To give myself some deployment options for the Whisky Fringe 2012 Tasting Tracker site I’ve been using my Microsoft Azure 90 day trial account to try setting up cloud-based hosting. This comprises two services:

• A Cloud Service to which the MVC 4 web project is deployed
• A SQL Azure database

Given that I might want to scale up the site for the event session state needs to be managed by the SQL Azure database, or an Azure table. Scott Hanselman posted about how to use the System.Web.Providers NuGet package to handle this, and gave sample configuration. For some reason, while the membership, roles and profiles parts of this worked just fine it refused to set up the relevant Sessions table as was expected – firing up the app lead to a yellow screen of death with an error:

Invalid object name ‘dbo.Sessions’.

After wasting a bit of time figuring out why it wasn’t creating the table, I resorted to letting it create the table against my local SQL Express instance (which worked without incident) then scripting directly to the SQL Azure instance:

CREATE TABLE [dbo].[Sessions](
    [SessionId] [nvarchar](88) NOT NULL,
    [Created] [datetime] NOT NULL,
    [Expires] [datetime] NOT NULL,
    [LockDate] [datetime] NOT NULL,
    [LockCookie] [int] NOT NULL,
    [Locked] [bit] NOT NULL,
    [SessionItem] [image] NULL,
    [Flags] [int] NOT NULL,
    [Timeout] [int] NOT NULL,
PRIMARY KEY CLUSTERED 
(
    [SessionId] ASC
))
GO

Huzzah! Working sessions. The only caveat was that SQL Azure has limitations on the kinds of DDL operations you can use, so when you script from your local instance you’ll find the CREATE TABLE from above also has:

WITH (PAD_INDEX  = OFF, STATISTICS_NORECOMPUTE  = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS  = ON, ALLOW_PAGE_LOCKS  = ON) ON [PRIMARY]
) ON [PRIMARY] TEXTIMAGE_ON [PRIMARY]

tagged onto the end – omitting that’ll get it scripting into Azure just fine.

I’ve finally deployed a preliminary version of the Tasting Tracker for this year’s Whisky Fringe. While deeply unfinished, and so far only populated with test data, a bunch of stuff’s already implemented:

• A long list of whiskies arranged by distillery or whisky name
• Ability to add the whisky to your wishlist ahead of the event
• Ability to score a whisky out of 5
• Ability to add private tasting notes to a whisky – before, during or after the event
• Filter whiskies by whether or not you liked, disliked or just tasted them
• Publish lists of whiskies that you liked, disliked or tasted and optionally include your tasting notes – and also including links to the RMW site to quickly add desired whiskies to your shopping basket
• Some limited mobile browsing support in terms of layout

Yet to go:

• Activity feed
• Linking in a social media account
• Statistics
• Something other than the default Bootstrap theme
• Possibly some offline support
• Cross-browser and mobile-browser testing

What’s deployed is there only for interest, will change without notice and contains only test data (i.e. last year’s whisky list) for now.

I had an MVC4 application (the new Whisky Fringe Tasting Tracker site) for which forms authentication’s persistent cookies worked fine when testing on my local machine but failed when deployed to my shared .NET host.

The symptom was pretty simple – you’d log in ticking the ‘remember me’ checkbox (which generates a persistent cookie on the client’s machine), could use the site normally but would find that the next day you were no longer logged in. In fact, leaving just 20 minutes or so between accesses to the site would be enough to see your login bumped.

That 20 minutes should have been a good clue – it’s about the same amount of time as the shared host’s app pool worker processes were recycling. With a bit of digging, what seemed to be happening was that in recycling the worker processes, my application was getting new validation and encryption keys, as at the machine.config level these were configured to auto-generate. With authentication cookie validation turned on, this meant that the keys used to sign and encrypt the cookie 20 minutes ago ain’t the same ones that were used to try to decrypt and validate it just now, so the provider kicks your login out.

The fix is to specify a machineKey element in your app’s web.config file under the <system.web> element, locking down a validation key and a decryption key to be used and opting you out of automatic key generation in the process. With this applied, logins will persist even over app pool recycles.

One caveat – if you use a tool such as this one to generate the keys for you, make sure that the ‘validation’ attribute that specifies the validation algorithm to use for tamper-proofing the cookies matches the default for the system as it was before if you’re using the System.Web.Providers libraries for authentication. Failure to do so will make it impossible for existing users to login… The default is ‘HMACSHA256’.

With a surname like O’Neill I’m used to breaking systems that need me to enter my name. Apostrophes are used in SQL commands and many programming languages to enclose string or character literals – as such, the appearance of one when not expected can mark the end of a string before the programmer of the system actually intended, leading to faults and security bugs such as SQL injection attacks.

