Simon Online

2014-04-18

Limitations of WebForms

I’m spending a lot of time working with WebForms at the moment. I haven’t written WebForms forms since… 2003, maybe 2004. When WebForms was created it was done as a way to transition developers from the drag and drop world of Windows development to the exciting world of the Internet. Of course the Internet is not a Windows form. The result is that WebForms is a leaky abstraction, and the abstraction has been getting leakier and leakier as web technology has progressed.

One of the key features of WebForms is that it keeps track of transient data in ViewState. By using ViewState WebForms is able to provide a web experience which is more similar to a desktop application: it is expected that when pressing a button on a Windows form the rest of the form isn’t wiped out. This would happen without a ViewState storing the form state. Depending on how you configure your application the ViewState is either kept in a hidden field which is sent to the client or in some sort of server-side storage mechanism. You can hook ViewState persistence up to a database like SQL Server or to a distributed cache like memcached or Azure Cache.

However the vast majority of sites keep ViewState in that hidden field. As your ViewState grows, so does each page load. There is very little room to optimize ViewState because, instead of being sensibly stored in a key-value fashion, it is persisted as a single blob. The entire thing is persisted and reloaded each time. The result is that most interactions with the server need to include this ViewState, which makes lightweight AJAX calls difficult. When AJAX started to become popular, UpdatePanels were introduced: chunks of the page which could be refreshed independently.

Again these were just plugging up a leaky abstraction.

As web applications became more JavaScript based it became apparent that the HTML produced by WebForms was brittle. Controls were named with a near indecipherable id which changed based on the rest of the page. Later versions of ASP.NET brought more predictable control names but, again, this was just patching the abstraction. If you’re interested in building a modern web application it should not be done using WebForms. There are just too many places where the abstraction leaks and makes your job much more difficult.

Modern web applications make much greater use of client-side frameworks such as Angular, Ember and Backbone. With this class of application the server-side framework starts to matter less and less; eventually it is reduced to a tool for sending views to the client and providing data endpoints. I won’t miss WebForms on new applications, but we’re not all lucky enough to work on new applications. For legacy applications which are written using WebForms there are upgrade paths available to you.

I’m going to start blogging a bit over the next few weeks about how to start taking steps towards more modern WebForms applications without jeopardizing existing functionality. Stay tuned!

2014-04-14

A Quick tip on adding dependency injection

I ran into the need today to move quite a number of classes into dependency injection. This can be a bit of a pain as you have to go through a ton of places to find where the class is used and get it out of the DI container instead of simply newing it up. Since the constructor remains valid, you can still create an instance using just var b = new blah();

One trick I used which really helped speed up finding the places where the class was being manually created was to, temporarily, make the constructor private. This will cause all the places where the class is being instantiated to be highlighted as compiler errors. Once you’re done fixing them you can return the constructor to its previous state and go about your business. This is really just an application of the Lean on the Compiler pattern I first learned about in Michael Feathers’ excellent book Working Effectively with Legacy Code. Well worth a read if you have any untested code to maintain.

2014-04-04

Roslyn Changes Everything

Yesterday at Microsoft’s build conference there was a huge announcement: Microsoft were open sourcing their new C#/VB.net compiler. On the surface this seems like a pretty minor thing. I mean who looks at how compilers work? “This is probably going to be interesting to academics who study compilers and nobody else.”

Well I disagree. I think it is going to be a huge turning point in how programmers work with code.

There are other open source compilers: GCC and LLVM both come to mind as great examples. The differences between these and Roslyn are huge. First, Roslyn is a much more modern compiler than almost anything else out there. I still think of clang, which is based on LLVM, as the new kid on the block; however LLVM was started in 2000, 14 years ago. Roslyn was written from the ground up over the last 4 years. I haven’t looked, but I would bet that it makes much better use of things like parallel processing than other compilers. There is a pretty vague post on the C# blog about how they’re treating performance of the compiler as a feature. I don’t know what progress they’ve made on that front but we’ll certainly be seeing some benchmarks come out in the next few weeks as people dig into Roslyn.

Next, Roslyn is written in a much more accessible language: C#. It is going to be far easier for the average developer to jump into modifying the compiler than it would be to add some functionality to LLVM. Roslyn was designed to be an extensible compiler. It has a well defined API and some phenomenal extension points into which people can plug. I think that we’re going to see a huge number of pluggable modules which mutate the language.

The build pipeline for Roslyn, taken from the overview on CodePlex: http://roslyn.codeplex.com/wikipage?title=Overview&referringTitle=Home

Finally I’m excited that Roslyn will enable smaller, more incremental changes to the languages it compiles. Already we’re seeing some hints as to this. In the Tour of Roslyn post there was an example of inline declarations:

public static void Main(string[] args)
{
    if (int.TryParse(args[0], out var n1))
    {
        Console.WriteLine(n1);
    }
}

There is support for these in Roslyn but not in the classic C# compiler. Little things like this are going to add up and make the language much better. If shipping for Roslyn can be decoupled from Visual Studio, a given for open source projects, then we can see awesome new features enabled rapidly instead of waiting for the full releases of Visual Studio.

What can we do with the compiler?

Here are some quick ideas I had about what we could plug into Roslyn. Some of them are mad dreams but some of them are almost certain to get made.

Aspect Weaver

There is already an AOP weaver available for the .NET platform in Aspect Sharp. It has a bit of a reputation for being slow. It works by rewriting the IL instructions, which is kind of hacky and presents some problems. With Roslyn there should be no need to hook into the build that late: I think you could manipulate the syntax tree to inject calls to the aspects whenever needed.


AOP should be vastly easier and may even be more powerful with this syntax tree rewriting.
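Here is what that syntax-tree style of weaving looks like in practice. This is an added example written for this post, not code from Aspect Sharp or from the Roslyn project, and it uses the Microsoft.CodeAnalysis API as it later shipped (the 2014 preview exposed the same CSharpSyntaxRewriter idea under slightly different package names). The [Traced] attribute, the Aspects.OnEnter method and the sample class are all hypothetical.

```csharp
using System;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;

// Hypothetical weaver: every method carrying a [Traced] attribute gets a call to
// Aspects.OnEnter("<method name>") inserted as its first statement. The work is done
// on the syntax tree before any IL exists, which is the point made above.
public class TracingWeaver : CSharpSyntaxRewriter
{
    public override SyntaxNode VisitMethodDeclaration(MethodDeclarationSyntax node)
    {
        bool traced = node.AttributeLists
            .SelectMany(list => list.Attributes)
            .Any(attr => attr.Name.ToString() == "Traced" ||
                         attr.Name.ToString() == "TracedAttribute");

        // Leave untraced methods and bodiless declarations (abstract, interface) alone.
        if (!traced || node.Body == null)
            return base.VisitMethodDeclaration(node);

        // Build the injected statement from text; ParseStatement gives us a real
        // StatementSyntax node that can be spliced into the existing block.
        StatementSyntax enterCall = SyntaxFactory.ParseStatement(
            "Aspects.OnEnter(\"" + node.Identifier.Text + "\");");

        BlockSyntax newBody = node.Body.WithStatements(
            node.Body.Statements.Insert(0, enterCall));
        return node.WithBody(newBody);
    }

    // Parse a compilation unit, weave it, and return the rewritten source text.
    public static string Weave(string source)
    {
        SyntaxTree tree = CSharpSyntaxTree.ParseText(source);
        SyntaxNode rewritten = new TracingWeaver().Visit(tree.GetRoot());
        return rewritten.NormalizeWhitespace().ToFullString();
    }

    public static void Main()
    {
        // Constructed sample input: one traced method, one that must stay untouched.
        const string sample = @"
class OrderService
{
    [Traced] public void Ship(int id) { System.Console.WriteLine(id); }
    public void Cancel(int id) { }
}";
        Console.WriteLine(Weave(sample));
    }
}
```

Running it prints the class back out with Ship now starting at the injected Aspects.OnEnter("Ship") call and Cancel unchanged; the woven text can then be handed to CSharpSyntaxTree.ParseText again and compiled as normal, so the aspect is visible in source form rather than hidden in patched IL.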

Custom Compiler Errors

Is there some practice you’re trying to avoid in your team? Perhaps long methods are really a huge deal for you and you want to fail the build when some mouth-breather writes a method which is over 50 lines long. No problem! Just plug into the syntax tree API and fail the compile when long methods are detected. Perhaps you want to check for and fail on concatenating strings and then running them against a database (SQL injection). Again this could be plugged in without a great deal of trouble.
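Both of those rules fit in a single Roslyn analyzer. The following is an added example, not code from the post or from Microsoft, written against the DiagnosticAnalyzer API that Roslyn later shipped with (the 2014 preview had an earlier shape of the same API). The rule ids TEAM001 and TEAM002 are made up, and the SQL check is deliberately a syntax-only heuristic: it flags new SqlCommand(... + ..., ...) and interpolated command text at the construction site but cannot follow a string that was concatenated into a variable earlier, which would need semantic analysis.

```csharp
using System.Collections.Immutable;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;
using Microsoft.CodeAnalysis.Diagnostics;

// Hypothetical team-rules analyzer: fails the build on long methods and on
// SqlCommand text assembled by concatenation.
[DiagnosticAnalyzer(LanguageNames.CSharp)]
public class TeamRulesAnalyzer : DiagnosticAnalyzer
{
    const int MaxMethodLines = 50;

    static readonly DiagnosticDescriptor LongMethod = new DiagnosticDescriptor(
        id: "TEAM001",
        title: "Method too long",
        messageFormat: "Method '{0}' is {1} lines long; the limit is {2}",
        category: "Style",
        defaultSeverity: DiagnosticSeverity.Error,
        isEnabledByDefault: true);

    static readonly DiagnosticDescriptor ConcatenatedSql = new DiagnosticDescriptor(
        id: "TEAM002",
        title: "SQL command text built by concatenation",
        messageFormat: "SqlCommand text is assembled with '+' or interpolation; use parameters instead",
        category: "Security",
        defaultSeverity: DiagnosticSeverity.Error,
        isEnabledByDefault: true);

    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics
    {
        get { return ImmutableArray.Create(LongMethod, ConcatenatedSql); }
    }

    public override void Initialize(AnalysisContext context)
    {
        // Register against syntax node kinds; no semantic model is needed for either rule.
        context.RegisterSyntaxNodeAction(CheckMethodLength, SyntaxKind.MethodDeclaration);
        context.RegisterSyntaxNodeAction(CheckSqlCommandText, SyntaxKind.ObjectCreationExpression);
    }

    static void CheckMethodLength(SyntaxNodeAnalysisContext context)
    {
        var method = (MethodDeclarationSyntax)context.Node;
        if (method.Body == null) return; // abstract, extern, interface or expression-bodied

        // Count source lines spanned by the body, braces included.
        FileLinePositionSpan span = method.Body.GetLocation().GetLineSpan();
        int lines = span.EndLinePosition.Line - span.StartLinePosition.Line + 1;
        if (lines > MaxMethodLines)
        {
            context.ReportDiagnostic(Diagnostic.Create(
                LongMethod, method.Identifier.GetLocation(),
                method.Identifier.Text, lines, MaxMethodLines));
        }
    }

    static void CheckSqlCommandText(SyntaxNodeAnalysisContext context)
    {
        var creation = (ObjectCreationExpressionSyntax)context.Node;
        string typeName = creation.Type.ToString();
        if (typeName != "SqlCommand" && !typeName.EndsWith(".SqlCommand")) return;

        // The first constructor argument of SqlCommand is the command text.
        ExpressionSyntax commandText = creation.ArgumentList?.Arguments.FirstOrDefault()?.Expression;
        if (commandText == null) return;

        if (commandText.IsKind(SyntaxKind.AddExpression) ||
            commandText.IsKind(SyntaxKind.InterpolatedStringExpression))
        {
            context.ReportDiagnostic(Diagnostic.Create(ConcatenatedSql, commandText.GetLocation()));
        }
    }
}
```

Packaged as an analyzer assembly and referenced by the project, both diagnostics surface as build errors, so a new SqlCommand("SELECT * FROM Users WHERE Name = '" + name + "'") never gets as far as code review.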

Domain Specific Languages

There are plenty of nifty places where it would be fun to be able to define a custom syntax for certain projects. Perhaps you’re writing a message based system and you want to make it easier to write message handlers. With some Roslyn work a new syntax could be added so that instead of writing

You could just write

and all the wireup would be dealt with by the compiler.

Random other Syntax Improvements

You know what syntax I really like? Post if statements. I think they’re nifty and read more like human language.

This is the sort of thing which can just be added by rewriting the syntax tree. Oh, or how about cleaning up the accessors for collections?

That’s probably a terrible syntax now I think about it… whatever, it is still possible.

It is going to be awesome!

I envision a future where any project of appreciable size will include a collection of syntax and compiler modules. These will be compiled first, plugged into Roslyn and then used to build the rest of the project. Coding standards will be easier to enforce and compilations will be more powerful. There is a risk that the language proliferation will get out of hand but I’m betting it will settle down after 2 or 3 years and we’ll get a handful of new dialects out of this. There will need to be new tooling developed to make changing compilers in VS easier. Package managers like NuGet will need to be updated to support compiler modules but that seems trivial.

It is an exciting time to be a .net developer. I’m so glad that when I had the option I decided to go down the .net path and not the Java path. Those suckers just got lambdas and we’re working with the most modern, flexible, extensible compiler in the world? No contest.

2014-04-03

Checking Form Re-submissions in CasperJS

ASP.NET WebForms has a nasty habit of making developers comfortable with using POST for pretty much everything. When you add a button to the page it is typically managed via a postback. This is okay for the most part but it becomes an issue when using the back button. See, HTTP suggests that things which are POSTed are actual data changes whereas GETs are side-effect free. Most browsers save you from messing up with the back button by simply throwing up a warning.

This warning is not something we want our users to have to see. Without some understanding of how browsers work it is confusing to understand why users are even seeing this error. On my agenda today is fixing a place where this is occurring.

The first step was to get a test in place which demonstrated the behaviour. Because it is a browser issue I turned to our trusty CasperJS integration tests and wrote a test where I simply navigated to a page and then tried to go back. The test should fail because of the form resubmission.

It didn’t.

Turns out that CasperJS (or perhaps PhantomJS, on which it is built) is smart enough to simply agree to the form submission. Bummer.

To test this you need to intercept the navigation event and make sure it isn’t a form re-submission. This can be done using casper.on

If you add this before the test then navigate around an exception will be thrown any time a form is resubmitted automatically. Once your testing is done you can remove the listener with casper.removeAllListeners.

Now on to actually fixing the code…

2014-04-01

Hacking Unicoin for Really no Reason

It is April 1st today which means that all manner of tom-foolery is afoot. Apart from WestJet’s brilliant “metric time” joke, the best one I’ve seen today is Stack Overflow’s introduction of Unicoin, a form of digital currency which can be used to purchase special effects on their site.


To get Unicoin you have two options: buy it or mine it. I have no idea if buying it actually works and at $9.99 for 100 coins I’m not going to experiment to see if you can actually purchase it. Mining it involves playing a fun little game where you have to click on rocks to uncover what they have under them(could be coins, could be nothing).


I played for a few minutes but got quickly tired of clicking. I’m old and clicking takes a toll. To unlock all the prizes you need to have about 800 coins (799 to be exact). So I fired up the F12 developer tools to see if I could figure out how the thing was working.

As it turns out there are two phases to showing and scoring a rock. The first one is rock retrieval which is accomplished by a GET to http://stackoverflow.com/unicoin/rock?_=1396372372225 or similar. That parameter looked familiar to me and, indeed, it is a timestamp. This will return a new “rock” which is just JSON:

{"rock":"DAUezpi1zrfxHRxdi3yp9JUCZ9vwABJbDA"}

The value appears to be some sort of randomly generated value. It doesn’t really matter for our purposes. The response once a rock is mined is to POST to

http://stackoverflow.com/unicoin/mine?rock=DAUezpi1zrfxHRxdi3yp9JUCZ9vwABJbDA

In the body of that POST you’ll need an fkey, which can be found by looking at the value in StackExchange.options.user.fkey.

Once you know that stealing coin is as easy as

There appears to be some throttling behaviour built in so I ran my requests every 15 seconds. Hilariously, if you don’t include the fkey the server will respond with HTTP 418, an April Fools inside an April Fools. Now you can buy whatever powerups you want.


Update: The rate at which I’m discovering new Unicoins has dropped off rapidly. I was discovering coins on almost every hit originally; now it is perhaps 1 in 20. Either I’m being throttled or the rate of discovery of new coins reduces as more of the keyspace has been explored, like Bitcoin. I really hope it is the second one, that would be super nifty.

2014-03-29

Octokit.net - Quickstart

I’m working on a really nifty piece of code at the moment which interacts with a lot of external services and aggregates the data into a dashboard. One of the services with which I’m working is GitHub. My specific need was: given a commit, what was the commit message?

GitHub have a great RESTful API for just this sort of thing and they even have a .NET wrapper library for the API called Octokit.net. It seems to bind most of the API, which is great. It also seems to have no real documentation, which is not.

The repositories against which I wanted to fire the API were part of an organization and were private, so I needed to authenticate. You have two options for authenticating against the API: basic or OAuth. As my service was going to be used by people who don’t have GitHub credentials the OAuth route was out. Instead I created a new user account and invited it into the organization. It is always smart to give as few permissions as possible to a user, so I created a new team called API in the organization and made the API user its only member. The API team got only read permission and only to the one repository in which I was interested.

Next I dropped into my web project and added app settings for the user name and password. I use a great little tool called T4AppSettings which is available on NuGet. It is a T4 template which reads the configuration sections in your web.config or app.config and makes them into static strings so you don’t need to worry about missing one in a renaming. The next step was to add a reference to Octokit;

install-package octokit

in the package manager console did that. Then we new up some credentials based on our app settings

Next create a connection

The product header value seems to just be any value you want. I’m sure there is some reason behind it but who knows what… Now we need to get the Octokit client based on this connection.

That is all the boring stuff out of the way and you can start playing around with it. In my case I had a list of objects which contained the commit versions and I wanted to decorate them with the descriptions

This was actually what took me the longest. The parameters to the Get were not well named so I wasn’t sure what should go in them. Turns out the first one is the name of the owner, where the owner is either the organization or the user. The second one is the name of the repository. So for this repository the owner is alexwolfe and the repository name is Buttons.
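Putting the credentials, connection, client and commit lookup together, here is the whole flow in one place. This is an added example, not the post’s own code; it assumes the current Octokit.net names (client.Git.Commit.Get, which the 2014 builds exposed as client.GitDatabase.Commit.Get) and reads the dedicated API user’s credentials from app settings under hypothetical keys. The Deployment class and the product header name are made up for the example.

```csharp
using System.Collections.Generic;
using System.Configuration;
using System.Threading.Tasks;
using Octokit;
using Octokit.Internal;

// Hypothetical dashboard item: we know the commit SHA and want its message.
public class Deployment
{
    public string CommitSha { get; set; }
    public string CommitMessage { get; set; }
}

public static class CommitMessageLookup
{
    // Basic authentication with the dedicated read-only "API" account described in the
    // post. The account only has read access to one repository, so a leaked password
    // cannot push, delete, or read anything else in the organization.
    static GitHubClient CreateClient()
    {
        var credentials = new Credentials(
            ConfigurationManager.AppSettings["GitHubApiUser"],       // assumed key
            ConfigurationManager.AppSettings["GitHubApiPassword"]);  // assumed key

        // The product header is sent as the User-Agent, which the GitHub API requires.
        var connection = new Connection(
            new ProductHeaderValue("BuildDashboard"),
            new InMemoryCredentialStore(credentials));

        return new GitHubClient(connection);
    }

    // owner is the user or organization, repository is the repository name:
    // for https://github.com/alexwolfe/Buttons that is ("alexwolfe", "Buttons").
    public static async Task DecorateWithMessagesAsync(
        IEnumerable<Deployment> deployments, string owner, string repository)
    {
        GitHubClient client = CreateClient();
        foreach (Deployment deployment in deployments)
        {
            try
            {
                Commit commit = await client.Git.Commit.Get(owner, repository, deployment.CommitSha);
                deployment.CommitMessage = commit.Message;
            }
            catch (NotFoundException)
            {
                // The SHA is unknown to GitHub (rewritten history, wrong repository, typo):
                // record that rather than failing the whole dashboard.
                deployment.CommitMessage = "(commit not found)";
            }
        }
    }
}
```

Each Get is one request against the API, so a dashboard with many commits will want to cache messages by SHA; commit messages are immutable for a given SHA, which makes that cache safe to keep indefinitely.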

The GitHub API is rich and powerful. There is a ton to explore and many ways to get into trouble. Take chances, make mistakes, get messy.

2014-03-24

Where is my tax software?

It is tax season again here in Canada which always makes me angry. A little bit because I have to pay my taxes (who likes that?) but mostly because of tax software. Doing taxes by hand isn’t all that bad but we live in the 21st century and doing taxes like that is old school; we use computers these days.

There are a lot of options out there for software to help with doing taxes. QuickTax, Cantax and, I kid you not, Taxtron are all good options. But there is one piece of tax software which I never see and I should: whatever tax software the Canada Revenue Agency use internally. Let me walk through this:

Every year almost everybody in the country fills in some form of tax filing and sends it to the government. Let’s use a Fermi estimation to figure out how much paperwork the government has to do. There are about 35 million people in Canada. Perhaps 25% of them aren’t filing taxes because they’re too young. A few more people don’t file taxes for a variety of other reasons, so let’s say that 25 million people file taxes. Each person is likely to have at least five forms plus the actual tax form itself, let’s say 20 pages all told. So that means that the government can expect to get something on the order of 500 million pieces of paper.

That’s a lot of paper! Even with netfile, the electronic filing system, it is a mountain of data to process. There is no way that this amount of paperwork is being done by hand. There must be some software which is processing this data. What’s more every year I receive a notice that they’ve assessed my taxes and found them to be correct.

This means that not only is their software handling filing the taxes it is also performing a cross checking function. My argument is that this software should be made public, what’s more this software should be open sourced.

By making the software available to everybody we tax payers can perform our own cross check to ensure that our filings are correct. If we wanted we could use the software to actually fill out our taxes. This has the potential to save us millions of dollars spent on buying tax software. For those for whom buying tax software is a burden this could be a great boon. I don’t worry very much that giving away the government’s software would necessarily put the traditional tax software companies out of business, either. Their selling feature would be ease of use. Goodness knows that the software the government uses internally isn’t likely to be very user friendly. What’s worse is that the software may not be very good.

This software handles billions of dollars every year. Billions of dollars which fund our schools, roads, military and everything else in between. Allowing the population to test and audit this software is quintessentially democratic. For many of us paying taxes is the only time we interact directly with the government all year. If we cannot be sure that the government is getting this most basic interaction right how can we trust them to deal with more pressing issues?

Opening this software up and providing it for general consumption should be a priority. Our taxes paid for the software to be developed in the first place and any government which values transparency should be delighted to open it up.

Free our tax software.

2014-03-12

Breaking Excel Passwords

If you’ve ever built and sold an Excel add-in written in VBA you’ve probably wanted to hide your code so that nobody else can get hold of it. The problem with VBA is that it is pretty easy to extract and edit. Microsoft have, over the years, made some attempts to lock down the file format with passwords, encryption and such. They generally haven’t worked very well.

Today I encountered a very solid attempt to thwart user editing of VBA. Typically you just need to follow the steps listed on StackOverflow. This time, however, these tricks didn’t work. When attempting to expand the project node in the VBA editor this error was thrown:

Typically this “Project Locked - Project is unviewable” error is shown when the Excel file has been placed into shared mode. Shared mode disables all editing of VBA. Setting the workbook to shared mode and then exclusive mode is usually enough to clear this flag. In this case, though, that didn’t help. I suspect that the author of this particular Excel file had used one of the tools for locking VBA. This tool must, in some way, set the shared flag in a way that it cannot be unset.

I went down many a blind alley trying to solve this. VBA code is not stored in a text format but rather in a binary blob which lives inside the Office Open XML format: vbaProject.bin. This file format is outlined a bit by Microsoft in a long and probably very boring document. I say “probably very boring” because I didn’t read it. I would be very interested in looking at this file in a hex editor and seeing what the locking tool changes.

There are some paid services out there which promise to unlock your file. That all seemed pretty sketchy to me.

Fortunately the locking of this binary file is ignored by other tools. I used a great little tool called VBADiff which was able to extract the majority of what was needed from the Excel file. It wasn’t able to extract the forms but they were pretty easily recreated.

I’m super impressed with the Excel locking tool and the author’s knowledge of the Excel file format. However even all that work was still bypassed with a few hours’ work. It goes to show that any code running on your machine can be exploited.

2014-03-03

ASP.net Identity Default Cookie Expiry

I couldn’t find how long the cookie expiry for a cookie-based identity token is for ASP.NET Identity anywhere in any documentation. I ended up decompiling Microsoft.Owin.Security.Cookies, in which that property is defined. The default expiry is 14 days with a sliding expiration window.

The full set of defaults looks like:

UPDATE: Pranav Rastogi was kind enough to point out that the source code for this module is part of the Katana Project and is available on CodePlex.
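Rather than leaving the lifetime to whatever the library defaults to, a project can state it in its own Startup so the value is visible in code review. The following OWIN startup is an added example, not from the post; the namespace, login path and attribute values are placeholders. The two expiry values are the defaults the post found by decompiling; the two cookie flags are Katana’s CookieHttpOnly and CookieSecure options, which are worth setting explicitly because CookieSecure defaults to SameAsRequest.

```csharp
using System;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

[assembly: OwinStartup(typeof(MyApp.Startup))]

namespace MyApp
{
    // Hypothetical OWIN startup: session lifetime and cookie protection spelled out
    // instead of inherited silently from CookieAuthenticationOptions' constructor.
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),

                // The library defaults: 14 days, renewed on activity. Shorten both for
                // anything more sensitive than a public site.
                ExpireTimeSpan = TimeSpan.FromDays(14),
                SlidingExpiration = true,

                // Not readable from script, and only ever sent over HTTPS. With the
                // SameAsRequest default the cookie is issued over plain HTTP whenever
                // the login request itself arrived over HTTP.
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always
            });
        }
    }
}
```

With SlidingExpiration on, the 14 days is measured from the last request that renewed the cookie, not from login, so an actively used session never expires; an absolute cap has to be enforced separately if the policy needs one.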

2014-03-03

Automating Azure Deployments

I’m a pretty big fan of what Microsoft have been doing as of late with Azure. No matter what language you develop in there is something in Azure for you. They have done a good job of providing well sized application building blocks. I spent about a week digging into Amazon Web Services and Azure to help out with an application deployment at work. Overall they are both amazing offerings. When I’m explaining the differences to people I talk about how Amazon started with infrastructure as a service and are now building platform as a service. Azure started at the opposite end: platform as a service, and are working towards infrastructure as a service.

Whether one approach was better than the other is still kind of up in the air. However one area where I felt like Amazon was ahead of the game was in provisioning servers. This isn’t really a result of Amazon stepping up so much as it is a function of tools like Chef and Puppet adopting Amazon over Azure. Certainly CloudFormation, Amazon’s initial offering in this space, is good but Chef/Puppet are still way better. I was a bit annoyed that there didn’t seem to be any answer to this from Microsoft. It wouldn’t be too difficult for them to drop 10 engineers into the Chef and Puppet teams to allow them to deploy on Azure. Then I remembered that they were taking the platform before infrastructure approach. I was approaching the situation incorrectly. I shouldn’t be attempting to interact with Azure at this level for the services I was deploying to: Websites and SQL Azure.

One thing about the Azure portal which is not super well publicized is that it interacts with Azure proper by using RESTful web services. In a brilliant move Microsoft opened these services up to anybody. They are pretty easy to use directly from curl or something similar, but you need to sign your requests. Fortunately I had just heard of a project to wrap all the RESTful service calls in nice friendly managed code.

In a series of articles I’m going to show you how to make use of this API to do some pretty awesome things with Azure.

Certificates

The first step is to create a new management certificate and upload it to Azure. I’ll assume you’re on Windows but this can all be done using pure OpenSSL on any platform as well.

  1. Open up the Visual Studio Command Prompt. If you’re on Windows 8 you might have to go to the directory directly, as there is no hierarchical Start menu anymore: C:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\Tools\Shortcuts.

  2. In the command prompt generate a certificate using

makecert -sk azure -r -n "CN=azure" -pe -a sha1 -len 4096 -ss azureManagement

This will create a certificate and put it into the certificate manager on Windows. I’ve used a 4096 bit key length here and sha1. It should be pretty secure.

  3. Open the certificate manager by typing

certmgr.msc

into the same command prompt.

  4. In the newly opened certificate manager you’ll find a folder named azureManagement. Open up that folder and the Certificates folder under it to find your key.

  5. Right click on that key and select Tasks > Export.

  6. Select “No, export a public key”.

  7. In the next step select the DER encoded key.

  8. Enter a file name into which to save the certificate.

You have now successfully created an Azure management key. The next step is to upload it into Azure.

  1. In the management portal click on Settings.

  2. In the settings section select the Management Certificates tab.

  3. Click Upload and select the newly created .cer file.

You now have the Azure half of the certificate complete. The next step is to get the client side of the certificate, a .pfx file, out. This is done in much the same way as before, except this time select “Yes, export the private key”.

  1. Right click on the certificate, select Tasks then Export.

  2. Select “Yes, export the private key”.

  3. The default options on the next screen are fine.

  4. Finally enter a password for the .pfx file. The combination of password and certificate is what will grant you access to the site.

Creating a Database

There is a ton of stuff which you can do now that you’ve got your Azure key set up and I’ll cover more of it in coming posts. It didn’t seem right to just teach you how to create a key without showing you a little about how to use it.

We’ll just write a quick script to create a database. Start with a new console application. In the package manager run

Install-Package Microsoft.WindowsAzure.Management.Libraries -Pre

At the time of writing you also need to run

Install-Package Microsoft.WindowsAzure.Common -Pre

This is due to a slight bug in the NuGet packages for the management libraries. I imagine it will be fixed by the next release. The libraries aren’t at 1.0 yet, which is why you need the -Pre flag.

The code for creating a new server is simple.

The first step, in GetCredentials on line 21, is to load the certificate we just created above, the password for the certificate and the subscription Id. Next we create a new SqlManagementClient on line 30. Finally we use this client to create a new SQL server in the West US region. If you head over to the management portal after having run this code you’ll find a brand new server has been created. It is just that easy. There is a part in one of the Azure Friday videos in which Scott Guthrie talks about how much faster it is to provision a server on Azure than to get your IT department to do it. Now you can even write building a server into your build scripts.
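For reference, a console program that does the three steps just described (load the .pfx and subscription id, build a SqlManagementClient, create a server in West US) looks like this. It is an added example, not the post’s listing, written against the Microsoft.WindowsAzure.Management.Sql and Microsoft.WindowsAzure.Common pre-release packages named above; the app setting keys are assumed, and the certificate path, password, subscription id and administrator credentials are read from configuration so that none of them appear in source.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography.X509Certificates;
using Microsoft.WindowsAzure;
using Microsoft.WindowsAzure.Management.Sql;
using Microsoft.WindowsAzure.Management.Sql.Models;

class Program
{
    // Loads the .pfx exported in the Certificates section. The management certificate
    // grants control of the whole subscription, so the file and its password live in
    // per-environment configuration (assumed keys below), never in source control.
    static SubscriptionCloudCredentials GetCredentials()
    {
        var certificate = new X509Certificate2(
            ConfigurationManager.AppSettings["AzureCertificatePath"],
            ConfigurationManager.AppSettings["AzureCertificatePassword"]);

        return new CertificateCloudCredentials(
            ConfigurationManager.AppSettings["AzureSubscriptionId"], certificate);
    }

    static void Main()
    {
        using (var client = new SqlManagementClient(GetCredentials()))
        {
            var parameters = new ServerCreateParameters
            {
                Location = "West US",
                AdministratorUserName = ConfigurationManager.AppSettings["SqlAdminUser"],
                // The SQL administrator password is the server's root credential:
                // generate it per environment and store it alongside the other secrets.
                AdministratorPassword = ConfigurationManager.AppSettings["SqlAdminPassword"]
            };

            // Azure picks the server name; it comes back in the response.
            ServerCreateResponse response = client.Servers.Create(parameters);
            Console.WriteLine("Created SQL server " + response.ServerName + " in " + parameters.Location);
        }
    }
}
```

Because every run creates a new server, a build script that calls this should check for an existing server first (client.Servers.List) or the subscription will fill up with billable servers.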