Daily Archives: October 28, 2012

WinJS Tricks Series: Custom MessageDialog buttons

In the last episode of the WinJS Tricks Series I showed you how you can create a simple message box in JavaScript in your Windows Store applications. In today’s episode we dive deeper and customize the buttons on the dialog, and you will learn how you can set the text, the keyboard hotkeys and the event handlers for your buttons.

Just as message boxes are called message dialogs in Windows Store apps, buttons are not buttons any more, and button parameters also have different names. Check the video to learn the new concepts:

(720p, full-screen view recommended)

Please rate or like the video if you are interested in the next episodes. Thanks!

 


Cryptographic improvements in ASP.NET 4.5

Several features of ASP.NET were designed with security in mind from the early days of the platform (ViewState protection, for example), although those days were quite a while ago. The latest complex changes were introduced in version 2, but that happened about 7 years ago, and the world of cryptography, which serves as the basis of many security features, can change a lot in that many years. The other problem with cryptography is that you have to use it correctly, which is sometimes far from obvious, and misuse can lead to serious security vulnerabilities (see MS10-070).

Guided by these principles, ASP.NET 4.5 introduces important security changes and features. Some days ago Levi Broderick published an excellent 3-part article titled Cryptographic Improvements in ASP.NET 4.5 on the .NET Web Development and Tools Blog:

  1. Background regarding the use of cryptography in ASP.NET 4.
  2. Changes that were introduced in ASP.NET 4.5.
  3. Usage notes and miscellaneous Q&A.

I strongly recommend that everyone read all three parts, especially architects who design the security features of web applications. To quickly summarize:

  • The machine key has higher entropy, it is more secure to use, and new application isolation features are introduced.
  • Usage of the machine key is separated by “purpose”, so a vulnerability in one usage area (e.g. ScriptResource.axd) hopefully will not affect other areas (such as ViewState).
  • New MachineKey.Protect and MachineKey.Unprotect functions, where you can specify the “purpose”. These functions “just protect” the data: you don’t have to worry about MAC and encryption yourself. With the new functions, the old Encode and Decode methods are deprecated.
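
To show how the “purpose” parameter of MachineKey.Protect and MachineKey.Unprotect isolates one use of the machine key from another, here is an added example (not code from this post or from Levi Broderick's series). The class name, the purpose strings and the token layout are assumptions chosen for illustration; the code is meant to run inside an ASP.NET 4.5 application.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Hypothetical helper: issues and validates an opaque, expiring token that is
// bound to one feature and one user through MachineKey purposes.
public static class ResetTokenProtector
{
    // Assumed purpose string; any stable, feature-specific value works.
    private const string FeaturePurpose = "MyApp.PasswordReset.v1";

    public static string Issue(string userId, DateTime expiresUtc)
    {
        byte[] payload = BitConverter.GetBytes(expiresUtc.Ticks);
        // The second purpose ties the protected blob to this user only.
        byte[] blob = MachineKey.Protect(payload, FeaturePurpose, "user:" + userId);
        return HttpServerUtility.UrlTokenEncode(blob);
    }

    public static bool TryValidate(string token, string userId, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(token)) return false;
        try
        {
            byte[] blob = HttpServerUtility.UrlTokenDecode(token);
            if (blob == null) return false; // malformed token encoding

            // Must pass exactly the same purposes that were used in Issue.
            byte[] payload = MachineKey.Unprotect(blob, FeaturePurpose, "user:" + userId);
            if (payload == null || payload.Length != sizeof(long)) return false;

            long ticks = BitConverter.ToInt64(payload, 0);
            return new DateTime(ticks, DateTimeKind.Utc) > nowUtc;
        }
        catch (FormatException)
        {
            return false; // token is not valid base64url
        }
        catch (CryptographicException)
        {
            // Tampered data, a different purpose (another feature or another
            // user), or a different machine key all fail here the same way.
            return false;
        }
    }
}
```

A token issued for one user fails validation for any other user, and a blob protected by another feature of the same application cannot be replayed here, because the purposes no longer match.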

As you may guess, these changes have an effect in several areas of the framework, and sometimes they can even lead to compatibility issues. To minimize the impact, the ASP.NET team determined where to use the new system by default and where to stay with the old one for compatibility reasons. These are all detailed beautifully in the second and third parts of the above series, including the corresponding web.config settings, so they are definitely worth reading.

Please keep in mind that Windows Azure Web Sites are running on ASP.NET 4.5, which is an in-place upgrade!

 
