<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://weblogs.asp.net/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>.NET Brisbane, Australia : asp.net</title><link>http://weblogs.asp.net/edgepereira/archive/tags/asp.net/default.aspx</link><description>Tags: asp.net</description><dc:language>en</dc:language><generator>CommunityServer 2007 SP1 (Build: 20510.895)</generator><item><title>The 300 Model</title><link>http://weblogs.asp.net/edgepereira/archive/2008/05/28/the-300-model.aspx</link><pubDate>Wed, 28 May 2008 05:36:00 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:6226333</guid><dc:creator>superedge</dc:creator><author>superedge</author><slash:comments>8</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/edgepereira/rsscomments.aspx?PostID=6226333</wfw:commentRss><comments>http://weblogs.asp.net/edgepereira/archive/2008/05/28/the-300-model.aspx#comments</comments><description>&lt;p&gt;&lt;strong&gt;&lt;em&gt;"Surrender, we are many, you are few. We won't lay down our weapons, you want them? Come get them! The Persians arrows will blot out the sun. Better this way, we will fight in the shadow."&lt;/em&gt;&lt;/strong&gt;

&lt;/p&gt;&lt;p&gt;The movie &lt;strong&gt;‘300’&lt;/strong&gt; is like a big punch in the stomach and you have no time to fall. In '300', you see a comic book story that meets entrepreneurship that meets world history: the legendary &lt;strong&gt;battle of Thermopylae&lt;/strong&gt; in the year 480 BC, where only 300 Spartans fought against millions of Persians for the future of Greece. Nobody knows exactly how many were really involved in the war, but everyone agrees: &lt;strong&gt;It was few against many!&lt;/strong&gt;

&lt;/p&gt;&lt;p&gt;Based on &lt;strong&gt;Frank Miller's&lt;/strong&gt; graphic novel, the movie in its first week generated &lt;strong&gt;USD 70 million in the USA alone&lt;/strong&gt;, with no Tom Cruise, Brad Pitt or other big-shot Hollywood star; instead the major roles went to &lt;i&gt;'unknowns'&lt;/i&gt;: a Scot called &lt;a href="http://imdb.com/name/nm0124930/" mce_href="http://imdb.com/name/nm0124930/"&gt;Gerard Butler &lt;/a&gt;as &lt;strong&gt;King Leonidas&lt;/strong&gt; and a Brazilian called &lt;a href="http://imdb.com/name/nm0763928/" mce_href="http://imdb.com/name/nm0763928/"&gt;Rodrigo Santoro &lt;/a&gt;as &lt;strong&gt;King Xerxes&lt;/strong&gt;.

&lt;/p&gt;&lt;p&gt;Some might say that people go to see this movie because it shows &lt;strong&gt;sexy appealing scenes, rock music, violence and amazing special effects&lt;/strong&gt;.

That's a lie!

&lt;/p&gt;&lt;p&gt;This movie captures the audience because it is about the eternal battle between the &lt;strong&gt;strong and the weak, between heroes and villains, between common people and powerful kings&lt;/strong&gt;. This movie attracts people because everyone wants to know &lt;strong&gt;how to defeat a much more powerful competitor when we have only a few resources; how to conquer the market when we have few people; how to make more out of few&lt;/strong&gt;.

&lt;/p&gt;&lt;p&gt;‘300’ is a bloody battle between a small company carried on the shoulders of very talented warriors committed to honor, and a huge corporate machine maintained by millions of regular employees, some of whom do not even know what they are doing in the company or why they are doing it.

&lt;/p&gt;&lt;p&gt;This movie offers many more insights for your professional life than many MBA courses out there. Save yourself USD 500 and watch the movie for a few dollars.&lt;/p&gt;&lt;p&gt;You will learn:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;A &lt;i&gt;&lt;strong&gt;lesson about the leader who inspired others&lt;/strong&gt;&lt;/i&gt; &lt;em&gt;(even to admire him until his last breath)&lt;/em&gt;, &lt;br&gt;&lt;/li&gt;&lt;li&gt;How to start a company where everyone wants to work 24x7 &lt;em&gt;(until their last moments)&lt;/em&gt;, &lt;br&gt;&lt;/li&gt;&lt;li&gt;How to create a brand, a history, a legend &lt;em&gt;(that will overcome death)&lt;/em&gt;. &lt;br&gt;&lt;/li&gt;&lt;li&gt;When the captain decides to punish the soldier, &lt;i&gt;&lt;strong&gt;Leonidas&lt;/strong&gt; &lt;/i&gt;- the Spartan King - teaches the manager the value of respect towards the lower ranks.&lt;/li&gt;&lt;li&gt;When in doubt about his own convictions, Leonidas asks the opinion of his partner, wife, and Queen &lt;em&gt;- who is always treated as the equal of any man -&lt;/em&gt; about how to deal with the business. &lt;br&gt;&lt;/li&gt;&lt;li&gt;When busy, just a few days before facing millions and certain death, he finds quality time to spend with his little son and teaches him the secrets of the business world that he knows so well. 
&lt;br&gt;&lt;/li&gt;&lt;li&gt;When ready for battle, tie, computer and mobile, everything he does is to &lt;i&gt;&lt;strong&gt;KEEP FOCUS ON THE REASON&lt;/strong&gt;&lt;/i&gt; to do the best for the business and his employees.&lt;/li&gt;&lt;li&gt;When King Xerxes tries to seduce Leonidas with the benefits that a possible merger &amp;amp; acquisition of the little Spartan company by the mega-corporation Persia will bring to the shareholders, to him &lt;em&gt;(by becoming CEO of Greece, palaces, women, higher salaries)&lt;/em&gt; and to his employees &lt;em&gt;(who will set themselves free from slavery)&lt;/em&gt;, Leonidas reminds Xerxes that the &lt;i&gt;&lt;strong&gt;true slavery of the human being is not economic or social slavery, but losing the Spartan lifestyle, their culture, their philosophy and the right to make decisions freely without needing to justify them to anybody&lt;/strong&gt;&lt;/i&gt;. &lt;br&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;In every scene you can learn something about yourself!&lt;/p&gt;&lt;p&gt;Forget the popcorn and the soft drinks, &lt;i&gt;&lt;b&gt;concentrate on the dialogues&lt;/b&gt;&lt;/i&gt;.

&lt;/p&gt;&lt;p&gt;When the Spartan board of directors decides to surrender to Xerxes by not supporting Leonidas, they take the army command away from Leonidas and tell him to kneel and behold the invisible. Leonidas instead does a spin-off from the army and creates his &lt;strong&gt;own company&lt;/strong&gt;: he gathers 300 of his best soldiers and goes to war against Xerxes' millions. &lt;/p&gt;&lt;p&gt;When he is asked how he will defeat millions with just 300 soldiers, he says &lt;i&gt;&lt;strong&gt;he will use his brain when Xerxes uses his ego&lt;/strong&gt;&lt;/i&gt;. He moves towards &lt;em&gt;&lt;strong&gt;Thermopylae&lt;/strong&gt;&lt;/em&gt;, a narrow passage that will neutralize the enemy's superiority in numbers.

&lt;/p&gt;&lt;p&gt;When an incapable and mediocre Spartan asks to join the army, Leonidas tells him to go home; on the other hand, Xerxes sends his mediocre men to the front to die first. In Leonidas' small company, &lt;i&gt;&lt;strong&gt;only the best, the brave and the brilliant are accepted&lt;/strong&gt;&lt;/i&gt;. He left out the weak, the average, and the non-team players. &lt;/p&gt;&lt;p&gt;Interestingly,&lt;strong&gt; &lt;i&gt;he brings all the married men with at least one son, meaning these are the most committed people when compared against the young and single&lt;/i&gt;&lt;/strong&gt;. He does not want anybody to slow down his best and show weakness to the enemy. He cannot afford it. &lt;/p&gt;&lt;p&gt;During a very important moment of the battle, Leonidas meets Xerxes. The &lt;em&gt;God-King&lt;/em&gt; asks: &lt;strong&gt;&lt;em&gt;"How do you envision defeating me? I would kill anyone of my own men just to have you killed"; "I would die for anyone of my own men" Leonidas says&lt;/em&gt;&lt;/strong&gt;.

&lt;/p&gt;&lt;p&gt;When Leonidas notices that he will no longer be able to defeat Xerxes' army, he decides to &lt;strong&gt;build a brand!!!&lt;/strong&gt; He sends just one of his soldiers back home with a mission: to make sure everyone knows what happened there, so that the history and glory of those 300 Spartans will live forever.

2,500 years later, on the other side of the planet, here we are talking about those 300 warriors. &lt;strong&gt;&lt;em&gt;"The whole world will know that a handful of free men fought to their death against the tyranny, the whole world will know that few stand against many."&lt;/em&gt;&lt;/strong&gt;

&lt;/p&gt;&lt;p&gt;The &lt;strong&gt;marketing&lt;/strong&gt; started by Leonidas worked. This viral story inspired millions of Spartans and produced the pride necessary to unite the Greek world, which later ended the Persian invasion; Greece was never defeated by them in this war. And because of that, a new regime was born: &lt;strong&gt;Democracy&lt;/strong&gt;.

&lt;/p&gt;&lt;p&gt;Spartan society left nothing behind except the stories of its battles. No art, no music, no dance, no knowledge, no invention, no technology to enlighten the path... As its legacy, it left the unconditional dedication and strong discipline of its people to become the &lt;strong&gt;best warriors ever seen in this world&lt;/strong&gt;.

