
ObjectDataSource DateTime, and Locale

Thinking of using an ObjectDataSource and DetailsView to populate/save your business object? If the object has a DateTime property – let's hope you live in the United States!

Had a strange problem today with a birthday set to October 9, 1940. The edit screen would populate a TextBox with “9/10/1940”, correct for my culture en-AU. Clicking save populates the database with “September 10, 1940”. Strange that the edit screen would observe my culture settings, yet populating the business object doesn’t.

Googling around turned up this: ObjectDataSource ignores culture information when updating. D’oh!

How Does OpenID Work?

I’ve heard about OpenID on a podcast I listen to. Sounds interesting – an open source solution to have a ‘single sign on’ for many websites. Interested to see how this works – both as a user, and as a website author.

Here’s a run through of an example authentication:

  1. User accesses an OpenID-enabled website; the site responds with a form requesting the user’s OpenID identity.
  2. User enters their identity, e.g. russau.myopenid.com, then submits the form to the website.
  3. The website’s server accesses http://russau.myopenid.com.
  4. It retrieves the location of the OpenID provider from the link tag:

    <link rel="openid.server" href="http://www.myopenid.com/server" />
  5. Website POSTs an ‘associate’ request to the provider. The two machines establish a secret using a Diffie-Hellman key exchange.
    openid.mode associate
    openid.assoc_type HMAC-SHA1
    openid.session_type DH-SHA1
    openid.dh_consumer_public
    openid.dh_modulus
    openid.dh_gen Ag==
  6. Provider’s response provides the website an ‘assoc_handle’ (and expiry) for future requests. The two servers now have established a shared secret, without passing it over the wire.
  7. assoc_handle {HMAC-SHA1}{47b0ec92}{5hMN8A==}
    assoc_type HMAC-SHA1
    dh_server_public
    enc_mac_key
    expires_in 1209600
    session_type DH-SHA1
  8. The consumer’s response from step 2 contains a redirect to the provider, with a number of parameters in the querystring. Note that the querystring contains the established ‘assoc_handle’, and a ‘nonce’ has been attached to the ‘return_to’.
    openid.mode checkid_setup
    openid.identity http://russau.myopenid.com/
    openid.return_to http://openidconsumer.test/cp/login.aspx?&nonce=vovudmLa
    openid.trust_root http://openidconsumer.test/cp
    openid.assoc_handle {HMAC-SHA1}{47b0ec92}{5hMN8A==}
    openid.sreg.required gender,postcode,timezone
    openid.sreg.optional email,country
    openid.sreg.policy_url
  9. The user is now on the provider website, and performs the step needed to authenticate, e.g. entering a password.
  10. The provider redirects the user back to the consumer website, along with parameters in the querystring. The consumer now has everything it needs to log in the user.
    nonce vovudmLa
    openid.assoc_handle {HMAC-SHA1}{47b0ec92}{5hMN8A==}
    openid.identity http://russau.myopenid.com/
    openid.mode id_res
    openid.op_endpoint http://www.myopenid.com/server
    openid.response_nonce 2008-02-12T00:47:53ZyUUam3
    openid.return_to http://openidconsumer.test/cp/login.aspx?nonce=vovudmLa
    openid.sig EpvWdJtxacv2WtCaZLbud85M84k=
    openid.signed assoc_handle, identity, mode, op_endpoint, response_nonce, return_to, signed, sreg.country, sreg.email
    openid.sreg.country AU
    openid.sreg.email testuser@webmail.com

    This querystring contains a couple of things to prevent an attacker from spoofing it. The consumer uses the ‘assoc_handle’ established in steps 5 and 6 to look up the shared secret. ‘openid.sig’ contains an HMAC-SHA1 signature over the values of the parameters listed in ‘openid.signed’, computed with that secret. If an attacker were to change ‘openid.identity’ in an attempt to log in as someone else, the signature wouldn’t match (without knowing the secret, the attacker cannot re-create it). Finally, the initial ‘openid.return_to’ in step 7 contained a nonce. If an attacker were to resubmit the querystring above unchanged (a replay attack), the consumer website would know the nonce has already been used.
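Added example (not code from the original post) of the consumer-side checks just described, in Python: look up the association by ‘assoc_handle’, recompute the HMAC-SHA1 signature over the ‘openid.signed’ fields, and reject a reused ‘return_to’ nonce. The 20-byte MAC key is constructed for the example, so the computed ‘openid.sig’ differs from the one shown in step 10.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed 20-byte MAC key standing in for the secret agreed with the
# provider in the 'associate' exchange (steps 5 and 6), keyed by assoc_handle.
ASSOCIATIONS = {"{HMAC-SHA1}{47b0ec92}{5hMN8A==}": bytes(range(20))}
TRUST_ROOT = "http://openidconsumer.test/cp"
USED_NONCES = set()  # nonces this consumer has already accepted

# The id_res response from step 10, minus openid.sig (computed with sign()).
SAMPLE = {
    "openid.mode": "id_res",
    "openid.assoc_handle": "{HMAC-SHA1}{47b0ec92}{5hMN8A==}",
    "openid.identity": "http://russau.myopenid.com/",
    "openid.op_endpoint": "http://www.myopenid.com/server",
    "openid.response_nonce": "2008-02-12T00:47:53ZyUUam3",
    "openid.return_to": "http://openidconsumer.test/cp/login.aspx?nonce=vovudmLa",
    "openid.signed": "assoc_handle,identity,mode,op_endpoint,response_nonce,"
                     "return_to,signed,sreg.country,sreg.email",
    "openid.sreg.country": "AU",
    "openid.sreg.email": "testuser@webmail.com",
}

def sign(params, mac_key):
    # Key-value form both sides sign: one "field:value\n" line per field in
    # openid.signed, in the listed order, then HMAC-SHA1, base64-encoded.
    fields = params["openid.signed"].split(",")
    msg = "".join(f"{f}:{params.get('openid.' + f, '')}\n" for f in fields).encode()
    return base64.b64encode(hmac.new(mac_key, msg, hashlib.sha1).digest()).decode()

def verify_response(params):
    # Returns the consumer's verdict as a short reason string; "ok" means log in.
    mac_key = ASSOCIATIONS.get(params.get("openid.assoc_handle"))
    if mac_key is None:
        return "unknown assoc_handle"
    if not hmac.compare_digest(sign(params, mac_key), params.get("openid.sig", "")):
        return "bad signature"  # identity (or any other signed field) was altered
    return_to = params["openid.return_to"]
    if not return_to.startswith(TRUST_ROOT):
        return "return_to outside trust_root"
    nonce = parse_qs(urlparse(return_to).query).get("nonce", [None])[0]
    if nonce is None or nonce in USED_NONCES:
        return "missing or replayed nonce"
    USED_NONCES.add(nonce)
    return "ok"
```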


Facebook dev, IIS 5.1, and error 405

In the middle of a Facebook application idea of mine. Using the FacebookToolkit to get something together.

It’s pretty interesting how Facebook integrates with 3rd party applications. Short version: the user accesses “http://apps.facebook.com/<application_name>”, Facebook sends your page a POST (you host it wherever you want), and Facebook displays the output of your page. Long story: Basic Application Architecture.

You can configure the location of the page Facebook POSTs to – called the Callback Url. I initially had this set to something like: http://www.mycheaphosting.com/Canvas.aspx. The location the Facebook user accesses, i.e. apps.facebook.com/myapplication/ is called the Canvas Page.

Any relative links within your Callback page will become relative to your Canvas page. For example, a link to “blah.aspx” will be treated by the browser as a link to “apps.facebook.com/myapplication/blah.aspx”. What does Facebook do with a URL like this? It POSTs to the same ‘relative’ location on your server, which in my case would be: http://www.mycheaphosting.com/Canvas.aspxblah.aspx. Yuck!

My first thought was: Okay, I can put the logic into a ‘default.aspx’, and change the Callback URL to: http://www.mycheaphosting.com/.

Have you ever tried to POST to a default document? Under IIS 5.1 – it actually causes a 405 – ‘Resource not allowed’ error. The best reference on this I could find was in this comment from David Wang’s article HOWTO: POST Resources to IIS:

The ability to POST to a DefaultDocument requires IIS6. Prior IIS versions will return “405 Method not Allowed”. That is simply a limitation of the IIS Request Processing Pipeline.

The fix: WebDev.WebServer2 – an alternative to the Cassini web server that comes with VS2005. Unlike Cassini, this web server can service external requests.

Creating Your Own Dev SSL Cert for IIS

Ever wanted to create an SSL certificate for your dev box? There’s no need for a well-known CA like Verisign or Comodo on your dev box. Here are some guides to creating your own CA/signed certificates: