
Yesterday I posted a little quiz with an example of an HttpHandler implemented as an ASHX file.

Brad Wilson obviously knew the answer, but only gave a hint for others to elaborate on. BigJimSlade (no link given) expanded on the answer. BigJim, I have a GMail account for you if you want one.

Calling HttpResponse.Redirect(string url) actually calls an overload HttpResponse.Redirect(string url, bool endResponse) with endResponse set to true. If endResponse is set to true, HttpResponse.Redirect will make a call to HttpResponse.End().

That method in turn calls Thread.CurrentThread.Abort(). Oh the depravity! Once again, Thread.Abort rears its ugly head.

So as you see, the code sample will ALWAYS redirect to /default.aspx because the HandleRedirect method throws a ThreadAbortException every time. To fix this, I merely need to change the HandleRedirect method to call ctx.Response.Redirect("/special.aspx", false);.

The fact that this week seems to be “Thread.Abort Week” isn’t why I posted this quiz. I ran into this problem the other day in my carelessness. It’s a result of my old ASP 3.0 habits resurfacing after years of suppressing them. It took me a few minutes to realize why my code never made it to special.aspx.
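The fix described above, written out as a complete handler. This is an added example, not the original quiz code: SafeRedirectHandler and ConditionsPass are hypothetical names, and the handler is restructured so that it picks the target first and redirects once. Because Redirect(url, false) returns to the caller instead of ending the response, the handler has to stop on its own.

```csharp
<%@ WebHandler Language="C#" Class="SafeRedirectHandler" %>
using System;
using System.Web;

// Added example: SafeRedirectHandler and ConditionsPass are hypothetical names.
public class SafeRedirectHandler : IHttpHandler
{
    public void ProcessRequest(HttpContext ctx)
    {
        string target = "/default.aspx";
        try
        {
            // Decide where to go first. No redirect is issued inside the try
            // block, so the catch only ever sees genuine failures.
            if (ConditionsPass(ctx))
            {
                target = "/special.aspx";
            }
        }
        catch (Exception)
        {
            target = "/default.aspx";
        }

        // endResponse = false: no Response.End(), so no ThreadAbortException.
        ctx.Response.Redirect(target, false);

        // Redirect(url, false) returns normally. Skip the remaining pipeline
        // events and write nothing further to the response after this point.
        ctx.ApplicationInstance.CompleteRequest();
    }

    // Stand-in for the "interesting" checks the post mentions (constructed).
    static bool ConditionsPass(HttpContext ctx)
    {
        return ctx.Request.QueryString["special"] == "1";
    }

    public bool IsReusable
    {
        get { return true; }
    }
}
```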


This is a simplified version of a sneaky bug I ran into today (I’m fine thank you, but the bug is dead). The only prize I can offer is a GMail account if you want one.

Imagine that the method HandleRedirect actually does something interesting and if all the conditions pass, the user is redirected to special.aspx. This is the source code for an HttpHandler implemented as a .ashx file.

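<%@ WebHandler Language="C#" Class="MyHandler" %>
using System;
using System.Web;

public class MyHandler : IHttpHandler
{
    /// <summary>
    /// Processes an incoming request.
    /// </summary>
    public void ProcessRequest(HttpContext ctx)
    {
        // Body missing from the page; reconstructed from the answer post.
        try { HandleRedirect(ctx); }
        catch (Exception) { ctx.Response.Redirect("/default.aspx"); }
    }
    void HandleRedirect(HttpContext ctx)
    {
        // Body missing from the page; reconstructed from the answer post.
        ctx.Response.Redirect("/special.aspx");
    }
    public bool IsReusable { get { return true; } }
}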

I’m currently updating my device driver for my ATI Radeon 9700 at work (I now have a new 17” LCD monitor that supports portrait mode) and noticed that to install the CATALYST Control Center, .NET 1.1 is required. See for yourself.

It’s nice to see that .NET is starting to spread beyond internal business applications, ASP.NET sites, and web services.


Recently my company (which was a division of Company X) was purchased by Company Y. Company Y is based outside of the country and we are a fully owned subsidiary and make up their U.S. presence.

A couple weeks ago or so we found out that my boss (our CTO) was promoted to CTO of the parent company. He has to spend 25% of his time at the parent company’s headquarters in Canada and 75% here, though it’s been more like 50/50. Some of my coworkers are starting to call me “See-Toe”. (Get it?).

In any case, I’m currently the lead on integration efforts to get our platform running on cell phones and set-top boxes. It’s one of the more interesting projects I’ve worked on, though I really can’t (or am not sure if I should) talk about it much here.


I watched DC United take on Kansas City today for the MLS Cup 2004. The great thing about soccer in the U.S. is that I can get tickets for the national championship the day before for a decent price. Unfortunately that’s also the problem with U.S. soccer. The quality of play is nowhere near a Premiership game or Bundesliga.

In other soccer news, several of the players I play pick-up with organized a game (with refs et al.) with the league team I just recently joined. I played with the pick-up team and we were shelled 6 to 3. It would have been a lot worse had we not had the most phenomenal goalie on our side. For my part I had an assist and converted a penalty kick.


I’ll come out of the closet and admit that I used to play this game with an almost fanatic interest. My first exposure to the game was in Spain when several other military brats in my apartment complex introduced me to a twenty sided die (1d20). By the time I moved to Guam, I was hooked. I started a group there with an unlikely band of friends: a Hawaiian volleyball player, half-Thai skateboarder dude, heavy metal rocker, etc… and we were destroyers of worlds.

For many of these guys, the game was new to them and they didn’t realize that in many circles there was a stigma attached to those who played it. I would cringe when hanging out with my other friends and these guys would say, “Yeah, we’re going to play Dungeons and Dragons tonight”. This was an unnecessary side effect of youthful insecurity. I haven’t played in years as I’ve found that as people work full time and have families, it’s difficult to make the time. Even more difficult is to have several people have the time at the same time. It’s a feat of synchronization. Perhaps when I retire.

Mark Frauenfelder: Peter Bebergal has a wonderful op-ed in today’s Boston Globe about the imagination-boosting power of Dungeons and Dragons

To put it simply, Dungeons and Dragons reinvented the use of the imagination as a kid’s best toy. The cliche of parents waxing nostalgic for their wooden toys and things “they had to make themselves” has now become my own. Looking around at my toddler’s room full of trucks, trains, and Transformers, I want to cry out, “I created worlds with nothing more than a twenty-sided die!” Dungeons and Dragons was not a way out of the mainstream, as some parents feared and other kids suspected, but a way back into the realm of story-telling. This was what my friends and I were doing: creating narratives to make sense of feeling socially marginal. We were writing stories, grand in scope, with heroes, villains, and the entire zoology of mythical creatures.


[Via Boing Boing]


In response to Ian’s post on Thread.Abort, Richard Blewett points out a situation in which the thread you are attempting to cancel can’t check the volatile bool flag to determine whether it should cancel itself.

An example he presents is when the thread is waiting on a synchronization primitive. The solution given is to call Thread.Interrupt.

This is a handy technique when you have a reference to the thread you wish to cancel, but this is not often the case when dealing with asynchronous method calls such as those spawned by calling BeginInvoke. You won’t have a reference to the thread that an asynchronous method call is operating on.

So what is the would-be thread terminator to do? Rather than go back in time and stop the thread from being spawned (my apologies for the poor cinema reference), avoid indefinite waits on synchronization primitives in the first place. With a ManualResetEvent, for example, you can specify a timeout for the WaitOne method. I recommend that you do so.


Ian Griffiths (one of my favorite tech bloggers) wrote this fine piece on why Thread.Abort is a representation of all that is evil and threatens the American (and British) way of life.

The problem with Thread.Abort is that it can interrupt the progress of the target thread at any point. It does so by raising an ’asynchronous’ exception, an exception that could emerge at more or less any point in your program. (This has nothing to do with the .NET async pattern by the way - that’s about doing work without hogging the thread that started the work.)

If you’re interested in how Thread.Abort raises an exception in another thread, read Chris Sells’ (another favorite blogger) investigative report here.

I’ve taken this to heart in the design of my Socket server class (which I will release to the public some day) and in any situation where I have a service running that spawns asynchronous operations. Ian’s approach to cancelling an asynchronous operation is similar to mine:

The approach I always recommend is dead simple. Have a volatile bool field that is visible both to your worker thread and your UI thread. If the user clicks cancel, set this flag. Meanwhile, on your worker thread, test the flag from time to time. If you see it get set, stop what you’re doing.

One difference is that I chose not to use a volatile bool field. My reasoning was that if my asynchronous operation only reads the value (and never writes it) and just happened to be reading it while my main thread was changing it to false (in response to a user cancellation effort), I’m not so concerned that the asynchronous operation might read true even though it’s being set to false. Why not? Well it’ll stay false by the time I check it again and the chance of that small synchronization flaw is very minute and has a low cost even if it does occur.

The question is, am I missing something more important by not using a volatile field in this instance?
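The two cancellation techniques from these posts combined in one worker: a volatile bool flag checked between bounded WaitOne calls, running on a pool thread the caller holds no Thread reference to. This is an added example, not code from the posts or from the Socket server class; CancellableWorker and its members are hypothetical names, and the 250 ms timeout is an assumption.

```csharp
using System;
using System.Threading;

// Added example: CancellableWorker and its members are hypothetical names.
class CancellableWorker
{
    // volatile: every loop iteration re-reads the field rather than a cached copy.
    private volatile bool _cancelRequested;
    private readonly ManualResetEvent _workReady = new ManualResetEvent(false);
    private readonly ManualResetEvent _stopped = new ManualResetEvent(false);
    private int _processed;

    public int Processed { get { return _processed; } }
    public void Post() { _workReady.Set(); }
    public void Cancel() { _cancelRequested = true; }
    public bool WaitForStop(int ms) { return _stopped.WaitOne(ms); }

    // Runs on a pool thread, so the caller has no Thread to Abort or Interrupt.
    public void Run(object state)
    {
        try
        {
            while (!_cancelRequested)
            {
                // Bounded wait: wake every 250 ms to re-check the flag,
                // even if no work is ever posted.
                if (_workReady.WaitOne(250))
                {
                    _workReady.Reset();
                    _processed++;
                }
            }
        }
        finally { _stopped.Set(); }
    }
}

static class Program
{
    static void Main()
    {
        var worker = new CancellableWorker();
        ThreadPool.QueueUserWorkItem(worker.Run);
        worker.Post();        // one unit of work
        Thread.Sleep(100);
        worker.Cancel();      // worker is idle inside WaitOne at this point
        bool stopped = worker.WaitForStop(2000);
        Console.WriteLine("stopped={0} processed={1}", stopped, worker.Processed);
    }
}
```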


So now that I have a second Windows box (and third computer in the house), I’m soliciting recommendations for good synchronization software. Ideally I’d like something where I could configure which directories and files get synchronized and it happens seamlessly any time the Tablet connects to the home network.


Using NDoc I’ve generated an updated version of the CHM code documentation for RSS Bandit. As you’ll see (if you take a look) this documentation is by no means complete. Many of the public methods need better documentation. Also, there are no Namespace summaries yet. I plan to spend some time adding these summaries and some higher level API documentation.

This documentation is intended for interested developers and is meant to supplement the existing documentation at the RSS Bandit documentation website.

Included in the documentation are three main components: RSSBandit.exe, NewsComponents.dll, and RSSBandit.UnitTests.dll.

RSSBandit.exe is the main application code. The documentation here covers all the Forms in use etc.

NewsComponents.dll contains all the classes used to fetch and parse RSS feeds as well as NNTP. Much of the core logic is contained in this assembly.

RssBandit.UnitTest.dll: I included the documentation of this assembly so that you can read what unit tests we currently have (and thus infer the many we are missing). The great thing about unit tests is that many of them are demonstrations of how to use the API (when correctly written which I can’t yet vouch for my own) ;)


Wohoo! And it is a thing of beauty. Unfortunately I’ve been crazy busy lately so I don’t have any pictures so you’ll have to settle for this stock photo.

Acquiring a new computer is a laborious affair. Step one is to download and install Windows SP2 and all other critical updates etc… Second is to install RSS Bandit. Then it’s the process of installing all the rest of the software, tools, and tweaks I’ve grown reliant on.

I’d like to back up all my photos and music on there, but that wouldn’t leave me much room for anything else. I’ll have to carefully cull a selection of music worthy to carry around.

Anybody have software recommendations for the Tablet PC? In what ways do you use it differently than you do a laptop in your day to day operations?

UPDATE: I forgot to mention, it’s a Toshiba Portege M205 with 60GB hard drive, 512MB RAM, and 1.5? MHZ Intel Celeron.


When the Olympics occurred, one of my favorite DJs spun for the opening ceremonies. Unfortunately I missed it, but I had heard good buzz about his performance. Now he’s come out with a CD called “Parade of the Athletes”. I have a feeling that if you liked the music he played for the Olympics, you’ll like this cd.


I received an email in response to my post How To Avoid ClearText Passwords With UsernameToken that asks the following question:

…Thus if a hacker steals the hashed password from your database, he will be able to write an application that gives the hash to WSE and he will authenticate successfully - which is exactly what we are trying to avoid by storing the hashed passwords in the first place. … The bottom line: this approach won’t really solve the real problem - if I steal the hash from the database, I will be able to authenticate successfully. I’d love this to work the way you describe but as a security-conscious developer I’m still losing sleep.

Although this is a true scenario, the author makes an assumption that is false. The purpose of storing a hashed password is NOT to stop a hacker who obtains the hash from being able to authenticate as that user.

Think of it this way, if I’m a hacker and I am able to compromise your user database and obtain a user’s hashed password, why would I ever try to authenticate as that user? Since I already have my grubby hands in the cookie jar, I might as well grab all the data directly from your compromised database.

Rather, the purpose of hashing a password with a salt value is to assure the user of the system that rogue employees of the company, and hackers who compromise the database, cannot use that user’s password to log into other sites the user frequents.

Ideally your database isn’t compromised very often, otherwise you have bigger problems than whether or not passwords are hashed.

That’s why a security-minded developer doesn’t stop at hashing passwords. Code security is never enough and is only a small part of the equation. The IT staff have to make sure the database itself is secure and not likely to be compromised. Staff with access to the system must be trained to deal with social engineering attacks. What good is a hashed password if I can call up tech support and get any information I need by posing as an executive?

So to the author of this email, I suggest you don’t lose sleep over the hashed password scenario. As a security-conscious developer, you have a huge number of other attack scenarios to lose sleep over. ;-)
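The property the post attributes to salted hashes, shown with two sites storing the same password. This is an added example, not code from the post or from WSE: SaltedHashDemo and StoredPassword are hypothetical names, PBKDF2-HMAC-SHA256 with 100,000 iterations is an assumption (the post does not name a hash function), and it needs .NET Core 2.1 or later for CryptographicOperations.

```csharp
using System;
using System.Security.Cryptography;

// Added example: names, iteration count and sizes are assumptions,
// not values from the post.
static class SaltedHashDemo
{
    const int Iterations = 100000;

    public sealed class StoredPassword
    {
        public byte[] Salt;
        public byte[] Hash;
    }

    // What a site keeps per user: a random salt and the derived hash.
    public static StoredPassword Store(string password)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(salt); }
        return new StoredPassword { Salt = salt, Hash = Derive(password, salt) };
    }

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(
            password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(32);
        }
    }

    // Constant-time comparison of the re-derived hash with the stored one.
    public static bool Verify(string password, StoredPassword record)
    {
        return CryptographicOperations.FixedTimeEquals(
            Derive(password, record.Salt), record.Hash);
    }

    static void Main()
    {
        const string password = "correct horse battery staple"; // constructed sample
        StoredPassword siteA = Store(password);
        StoredPassword siteB = Store(password);
        string hashA = Convert.ToBase64String(siteA.Hash);
        string hashB = Convert.ToBase64String(siteB.Hash);

        // Same password, different salts: the stored values differ, and site A's
        // stored hash is not something site B accepts in place of the password.
        Console.WriteLine("stored hashes equal: {0}", hashA == hashB);
        Console.WriteLine("site B accepts the password: {0}", Verify(password, siteB));
        Console.WriteLine("site B accepts site A's hash: {0}", Verify(hashA, siteB));
    }
}
```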