Jambr - Articles

Automatic encryption of secure form field data

Karl — Mon, 31 Dec 2012 20:00:21 Z

Overview

My article on Throttling Requests got quite a bit of attention, so I thought I would continue the security theme and show you a simple method of automatically encrypting hidden form fields that you don't want the user to be able to change, or know the value of. I will be making use of an extension to the HtmlHelper, a custom ModelBinder to handle the decryption and also Rijndael encryption to secure your data (you could use any method of encryption you so desire).

I must stress that this is simply one measure to ensure the security of your data, you should always still be validating the action at the code and finally database level, to ensure you have a secure application!

Example

A really simple example of this would be on a CMS system, lets say user can only edit posts that they created. You may have something like this in your view:

        <%Using Html.BeginForm  %>
            <%:Html.HiddenFor(Function(m) m.DatabaseID)%>
            <!-- Other Editing fields here-->
            <input type="submit" value="Submit!" />
        <%end using %>

If we inspected the code that is generated, we would get this:

        <form action="/Home/Test" method="post">
            <input data-val="true" id="DatabaseID" name="DatabaseID" type="hidden" value="2012" />
            <input type="submit" value="Submit!" />
        </form>

As you can quite clearly see, the database ID is 2012, and I could quite easily edit it to be able to submit against say, record 2013, which was posted by another user, if (god forbid) there was nothing checking in the back end that the user posting back actually has permissions to edit the post, you could malliciously edit other peoples data.

Rijndael

As I mentioned previous, I am going to be using Rijndael to handle my encryption, I'm not going to post all of the code here, you can use any encryption method you want, I personally grabbed this example, and made a few modifications to suit. Make sure you have a suitable encryption class in your project before you read past here!

Encryption

The first thing we want to do is create the part which handles encryption. We want to simply be able to replace the "HiddenFor()" with "EncryptedFor()". To do this we need to create a HtmlHelper extension which accepts a Linq expression of the targeted field, so it works in much the same way as HiddenFor.

        ''' <summary>
        ''' Creates an encrypted version of the field
        ''' </summary>
        <System.Runtime.CompilerServices.Extension> _
        Public Function EncryptedFor(Of TModel, TProperty)(htmlHelper As HtmlHelper(Of TModel), expression As Expression(Of Func(Of TModel, TProperty))) As MvcHtmlString
            Dim name As String
            If TypeOf expression.Body Is MemberExpression Then
                name = DirectCast(expression.Body, MemberExpression).Member.Name
            Else
                Dim op = (CType(expression.Body, UnaryExpression).Operand)
                name = DirectCast(op, MemberExpression).Member.Name
            End If

            'Get the value, and then encrypt it
            Dim value = ModelMetadata.FromLambdaExpression(expression, htmlHelper.ViewData)
            Dim encvalue = RijndaelSimple.Encrypt(value.Model, HttpContext.Current.User.Identity.Name)
            Return New MvcHtmlString("<input type=""hidden"" name=""" & name & "-encrypted"" value=""" & encvalue & """>")
        End Function

So now, if we go back to our form, we should be able to switch to EncryptedFor, which will generate the hidden field:

        <form action="/Home/Test" method="post">
            <input type="hidden" name="DatabaseID-encrypted" value="3JSlRkRb98Ow11HkGRb1XQ==">
            <!-- Other Editing fields here-->
            <input type="submit" value="Submit!" />
        </form>

As you can see, the field name has been appended with "-encrypted", and the value is the encrypted string.

Decryption

The next thing we need to do is to handle the decryption and setting of the value. The MVC model binder will obviously not know that the field "DatabaseID-encrypted" is actually for the field "DatabaseID". What we need to do is create a custom model binder, which looks for the field in the Request.Form, decrypts it, and then sets the property.

Public Class EncryptedModelBinder
    Inherits DefaultModelBinder

    Protected Overrides Sub BindProperty(controllerContext As ControllerContext, 
                                         bindingContext As ModelBindingContext, propertyDescriptor As System.ComponentModel.PropertyDescriptor)

        If propertyDescriptor.Attributes.OfType(Of EncryptedAttribute)().Count > 0 Then
            'Look for the encrypted field
            If controllerContext.HttpContext.Request.Form(propertyDescriptor.Name & "-encrypted") IsNot Nothing Then
                Dim decvalue = controllerContext.HttpContext.Request.Form(propertyDescriptor.Name & "-encrypted")
                decvalue = RijndaelSimple.Decrypt(decvalue, "Some unique key")
                propertyDescriptor.SetValue(bindingContext.Model, If(IsNumeric(decvalue), CInt(decvalue), decvalue))
                MyBase.BindProperty(controllerContext, bindingContext, propertyDescriptor)
            End If
        Else
            'Normal binding
            MyBase.BindProperty(controllerContext, bindingContext, propertyDescriptor)
        End If

    End Sub
End Class

You'll notice here that I am looking for an EncryptedAttribute. This is because we want to prevent people just inspecting the code and posting back to the database ID. We decorate the properties that are expected to be encrypted with a simple attribute which basically says "Only set me using the -encrypted post back value, ignore anything else"

Public Class EncryptedAttribute
    Inherits Attribute
End Class

We just need to register this in our Gloabl.asax.vb file as well:

ModelBinders.Binders.DefaultBinder = New EncryptedModelBinder

And that's it!

The Result

I created a simple method which dumps out the request.form contents from the post back, and also outputs the value of the field. As you can see the encrypted value was passed back, but the property has correctly been set!

Content of the request.form: 
DatabaseID-encrypted: SVwvHJ8kzCeIjIN4VZeJLw==

The DatabaseID on the model is set to: 2012

Conclusion

The aim of this article was to give you another tool to secure your websites, and that's all it is, a tool. You should be secure your website every step of the way! As usual, any questions, please leave a comment.

Generating a valid sitemap automatically with .NET

Karl — Sun, 30 Dec 2012 14:29:33 Z

Overview

Jambr is still a baby, as such it's content and structure is changing.

It originally existed on two urls (www and non-www), and google was indexing both of them and to add to it not long ago I changed the url structure for Articles to be more, SEO friendly.

All of these changes confuse search engine indexers and one way to help them out is to provide them with a Sitemap. My rough list of requirements were:

To comply fully with the Sitemap protocol
To generate automatically, when /sitemap.xml was called
To be able to decorate fixed controller actions with an attribute which would include them in the map.
To provide a simple way of adding the dynamic content
To cache the output for a period of time

Implementation

First things first, we need to create an XML document which matches the Sitemap protocol. So we create a new XmlDocument and from there, we add the xmlns for the Sitemap protocol, and add the root element "urlset"

        ''' <summary>
        ''' The scheme we add to the document
        ''' </summary>
        Private Const SiteMapSchemaURL As String = "http://www.sitemaps.org/schemas/sitemap/0.9"

        ''' <summary>
        ''' The full URL to your website, for example http://www.jambr.co.uk
        ''' </summary>
        Private Property FullyQualifiedUrl As String

        Private _document As XmlDocument
        ''' <summary>
        ''' Returns the XML document
        ''' </summary>
        Private ReadOnly Property Document As XmlDocument
            Get
                Return _document
            End Get
        End Property

        ''' <summary>
        ''' Create a new instance of the SiteMapGenerator, initialise the XML document
        ''' and add the required namespaces
        ''' </summary>
        ''' <param name="FullyQualifiedUrl">The full URL to your website, for example http://www.jambr.co.uk</param>
        Public Sub New(ByVal FullyQualifiedUrl As String)

            Me.FullyQualifiedUrl = FullyQualifiedUrl.Replace("\", "/")

            _document = New XmlDocument
            Document.AppendChild(Document.CreateNode(XmlNodeType.XmlDeclaration, Nothing, Nothing))

            'Create the root element and add the sitemap namespace
            Dim rootelement = Document.CreateElement("urlset", SiteMapSchemaURL)
            Document.AppendChild(rootelement)

        End Sub

Next I wanted to create a flexible method to add new urls, that accepted all the valid options for the url child elements, on an optional basis, and only adding them if they're passed:

        ''' <summary>
        ''' Adds a URL to the site map
        ''' </summary>
        ''' <param name="Location">The URL to the page, will check for your domain and add if required.</param>
        ''' <param name="LastModified">Optional: The date the URL was last modified</param>
        ''' <param name="ChangeFrequency">Optional: The expected change frequency of the URL</param>
        ''' <param name="Priority">Optional: The priority of the page, ranging from 0.0 to 1.0, default is 0.5</param>
        Public Sub AddUrl(ByVal Location As String,
                          Optional ByVal ChangeFrequency As ChangeFrequency = Nothing,
                          Optional ByVal Priority As Decimal = Nothing,
                          Optional LastModified As DateTime = Nothing)

            'sanitise the url
            Location = Location.Replace("\", "/")
            If Not Location.ToLower.Contains(FullyQualifiedUrl.ToLower) Then
                Location = FullyQualifiedUrl & If(Left(Location, 1) = "/", Location, "/" & Location)
            End If

            'check we haven't added it already in a stored list of urls we've added
            If AddedUrls.Contains(Location) Then Exit Sub
            AddedUrls.Add(Location)

            'Required elements
            Dim newUrl = Document.CreateElement("url", SiteMapSchemaURL)
            newUrl.AppendChild(CreateTextElement("loc", Location))

            'Optional Elements
            If Not LastModified = Nothing Then
                newUrl.AppendChild(CreateTextElement("lastmod", LastModified.ToW3C))
            End If

            If Not ChangeFrequency = Nothing Then
                newUrl.AppendChild(CreateTextElement("changefreq", ChangeFrequency.ToString))
            End If

            If Not Priority = Nothing Then
                newUrl.AppendChild(CreateTextElement("priority", Priority))
            End If

            Document.DocumentElement.AppendChild(newUrl)

        End Sub

Reflection

I mentioned previously that I wanted an easy way to add URLs, I didn't want to create a class which needed me to call AddUrl() over and over for all my pages. I decided to go down the route of creating a custom SettingAttribute, that I could just stick at the top of the controller actions I wanted to map, like this:

    <SiteMap(ChangeFrequency:=ChangeFrequency.daily, Priority:=0.7)>
    Function Index() As ActionResult
        Return View(New HomeViewModel)
    End Function

Next huh? Now you've probably realised that this would only work for static URL's, dynamic actions that require parameters like this, wouldn't work. In the context of Jambr I have two controllers which serve dynamic content, Articles and News. I decided to go down the route of creating an interface, which allowed me to have a sub routine that could be called by the site map generator, like this:

    ''' <summary>
    ''' Populate the site map with the dynamic data
    ''' </summary>
    ''' <param name="generator">the generate object that gets passed</param>
    Public Sub PopulateSiteMap(ByRef generator As SiteMapGenerator) Implements ISiteMap.PopulateSiteMap

        'We need to initialise the UrlHelper because of the way we've invokved this method
        Url = New UrlHelper(System.Web.HttpContext.Current.Request.RequestContext)

        Using db As New JambrDBContext

            'Lets add dynamic data, starting with my articles
            Dim articles = (db.
                           ArticlePosts.
                           Where(Function(w) w.IsLive = True).
                           OrderByDescending(Function(o) o.LastUpdated).
                           Select(Function(s) New With {.SEOUrl = s.SEOUrl,
                                                        .LastUpdated = s.LastUpdated})).tolist

            'Add my root element, with a last modified date of the latest article
            generator.AddUrl(Url.Action("Index", "Article"), ChangeFrequency.daily, Nothing, articles.First.LastUpdated)
            'Add the RSS feed, as it has the same last udpated date
            generator.AddUrl(Url.Action("RSS", "Article"), ChangeFrequency.daily, Nothing, articles.First.LastUpdated)

            'Add my other elements
            For Each post In articles
                generator.AddUrl(Url.Action("View", "Article", New With {.SEOUrl = post.SEOUrl}), Nothing, Nothing, post.LastUpdated)
            Next
            articles = Nothing

        End Using

    End Sub

We just look for either the SiteMapAttribute, or the Implementation of ISiteMap using reflection and get the associated details like so:

    ''' <summary>
    ''' When called, the site map generator will attempt to load any action methods
    ''' that are decorated with the SiteMapAttribute from your controller classes and
    ''' add a url for them based on it
    ''' </summary>
    ''' <remarks></remarks>
    Public Sub LoadFromAttribute()

        'Get all the controllers in the project
        Dim controllers = Assembly.
                          GetExecutingAssembly.
                          GetTypes().
                          Where(Function(t) GetType(System.Web.Mvc.ControllerBase).IsAssignableFrom(t))

        'First we want to get all controllers that implement the ISiteMap interface and fire the method
        For Each c In controllers.Where(Function(t) GetType(ISiteMap).IsAssignableFrom(t))

            'Create an instance
            Dim obj As ISiteMap = Activator.CreateInstance(c, True)
            obj.PopulateSiteMap(Me)

        Next

        'Now get all the methods which are decorated with the SiteMapAttribute
        Dim objs = (From c In controllers
                   From act In c.GetMembers
                   Where act.GetCustomAttributes(True).OfType(Of SiteMapAttribute)().Count > 0
                   Select New With {.controller = c,
                                    .action = act,
                                    .actionnameattribute = act.GetCustomAttributes(True).OfType(Of ActionNameAttribute)().FirstOrDefault,
                                    .sitemapattribute = act.GetCustomAttributes(True).OfType(Of SiteMapAttribute)().FirstOrDefault}).ToList

