Code Project
A

AnalogNerd

@AnalogNerd
About
Posts
79
Topics
20
Shares
0
Groups
0
Followers
0
Following
0

Posts


  • Web acceleration protocol nears completion
    A AnalogNerd

    I got lucky and got waved through the PreCheck (I refuse to type it with the cute check mark) line when it was first starting. You can leave your shoes on, your laptop can stay in your bag, and I think liquids can stay in your bag too, but I could be wrong on that one as I make it a point to not have any liquids in my carry on. It was nice, but I wouldn't pay for it. Maybe if I travelled every week and it was more widespread.

    The Insider News com performance

  • Quality of Code Project diminishing
    A AnalogNerd

    I will second this. I have only submitted one article and when I did I went through what seemed like heavy moderation. I really didn't know what I was doing, so it came back more than once with suggestions which I was happy to implement as they made the article not only look better, but higher quality. Since then though I have seen multiple articles that are worse than my first draft ever was, but still somehow made it through. Consistent rules and moderation are really needed for everyone, whether it is your first article or your 1,000th. As for ads. I'm with the people who said "CP has ads?". I can't say I noticed them at all. I'm not on here a ton, I log on every morning check the Insider News and read through the article headlines, but that's about it unless I'm researching something. Keep up the good work, Chris and team! The site is great.

    The Lounge help

  • Using seawater to create jet fuel
    A AnalogNerd

    I clearly need more sleep. I read that headline as "Using sweater to create jet fuel" :sigh: That would certainly have been magic.

    The Insider News com

  • Progvember
    A AnalogNerd

    Is anyone here signing up for Progvember? The idea, for those who don't know, is to challenge yourself in November to complete a project you've been putting off forever. http://progvember.com/ Also, what is it with November being the month for weird things? Movember, National Novel Writing Month, now Progvember?

    The Lounge question com

  • Angular/Backbone/Knockout Security Question
    A AnalogNerd

    I am missing something with these frameworks. They seem pretty cool for some things, but how do you secure the REST service? With these frameworks you have the URLs for your REST service sitting in JavaScript code on the client, in theory anyone could check the URL for your call to, say, change your password. How do you secure the service so that I can't check the URL and just try to call the REST service directly and affect other users? A GUID user ID that is passed in might help, but is this the best/only method for securing your REST service from a client?

    JavaScript javascript question security json help

  • Hangman...
    A AnalogNerd

    OriginalGriff wrote:

    The dealers' tactics with CM are different though: free (very high quality) tasters to get you hooked, then hike the price to gouge you when you need the stuff. Since it is apparently seriously addictive, it doesn't take much to build up a "clientele" apparently.

    I don't care how much of any kind of drug I know or don't know of you offer me for free, I'm not taking it. So because someone offered it to you for free and you took it and are now hooked, you can't really blame that person 100%.

    The Soapbox wcf com xml discussion announcement

  • Script running multiple times
    A AnalogNerd

    I have a jQuery script that is listening for keydown on a textbox, like so:

    $(document).ready(function () {
        $("#result").on('keypress', function (e) {
            ...
        });
    });

    My problem is that I have written this for a site architected and hosted by a 3rd party. This site allows you to move modules around the page if you wish. When my module is moved (sometimes! not all the time) it appears as if the page creates more instances of my code. As a result the code in the keydown function fires multiple times. A few things: 1. I put an alert in the document.ready and can see it pop up multiple times, so I know the page is loading more instances of my JavaScript. 2. When looking in the debugger in IE or Firefox I can't find more than one instance of the script, but a breakpoint on the one I can find will be caught only once. Whereas the code does run multiple times. Again, an alert in the function can be seen multiple times. I've tried unbinding events from my textbox before binding, but it doesn't work. Does anyone have any ideas of how I can prevent my code from being instantiated or triggered multiple times?