Sparta did not produce an Einstein, a Michelangelo, or a Leonardo da Vinci, but it gave birth to the expression &lt;strong&gt;"Spartan Life"&lt;/strong&gt;, which today refers to the lifestyle where a person gives up privileges and personal benefits to embrace &lt;em&gt;(with body, mind and soul)&lt;/em&gt; and surrender his life to a higher cause. &lt;br&gt;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=6226333" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/edgepereira/archive/tags/team+system/default.aspx">team system</category><category domain="http://weblogs.asp.net/edgepereira/archive/tags/asp.net/default.aspx">asp.net</category><category domain="http://weblogs.asp.net/edgepereira/archive/tags/.net/default.aspx">.net</category><category domain="http://weblogs.asp.net/edgepereira/archive/tags/general+software+development/default.aspx">general software development</category></item><item><title>File Upload and Canonical Issues</title><link>http://weblogs.asp.net/edgepereira/archive/2008/05/02/file-upload-and-canonical-issues.aspx</link><pubDate>Fri, 02 May 2008 03:57:00 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:6149205</guid><dc:creator>superedge</dc:creator><author>superedge</author><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/edgepereira/rsscomments.aspx?PostID=6149205</wfw:commentRss><comments>http://weblogs.asp.net/edgepereira/archive/2008/05/02/file-upload-and-canonical-issues.aspx#comments</comments><description>&lt;p align="justify"&gt;Never trust user input. 
The incoming data can be the source of many evils, and a security flaw can be there just waiting for the right moment and the right person to break your application.&lt;/p&gt;  &lt;p align="justify"&gt;After finishing &lt;a href="http://weblogs.asp.net/edgepereira/archive/2008/04/19/uploading-files-and-raising-events.aspx" mce_href="http://weblogs.asp.net/edgepereira/archive/2008/04/19/uploading-files-and-raising-events.aspx"&gt;my upload control&lt;/a&gt; I finally did the integration with the website. Now the users can select the files and send them to the website to be processed.&lt;/p&gt;  &lt;p align="center"&gt;&lt;a href="http://lh5.ggpht.com/superedge/SCB9HW3jD_I/AAAAAAAABbI/oPtg2L0_DYo/s1600-h/1%5B6%5D.gif"&gt;&lt;img src="http://lh4.ggpht.com/superedge/SCB9IG3jEAI/AAAAAAAABbQ/6mP14AYyf2k/1_thumb%5B4%5D.gif?imgmax=800" style="border-width: 0px;" alt="1" border="0" height="133" width="336"&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p align="justify"&gt;What are the security risks here? Something that can be called a 'canonicalization issue'.&lt;/p&gt;  &lt;p align="justify"&gt;For a start, all data can be seen in its canonical form. A canonical form is the simplest and most standard form in which any data can be represented; thus canonicalization is the process of converting the data to its canonical form.&lt;/p&gt;  &lt;p align="justify"&gt;Proficient JavaScript programmers are very aware of what I am talking about, and as a matter of fact in our system the user can search for a name using wildcards. So you can ask him: &lt;i&gt;"Retrieve me a list of all the instances where its canonical form includes Bill as mandatory prefix" &lt;/i&gt;The user will probably say: &lt;i&gt;"Retrieve what???"&lt;/i&gt; but if you ask them: &lt;i&gt;"Give me a list of all the users where their names start with Bill"&lt;/i&gt; they will type in the system 'bill*'. 
The user normally does not know it, but what he is doing is performing a &lt;i&gt;'type of canonical query'&lt;/i&gt;.&lt;/p&gt;  &lt;p align="justify"&gt;Now, back to our file upload issue. A file name is a very common canonical type. You can refer to the same file as:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;     &lt;div align="justify"&gt;thairecipes.doc&lt;/div&gt;   &lt;/li&gt;    &lt;li&gt;     &lt;div align="justify"&gt;c:\recipes\thairecipes.doc&lt;/div&gt;   &lt;/li&gt;    &lt;li&gt;     &lt;div align="justify"&gt;c:\\recipes\\thairecipes.doc&lt;/div&gt;   &lt;/li&gt;    &lt;li&gt;     &lt;div align="justify"&gt;c:\&amp;nbsp;&amp;nbsp; recipes\thairecipes.doc&lt;/div&gt;   &lt;/li&gt;    &lt;li&gt;     &lt;div align="justify"&gt;c:%3A%5Crecipes%5Cthairecipes.doc        &lt;br&gt;&lt;/div&gt;   &lt;/li&gt; &lt;/ul&gt;  &lt;p align="justify"&gt;As you probably figured, the last one is the issue. Your Windows operating system will recognize the symbols %5C and %3A.&lt;/p&gt;  &lt;p align="justify"&gt;You see now: because we are giving the user the option to save just about any file name he wants in our system, we are at the same time opening a door for a sort of canonical attack. Remember: Never trust the user. And by user I am not only talking about a person. In our context a user is any entity that uses a given resource or service, and for that matter a user can indeed be another system or another application.&lt;/p&gt;  &lt;p align="justify"&gt;A hacker would think: "How can I break into this site? Does it allow any easy access to any of its resources?". In our case, yes, our website must allow the user to upload files. &lt;/p&gt;  &lt;p align="justify"&gt;What to do now? How to handle a file upload to a web server?&lt;/p&gt;  &lt;p align="justify"&gt;Well, first, as a general rule you must not design a website that accepts just about any file name created by the user and saves it like that. 