        'We need a url helper to help us generate the url path
        Dim UrlHelper = New UrlHelper(HttpContext.Current.Request.RequestContext)

        For Each p In objs
            'Now we have the objects, we need to build the url.  We need to look out for the ActionNameAttribute in case people are using it
            'to name their action methods, we also need to remove Controller from the name of the controller
            Dim url As String = UrlHelper.Action(If(p.actionnameattribute Is Nothing, p.action.Name, p.actionnameattribute.Name),
                                                 p.controller.Name.Replace("Controller", ""))

            'Add the object
            AddUrl(url,
                   p.sitemapattribute.ChangeFrequency,
                   p.sitemapattribute.Priority,
                   If(p.sitemapattribute.LastModified Is Nothing,
                      Nothing,
                      DateTime.Parse(p.sitemapattribute.LastModified, (New CultureInfo("en-us")))
                      )
                   )
        Next

    End Sub

Now add a route for sitemap.xml (remember this programming article is based around .Net MVC) in your RouteConfig.vb

        'This is to overwrite the sitemap request
        routes.MapRoute( _
            name:="SiteMap", _
            url:="sitemap.xml", _
            defaults:=New With {.controller = "SiteMap", .action = "Index"})

Set the controller and action to wherever you're going to put your method, I decided to put mine in a new controller. Finally create your action method, I've decorated mine with the OutputCache attribute and set it to 6 hours, with the ability to clear the cache by using the query string parameter ClearCache

    ''' <summary>
    ''' Returns the site map
    ''' </summary>
    <OutputCache(Duration:=21600, VaryByParam:="ClearCache", Location:=OutputCacheLocation.Server)>
    Function Index() As ActionResult

        'Create our site map
        Dim p As New SiteMapGenerator("http://www.jambr.co.uk")

        'Load any methods which are tagged with the attribute
        p.LoadFromAttribute()

        'Return the content
        Return Content(p.ToString, "text\xml")

    End Function

Something to note here is that I have created a ToString method, which takes the XmlDocument and outputs it as a UTF8 string, UTF8 is important so there is another class in the source code which creates a UTF8 based string writer.

Conclusion

I hope this article has shown you a clean way to implement a dynamic site map in .NET MVC using flexible attributes, full source code can be downloaded from Here, if you want to see my sitemap, check it Here and as usual - any questions please drop me a comment!

Throttle requests to a .NET MVC action with a custom Action Filter

Karl — Fri, 28 Dec 2012 11:38:36 Z

Overview

In my day job I work for HP Enterprise Security Services, part of my role is building secure and robust web applications which do everything possible to prevent malicious attacks.

One of the most simple things you can do in your MVC project is to prevent repeat requests to a page. This is primarily used in form submissions, for example in the comments box you see on Jambr, I don't want people to be able to repeatedly post to it over and over again, I want to introduce a time limit in-between these requests.

Also, there are going to be a lot of places on a typical site you want to limit such behaviour, but don't want to repeat the code everywhere. This is where custom Action Filter Attributes come in.

Creating an Attribute

Creating a custom attribute is easy, take a look at this piece of code, i'll explain what it does below:

<AttributeUsage(AttributeTargets.Method, AllowMultiple:=False)>
Public NotInheritable Class RequestThrottleAttribute
    Inherits ActionFilterAttribute

    Public Overrides Sub OnActionExecuting(filterContext As ActionExecutingContext)
        'Do some logic in here to decide what is going to happen
    End Sub
End Class

What we're doing here is inheriting from the ActionFilterAttribute, class and overriding the OnActionExecuting method, which is where we will put our logic.

I have decorated this class with some attributes of there own, AttributeTargets.Method states that this attribute can only be used on methods, and AllowMultiple states that there can only be one instance of it.

Expanding on the base Attribute

The next thing to do is expand our logic out a bit. Lets make this attribute as flexible as possible, so for example lets make the amount of time between requests flexible, give the option to either Redirect when an error occurs or simple add an error to the ModelState dictionary.