    JavaScript debugging javascript wpf wcf tools

  • I just want to be really really sure
    A AnalogNerd

    The cnt is because this was inside a for loop. Perhaps whoever coded it thought the code could lie the first two times you ask if a value is empty, but not a third. Looking at the HTML I think they meant to find two other controls and add them to the IF statement, but never got around to it. *sigh*

    The Weird and The Wonderful csharp

  • I just want to be really really sure
    A AnalogNerd

    I just found this wonderful tidbit in a .NET app I'm supporting.

    TextBox tbRoute = (TextBox)FindControl("ChkRoute" + cnt.ToString());

    if ((tbRoute.Text != "") && (tbRoute.Text != "") && (tbRoute.Text != "")) {

    ...

    }

    The Weird and The Wonderful csharp

  • Ban Guns
    A AnalogNerd

    I agree that any given law will never 100% solve a problem. But either you think laws help when dealing with a problem, or you think all laws should be thrown out. In general when this type of argument comes up it tends to be because the person doesn't want that law because it will impact their life or apply to them in some way. For (ridiculous) example, a person might be fine with a law restricting the purchase of high end sports cars, but that's fine because they don't own nor want one. That person might completely rebel against a law saying you can't put a sweater on your dog, and it turns out they own 3 dogs and 300 dog sweaters. By and large we're a society of laws. They don't solve crime, but they do outline what we think is acceptable as a society. That's the real purpose of laws isn't it? Defining the currently acceptable norms and moral boundaries of a culture. The criminals will break them, and in theory, get punished for doing so. But it amounts to "do we think it is ok for a drunk person to drive?" No? Then make it against the law.

    The Back Room question

  • Ban Guns
    A AnalogNerd

    Quote:

    Banning guns is like saying do not fart, if someone wants to, it will happen.

    Gun control arguments aside, this kind of logic in any argument always baffles me. Speed limits are dumb, if someone wants to speed they will. There's no reason for a law against drinking and driving, if someone wants to do it they will. Murder shouldn't be illegal, if someone wants to kill another person they will. It's pointless to make littering against the law, I see people throw stuff out of their car all the time. Just because people are willing to break a law doesn't negate the reason for, or the validity of, the law.

    The Back Room question

  • Retrieve JSON Data from HttpRequestMessage
    A AnalogNerd

    I'm doing a post to a WebAPI that passes a JSON object. Here's how the Post is set up:

    var jsonContent = new JavaScriptSerializer().Serialize(myObject);
    var request = (HttpWebRequest)WebRequest.Create(apiUrl);
    request.Date = dateOffset.DateTime;
    request.Method = method;
    // Write the serialized JSON into the request body
    using (var streamWriter = new StreamWriter(request.GetRequestStream()))
    {
        streamWriter.Write(jsonContent);
        streamWriter.Flush();
        streamWriter.Close();
    }

    In my WebAPI I have an attribute on my controller that inherits from ActionFilterAttribute. This serves to do some authentication and security checks before the controller is called. Ideally I'd like to retrieve the JSON string from the Request, but I can't figure out how. I tried this, but it didn't work:

    var contentTask = actionContext.Request.Content.ReadAsStringAsync();
    contentTask.Wait();
    var jsonContent = contentTask.Result;

    However, the content is always empty. What am I doing wrong? EDIT: For what it is worth, if I comment out this problematic code and let the call go on to my controller, the object is passed in and deserialized just fine.

    ASP.NET security json question

  • IndexOf Question
    A AnalogNerd

    I owe you a beer! Thank you!

    C# question csharp visual-studio

  • IndexOf Question
    A AnalogNerd

    Unfortunately I don't always know which node the password will be in which is why I went with treating it as a string.

