ASP.NET Security Alert

by admin 19. September 2010 10:02

Earlier this week, in the lead-up to the ekoparty Security Conference in Argentina, a pair of security researchers announced that they would demonstrate an attack exploiting the way that ASP.NET handles encrypted session cookies.

I first learned of this on Wednesday, when someone posted a question on Stack Overflow. Since then, Microsoft have issued a security alert and Scott Guthrie has put out a blog post giving a full explanation of how this works and how it may affect you. Scott's post includes a link to a script you can run on your servers to identify vulnerable sites. In short, you need to have a <customErrors> section in your Web.Config file and map all errors to a single error page.

As reported here, the attack is 100% reliable: any ASP.NET website can be "owned" in as little as seconds, and in the worst case it takes less than 50 minutes. If your bank's site runs on ASP.NET, confirm with them that this has been remedied before logging into your account!
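As an added example (not the script linked from Scott's post, and not Microsoft's code), here is a small Python scanner that walks a folder for Web.config files and reports whether each one carries the single-error-page <customErrors> configuration the post describes. The attribute checks it applies (mode="On", a defaultRedirect, no per-status <error> entries) follow the published workaround, and the two sample configs are constructed for the demonstration.

```python
"""Scan Web.config files for the customErrors workaround described in the post.

Added example, not the detection script linked from Scott Guthrie's post.
It checks what the post names (a <customErrors> section that maps every
error to one page); the exact attribute checks follow the published
workaround: mode="On", a defaultRedirect, and no per-status <error> entries.
"""
import os
import xml.etree.ElementTree as ET


def _child(elem, tag):
    """First direct child with the given tag, or None (avoids XPath handling
    of the dotted element name system.web)."""
    return next((c for c in elem if c.tag == tag), None)


def check_custom_errors(config_xml):
    """Return a list of findings for one Web.config document; an empty list
    means the customErrors section matches the workaround."""
    findings = []
    root = ET.fromstring(config_xml)
    system_web = _child(root, "system.web")
    custom_errors = _child(system_web, "customErrors") if system_web is not None else None
    if custom_errors is None:
        return ["no <customErrors> element under <system.web>"]

    mode = custom_errors.get("mode", "")
    if mode.lower() != "on":
        findings.append('customErrors mode is "%s"; the workaround needs "On"'
                        % (mode or "(unset)"))

    if not custom_errors.get("defaultRedirect"):
        findings.append("no defaultRedirect page; every error must map to one page")

    # Per-status mappings let different errors produce different responses,
    # which is exactly what the single-page workaround is meant to remove.
    per_status = [e.get("statusCode") for e in custom_errors.findall("error")]
    if per_status:
        findings.append("per-status <error> mappings present: %s" % per_status)
    return findings


def scan_tree(root_dir):
    """Walk root_dir and check every Web.config found; returns {path: findings}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower() == "web.config":
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:  # VS often writes a BOM
                    results[path] = check_custom_errors(fh.read())
    return results


# Constructed sample configs (not taken from any real site).
VULNERABLE_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="GenericError.htm">
      <error statusCode="404" redirect="NotFound.htm"/>
    </customErrors>
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html"/>
  </system.web>
</configuration>"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python scan_customerrors.py C:\inetpub\wwwroot
        for path, findings in scan_tree(sys.argv[1]).items():
            print(path, "OK" if not findings else findings)
    else:
        print("vulnerable sample:", check_custom_errors(VULNERABLE_CONFIG))
        print("hardened sample:", check_custom_errors(HARDENED_CONFIG))
```

Run it against the root of your web sites folder; any Web.config that produces findings needs its <customErrors> section brought in line with the advisory before you consider the site covered.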

Update to Security Advisory 2416728 (09-20-2010)

FAQ about the ASP.NET Security Vulnerability - Scott Guthrie (09-21-2010)

Update on ASP.NET Vulnerability - Scott Guthrie (09-24-2010)

ASP.NET Security Update Shipping Sept 28th - Scott Guthrie (09-27-2010)

Microsoft Security Bulletin MS10-070 (09-28-2010)

ASP.NET Security Fix Now on Windows Updates - Scott Guthrie (09-30-2010)

N2 CMS

For some time now, I've been searching for a good ASP.NET Web Forms CMS. I had been working on a project with Sitefinity but they recently stopped supporting the free community edition and that took the sheen off it for me. In fairness to Telerik, they offered to provide free support for that project but I also found Sitefinity somewhat over-engineered and producing some pretty messy markup. I looked at Umbraco but its over-reliance on XSLT was a total turn-off. I've been criticized because as a developer I should embrace XSLT as an extra skill; well I do, and I choose not to use it when it's not needed or called for in a given situation.

Web Deployment Tool

The open source N2 CMS on CodePlex has been on my radar for a while now. There are both Web Forms and MVC versions available. I experienced some frustration in getting it up and running and vented my usual rants in the forums - but that's what they're for, right? ;-) I took one look at how the template code was created months ago and realized that was exactly what I was looking for. The documentation is lacking, but this is true of a lot of the projects on CodePlex, which is sad. That said, N2 is going to fill a glaring hole in the ASP.NET CMS market that has existed for a long time. Neither of Microsoft's efforts, MWPSK or Orchard, has gained a lot of traction or support in the community.

Installing Web Deployment Tool using Web Platform Installer

I'm going to outline the basic steps required to create a Web Forms version of the N2 CMS and how to import the downloaded zip file as a package in IIS7. The Web Deployment Tool gives us the ability to package our Web application or Web site along with an associated database. The simplest approach is to use the Web Platform Installer to install the Web Deployment Tool on your machine. Many thanks to Cristian Libardo for stepping me through this process.

If you haven't done so already, install the Web Platform Installer on your machine. After you run the MSI file, you should be able to see the WPI icon in IIS. Click on the icon and install the Web Deployment Tool. You should now be able to see a new Deploy panel in IIS with links to import and export site packages.

IIS Deploy Panel

Next step is to download the N2 Web Forms Template pack from CodePlex. You can save it anywhere convenient for now. Next, go to your wwwroot folder and create the top level empty folder for your new site. The N2CMS folder in the download will go directly under this top level folder. When you open IIS, you need to right-click on the new folder and select "Convert to Application".

Next, look to the new Deploy panel in IIS, in the Actions column. Click on the "Import Application" link and use the wizard to pull in the zip file containing the downloaded project. If you are using SQL Server, it will need to be running in mixed authentication mode. Create a login and password for the site's database and update the config file. I don't usually use a SQL login when developing locally, but the wizard insists on one; you can revert to integrated security afterwards if you wish:

<connectionStrings>
    <remove name="N2CMS"/>
    <add name="N2CMS"
        connectionString="Initial Catalog=CMS;Data Source=MYMACHINE;Integrated Security=SSPI;"
        providerName="System.Data.SqlClient"/>
</connectionStrings>

You should now be able to navigate to the new CMS site in your browser thus:

  http://localhost/mysite

You can use "Export Server Package" to create a zipped file to deploy to your server. On the server, use the same steps as before to import the zip file, and don't forget to update your Web.config file with the live DB login details.

Project Structure in VS 2008

As a developer I need to have the ability to easily customize the different areas of the site using CSS. You can access the CSS for the existing themes in the App_Themes folder and use one of these as the basis for creating your own theme. The related master pages can be located in the Templates/UI/Layouts folder. I am currently working on a new CMS site for our local Farmers Market and plan to use the Stripes theme as a starting point. My first task is to widen the layout to 960px, get rid of the logo and flags and adjust the column width to fit the new layout.

I may come back and post again on the customization steps for N2 :-)

UPDATE 08-22-2010:
SQL Server scripts can be obtained here.


ASP.NET | CMS



Confessions of a Lazy Blogger

by admin 27. March 2010 05:33

Author: Laurence Sterne

I'm never short of plans for the future of this blog, but a cursory glance at the dates of the last few posts reminds one of "the best laid plans of mice and men"...

Every so often I see other bloggers explaining to their readers how they got waylaid and would be more dutiful in their future blogging efforts. But what gets me is that more often than not they were never committed and more likely underestimated the real time demands of maintaining a blog. My excuse is that I have been taking on extra projects without stopping to ask myself what gives me the most enjoyment. I have to admit that I miss blogging on a regular basis and won't rest easy until I get back into the swing of it.

I'm also having problems with the version of BlogEngine that I'm currently using, in that the invisible CAPTCHA is seriously flawed. Right now I'm being spammed to death and I hate not responding to people who are good enough to contribute in the comments section. My plan has been to upgrade to 1.6 but I've also been pondering the use of a different blog engine.

I've been having an internal argument for the last month on whether to switch my focus to MVC; it wouldn't be suitable for our projects at work and I'm loath to invest more time in it myself right now because I'm finally throwing every spare moment into improving my JavaScript/jQuery skills (or lack of them). There's a part of me that just knows that MVC is the proper way to build Web applications. However, right now it is just not practical for me to make the switch. In time, I will definitely move in that direction.

So rather than make a list of what I will do for my new blog design, I'm just going to take the first small step when I finish this post: I will download the latest version of BlogEngine and have it ready to go in the morning! First order of business will be to widen the layout to 960 pixels and decide on how radical a re-design this will actually be overall. Thanks to the 7,378 unique visitors over the last month for your patience and loyalty :-)

Blog