As a matter of fact, any input must be validated and sanitized&amp;nbsp; if possible, not only on the client side but on the server side as well. &lt;/p&gt;  &lt;p align="justify"&gt;A better design: Do not allow the user to save the file on the web server with the filename that he wants to use. Accept the file, keep the original filename somewhere, and let the application rename that file with another name and then save it. I would suggest using a GUID string for that. That way you are not only closing the door on a possible canonical attack, but you also do not give a malicious user the chance to find out the filenames you might have on your server. For example, if a hacker knows that there is a file called http:\\mywebsite\mydocs\clientid1\&lt;b&gt;file1.doc&lt;/b&gt; he will try something like http:\\mywebsite\mydocs\clientid1\&lt;b&gt;file2.doc&lt;/b&gt;, and then http:\\mywebsite\mydocs\clientid1\&lt;b&gt;file3.doc&lt;/b&gt; and so on. By using an internal naming rule you minimize his attack surface.&lt;/p&gt;  &lt;p align="center"&gt;&lt;a href="http://lh4.ggpht.com/superedge/SCB9JG3jEBI/AAAAAAAABbY/2UWyaE6w8X0/s1600-h/2%5B5%5D.gif"&gt;&lt;img src="http://lh4.ggpht.com/superedge/SCB9KG3jECI/AAAAAAAABbg/xTOfyAorsSg/2_thumb%5B3%5D.gif?imgmax=800" style="border-width: 0px;" alt="2" border="0" height="248" width="491"&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p align="justify"&gt;Another thing to observe: You don't have to fight against and defeat a malicious user. There can be hundreds of hackers trying to break your code and you are just one guy against them &lt;i&gt;( and you don't want to have any sleepless nights during weekends, do you? )&lt;/i&gt; They always find a way to break your code. The best option is to minimize their attack surface. Chances are they are going to move on and concentrate their efforts on breaking a "weaker website" if your site is strong enough for the first rounds of attack.     
&lt;br&gt;    &lt;br&gt;These would be some instinctive considerations, and additionally I would suggest taking a look at implementing the &lt;a href="http://msdn.microsoft.com/en-us/library/aa302423.aspx" mce_href="http://msdn.microsoft.com/en-us/library/aa302423.aspx"&gt;File I/O guidelines&lt;/a&gt; as well. At the end of the day, it all depends on how secure you want to be, how much time you have available to implement it and how rigid the given specifications are.&lt;/p&gt;  &lt;p&gt;See you later.&lt;/p&gt;  &lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=6149205" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/edgepereira/archive/tags/asp.net/default.aspx">asp.net</category><category domain="http://weblogs.asp.net/edgepereira/archive/tags/.net/default.aspx">.net</category><category domain="http://weblogs.asp.net/edgepereira/archive/tags/general+software+development/default.aspx">general software development</category><category domain="http://weblogs.asp.net/edgepereira/archive/tags/c_2300_/default.aspx">c#</category><category domain="http://weblogs.asp.net/edgepereira/archive/tags/.net+faq/default.aspx">.net faq</category></item><item><title>Why adding more memory won't fix your Out of Memory error ?</title><link>http://weblogs.asp.net/edgepereira/archive/2008/04/05/why-add-more-memory-won-t-fix-your-out-of-memory-error.aspx</link><pubDate>Sat, 05 Apr 2008 15:52:00 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:6069116</guid><dc:creator>superedge</dc:creator><author>superedge</author><slash:comments>7</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/edgepereira/rsscomments.aspx?PostID=6069116</wfw:commentRss><comments>http://weblogs.asp.net/edgepereira/archive/2008/04/05/why-add-more-memory-won-t-fix-your-out-of-memory-error.aspx#comments</comments><description>&lt;p align="justify"&gt;Here is an interesting case. 
Consider these 2 scenarios:&lt;/p&gt;  &lt;p align="center"&gt;&lt;img src="http://farm3.static.flickr.com/2001/2389271787_9ba084337c.jpg" mce_src="http://farm3.static.flickr.com/2001/2389271787_9ba084337c.jpg"&gt; &lt;/p&gt;  &lt;p align="justify"&gt;Both are running the same website, and both have the same number of users connected.&lt;/p&gt;  &lt;p align="justify"&gt;Now imagine this website has a page to upload pictures, just like any regular photo-album website.&lt;/p&gt;  &lt;p align="justify"&gt;For some reason, at some point the users complain that they see an error page indicating an out of memory error. &lt;/p&gt;  &lt;p align="justify"&gt;So, you wonder: &lt;i&gt;How come? They are just uploading a photo to my website, and I still have plenty of memory in my server anyway&lt;/i&gt;.&lt;/p&gt;  &lt;p align="justify"&gt;Anyhow, you stop thinking about this and go for the &lt;i&gt;easiest, quick and dirty &lt;/i&gt;solution: If the system tells me that my computer does not have enough memory then &lt;b&gt;I just need to add more memory&lt;/b&gt;. Right?&lt;/p&gt;  &lt;p align="justify"&gt;And guess what? You will still get the error message.&lt;/p&gt;  &lt;p align="center"&gt;&lt;img src="http://farm3.static.flickr.com/2220/2390103968_2c86acc65f.jpg" mce_src="http://farm3.static.flickr.com/2220/2390103968_2c86acc65f.jpg"&gt; &lt;/p&gt;  &lt;p align="justify"&gt;That's a very common mistake. Having a machine with 10GB of memory does not mean you will have 10GB of memory available. Let me explain.&lt;/p&gt;  &lt;p align="justify"&gt;It does not matter if your computer or server has 512 MB, 1 GB, 2 GB, 4 GB or 8 GB of RAM. If your machine is a 32-bit machine it will only be able to see/manage 4 GB. That's mathematics, that's life, that's the way things are and you can't do anything about it. 