Start by adding some properties to represent our customisable options:

    ''' <summary>
    ''' The amount of time between each request
    ''' </summary>
    ''' <value></value>
    ''' <returns></returns>
    ''' <remarks></remarks>
    Public Property TimeBetweenRequests As Integer = 5

    ''' <summary>
    ''' The name of the object in the ModelState to add an error too
    ''' </summary>
    ''' <value></value>
    ''' <returns></returns>
    ''' <remarks></remarks>
    Public Property ModelErrorName As String = Nothing

    ''' <summary>
    ''' The message to add to the ModelState object specified in ModelErrorName
    ''' </summary>
    ''' <value></value>
    ''' <returns></returns>
    ''' <remarks></remarks>
    Public Property ModelErrorValue As String = "Maximum number of requests exceeded"

    ''' <summary>
    ''' A URL to redirect to
    ''' </summary>
    ''' <value></value>
    ''' <returns></returns>
    ''' <remarks></remarks>
    Public Property RedirectOnError As String = Nothing

So in order to add an error to the ModelState dictionary, we need need the name of the object to associate the error to (of course, this could just be an empty string for a generic error) - this is passed as ModelErrorName, and we also need the message to set - this is passed in ModelErrorValue.

If we wanted to redirect instead, we would set RedirectOnError.

Caching and Cache Expiration

Next, we need to customise the OnActionExecuting method to do our throttling. We need to store somewhere the fact that a given user (lets define a user by their IP address as well as their user agent) has been to the page recently. I decided to generate a unique key from the information given, and store it in the HttpContext.Cache and set it to expire on a time which is equal to the TimeBetweenRequests parameter of our attribute. That way on the next request, all we need to do is check for the existence of the same key in the cache.

Take a look at the code below of the OnActionExecuting method:

    Public Overrides Sub OnActionExecuting(filterContext As ActionExecutingContext)

        Dim HttpContext = filterContext.HttpContext

        'Get the details of the path they're requesting
        Dim pathInfo = HttpContext.Request.ServerVariables("PATH_INFO") & filterContext.HttpContext.Request.ServerVariables("QUERY_STRING")
        
        'Get who requested it, get their user agent as well, as multiple people in the same room could be coming from the same IP
        Dim requestedBy = HttpContext.Request.ServerVariables("REMOTE_ADDR") & HttpContext.Request.ServerVariables("HTTP_USER_AGENT")

        'Generate a unique key based on it
        Dim key = MD5(pathInfo & requestedBy)

        'Check to see if that key is in the cache
        If HttpContext.Cache.Get(key) IsNot Nothing Then
            'Reject the request
            If ModelErrorName IsNot Nothing Then
                'Add it to the modelstate
                filterContext.Controller.ViewData.ModelState.AddModelError(ModelErrorName, ModelErrorValue)
            End If
            If RedirectOnError IsNot Nothing Then
                'Redirect
                filterContext.Result = New RedirectResult(RedirectOnError, False)
            End If
        Else
            'Add it to the cache
            HttpContext.Cache.Add(key, New Object, Nothing, Now.AddSeconds(TimeBetweenRequests), Cache.NoSlidingExpiration, CacheItemPriority.Normal, Nothing)
        End If

    End Sub

In case you don't already have code to create an MD5 of a string, here it is, you'll need to import System.Security.Cryptography:

        Public Shared Function MD5(ByVal strToHash) As String
            Dim bytToHash As Byte() = ASCIIEncoding.ASCII.GetBytes(strToHash)
            Dim tmpHash As Byte() = (New MD5CryptoServiceProvider).ComputeHash(bytToHash)
            Dim i As Integer
            Dim sOutput As New StringBuilder(tmpHash.Length)
            For i = 0 To tmpHash.Length - 1
                sOutput.Append(tmpHash(i).ToString("X2"))
            Next
            Return sOutput.ToString()
        End Function

Using the new Attribute

Now that your attribute is complete, all you need to do is implement it by decorating a given method with it. Take these two examples:

    <HttpGet>
    <RequestThrottle(TimeBetweenRequests:=10, RedirectOnError:="/Error/Throttle")>
    Function TestThrottle()
        Return View(New TestThrottleViewModel)
    End Function

This action method will only allow one request per 10 seconds to the url /TestThrottle, before it redirects to an error page.

