Change of connection string in deployed WEB.CONFIG overridden by Application setting

I just had an issue with a deployed ASP.NET app on Azure: I changed the connection string in the deployed web.config using the new App Service Editor in the Azure Portal, but the changes had no effect in my application!

This answer from StackOverflow gave me the hint I needed: My connection string was being overridden by an Application Setting in the Azure App Service. I didn’t even know that it was configured.

To see if you have a connection string defined in your Azure App Service, log into the Azure Portal, open your App Service and go to Settings -> Application Settings -> Connection strings.

Fixes

  1. Delete the connection string in the Azure application settings. Now you can change the connection string in the web.config using the App Service Editor, for example.
  2. Use the Azure application settings to manage your connection strings. The values defined here will always override the connection strings from your web.config.
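The override can also be checked from code. The following is an added example, not part of the original post: it lists which web.config connection string names are shadowed by an App Service setting, relying on the fact that App Service exposes portal-defined connection strings as environment variables named with a type prefix plus the connection string name. The class name, the sample web.config and the sample environment are constructed for illustration; on a real site you would pass the deployed web.config text and the process environment instead.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public static class ConnectionStringOverrideCheck
{
    // Prefixes App Service puts in front of the connection string name when it
    // exposes portal-defined connection strings as environment variables.
    static readonly string[] Prefixes =
    {
        "SQLAZURECONNSTR_", "SQLCONNSTR_", "MYSQLCONNSTR_", "POSTGRESQLCONNSTR_", "CUSTOMCONNSTR_"
    };

    // Returns "name <- ENV_VAR" for every web.config entry shadowed by a portal setting.
    // Only names are reported: the values are secrets and must stay out of logs.
    public static List<string> FindOverrides(string webConfigXml, IDictionary<string, string> env)
    {
        var names = XDocument.Parse(webConfigXml)
            .Descendants("connectionStrings")
            .Elements("add")
            .Select(e => (string)e.Attribute("name"))
            .Where(n => !string.IsNullOrEmpty(n));

        var hits = new List<string>();
        foreach (var name in names)
            foreach (var prefix in Prefixes)
                if (env.Keys.Any(k => string.Equals(k, prefix + name, StringComparison.OrdinalIgnoreCase)))
                    hits.Add(name + " <- " + prefix + name);
        return hits;
    }

    public static void Main()
    {
        // Constructed sample input, not taken from a real deployment.
        const string webConfig = @"<configuration><connectionStrings>
            <add name=""DefaultConnection"" connectionString=""Server=(localdb)\MSSQLLocalDB;Database=Dev"" />
            <add name=""Reporting"" connectionString=""Server=(localdb)\MSSQLLocalDB;Database=Rep"" />
          </connectionStrings></configuration>";
        var env = new Dictionary<string, string>
        {
            ["SQLAZURECONNSTR_DefaultConnection"] = "<redacted>"
        };

        foreach (var hit in FindOverrides(webConfig, env))
            Console.WriteLine("Overridden by App Service setting: " + hit);
    }
}
```

With the sample input, only DefaultConnection is reported; Reporting has no matching environment variable, so its web.config value stays in effect.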

“Inconclusive” error in ReSharper unit test runner caused by “async void”

The ReSharper unit test runner doesn’t like test methods which are declared as “async void”.

Unfortunately, you won’t get any compiler or IntelliSense warning to tell you. When you try to run the test in the ReSharper unit test runner, it will first get a blue question-mark icon, and when you run it individually it will get the test result Inconclusive.

Example of an “Inconclusive” test result and a good one.

Code:

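using System.Threading.Tasks;
using Microsoft.VisualStudio.TestTools.UnitTesting;

[TestClass]
public class AsyncTests
{
    // "async void": the runner gets nothing it can await, and ReSharper reports Inconclusive.
    [TestMethod]
    public async void This_Test_Will_Cause_Inconclusive_Message()
    {
        // tests
    }

    // "async Task": the runner can await the returned Task, and the test runs normally.
    [TestMethod]
    public async Task This_Test_Will_Run_Ok()
    {
        // tests
    }
}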
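Since neither the compiler nor IntelliSense flags the problem, a reflection check can catch it before the test run. This is an added example, not part of the original post: it scans an assembly for methods marked [TestMethod] that are declared "async void". The stand-in attribute, the SampleTests fixture and the AsyncVoidTestFinder name are constructed for illustration; the attribute is matched by type name, so the same check also matches MSTest's real TestMethodAttribute.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Threading.Tasks;

// Stand-in for MSTest's [TestMethod] so the sample compiles without the test framework.
[AttributeUsage(AttributeTargets.Method)]
public sealed class TestMethodAttribute : Attribute { }

// Constructed sample fixture mirroring the two methods above.
public class SampleTests
{
    [TestMethod] public async void Bad() { await Task.Yield(); }
    [TestMethod] public async Task Good() { await Task.Yield(); }
}

public static class AsyncVoidTestFinder
{
    const BindingFlags All = BindingFlags.Public | BindingFlags.NonPublic |
                             BindingFlags.Instance | BindingFlags.Static | BindingFlags.DeclaredOnly;

    // A method is "async void" when it returns void and the compiler attached
    // AsyncStateMachineAttribute (emitted for every method declared with "async").
    public static List<string> Find(Assembly assembly)
    {
        return assembly.GetTypes()
            .SelectMany(t => t.GetMethods(All))
            .Where(m => m.ReturnType == typeof(void))
            .Where(m => m.IsDefined(typeof(AsyncStateMachineAttribute), false))
            .Where(m => m.GetCustomAttributes(false).Any(a => a.GetType().Name == "TestMethodAttribute"))
            .Select(m => m.DeclaringType.FullName + "." + m.Name)
            .ToList();
    }

    public static int Main()
    {
        var offenders = Find(typeof(SampleTests).Assembly);
        foreach (var name in offenders)
            Console.WriteLine("async void test method: " + name);
        return offenders.Count == 0 ? 0 : 1;   // non-zero exit fails a build step
    }
}
```

For the sample fixture it reports only SampleTests.Bad.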

 

How to reset a SQL Server LocalDB instance in Visual Studio

Many Visual Studio project templates, for example the ASP.NET with Identity template, configure a SQL Server LocalDB instance for development on your local machine.

But what do you do if that database gets corrupted, or you need a clean one for testing your Entity Framework Migrations, for example?

One solution is this:

  1. Open up the Package Manager Console (Tools -> NuGet Package Manager -> Package Manager Console). Make sure to select the project containing your database in the DefaultProject dropdown.
  2. Enter the command sqllocaldb info at the prompt. The result is the name of your SQL Server LocalDB instance.
  3. Enter the command sqllocaldb stop InstanceName. Replace “InstanceName” with the name you got from the previous command.
  4. Enter the command sqllocaldb delete InstanceName. Replace “InstanceName” as in the command before.

    Commands to stop and delete the LocalDB database.
  5. Open the folder where the database files (*.mdf) are stored.

    Open App-data folder in Windows Explorer
  6. Delete the two *.mdf files in the folder.

Depending on your configuration, your database will be re-created automatically when you execute your application or run Update-Database in the Package Manager Console.

 

Show PDF in browser instead of downloading (ASP.NET MVC) without JavaScript

If I want to display a PDF file in the browser instead of downloading a copy, I can tell the browser via an additional Content-Disposition response header.

This code example assumes that the file content is available as a byte array, for example after reading the content from a database.

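// GET action method that tries to show a PDF file in the browser (inline)
public ActionResult ShowPdfInBrowser()
{
  byte[] pdfContent = CodeThatRetrievesMyFilesContent();

  if (pdfContent == null)
  {
    // Returning null would produce an empty 200 response; report the missing file instead.
    return HttpNotFound();
  }

  // "inline" asks the browser to render the file; "attachment" would force a download.
  var contentDispositionHeader = new System.Net.Mime.ContentDisposition
  {
    Inline = true,
    FileName = "someFilename.pdf"
  };

  Response.Headers.Add("Content-Disposition", contentDispositionHeader.ToString());
  // No download file name is passed to File(), so MVC does not add a second Content-Disposition header.
  return File(pdfContent, System.Net.Mime.MediaTypeNames.Application.Pdf);
}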

Please keep in mind that ultimately we don’t have control over the browser. We can politely request to show the PDF inline, but this can be overridden by a user configuration, for example.

Keep your eyes healthy

Staring at our screen all day long can take a toll on our eyes:

I was forced to wear glasses a few years ago, for which I blame my screen-time. Since then I am more conscious about the health of my “biological data interface” (eyes) and just got myself computer glasses with blue filter, although I am not sure if they are necessary. The information available on the web is contradictory, but I have an acquaintance who fixed her problem getting tired with computer glasses.

What DID convince me though is this free tool for Windows users: EyeLeo. It will ask me every now and then to exercise my eyes. Together with Tomighty Pomodoro timer I get the frequent breaks I need to finish my work days without my eyes hurting.

Configure FTP account to download Azure diagnostics logs

If you just published your web app to Azure with Visual Studio, you probably won’t have an FTP account configured in your App Service. I just want to share how to set it up to enable downloading logs via FTP.

If you go to “MONITORING -> Diagnostics logs” in your App Service, you should see the text “No FTP/deployment user set” in the field FTP/deployment username:

Diagnostics logs download configuration

Use the page “DEPLOYMENT -> Deployment credentials” to set up a new FTP user:

Deployment credentials configuration

If you go back to “Diagnostics logs” you will see the FTP/deployment username you can use to access the logs with the FTP client of your choice (On Windows I like to use WinSCP):

Diagnostics logs download configuration (updated)

Important: You have to use the full FTP username shown on the “Diagnostics logs” page, consisting of the App Service name, a backslash, and the FTP username:

AppServiceName\FTPUser

Hint: Try to avoid FTP and use FTPS instead to protect your credentials and data.

 

Azure App Service: View and Edit the deployed web.config with Kudu

We can use the Azure Portal and Kudu to view and edit the web.config of our deployed app in the App Service:

  • Open the App Service you want to edit in the Azure web portal.
  • Go to “DEVELOPMENT TOOLS” -> “Advanced Tools” and click on the “Go ->” link.

  • Above the console use the file explorer to navigate to the “site/wwwroot” folder

  • Scroll down and click the pencil icon to open the file

  • You should see the file content in the editor.

Be careful: saved changes take effect immediately, and you should absolutely know what you are doing when on a production system!

Security resources for .NET web applications

A collection of web app security links with focus on ASP.NET:

OWASP – The Open Web Application Security Project is a worldwide community of professionals interested in security and a good starting point for securing your web apps. Some of the topics: Vulnerability, .NET Project, Cheat sheets, .NET Security Cheat Sheet, Top 10 security risks. Troy Hunt has some great Pluralsight courses about the Top 10 issues.

Top 10 Common Web Attacks from vpnMentor. Good summary of the OWASP Top 10 – 2017 edition. A good place to start (thanks to Qusai for the tip)

ASP.NET MVC Guidance: Security, Authentication and Authorization (ASP.NET site)

Security, Authentication, and Authorization in ASP.NET Web API (MS Docs)

ASP.NET Identity – Current MS stack for authentication and authorization in ASP.NET. Check the articles on security and especially the one on deployment, passwords and the cloud.

Troy Hunt – MS MVP, blogger and security expert. I really like his stuff. Take the list of topics of his Hack Yourself First workshop as inspiration, check out his Pluralsight courses and sign up for his newsletter. Love one of his recent posts Passwords Evolved: Authentication Guidance for the Modern Era.

Ten Immutable Laws Of Security (Version 2.0) – Security philosophy 101 from Microsoft. Makes you think.

.NET Blog – General and security-related information.

My own blog entries about security.

Automatic security updates for Microsoft NuGet packages?

I just tried to answer the question “How to ensure that my ASP.NET MVC 5 web app gets updated automatically when a severe security issue is found in a NuGet dependency”.

The best resources I have found on this topic:

Summary

  • Windows Update will update NuGet packages only for targeted security updates
  • Supported .NET version: 4.5.1 or newer
  • MS .NET NuGet packages treated as part of the .NET framework
  • Security update notifications are posted to .NET blog. Subscribe!
  • Microsoft Update records loaded MS assemblies on a machine to identify candidates for patching.
  • Apps using a vulnerable NuGet package will get served the patched Assembly via GAC Publisher Policy.

Conclusions

I am now more confident that, using NuGet packages, I get critical updates for my applications when needed when Windows Update is used.

But: I would like to see a more recent document about the treatment of security issues in NuGet. (Please leave a comment if you have something and I will update the post.) And I would like to know why the NuGet package feed list is empty.

Cloud diary tutorial part 1 – Get started with ASP.NET MVC, user authentication and the cloud

A video tutorial based on my learnings of ASP.NET MVC 5, ASP.NET Identity, SQL Server and Azure.

Summary: I will show you how to create a very simple web application with user authentication. Users can register, log in, create diary entries (text) and visualize their entries.

In part one we will create, test and refactor the application locally on our computer. Although the app is very simple we will touch a lot of different technologies. You will also see some issues you may experience when starting with ASP.NET MVC in Visual Studio and how to fix them.

In part two we will publish our app to the cloud (Azure). Please subscribe to get notified when part two is finished.

Technology stack

Visual Studio 2017 (Community Edition)
ASP.NET MVC 5
ASP.NET Identity
C#
Git
Entity Framework 6 with Code-First
LINQ to Entities
Azure App Service
Azure SQL Database

Prerequisites

Visual Studio 2017 with the following workloads:

  • ASP.NET and web development
  • Azure development

Content

00 – Introduction

01 – Create ASP.NET MVC 5 application from template

  • Create a new ASP.NET MVC 5 application with ASP.NET Identity
  • Configure authentication (Individual user accounts) for new project
  • Project folders overview
  • Local database folder: App_Data
  • Register user and log into our new application
  • Use “Server Explorer” to show data from local database

02 – Remove unneeded content from application

  • Change title and footer of application
  • Basic HTML tags (title, footer, h1, h2, footer, div)
  • Remove a View and Action Method
  • Commit to source control (local GIT repository)

03 – Create new Controller and View

  • Create a new ASP MVC Controller
  • Create a new ASP MVC View
  • User authentication and security
  • Use of the [Authorize] and [AllowAnonymous] attributes
  • Configure authorization/authentication by default with global filter
  • Refactor our app to use global filter instead of [Authorize] attribute

04 – Display list of fake entries in View

  • Create a model class for diary entry
  • Usage of “prop” code snippet.
  • Create fake data in Controller
  • Display list in View
  • Use of the “ViewBag”
  • Create an HTML table in code

05 – Add form for adding new diary entries

  • Create an HTML form using ASP.NET Identity code as template
  • Razor syntax
  • MVC Form @model directive
  • Create a ViewModel for form-data with data validation attributes
  • Use of [Required], [DisplayName] and [StringLength] attributes

06 – Implement Action Method on Controller to handle the form data from HttpPost request

  • Add HttpPost Action method to Controller
  • [HttpPost] and [ValidateAntiForgeryToken] attributes
  • Test Action Method

07 – Store diary entries in database

  • ASP.NET Identity ApplicationUser and ApplicationDbContext overview
  • ASP.NET Identity tables
  • Extend DiaryEntry model class for usage in DbContext
  • Create foreign key property and navigation properties (Entity Framework)
  • Add new DiaryEntry table to DbContext
  • Create new model class from viewmodel
  • Use Entity Framework to insert into DiaryEntries table
  • Show result of data-model change: “Server Error in Application. The model backing the ‘ApplicationDbContext’ context has changed since the database was created. Consider using Code First Migrations to update the database”

08 – Enable EF Migrations

  • Add Code First Migrations to update the database
  • Delete SQLServer LocalDB database from App_Data folder
  • Enable, create and apply migrations with Package Manager (“enable-migrations”, “add-migration”, “update-database”)
  • Test adding a new diary entry to the database using our form.

09 – Retrieve data

  • Query database with LINQ to entities query
  • Redirect to GET ActionMethod after the POST with “RedirectToAction”

10 – UX improvement – Login button on homepage

  • Identify user experience issues
  • Use source control (GIT) to access code from a previous version
  • Improve navigation by adding Login-Button on homepage

11 – UX improvement – Move diary to homepage

  • Refactor Controllers and Views to merge homepage and diary page

Part 2 (Publish our app to the cloud) still in the works. Please subscribe to my YouTube channel and blog to get notified when it’s ready!

Credits: Big thanks to John Sonmez from SimpleProgrammer. His “10 Steps to learn Anything” course not only helped me to organize my learning but also motivated me to create this tutorial!