String builder instead of String concatenation using '+'

Handle exception in previous layer do not through till presentation layer

Use IsPostBack always in Page_Load and wherever possible

Always use Arraylist instead of Array

Use Page.IsValid for validating the whole page

Cache object if it is frequently used

Design using Value types.

Use ASCII Format instead of UTF

Use Format() instead of toString()

Remove unnecessary looping inside code

Check all loops. Identify any code that needs to be
outside loop and remove from the loop


Config Level


Disable Tracing in production environment

Set Debug = false in compilation tag


JS & Stylesheet


Remove scripts or Stylesheet that are never used from the respective files




Talk to you soon

IMPORTANT: Leave a comment to share what you learned, and hit the “like” button to let others know about it (make sure you’re logged into Facebook to like and comment).


Monday, 19 December 2011

Why DLL's Should be Signed




Ever been in a project where you are asked to create Strong Name for DLL and you created a Strong Name for one project and the compiling project solution started giving you weird compilation errors. I have been there many times. When facing those issues I had some questions that crossed my mind.  

·        What is Strong Name?
·        What is significance of a Strong Name?
·        Why we need strong name? Do all DLL's need strong names to be created?
·        What happens actually when Strong Name is created
·        How Strong Name is used in real time scenario?

Basics before Deep Dive

           Before deep dive let us brush through following basics. We will look into following
1.      Assembly
2.      Encryption
3.      Hashing
4.      Digital Signatures

Assembly 

        Assembly is a compiled code library used for Deployment, Security and Versioning. EXE and DLL are different type of assembly. It consists of Name, Culture, Version and Public key token.

Encryption

            Encryption is a process of converting information into unreadable using an algorithm and unreadable information can only be converted to readable format using special information called as key.

   They are of two types
a)     Symmetric Cryptography
b)     Asymmetric Cryptography
Let us concentrate only on Asymmetric cryptography since the symmetric cryptography is flat straight forward cryptography.

Asymmetric cryptography provides a very secure mechanism for encrypting and decrypting data, due to its use of a pair of keys called the private and public keys.

Private Key should never be passed to another entity.
 Public key is opposite it should be passed.

The private key is held by one entity and securely locked down. It should never be passed to another entity. The public key is the opposite; you can give the public key to anyone who requests it.


Let us consider an analogy, Gates and Steve wants to communicate with each other. They choose the Asymmetric way. Gates send an open box with automatic numeric padlock. This numeric padlock can be closed automatic but it needs key to open.

Open Box = Public Key
Numeric padlock key = Private Key


Open box is considered as public key where everyone can be aware of them. Steve places the message and closes the automatic open numeric padlock box. Here the key that is used to open the box is the private key.

Hashing

       What if the data is changed after the data is placed in the box (Even box along with content). To avoid the change of data after or before encryption, we use the process called hashing. A Cryptographic hashing function will take a block of data of arbitrary size and returns a fixed size of binary data known as Hash value. If you change the original block of data in any way, the calculated hash value changes. If a single bit is changed in the original data, at least fifty percent of the calculated hash value’s bits change. If the data has not changed and you calculate the hash value over and over, the hash value will be the same. If you copy the data and calculate its hash value, it’ll be the same.

Digital Signatures

A digital signature proves that a message hasn’t been modified and proves the identity of its author.

Combination of Asymmetric encryption and Hashing

This is an essential combination of two topics that have been already covered in this topic: asymmetric encryption using the private key, and hashing. A digital signature is created by calculating a hash of data, followed by encrypting the hash, with a private asymmetric encryption key.

Deep Dive is over guys let’s go back to surface to discuss about what we are really for.

What is Strong Name?

        Strong Name is Technology used to uniquely identify Assemblies. It consists of Name, Version Number, Culture, Public key token and Digital signature.

What is Significance of a Strong Name?

           Strong Name solves two purposes. 

1.      Versioning  
2.      Authentication.

Versioning solves the problem called “DLL Hell”. Since it is technology to uniquely identify assembly, the same DLL name can exist in same folder (GAC) with different version number.
Authentication, the process we want to ensure ourselves the origin of the code. This is solved since we sign the assembly, which solves the authentication issues.


Why we need Strong Name? Do all DLL's need Strong Names to be created?


As we have discussed the Strong Name solves the purpose of versioning and authentication, the Shared or public assembly when signed with Strong Name it can be published in GAC (Global Assembly Cache). Any one who uses our assembly can be sure that they are using correct version and assembly which is not modified by external sources.

Strong Name signing is only for Shared or Public Assembly

Strong Name signing is only for shared or public Assembly. We don’t need to sign the assembly with Strong Name if we are only using assembly in our own executables.

What happens actually when Strong Name is created? How it is used in real time scenario
                   Let’s separate the process of creation and utilization of strong Name. When you add a strong name to a library the compiler creates a hash over most of the assembly. The hash is encrypted with the publisher's private key to form the strong name signature. The strong name signature and the public key are then placed in the assembly.
  Compiler stores the full name of the signed assembly into the assembly it is creating

When you tell the compiler that you will use a strong named assembly, the compiler stores the full name of the signed assembly into the assembly it is creating. This is reason why two DLL with same name can exist in GAC Folder The full name includes the public key, and because this is large, the runtime uses part of the hash of the public key, called the public key token.









When .NET loads the referenced assembly it verifies that the assembly has specified the public key, and of course, it can do this by extracting the public key and hashing it to be able to extract the public key token. It also needs to verify the public key, and it can do this by generating the hash of the referenced assembly. The strong name signature is this hash encrypted with the private key, so only the correct public key can decrypt it.

 Thus the runtime extracts the strong name signature decrypts it with the public key and if the result does not agree with the hash it generated the runtime will not load the assembly.

Now we had close look at the DLL signing process with basic included. Hope this will be helpful even for people who are new to Encryption.



IMPORTANT: Leave a comment to share what you learned, and hit the “like” button to let others know about it (make sure you’re logged into Facebook to like and comment).

       




Understand and Implement Roles Vs Claims Based authentication in MVC Web API

In this blog, you will learn on how to Implement Roles and claims based authentication. You will also understand what is the difference b...