    C# question csharp visual-studio

  • IndexOf Question
    A AnalogNerd

    I just ran into a real headscratcher. I have code that does the following:

    var textReader = new StreamReader(path + "\\\\web.config");
    var fileContents = textReader.ReadToEnd();
    if (fileContents.IndexOf(oldPwd, StringComparison.Ordinal) == -1)
    {
        Log("Old Password Not Found.", 0);
    }
    else
    {
        Log("Replacing old password", 1);
        fileContents = fileContents.Replace(oldPwd, newPwd);
    }
    

    What I've found is that if the oldPwd contains ^ then things get weird. 1. If the old password ends in a ^, e.g. 123^ then the IndexOf works, but the Replace will keep the ^ intact. So, with oldPwd = 123^ and newPwd = 456 then Replace will leave the file looking like 456^ 2. If the old password has a ^ in the middle of it then IndexOf will return a -1. I'm baffled to be honest and not sure if it has to do with how I'm reading the file in or what. But I tried this on an online compiler and it worked just fine. So it has to be me, right? EDIT: I also tried it in my code with hard coded strings and it behaves just fine:

    var mystring = "this is a password 123^ yeah";
    Console.WriteLine("Did it find it: " + mystring.IndexOf("123^", StringComparison.Ordinal).ToString());
    Console.WriteLine("Did it replace it: " + mystring.Replace("123^", "456"));
    mystring = "this is a password 123^456 yeah";
    Console.WriteLine("Did it find it: " + mystring.IndexOf("123^456", StringComparison.Ordinal).ToString());
    Console.WriteLine("Did it replace it: " + mystring.Replace("123^456", "abcdefg"));
    

    FURTHER EDIT: Apparently if I run this through Visual Studio and step through the code it works fine. When I compile the code and run it from the command prompt it exhibits the behavior I outlined above.

    C# question csharp visual-studio

  • Thanks for the advice
    A AnalogNerd

    Good perspective, thanks. The Soapbox says it is for rants, or complaining about someone. This was a little bit of both.

    The Soapbox database css design security cryptography

  • Thanks for the advice
    A AnalogNerd

    I've rewritten 4 of the legacy apps in my "spare time" and the old ones are now gone, as well as a few superfluous web services these apps relied on for no good reason. I've got 5 more to go. In 10 years maybe I'll be the person someone is coming on CP to complain about the (then) legacy apps that I wrote :-D

    The Soapbox database css design security cryptography

  • Thanks for the advice
    A AnalogNerd

    I am all for a security review and suggestions to make anything I'm coding more secure. Sometimes it's just hard to ignore that the person doing the security review never really bothered with it when he was coding.

    The Soapbox database css design security cryptography

  • Interesting question
    A AnalogNerd

    It is hateful and vile and I hope they find out who did it and that they get so many similar letters and are so reviled in their community they have to move. However, I don't think writing a letter that spews hate should be a crime. They have the freedom to speak, and we all have the freedom to speak right back. If there were a specific threat in the letter that would be a different issue.

    The Soapbox question com

  • Thanks for the advice
    A AnalogNerd

    I'm relatively new at my company (just over 18 months). I've inherited several legacy apps (ASP classic, all over 7 years old) written by someone who is now a manager in the networking side of the house and in charge of security. I just had to clear my plans for a secure RESTful API through him. IP Filtering, a secure VPN connection, HMAC signature on the request. He then proceeds to poke and prod, why hash and not a public/private key? Why not also use a client cert? Etc. I have no problem with constructive criticism, especially if it can make the application more secure, however it burns me at some level to have this person doing it. Here's a small list of what I've found in his legacy apps: 1. Unencrypted connection strings inline in the ASP file, not in the web.config 2. Inline SQL in the ASP files with no input sanitization or parameterization 3. Try/Catches that do nothing but catch. No logging, no UI notification, just keep going. 4. SQL Accounts (with unencrypted passwords in the file, see #1) that have full dbo owner access to the database. Sometimes I just want to politely, but firmly point out that I would have to actually work fairly hard to make my applications less secure than the ones he's written. End of rant. I feel better already :-D

    The Soapbox database css design security cryptography