A 32-bit machine cannot do more than that.&lt;/p&gt;  &lt;p align="center"&gt;&lt;img src="http://farm4.static.flickr.com/3030/2390103346_8be8580061.jpg" mce_src="http://farm4.static.flickr.com/3030/2390103346_8be8580061.jpg"&gt; &lt;/p&gt;  &lt;p align="justify"&gt;Additional memory may increase your system performance, but it won't increase the memory availability. Sure, your computer will use the hard disk less for swapping operations and will be able to put more stuff in memory and start some programs faster, but 4GB is the limit; after this point the memory management module will start swapping to disk and using the famous page file.&lt;/p&gt;  &lt;p align="justify"&gt;And here comes more bad news: Your Windows system on a 32-bit machine requires 2 GB allocated only for it. &lt;/p&gt;  &lt;p align="justify"&gt;So, if you have 4 GB installed, effectively you will have only 2 GB for applications; Windows alone will be using 2 GB.&lt;/p&gt;  &lt;p align="center"&gt;&lt;img src="http://farm4.static.flickr.com/3141/2390103884_02673e964a.jpg" mce_src="http://farm4.static.flickr.com/3141/2390103884_02673e964a.jpg"&gt; &lt;/p&gt;  &lt;p align="justify"&gt;So, what does out of memory mean?&lt;/p&gt;  &lt;p align="justify"&gt;Well, according to some people at Microsoft, this limit for an average configuration is reached between 600 MB and 800 MB of utilization. That 800 number is NOT A RULE, it is a baseline. Generally speaking, the vast majority of configurations with a website, .NET and a SQL Server database might have a problem around this point. Of course, this can vary from system to system...as a matter of fact a system can be out of memory at just 600 MB.&lt;/p&gt;  &lt;p align="justify"&gt;Yes, it does sound crazy. 
You look so happy now that you just bought a 4GB RAM notebook and your computer is breaking with just 800MB, huh?&lt;/p&gt;  &lt;p align="center"&gt;&lt;img src="http://farm3.static.flickr.com/2347/2390103928_2612aa2f3d.jpg" mce_src="http://farm3.static.flickr.com/2347/2390103928_2612aa2f3d.jpg"&gt; &lt;/p&gt;  &lt;p align="justify"&gt;Here is another point for you. Have you ever seen someone bragging that he/she bought a 10-megapixel camera and now he/she believes their pictures are going to be better because of this?&lt;/p&gt;  &lt;p align="justify"&gt;Well, guess what? Just like the number of megapixels on a camera box does not have much to do with picture quality, RAM does not have much to do with hard disk space.&lt;/p&gt;  &lt;p align="justify"&gt;That's a common mistake: &lt;b&gt;&lt;i&gt;People buy RAM as if they were buying a hard disk&lt;/i&gt;&lt;/b&gt;.&lt;/p&gt;  &lt;p align="justify"&gt;RAM usage needs to be contiguous, unlike hard disk usage. A simple 5MB Microsoft Word document, when saved on a hard disk, can be split up into hundreds of pieces; when you open this file in memory, the RAM requires those 5MB to be allocated contiguously.&lt;/p&gt;  &lt;p align="justify"&gt;Can you see now the reason for the 'out of memory' message?&lt;/p&gt;  &lt;p align="justify"&gt;Yes, it really means &lt;i&gt;&lt;b&gt;'there is not enough contiguous memory to place that file in memory'&lt;/b&gt;&lt;/i&gt;. Your system might have 2GB of RAM, but unfortunately it might be too busy with stuff running and there is not enough contiguous memory to hold the picture you are uploading.&lt;/p&gt;  &lt;p align="center"&gt;&lt;img src="http://farm3.static.flickr.com/2042/2390103910_1bc0b92982.jpg" mce_src="http://farm3.static.flickr.com/2042/2390103910_1bc0b92982.jpg"&gt; &lt;/p&gt;  &lt;p align="justify"&gt;Yeah, you cannot do much, but you can buy a 64-bit machine; then when you add more memory you can really use it more efficiently. 
And yes, we have &lt;a href="http://www.microsoft.com/windows/" mce_href="http://www.microsoft.com/windows/"&gt;Microsoft Windows systems for 64-bit machines&lt;/a&gt;.&lt;/p&gt;  &lt;p align="justify"&gt;If you do not want to buy a new system or upgrade your current server to a better version, then you should think about other solutions in the business process, such as preventing users from uploading pictures larger than 1 MB.&lt;/p&gt;  &lt;p align="justify"&gt;See you later.&lt;/p&gt;&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=6069116" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/edgepereira/archive/tags/asp.net/default.aspx">asp.net</category><category domain="http://weblogs.asp.net/edgepereira/archive/tags/.net/default.aspx">.net</category><category domain="http://weblogs.asp.net/edgepereira/archive/tags/general+software+development/default.aspx">general software development</category><category domain="http://weblogs.asp.net/edgepereira/archive/tags/.net+faq/default.aspx">.net faq</category><category domain="http://weblogs.asp.net/edgepereira/archive/tags/vista/default.aspx">vista</category></item><item><title>ASP.NET Login is lost when I refresh the page. How come?</title><link>http://weblogs.asp.net/edgepereira/archive/2008/02/25/asp-net-login-is-lost-when-i-refresh-the-page-how-come.aspx</link><pubDate>Mon, 25 Feb 2008 13:58:00 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:5859460</guid><dc:creator>superedge</dc:creator><author>superedge</author><slash:comments>2</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/edgepereira/rsscomments.aspx?PostID=5859460</wfw:commentRss><comments>http://weblogs.asp.net/edgepereira/archive/2008/02/25/asp-net-login-is-lost-when-i-refresh-the-page-how-come.aspx#comments</comments><description>Hi guys,
&lt;p&gt;Here is another interesting problem: crazy logins losing their tokens. I had a chat with a friend who happens to work on an online shop website. He knew that I once developed the authentication/authorisation mechanism for a similar company, so he asked me this: &lt;/p&gt;

