Development

Every year users are conducting more of their lives online, but they’re also doing so from more screens than ever before. It’s not uncommon for me to access the same web application from my work computer, home computer, iPhone, and iPad, and those are just the devices that I consider “mine”. (Not that I own my work computer, but that I am its only user.)

If your web application contains anything of real value, the real danger comes from public computers that your users may use. It’s all too easy for a user to forget to log off from a website, and most webapps make it impossible to log off those sessions remotely.

I believe it’s becoming more important to allow your users the ability to globally log off from your website, clearing not only local credentials stored in cookies, but invalidating all the user’s sessions across all devices.

Read more →

Development

I have a friend.  Let’s call him “Steve”.

Steve was recently complaining to me about the password requirements imposed on him by Corporate IT.  He was using all sorts of words to describe them.  The only one suitable for reprinting was “stupid”.  They went downhill from there rather quickly.

Here are the password requirements Steve has to live with:

  • Must contain at least one uppercase letter A-Z.
  • Must contain at least one lowercase letter a-z.
  • Must contain at least one numeral 0-9.
  • Must contain at least one special character.
  • Must be longer than 6 characters. (So >= 7)
  • Must be shorter than 9 characters. (So…7 or 8, but not 9)
  • Must begin and end with an alpha character A-Z or a-z.
  • The change periods (how often you must reset) vary.
  • You may not use any password you have used in the last year.

Read more →

Development

A common question about NServiceBus is how to use it to integrate with an external partner. The requirements usually go something like this:

  • The third party will contact us via a web service, passing us a transaction identifier and a collection of fields.
  • If we successfully receive the message in the web service, we respond with an HTTP 200 OK status code.  If they do not receive the acknowledgement, they will assume a failure and retry the web service call later.
  • Once we receive the message from the third party, we need to distribute (think publish) the contents of the message to more than one internal process, each of which is completely independent of the others.
  • We need to logically receive each message once and only once. In other words, it would be a “Very Bad Thing” for one of the internal subscribing processes to receive the same notification more than once.

This was most recently asked in this StackOverflow question, where it became difficult to explain more within the 600 character comment limit. The best explanation is example code, so here it is.

Read more →

Technology

For a long time I thought that the addition of a “.com” button on the iOS keyboard was a fantastic idea.  But what about .net, .org, and .edu domains?  Where’s the love for them?

I got to thinking, wouldn’t it be awesome if you could hover over the .com button and get a popup with options for the other common top-level domains?

Turns out the Apple engineers were way ahead of me.  Give it a shot sometime!

On my iPad (set to English/US keyboard layout of course) hovering over the .com button gives me additional options for .net, .org, .us, and .edu.  It does make me wonder if I would get something like .co.uk if I had a British keyboard setting.

What you apparently can NOT do is take a screenshot with the popup menu activated.

Development

Are you experiencing either of these exceptions?

System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.

System.IndexOutOfRangeException: Index was outside the bounds of the array.

System.IndexOutOfRangeException: Probable I/O race condition detected while copying memory. The I/O package is not thread safe by default. In multithreaded applications, a stream must be accessed in a thread-safe way, such as a thread-safe wrapper returned by TextReader’s or TextWriter’s Synchronized methods. This also applies to classes like StreamWriter and StreamReader.

Well, at least the last one is descriptive, but it is the LEAST likely of the three to occur.

If you’re seeing any of these exceptions, there’s a good chance you’ve run afoul of a secret of the System.Security.Cryptography namespace: almost nothing in it is thread safe.

It’s an easy error to make. We know encryption is processor intensive, and it seems like it would be smart to incur the costs of setting up ICryptoTransform objects for encryptors and decryptors once and then store them in a static variable. Any state they might share would seem to be reference data like keys and salt and init vectors, so as long as we use a new CryptoStream for each operation, what could go wrong?

Well, lots.

Internally, the implementations of ICryptoTransform (and I assume other objects) use objects from the System.IO namespace like buffers and streams that we would never think of sharing between threads, but it’s hard to know that from a simple call to ICryptoTransform.TransformBlock().

So, if you run into any of the exceptions above, try either creating your System.Security.Cryptography objects each time you need them, or marking the cached fields with the ThreadStaticAttribute.  Remember that with [ThreadStatic], a static field initializer runs only once, on the first thread that touches the class, not once per thread, so check the field for null before you use it and initialize it if it is null.
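The [ThreadStatic] approach described above, written out as an added example (not code from the original post). The class name, key and IV are constructed for the demonstration; the key and IV are shared reference data, while the ICryptoTransform is created lazily on each thread and never crosses threads.

```csharp
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

// Added example, not code from the original post: keep ICryptoTransform
// instances thread-confined while still reusing them within a thread.
public static class ThreadConfinedAes
{
    // Key and IV are immutable reference data and safe to share across threads.
    // Constructed sample values for the demonstration only.
    private static readonly byte[] Key = Enumerable.Range(0, 32).Select(i => (byte)i).ToArray();
    private static readonly byte[] Iv = Enumerable.Range(0, 16).Select(i => (byte)(i * 7)).ToArray();

    // A [ThreadStatic] initializer would run on the first thread only, so the
    // field is declared without one and created lazily on each thread.
    [ThreadStatic]
    private static ICryptoTransform encryptor;

    private static ICryptoTransform ThreadEncryptor()
    {
        if (encryptor == null)
        {
            using (var aes = Aes.Create())
            {
                aes.Key = Key;
                aes.IV = Iv;
                encryptor = aes.CreateEncryptor(); // owned by the calling thread only
            }
        }
        return encryptor;
    }

    // Reuses the calling thread's transform with a fresh CryptoStream per call.
    public static byte[] Encrypt(string plaintext)
    {
        using (var output = new MemoryStream())
        {
            using (var cs = new CryptoStream(output, ThreadEncryptor(), CryptoStreamMode.Write))
            {
                byte[] bytes = Encoding.UTF8.GetBytes(plaintext);
                cs.Write(bytes, 0, bytes.Length);
            } // Dispose flushes the final block; the transform itself is not disposed
            return output.ToArray();
        }
    }

    // Many threads encrypting at once; a single shared static transform here is
    // exactly where the padding and index exceptions above show up.
    public static void Main() => Parallel.For(0, 1000, i => Encrypt("message " + i));
}
```

The same null-check-then-initialize pattern applies to a cached decryptor; the alternative the post mentions, creating the transform inside each call, needs no thread-static field at all.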

Technology

There are two types of people in the world right now: those who are angry at Netflix and those who don’t have Netflix.

Like everyone else, I received the email yesterday notifying me that as of September 1, 2011, my $10 Netflix plan that includes 1 DVD at a time and online unlimited streaming will be discontinued. Instead, they offer separate plans for DVDs and for streaming.  1 DVD at a time will now cost $8, and unlimited streaming will now also cost $8.  There is no discount for bundling, so if I want to continue the same level of service, it will now cost me $16 per month.

It’s not the money that bothers me. Prices were bound to go up.  Maybe this is a pretty severe jump all at once, but it’s not completely unexpected.

What bothers me is the false choice it represents. If money does indeed talk (and I believe it does) then Netflix is asking me to choose from these options:

  1. I like getting DVDs from you, but I don’t care for your streaming service. Please take my money and keep the DVDs coming.
  2. I love your streaming service, but DVDs in the mail is so 2003. Please take my money and let me stream to my heart’s content, but don’t make me walk out to the mailbox.
  3. I like DVDs and I also like streaming, and I’m willing to pay more money for both.
  4. Netflix, you suck. Cancel my subscription.

I don’t believe that any of these four options correctly captures my real intent:

I would be willing to pay $16 per month, maybe even more, just for the streaming service, provided that the streaming selection didn’t suck.

Read more →

Development

It’s commonly very difficult to question business people about reporting requirements.  It’s not really their fault either – they just can’t know exactly what they want until they’re trying to answer a question and can’t easily do it with the reports you’ve given them.

This is why it’s good to make reports as flexible and updateable as possible, while requiring as little developer involvement as possible to update them.

If you’re operating in an environment where all database access must be via stored procedures, this is a really big problem.  It’s really unlikely that the changes requested by business can be implemented with the same stored procedure you naïvely created for your first attempt.  I’ve seen scenarios where a database has stored procedures with the suffixes GetReport, GetReport2, GetReport3, GetReport4, etc.  Yuck.

Even if you’re using Entity Framework, LINQ to SQL, or some other data layer framework that enables more free-form access to the database, you can’t always ensure that all report queries will result in good execution costs and actually be performant.

Read more →

Development

At work we use Hudson Continuous Integration for our build servers because, among other reasons:

  • It’s FREE!
  • It runs on Windows (for our C# builds) and on Mac/Linux (for our iOS/Android builds).
  • It has a web-based GUI that is MUCH easier to use than the XML-driven config used by CruiseControl.NET, which we used before switching to Hudson.
  • It has a rich system of plugins for adding functionality.
  • Did I mention it’s FREE?

The one nice thing about CruiseControl.NET was that because it had one complex XML configuration file, I would only edit that file in source control so that I could back out my changes if I screwed it up. Now I need a way to back up the Hudson configuration files so that if one of my build servers goes up in flames, I can get my team back in business quickly.

A good backup solution needs to be automatic and offsite, and due to the magic of distributed version control and the inherent job execution nature of Hudson, we can back up Hudson with Hudson. If this isn’t the ultimate in universe folding in on itself awesome, I don’t know what is.

Read more →

Development

When coding for work, everything of course has to be done the Right Way®. This isn’t always super exciting, so it is sometimes liberating to cut loose and work on a side project that mashes together a whole bunch of technologies without worrying too much about stability, reliability, scalability, or even if it will continue to run tomorrow. These R&D projects will never have even a single line of code directly pushed into even a development repository, but more often than not I find that I take concepts learned and tested during these coding sessions and apply them in some later project. Even if the entire project is thrown away in relatively short order, some concept of value survives for the long haul.

Plus, it’s just fun.

Recently my wife and I got the very exciting (and scary!) news that we were pregnant with our first child. The little guy or girl’s arrival is still over 5 months away, but already we’re wrestling with tons of difficult questions, and one particularly overwhelming one is “How are we going to decide where to send our child for day care?”

We live in the great state of Minnesota where the Department of Human Services maintains a searchable Licensing Info Lookup website for all sorts of things, including (but not limited to) family child care. Anyone with a child care license can be found here, along with address, phone number, if they can accept newborn infants and how many, etc.

Just one problem. We live on the border of two big suburbs, so you do a search for both cities and together you get over 150 results, and no map.

This is where my inner geek starts to get excited. I’ve got a copy of Visual Studio. I can fix this problem. Let’s do it.

Read more →

Development

Sometimes I need a rolling counter, especially in diagnostics-related scenarios. How many requests have occurred in the last hour? It’s not okay for a counter object to drop out of cache every hour, because the value will be meaningless if I happen to observe it at (Cache Drop + 3 minutes).

A real rolling counter is needed in these situations. The counter must increment, and then at some point those hits must drop off.

But especially in these situations, low impact is the key. A Queue where each item contains a timestamp is too unruly. Too many objects are created and too much cleanup is required. Less is more.

Read more →