I can’t, for example, use Asda online shopping because attempting to pay with a debit or credit card using my surname results in the site throwing a wobbler on account of the apostrophe – it claims it to be an ‘invalid character’. Small business owners’ websites will frequently bail out in a way suggesting an attack vector when I have to enter my name – they’ll see a premature end-of-string and try to parse Neill as a SQL command. Even Twitter’s not immune – view my Twitter feed and you’ll see the HTML entity code for an apostrophe in the title of the page instead of the character itself.

This week I’ve encountered three more examples that I document purely so that someone else encountering frankly weird behaviour in their systems will feel less alone:

• Office 365 doesn’t support apostrophes in your username
• If your domain login name contains an apostrophe, the Azure Storage emulator will fail to function
• If your domain login name contains an apostrophe, you’ll lose the ‘Add Service Reference’ context menu item in Visual Studio – and if you open a project that contains service references you’ll get a broken folder full of .wdsl, .disco and other files instead
  • Though at least this’ll supposedly be fixed in 2012

With Unicode ubiquitous and an assumption even down to the level of DNS that the world is small enough for internationalisation to be a fundamental component of an application, how on earth can a lonely apostrophe cause such havoc?

Proving that you are who you say you are can be hard at the best of times – my local GP requires two forms of identification to sign up, signing up for a bank account requires a passport or birth certificate and I’ve even had jobs where I’ve needed to supply my passport for photocopying before they’d take me on.

When you take your interactions online the problem becomes substantially more complicated, as there aren’t many brokers of identity information that’re trusted enough to replace physically viewing a passport or birth certificate. This results in a worst-of-both-worlds situation, where you complete half of your interaction with a third-party online and are then forced offline to supply the relevant credentials before firing things off at the mercy of the postal service.

There are solutions. Providers exist who will – once you’ve proven who you are to them physically in a Post Office or similar (and with associated identity documentation) – verify your identity to third-parties on your request. However, they suffer a number of issues:

• The scope of identity information required to authenticate with the identity broker is fixed
• Your identity isn’t necessarily re-validated, and certainly not automatically (unless you’re going to head into the Post Office once a month with your passport to re-confirm your identity) – this makes the claims the identity broker make about your identity less compelling the further away we get from the original validation time
• You’re still required to go offline to provide relevant credentials

miiCard is an Edinburgh-based start-up that’s hoping to change that. Instead of providing physical verification of your identity you instead utilise your existing online trust relationships with people like financial providers – you then share your verified identity with as few or many people as you like. By basing their identity assurance on something that required physical proof of identity in the first place (e.g. a bank account), that level of assurance can then be passed on and consumed. Even better – because the sources of that identity are online, your identity can be validated and re-validated whenever is necessary – it doesn’t become stale over time.

Proving who you are in such a way will allow you to complete split online-offline interactions purely online. It’ll also let you rest assured that the person who just contacted you on LinkedIn, who you’re buying from an auction site or who you just received a sales inquiry from is both a real-life person (and not a sock-puppet) and that they are who they claim to be.

It’s so compelling an idea that I’ve signed up for one and validated my identity. And then I’ve gone one step further and joined them as a software developer. I’m delighted to be part of the team, and know that there are some exciting ways to both validate and consume identity as part of a very pacy roadmap.

Last year I put together a quick web app to let me keep track of which whiskies I’d liked and disliked at the Royal Mile Whiskies Whisky Fringe 2011. A few friends used it, some found it more useful than others and that was that.

That was hacked together in PHP against a MySQL database, neither of which are my bread-and-butter. While flexible, I’m a .NET developer so when it started heading towards the time to build it again this year I went with a different stack:

• ASP.NET MVC4
• SQL Server back-end
• Bootstrap for initial layout and styling (and responsive design)
• jQuery and custom scripting for some AJAX bits and bobs

I’ve loftier goals this year in the hope that others will find it useful. Last year it was to be little more than an aide memoire for the tipsy sampler though I managed to extract some fun statistics from it. This year I want to:

• Let you make a wishlist of things to sample ahead of the event to make sure you don’t miss anything
• Let you expose your wishlist and sampling lists publicly to friends and family (so that they have no excuses when your birthday or Christmas next comes around)
• Try to give a real-time impression of what’s making waves at the event
• Give more interesting stats at the end of the event to both the public and to the organisers and exhibitors
• Support a possible deployment to Azure to allow infrastructure scaling based on demand

Functionally it’ll be broadly the same as last year – navigable dram lists and big finger-friendly buttons to hit when you try something out, nice and simple. Hopefully there’ll be a demonstrator site up soon enough, so suggestions as to what it should include would be welcomed at whisky@pablissimo.com.

Over the next few weeks as things start coming together I’ll hopefully have time to document some of the development work.