&lt;p&gt;&lt;i&gt;Edge, my ASP.NET website was running fine using SQLExpress 2005. My development and test environments are fine and my tests look OK, but since I moved my website to a better host using SQL Server 2005 I keep getting complaints from my customers; they say all of a sudden while navigating the website they get logged out and because of that they are forced to log in again. Just like that, out of nowhere. They say they can even add items to the shopping cart but when they start navigating&amp;nbsp; the catalog somehow they realize they are not logged in anymore. That's causing me a lot of stress because ultimately I am losing revenue. So I am suspecting that it could be some page that is forcing them to log out or doing some crazy redirect. I don't know. &lt;br&gt;&lt;/i&gt;&lt;/p&gt;

&lt;p&gt;&lt;i&gt;But wait, there is more. Some customers say that after they are logged out, they wait a few minutes and then they refresh the page. They say this will bring their login back (???) That's crazy. How come they are logged in to my website, then they get kicked out, then a few minutes later they are automatically logged back in? &lt;/i&gt;&lt;i&gt;The only new variable is the SQL Server 2005. Is this a MS SQL Server 2005 bug?&lt;/i&gt;&lt;/p&gt;

&lt;p&gt;My dear friends, I completely understand this case and I know the pain of debugging and tracing such an environment. Sometimes these problems can drive us crazy during long weekend nights. &lt;/p&gt;

&lt;p&gt;So here is a little diagram for us to start our case study:&lt;br&gt;&lt;/p&gt;

&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;center&gt;&lt;img src="http://farm4.static.flickr.com/3215/2290749275_f9036a8cdc_o.jpg" mce_src="http://farm4.static.flickr.com/3215/2290749275_f9036a8cdc_o.jpg" align="middle" height="178" width="469"&gt;&lt;/center&gt;&amp;nbsp;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;center&gt;&lt;img src="http://farm4.static.flickr.com/3067/2290749277_ef1a114f0c_o.jpg" mce_src="http://farm4.static.flickr.com/3067/2290749277_ef1a114f0c_o.jpg" align="middle" height="155" width="470"&gt;&lt;/center&gt;&amp;nbsp;



&lt;p style="text-align: justify;"&gt;&lt;span&gt;So his environment is a &lt;a href="http://asp.net/" target="_blank"&gt;ASP.NET&lt;/a&gt; website setup on a web farm, running IIS and having as backend a single instance of SQL Server 2005. The users were able to login to the website but then after a page
refresh, that could not be determined for sure when or where, they get logged out. According to him, the only new variable was the setup of a new SQL
Server, since before he was running using SQL Express; Interesting to note here:
you might be surprised to see how many people actually can use SQLExpress as
their backend. Based on that, I had a feeling that it was not going to be a code
issue, but most likely a setup or environment issue. &lt;/span&gt;&lt;/p&gt;

&lt;p style="text-align: justify;"&gt;&lt;span&gt;I noted that he heavily uses &lt;a href="http://asp.net/" target="_blank"&gt;ASP.NET&lt;/a&gt; Sessions tables for his product. So, this gave me a good clue for us to look at the problem.&lt;/span&gt;&lt;/p&gt;


&lt;p style="text-align: justify;"&gt;&lt;span&gt;For those who don't believe me, &lt;/span&gt;&lt;a href="http://asp.net/" target="_blank"&gt;ASP.NET&lt;/a&gt; session state really
works &lt;span&gt;&amp;nbsp;&lt;/span&gt;flawlessly on web farms. If you
have one and are not using it, I would say : give it a go. And I would go even further, use a
database to store the session state. It does not have to be SQL Server database,
it can be a MySQL, for example. I highly recommend MS database anyway. Why? Because
if you use SQL Server&lt;span&gt;&amp;nbsp; &lt;/span&gt;you can replicate
the database and it is going to integrate beautifully with you &lt;a href="http://asp.net/" target="_blank"&gt;ASP.NET&lt;/a&gt; application.
&lt;span&gt;&amp;nbsp;&lt;/span&gt;Try to do this using any other database
and you are in big trouble. (Or not, if you don't like weekends with the family anyway). Now add to this the amazing
caching capabilities provided by SQL Server 2005. My friend, you are set for a
very stable environment.&lt;/p&gt;

&lt;p style="text-align: justify;"&gt;His host provider uses &lt;a href="http://asp.net/" target="_blank"&gt;ASP.NET&lt;/a&gt; session in a web farm and a load balancer. Now we
saw a likely breaking point. Did he setup correctly the web.config file for the new environment? Did he make sure all the servers were running the required service for state server? Ultimately, of course, we should rely in the hosting company to do this for us, but double-check just in case before doing any release like this one.&lt;br&gt; &lt;/p&gt;

&lt;p style="text-align: justify;"&gt;So, in my head I pictured this: The
user was going back and forth, loosing and getting back his login token. Like
if every time he did a refresh, his request would be transferred to another
server which did not have the state server running, therefore no information
about his login.&lt;/p&gt;
&lt;p style="text-align: center;"&gt;&lt;img src="http://farm3.static.flickr.com/2183/2290749279_a7c7526299_o.jpg" mce_src="http://farm3.static.flickr.com/2183/2290749279_a7c7526299_o.jpg" align="absmiddle" height="130" width="474"&gt;&amp;nbsp;&lt;/p&gt;

&lt;p style="text-align: justify;"&gt;Then he refreshed again at some
point, his request was redirected to a machine with the state server running,
and the login was back again.&lt;/p&gt;

&lt;p style="text-align: justify;"&gt;We tried this. Double-checked if
the web.config was correct for state servers and we made sure that every server
in the farm had the service on. The infra-guy fixed those and voilla…back in
business.&lt;/p&gt;
&lt;p style="text-align: center;"&gt;&lt;img src="http://farm3.static.flickr.com/2148/2290749285_7be1ef3815_o.jpg" mce_src="http://farm3.static.flickr.com/2148/2290749285_7be1ef3815_o.jpg" align="middle" height="212" width="472"&gt;&amp;nbsp;&lt;/p&gt;

&lt;p style="text-align: justify;"&gt;Hopefully this was the solution. So far, so good. &lt;/p&gt;&lt;p style="text-align: justify;"&gt;See ya later.&lt;/p&gt;&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=5859460" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/edgepereira/archive/tags/asp.net/default.aspx">asp.net</category><category domain="http://weblogs.asp.net/edgepereira/archive/tags/.net/default.aspx">.net</category><category domain="http://weblogs.asp.net/edgepereira/archive/tags/sql+server/default.aspx">sql server</category></item></channel></rss>