Wow.  If this is what a "Professional" is now expected to know, I'm sad for .Net.

[more]

Last month an alert went out from Microsoft about a severe vulnerability in ASP.Net.  A quick workaround was stepped through but the kernal of the issue remained.

I just got this email blast from the DotNetNuke folks (very very nice of them even as I am no longer a Nuke user) about the official patch now being available as direct download AND NOW Windows Update.

No matter your OS, if you run ASP.Net you should get the updates.  If money is on the line then of course you have to check the fine print and scan the comments of Scott Guthrie's blog post and do extra testing ASAP in case you are doing some off-kilter code that hits a boundary of the patch. 

Just got an e about ELMAH.  Yes, I think its pretty fine.  Saves a lot of time, does fine with vs2010 asp.net4 for us so far... but let me tell you why we took the plunge.

Need to reduce those one-off cookies, session vars or visible query strings?  This is a library that I trust (and I trust very very few these days)

Remaking this site to run on IIS... ELMAH quickly reminded me of that IIS issue:  ignoring custom error handling when spaces or hijack scripts are in the url.

Mostly these come from those cute little korean/slav/russian php scripties, you know the ones, all the variations of: http://[domain]/page%20/index.php?errors=http://www.imajerkwithasmallpenis.tjdhosp.co.kr/1.txt?

IIS and web.config customErrors will take care of most odd url requests.. but embed a space and your customError configuration section won't get called... you need to handle it in the olde Global.asax

The logs show that your pages are redirecting correctly... but a spider type test app shows everything as being status 200 OK... dagnabbit, don't forget that one little property

Now that your Oracle XE server is installed and running, you might like to hit it with a web page or two. You'll need to get a couple of extras for that, the System.Data.Oracle dll that's part of the MS.Net installation but not the Mono core and also a bit of middleware that will route your application calls through that dll to the Oracle server.

Like most things, this is all really easy once you've done it wrong a few times. Lucky for you, I've made all the mistakes already so all you have to do is just follow the bouncing ball.

Get and install the Mono System.Data.OracleClient - Get and install the Oracle Instant Client "middleware"

You don't want to expose a web server to the wild without setting up logging. We all know this. We sometimes forget this. Don't.

Windows developers over the years get cushy with IIS's protection and we take it for granted, but now we're on Apache and going back to our roots of not trusting the core is a good thing.

Our current virtual hosts file is quite a bit different from the Apache default file, if we look to that original we'll see the recommended minimum log lines.

God Forbid

The default behaviour for Apache is to give any user any file that they ask for but you can protect files based on any common or custom file extensions you need.

So far all of our examples have shown a pages-only webapp, no mentions of javascript files, css or images. What all these external resources have in common is that they're typically going to be held in subfolders off of the root.

Related to forbidding folder browsing is forbidding remote access to private files. It's not uncommon to have some quick server-cached lookup data that you want to hold as a file and let the .Net/Mono service work with but not expose to the whole world.

Because the Mono Team knew that most of their new users would be coming over from Windows and usually doing their first tests by dumping some previously written web apps on a Linux box 'just to watch it all fail', they created a one-line compatibility command called Mono IOMAP.

Unfortunately for new users, the setting is not the default (but experienced users would probably not want it bo be). It is turned on at the overall Apache service level by adding the following line to the top of the /etc/apache2/httpd.conf file: