Tuesday, March 20, 2007

HTTP & HTTPS / SSL in ASP.Net Applications

These notes are for when you are required to implement https / SSL in an ASP.NET application.

To avoid IE's popup notification about a partially secured page (a page served over https:// that loads some resources over http://), change the page's references from http:// to https:// (e.g. image references, script sources, etc.).

There are several ways to implement SSL in the application, depending on the requirements :
1. Fully secured : All pages in the application use https://
2. Partially secured : Only certain pages in the application use https://, for example : login page, data submission page, reporting page, etc.

I found 2 interesting articles on how to implement this partial SSL :
1. http://www.codeproject.com/useritems/switchprotocol.asp
This is a simpler solution for partially secured pages, but it will need a recompile if the users suddenly need other pages to be secured :P
2. http://www.codeproject.com/aspnet/WebPageSecurity_v2.asp
This is a more complete solution for partially secured pages; we can easily change the file / directory paths that we need to secure in the configuration file.

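PS : As you try the sample code, the session information can still be retrieved when switching from http to https and vice versa. That works because the same session identifier is sent over both protocols, so it also travels unencrypted on the http:// pages.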

There's a tool from Microsoft called IIS Diagnostic Tools; you can use its SSL Diagnostic to set up a temporary SSL certificate on your local machine, so you can do the SSL testing locally.
http://www.microsoft.com/windowsserver2003/iis/diagnostictools/default.mspx

Friday, March 16, 2007

Stored Procedure Parameters - String limitation

In some scenarios, we need to pass a long string to a stored procedure.
My case is that we need to pass the selected checkbox option values to the stored procedure.
Sometimes, when the list of checkboxes is very long, the parameter string value can exceed the varchar(8000) limit of 8000 characters.

Example of the parameter : '(''chkvalue1'',''chkvalue2'',''chkvalue3''.......)'

My solution :
1. Instead of constructing the list of values for the query as a string, we change the strategy and use an xml string format for the parameter.
Example of the new parameter : '<root><param value="chkvalue1" /><param value="chkvalue2" /><param value="chkvalue3" />.....</root>'
2. Change the data type for the parameter from varchar(8000) to text
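3. Use OPENXML to get the values from the xml :
DECLARE @idoc int
EXEC sp_xml_preparedocument @idoc OUTPUT, @param -- parse the xml parameter into a handle (@param is an assumed parameter name)
SELECT value
INTO ##temptable -- ## makes this a global temp table, visible to every session
FROM OPENXML (@idoc, '/root/param',1) -- flag 1 = read the values from attributes
WITH (value varchar(100))
EXEC sp_xml_removedocument @idoc -- release the parsed document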
4. Use this temp table to achieve the same result
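
Steps 1 to 4 put together in one procedure, as an added example that is not the author's code: the table dbo.DemoOptions, the procedure dbo.GetSelectedOptions and the sample values are constructed for illustration. It uses a session-local #selected table instead of the global ##temptable and joins against it rather than building an IN (...) list, so a value containing a quote is handled as plain data.

```sql
-- Constructed sample data; table, column and procedure names are hypothetical.
CREATE TABLE dbo.DemoOptions (OptionValue varchar(100) PRIMARY KEY, Label varchar(50));
INSERT INTO dbo.DemoOptions VALUES ('chkvalue1', 'First');
INSERT INTO dbo.DemoOptions VALUES ('chkvalue2', 'Second');
INSERT INTO dbo.DemoOptions VALUES ('O''Brien', 'Value containing a quote');
GO

CREATE PROCEDURE dbo.GetSelectedOptions
    @selected text              -- step 2: text instead of varchar(8000)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @idoc int;

    -- Parse the xml once; @idoc is the handle OPENXML reads from.
    EXEC sp_xml_preparedocument @idoc OUTPUT, @selected;

    -- Step 3: shred the value attributes into a session-local temp table
    -- (#selected, so concurrent callers do not share or collide on rows).
    SELECT value
    INTO #selected
    FROM OPENXML(@idoc, '/root/param', 1)
    WITH (value varchar(100));

    -- Release the parsed document as soon as the rows are copied out.
    EXEC sp_xml_removedocument @idoc;

    -- Step 4: a plain join replaces the concatenated IN (...) list, so the
    -- values are only ever compared as data, never executed as SQL text.
    SELECT o.OptionValue, o.Label
    FROM dbo.DemoOptions AS o
    JOIN #selected AS s ON s.value = o.OptionValue;
END
GO

-- Constructed call: two selected checkboxes, one with a quote in its value.
EXEC dbo.GetSelectedOptions
    '<root><param value="chkvalue1" /><param value="O''Brien" /></root>';
```

The caller still has to XML-escape each checkbox value (", <, &) when it builds the parameter string, otherwise sp_xml_preparedocument rejects the document.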