Blog: Posts from September, 2011

Posts from September, 2011
Sunday, September 4, 2011PrintSubscribe
URL Hashing

Powerful and simple mechanism of data controller URL parameters allows easy manipulation of the page behavior in Code On Time web applications. For example, consider Products page at If you navigate to the page and login as admin/admin123% then you will see the following screen with a list of products.


If you want to navigate to a specific product then try the following link. The same page will open in edit mode on the product with the primary key equal to 7.


Data controller parameters offer a simple and powerful method of affecting user interface presentation. Couple that with robust Access Control Rules implementation and your web app will provide an excellent and secure mechanism of navigation to specific records.

Sometimes you may want to prevent any possibility of external commands sent to your application via URL parameters unless the commands were initiated by the web application itself or an external “friendly” source.

Enabling URL Hashing

Unlimited edition of Code On Time offers a new feature called URL Hashing, which is available as a component of EASE (Enterprise Application Services Engine). The purpose of URL Hashing is to ensure that only encrypted commands can be passed in the URL of your web application.

Start the web application generator, select your project and click Next button a few times until your reach the Features page. Enable URL Hashing under EASE Configuration.


Proceed to generate the project.

Navigate to any page of your web application displaying data and try passing any parameter in the URL. For example, if you are looking at Products.aspx page then change the URL in the address bar of the browser to Products.aspx?AnyParam=Hello and hit enter key to navigate to the page.

You will see the following response.


All applications pages are now protected and will not allow inclusion of any URL parameters.

Internal URL Parameters

Your web application may be using URL parameters for its own purpose. For example, configure a Navigate action in the Northwind sample as explained next.

Select your project on the start page of the web app generator and click Design. Select Products data controller on All Controllers tab and activate Action Groups page.

Select action group ag1 with the scope of Grid and switch to Actions tab.

Add a new action with the following properties. Note that Command Argument must be entered without line breaks.

Property Value
Command Name Navigate
Command Argument ?ProductID={ProductID}&_controller=Products&_commandName=Edit&_commandArgument=editForm1
Header Text Edit Product

The value of command argument instructs the application to navigate to the current page that hosts the data controller view and pass the ProductID of selected row in the URL. The other URL parameters will force the data controller to open the specified product in editForm1 in Edit mode.

Save the new action, exit the Designer and generate your project.

Navigate to Products page and select the context menu of a product row.


Your browser will navigate to the currently active page with the URL that looks as follows. Notice that there is a parameter “_link” with the cryptic looking value in the address bar of the browser.


URL Hashing mechanism embedded in your application only allows this particular parameter and demands that the value of “ _link” parameter is encrypted.

Alter any portion of the parameter or add any additional URL parameters and the request will fail to display the page with the same HTPP error code 403 presented above.

External URL Parameters

Sometimes you may need to pass URL parameters from an external web application. If URL Hashing feature is enabled then this task becomes impossible unless you encrypt the URLs passed by external web application.

The implementation of encryption can be found in the StringEncryptorBase class of your application source code. The partial code below shows encryption key (Key) and initialization vector (IV). Both properties are passed by methods Encrypt and Decrypt as arguments to the default implementation of Advanced Encryption Standard (AES) available in Microsoft.NET Framework.


public class StringEncryptorBase
    public virtual byte[] Key
            return new byte[] {
. . . . 153}; } } public virtual byte[] IV { get { return new byte[] { 87, 84, 163, 98, 205,
. . . . 112}; } } public virtual string Encrypt(string s) { . . . . . .
} public virtual string Decrypt(string s) {
        . . . . . .


Public Class StringEncryptorBase

    Public Overridable ReadOnly Property Key() As Byte()
            Return New Byte() {253, 124, . . . ., 153}
        End Get
    End Property

    Public Overridable ReadOnly Property IV() As Byte()
            Return New Byte() {87, 84, 163, 98, . . . ., 112}
        End Get
    End Property

    Public Overridable Function Encrypt(ByVal s As String) As String
. . . . .
End Function Public Overridable Function Decrypt(ByVal s As String) As String
. . . . .
End Function End Class

Copy this class to the external application and make sure to encrypt the URLs that are passed to a Code On Time web application with URL Hashing enabled.

You may also want to change the key and initialization vector. The default values are hard-coded and shared by all applications generated with Unlimited edition of Code On Time.


URL Hashing is always performed for History and permalinks. If the application is generated without URL Hashing enabled then the permalinks are simply encoded with base-64 encoding to mask the nature of URL parameters.

Advanced encryption with hash code validation will be performed on links create with View Details command and on results of any actions with Command Name set to Navigate.

Thursday, September 1, 2011PrintSubscribe
IE6, Azure Publishing, Time Processing

Code On Time update has introduced the following enhancements and bug fixes.

  • Improved support for IE6 in the client library.
  • Publishing of web applications created with Azure Factory is now using Windows Azure SDK 1.4. Previous release would fail to create a deployment package if Windows Azure SDK 1.3 was not installed.
  • Time processing has been improved for all locals / cultures. If you have a date field then you can enable the time component on the such field if you change the Data Format String property of a data field in a view or the field a data controller to “g” or “G”.  
    User can now enter time 0518 or 5 18 (space between hours and minutes) and the time will be correctly formatted according to the current culture properties.
    Time selector rendered next to time component of a data field shows 48 intervals, 30 minutes each. The intervals start from the current hour. Intervals are correctly formatted according to the web application culture.
  • File upload/download mechanism is now using data fields of editForm1 to update the utility fields. Previous version of the application framework would not have updated the utility field values if the data fields were not present in grid1.
  • URL Hashing now works with View Details. Previous implementation was not encrypting links produced by “View Details” arrow that is typically present next to lookup fields.
  • Incorrect processing of single word table and column names has been fixed. Last update has introduced a bug that has affected older project. 
    If you have a table named “customer” or “CUSTOMERS” and there is a column named “address” or “ADDRESS” then the code generator would incorrectly label the corresponding objects as “ CUSTOMERS” or “ customers and “ ADDRESS” or “ address”. Notice the leading space character in front of the label.
    We have resolved the issue to allow correct processing of old projects created prior to the update. There is a possibility that a new project that was started last week will get affected. If you observe that the order of data fields has changed then please re-order your fields once more.
  • Presence of image fields in a data controller will not affect the height of data rows in automatic reports unless the data view explicitly includes a reference to an "image” field.
  • Sample SQL Server database Contact Manager includes an improved data set. 
  • Data access objects now support passing of FieldValue parameters when calling Select and SelectSingle methods.
  • Text Mode property of data fields displays “Auto” instead of “Text” in designer.

We expect to release the next update by the end of the next week and are planning to roll out DotNetNuke Factory. SharePoint Factory will follow shortly thereafter.

New project releases were delayed to allow stabilization of the recent changes to the core application framework and client library.