If you’ve ever written AJAX-accessible WCF services and needed to return structured data to the client, it’s likely that you’ll have seen a fairly simple model object with automatic properties (i.e. get and set specified but their implementation left absent) received by the client with funky field names, all prefixed by k_BackingField. It doesn’t take much Googling to suss that marking your model object with a [DataContract] attribute and properties with [DataMember] attributes fixes things up and lets the serialiser make the correct field naming decisions for these properties.

You can get into a similar situation using the ApiController of the ASP.NET WebAPI, where you have the following setup:

• A model class with one or more auto properties
• A controller action method that returns an instance of the model, or a collection of the model
• The model class is marked as [Serializable] to allow it to be stored in out-of-proc session state

That last part’s crucial – if you want to store an object in out-of-process session state (for example, using the session service or a SQL database then it needs to be marked as [Serializable] for persistence and re-hydration. The problem is that while an un-attributed model will be automatically serialised to nicely-named JSON fields, by attaching a [Serializable] attribute we end up with k_BackingField once again. Bugger.

I’ve found three options, with the last suggesting that this will not be a problem in future versions of the framework.

The first is to have a second model type used only for storage in session state, marked with Serializable as appropriate and perhaps with an operator to cast between it and the one to be returned to the client via WebAPI calls.

The second is to mark up your model class with a [DataContract] attribute, and then mark up the properties that need serialisation to JSON with [DataMember] attributes.

The last is to replace the default formatter with a Newtonsoft Json.NET one – which it seems will in the future be the default JSON formatter anyway. This formatter doesn’t render the backing field names into the resultant JSON, but instead just uses the property names – it also doesn’t suffer from the many limitations of the standard DataContractJsonSerializer.

So it’s a pretty rare situation that’s likely to go away on its own when WebAPI goes RTM, but at least it can be worked-around until then with relative ease.

I had this issue first on my laptop and then my desktop, when variously installing or uninstalling Express editions of Visual Studio and in particular the ASP.NET MVC 2 components that I was using at the time. The installer would sit suspiciously inactively while uninstalling the MVC 2 tools, and could be left for over an hour without any progress being made.

In all situations my fix so far has been simple, though it’s always taken me an hour to remember it; temporarily disabling Kaspersky anti-virus (just about the only commonality between my Windows XP laptop and Windows 7 desktop) sees progress immediately resume on the installer. Clearly there’s some conflict between the activities of the two but so far it’s not failed to un-stick a stuck installer.

Beware StringFormat.GenericDefault and StringFormat.GenericTypographic. While multiple calls to one or other property yield new .NET StringFormat instances, under the hood they’ll all refer to the same blob of unmanaged memory as a StringFormat’s really a wrapper around some GDI+ functions.

This means that you shouldn’t be using either property as a basis for a custom StringFormat without first making a call to .Clone. If you do modify either default StringFormat then the change is with you and, crucially, anything else using either property in the same app domain.

The alternative, and one that’s probably better anyway, is to new up a StringFormat with your settings fully-specified without leaning on the defaults. Just remember to Dispose it when you’re done.

Remote Desktop can throw off rendering of .NET controls in annoying ways, and most of those come down to dithering and other colour-related issues. It can be especially annoying when you have a standard WinForms control that seems to render in one colour just fine, and a UserControl that should be rendering in exactly the same colour looking off by a few shades.

If you’ve encountered this then you’ve probably zoomed into a screenshot of the broken and working controls side-by-side and noticed that your UserControl is dithering the colour while the built-in control is a nice solid hue.

Left: Gainsboro over RDP. Right: Gainsboro over RDP?

This is down to Remote Desktop running as a terminal session with a lower colour depth than you might be used to on a local machine to improve performance. This means that when you set a colour on your control, it may not be exactly representable by the time it’s been rendered over the RDP session and so the colour will be dithered to give an approximation.

The key is that the built-in controls are using Graphics.GetNearestColor to map the requested colour to one that can be represented without dithering given the settings of the current terminal session. If you’re running locally in full-colour then it’ll just return the colour you asked for. If however you’re running over RDP it’ll give you the best attempt it can.

For example Gainsboro, a named system colour, is defined as #DCDCDC (or 220,220,220). Over a 24-bit-per-pixel RDP session you may find that the Graphics object supplied in your UserControl’s Paint events can only manage #D8DCD8 as a solid tone.

So how does a Label render nicely over RDP when its BackColor is set to Color.Gainsboro and your user control not? Simple – the colour you’re seeing isn’t Gainsboro at all – it’s just as close as the graphics context can manage given the current session’s settings. So if access over a terminal session is a use case you have to handle, consider using Graphics.GetNearestColor to translate your desired colour into something more manageable by the session.