The next example will add the error to the ModelState instead, so you can return to the user on the same page:

    <HttpPost>
    <RequestThrottle(TimeBetweenRequests:=10, ModelErrorName:="Comment", ModelErrorValue:="There is a 10 second wait between posts")>
    Function TestThrottle(ByVal model As TestThrottleViewModel)
        If ModelState.IsValid Then
            Return Content("Thanks")
        Else
            Return View(model)
        End If
    End Function

The simple view model that I have created for the post back contains just one item, "Comment", from there I've created a form using the .NET Html Helpers:

    <% Using Html.BeginForm() %>
        <%: Html.ValidationSummary(True) %>
    
        <fieldset>
            <legend>TestThrottleViewModel</legend>
    
            <div class="editor-label">
                <%: Html.LabelFor(Function(model) model.Comment) %>
            </div>
            <div class="editor-field">
                <%: Html.EditorFor(Function(model) model.Comment) %>
                <%: Html.ValidationMessageFor(Function(model) model.Comment) %>
            </div>
    
            <p>
                <input type="submit" value="Create" />
            </p>
        </fieldset>
    <% End Using %>

The first post back works fine, the second will result in the user being greeted with the error:

Conclusion

I hope this simple tutorial has helped you to think a little about your site security, as well as how to utilise custom Action Filters to reuse code across your website.

As always, any questions please ask.

Creating an RSS 2.0 feed with .NET Syndication Namespace

Karl — Thu, 27 Dec 2012 22:20:15 Z

Overview

In my Previous Post I demonstrated how to create an RSS feed using an XML Document.

This got some attention as it was pointed out to me that I could achieve the same result using the .NET Syndication classes. As a result I have created this programming article with an alternate version of the class, which does away with the XMLDocument manipulation and uses these Syndication classes.

As with any default namespaces and classes in the .NET framework, they expose a lot of things that I quite simply don't need for my simple News or Article RSS feed, so I have wrapped them up as I did last time into a utility class, which enables you to quickly and easily create your feed.

Using the code

The code is available for download here, simply put it into your project and add a reference to yourprojectnamespace.Syndication. Using the code is very simple, see this example:

'Create your feed
Dim rssfeed As New RSSFeed("Your RSS Feed Title",
                           "The description of your feed",
                           "The URL to the feed",
                           "A unique identifier for your feed",
                           Now,
                           "en-GB")

'Add a category to the main channel
rssfeed.AddFeedCategory("CodeProject", "http://www.codeproject.com", "CodeProject")

'Add an item
dim item = rssfeed.AddItem("Item Title",
                           "Item Description",
                           "Item Body",
                           "Item URL",
                           "A unique identifier for your item",
                           Now,
                           "The author name")

'Add a category to the item
item.Categories.Add(New SyndicationCategory("CodeProject","http://www.codeproject.com","CodeProject"))

'Output the result
Return Content(rssfeed.ToString(rssfeed.OutputType.RSS2), "text/xml")

Notes

Because we're now using the syndication provider, you can chose to output as RSS2 or Atom1 by changing the parameter in the ToString method.

This is utilising the helper class as previous to ensure the xml document is UTF8, the resultant XML passes the RSS Feed Validator, and works perfectly with Code Project.

As usual, any questions please ask.

Creating an RSS 2.0 feed with .NET

Karl — Wed, 26 Dec 2012 14:28:34 Z

Overview

Rather than post another article about setting up and using third party tools with .NET MVC, I thought I would take a slightly different approach this time and write a Programming with .NET article based on something I have had to do whilst creating Jambr.

I had the requirement to create an RSS feed for both the Articles and News sections of the site so you lovely readers could subscribe to either of them, I haven't actually had to create RSS feeds before so had to do some digging to find the best route to go down. I read numerous programming articles on line and compiled a simple class which enables me to create an RSS2.0 compliant feed, as seen here.

Using the code

Rather than putting all 237 lines of code in here I have uploaded the class for you, you can download it from here. Just pop it into your project and use it like this:

Firstly you need to create an instance of the object (apologies if i'm teaching you to suck eggs!):
```
Dim rssfeed As New RSSFeed()
```
Next, you need to create the channel. RSS2.0 feeds can only have one channel so you're only able to call this method once
```
rssfeed.CreateChannel("Jambr - News"
"Http://www.jambr.co.uk/News",
"Jambr News",
Now,
"en-GB")
```
And now, you add your items. Obviously you need to loop through the objects you want in your feed and add them, but we'll add just one example here:
```
rssfeed.WriteRSSItem("This is an item",
"http://www.yoursite.com",
"Karl",
Now,
"This is the description",
Guid.NewGuid.ToString)
```
Finally, after you've added your items you can return the string of the XML document. I'm coding around .NET MVC 4 so as a result I return the XML document to the user like this:
```
Return Content(rssfeed.ToString, "text/xml")
```

It is worth noting that I have included additional parameters on both the CreateChannel and WriteRSSItem methods which enables you to add Categories (in the context of Jambr, I Tag all articles to enable them to be categorised) and Content (which will be added to the content:encoded tag).

To add category tags, pass them as an array of KeyValuePair(of String, String) objects.

To add the content, pass it as a string.

rssfeed.WriteRSSItem("This is an item",
"http://www.yoursite.com",
"Karl",
Now,
"This is the description",
Guid.NewGuid.ToString,
"This is the full body of the post",
{New KeyValuePair(Of String, String)("Tag1", "/Articles/?Tag=Tag1")})

A few issues I encountered

There were a few issues I encountered whilst trying to ensure the feed was RSS 2.0 compliant which are sorted in this code, for example:

Date Times needed to be in the correct format (Sat, 07 Sep 2002 9:42:31 GMT), luckily .ToString("r") on a datetime object handles that.
Adding custom namespaces to the root rss element of the document, and then actually enabling me to write tags which reference that namespace. for example <dc:creator> tags

I hope that helps! Any questions, please ask.

Elmah - Installation and Setup

Karl — Mon, 24 Dec 2012 11:53:57 Z

Overview

As promised, here is my next article regarding another tool I find completely invaluable in my life as a developer, Elmah.

Basically Elmah sites quietly on your site, logging any exceptions (Code based or Web Server, for example, 404) which occur to (in this example) a database. It then provides a nice neat GUI front end to allow you to view the details of these errors, including stack traces.

If you're anything like me, and are tired of conversations which go like this:

User: "Karl, the website crashed earlier"
Karl: "Oh right, what were you doing"
User: "I don't remember, I was just on it, can you fix it please"
Karl: "Well I could do with reproducing it...

You will be happy Elmah exists!

Installation

Installation is easy, just follow these steps. Remember, this guide is based around .NET 4.5 MVC 4 and the associated caveats, it may not be exactly what is required for your configuration but should be near as dammit.

Ok, so firstly, install the Elmah package from the Package Manager console in Visual Studio:
```
Install-Package elmah
```
We use the package manager as it will handle the installation of any dependencies, and also add the required sections to your web.config (well, almost).
Now open your web.config and find the <elmah> section. You'll need to modify it to use SQL logging. Make that section look something like this:
```
<elmah>
    <errorLog type="Elmah.SqlErrorLog, Elmah" connectionStringName="YourConnectionStringName" applicationName="YourWebsiteName" />
    <security allowRemoteAccess="true" />
</elmah>
```
It's pretty self explanatory, the connection string name must be a valid connection string from the <connectionStrings> section of your web.config, and the application name should be the name you want to log errors for this application against.

As you can see in point #2, I have set allowRemoteAccess to true, this is a personal preference, but if you do this you must secure it. If you use forms authentication with roles this is simple to do, find the <location path="elmah.axd"> element, and make it look something like this:

<location path="elmah.axd">
    <system.web>
      <httpHandlers>
        <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
      </httpHandlers>
      <authorization>
        <allow roles="Admin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
    <system.webServer>
      <handlers>
        <add name="ELMAH" verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />
      </handlers>
    </system.webServer>
</location>

You'll notice here I have added a constraint which means only users which are members of the Admin group will be able to view Elmah.axd

The next section you need to modify is in your system.webServer section, you need to add runAllManagedModulesForAllRequests="true" to the modules section. Without this, elmah will not log exceptions in .NET MVC, you will simply find there is nothing logging to your SQL server:

<modules runAllManagedModulesForAllRequests="true">
      <add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" preCondition="managedHandler" />
      <add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" preCondition="managedHandler" />
      <add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" preCondition="managedHandler" />
</modules>

Custom Errors

When you use Elmah with Custom Errors redirects, you'll notice that nothing gets logged to elmah. This is because the framework intercepts the error prior to elmah getting hold of it. To get around this we need to add two global filters, the code for them is fairly, simple:

Public Class ElmahHTTPErrorAttribute
    Inherits System.Web.Http.Filters.ExceptionFilterAttribute

    Public Overrides Sub OnException(actionExecutedContext As System.Web.Http.Filters.HttpActionExecutedContext)
        If actionExecutedContext.Exception IsNot Nothing Then
            Elmah.ErrorSignal.FromCurrentContext().Raise(actionExecutedContext.Exception)
        End If
        MyBase.OnException(actionExecutedContext)
    End Sub
End Class

Public Class ElmahMVCErrorAttribute
    Implements IExceptionFilter

    Public Sub OnException(filterContext As ExceptionContext) Implements IExceptionFilter.OnException
        If filterContext.Exception IsNot Nothing Then
            Elmah.ErrorSignal.FromCurrentContext().Raise(filterContext.Exception)
        End If
    End Sub
End Class

And then you need to modify your FilterConfig.vb. What we're doing here is creating a new section for HTTP filter attributes, which we will call from global.asax later:

Public Class FilterConfig
    Public Shared Sub RegisterGlobalFilters(ByVal filters As GlobalFilterCollection)

        'Add elmah attribute
        filters.Add(New ElmahMVCErrorAttribute, 1)

        'Add the standing handle error attribute
        filters.Add(New HandleErrorAttribute(), 2)

    End Sub
    Public Shared Sub RegisterHTTPFilters(ByVal filters As System.Web.Http.Filters.HttpFilterCollection)

        'Add a http filter attribute
        filters.Add(New ElmahHTTPErrorAttribute)

    End Sub
End Class

Finally, update Application_Start in your Global.asax.vb to register the new filters:

        FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters)
        FilterConfig.RegisterHTTPFilters(GlobalConfiguration.Configuration.Filters)

And that's it, you're all configured and ready to go, if you go to http://yoursite.com/Elmah.axd, you should see a screen similar to the following:

You can drill down further, by clicking details, which will show you the stack trace if one is available.

MiniProfiler - Installation and Setup

Karl — Fri, 21 Dec 2012 13:35:38 Z

Overview

The primary reason I started this web site was to share with you the things I come across in my day job as a Web Developer, the first batch of articles I am going to write will be around the tools I find invaluable in my role.

So first and foremost, let’s take a look at MiniProfiler.

MiniProfiler is a tool created and used by the StackExchange group of websites and is used for profiling your .NET and Ruby applications.

Whilst in your development environment you can use it to get an overlay on your page detailing the code execution of your Application. For those of you that have ever tried to identify bottlenecks in your applications you can immediately see how useful this can be. Take a look at this screenshot from the Jambr blog page.

As you can see, the steps needed to render my page, and most importantly the SQL that was executed in the process are clearly detailed out here, you can even click on the query to view the detail, for example:

I’ll go into all of this a little more in later articles, but for now let’s look at setting up and configuring MiniProfiler against a .NET 4.5 MVC 4 Application which uses Entity Framework 5 for its database connections.

Installation

Installation is simple and is all done through the Package Manager Console integrated into Visual Studio.

Open the Package Manager Console (Tools -> Library Package Manager -> Package Manager Console.
Type “Install-Package MiniProfiler” and press enter:
Package Manager will now download and install MiniProfiler and add the required references to your project.
As I mentioned previously, we’re going to be configuring MiniProfiler to profile our Entity Framework database context, in order to do so, we’ll also need the MiniProfiler.EF package, which is installed in exactly the same way, with
```
“Install-Package MiniProfiler.EF”
```
Now open your Global.asax.vb file, at the top of your Sub Application_Start, add:
```
MiniProfilerEF.Initialize_EF42()
```
This ensures that any connections created and used by Entity Framework are captured and logged into MiniProfiler like in my screenshot above.
In the same file, add the following to the top of your Application_BeginRequest:
```
MiniProfiler.Start()
```
And at the top of your Application_EndRequest:
```
MiniProfiler.Stop()
```

Almost done, I promise. We now need to add a piece of code to the page you want to see the profiler on. Personally I have this on my Base.Master, the parent master page for all others, that way it’s available on every page. The code you need to add, in your <head> tag is:

<%:MiniProfiler.RenderIncludes %>

You may need to add a reference to the namespace at the top of your page like so:

<%@ Import Namespace="StackExchange.Profiling" %>

And that’s it. It’s worth noting that if MiniProfiler.Start() isn’t called, the .RenderIncludes function is smart enough not to clutter your browser with the JavaScript files that are required. I personally wrap my .Start() in a Debugger.IsAttached statement, therefore I only show the profile in my local development environment.

Run your application and see what happens…

"Oh wait, Karl, you lied – it doesn’t work and I’m getting the following error when running MVC4"

Failed to load resource: the server responded with a status of 404 (Not Found) http://*/mini-profiler-resources/results

This article wouldn’t be interesting unless it solved at least one annoyance now, would it? To fix the above error you need to add the following to your Web.Config

<system.webServer>
    <handlers>
        <add name="MiniProfiler" path="mini-profiler-resources/*" verb="*" type="System.Web.Routing.UrlRoutingModule" resourceType="Unspecified" preCondition="integratedMode" />

This sorts out the routing issue which appeared in MVC4. Now try again, and you’ll be sorted!

Summary

MiniProfiler is a very powerful tool, I will go into the more advanced features of it in a later Article.