
abashedwhimsical (Software and s/w Development)

Nov 2, 2013

1. Web site is partitioned into restricted areas (protected using SSL) and public areas
   a. Web sites that consist of both public (anonymous) and restricted (secure) areas should be partitioned to separate the restricted content into one or more subdirectories.
   b. Restricted subdirectories are protected by requiring authenticated access (configured in the <authorization> section of the Web.config file).
   c. Unauthenticated access to restricted pages (e.g. expired session) should redirect to the default login page.

2. Code-behind files are used rather than inline server-side script blocks
   a. Check every .aspx (page) file: no <script> blocks with runat="server" should be found.

3. Code-behind files are not used as a container for Business Logic and/or Data Access Logic
   a. Code-behind files should only contain presentation-related programming logic such as event handlers which work with the UI elements (ASP.NET Server Controls, HTML Controls).

4. Master Pages are used as a means to create a consistent layout for web applications

5. Web site is fully functional when JavaScript is disabled in the browser

6. Server-side validation is performed on all user inputs from sources such as HTML controls, Query String, and Cookies
   a. The validation code should check that the length, type, and range of the data are valid.

7. Input form field values are retained when the form is redisplayed to the user after input validation fails

8. Data paging is used for unbounded or long lists of data

9. Sensitive information such as passwords and connection strings is not stored in any client-side state

10. Web site is fully functional when cookies are disabled in the browser

11. The DataGrid server control is not used
    a. The DataGrid control has been superseded in the .NET Framework 2.0 by the GridView control. This new control should be used in place of the DataGrid as it has several improvements over the DataGrid.

12. HTTP error codes are handled using custom error reporting pages
    a. Custom error pages are set up in the Web.config file in the <customErrors> section.
    b. Unhandled exceptions within an application should be caught and managed in a consistent and safe manner. This can be best achieved by using a global error handler that can trap all unhandled exceptions, log the details, then present a safe error page to the user (without exposing any sensitive data).

13. Configurable application settings are stored in the web application's Web.config file

14. Database connection string should be encrypted
    a. Encrypting Sections of the Web.config File (MSDN Library)
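The Web.config settings that items 1b, 1c, 12a and 14 call for, shown together as an added example; this is not part of the original document or of the ProductManager project. The restricted directory name Secure, the pages Login.aspx, Error.aspx and NotFound.aspx, and the ciphertext placeholder are assumptions; the physical path is the one used by the page's own connection string.

```xml
<?xml version="1.0"?>
<configuration>
  <!-- Item 14: encrypt the section in place with the .NET Framework tool
         aspnet_regiis -pef "connectionStrings" "c:\inetpub\wwwroot\productmanager"
       It replaces the <add> elements with <EncryptedData> and sets configProtectionProvider.
       ConfigurationManager.ConnectionStrings decrypts transparently, so ConnectionDA.getConnection()
       needs no change. The CipherValue below is a placeholder, never hand-edited. -->
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>PLACEHOLDER-WRITTEN-BY-ASPNET_REGIIS</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>

  <system.web>
    <!-- Item 1c: an unauthenticated (or expired) request for a restricted page is redirected
         to the login page. requireSSL keeps the authentication ticket cookie off plain HTTP,
         matching item 1 (restricted areas protected using SSL). -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" timeout="20" slidingExpiration="true" />
    </authentication>

    <!-- Public area: anonymous users are allowed everywhere not covered by a <location>. -->
    <authorization>
      <allow users="*" />
    </authorization>

    <!-- Item 12a: one custom page per HTTP status code. RemoteOnly shows exception details
         to browsers on the server itself only; remote users always get the safe page. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <error statusCode="403" redirect="~/Error.aspx" />
      <error statusCode="404" redirect="~/NotFound.aspx" />
      <error statusCode="500" redirect="~/Error.aspx" />
    </customErrors>

    <!-- Item 9: cookies are not readable from client-side script. -->
    <httpCookies httpOnlyCookies="true" />
  </system.web>

  <!-- Item 1b: the restricted subdirectory denies anonymous users ("?"). Rules are evaluated
       top-down and the first match wins, so the deny must come before the allow. -->
  <location path="Secure">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```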

Check these resources:

1. MSDN Coding Techniques and Programming Practices (http://msdn.microsoft.com/en-us/library/aa291596(v=VS.71).aspx)
2. Enterprise Solution Patterns Using Microsoft .NET (http://msdn.microsoft.com/en-us/library/ms998469.aspx?rssCatalog)
3. ASP.NET tutorials for beginners (http://www.dotnetspider.com/tutorials/AspNet-Tutorials.aspx)
4. http://www.education.vic.gov.au/devreskit/appdev/Standards/ASP/aspnet-standards-details.htm#qa2



Code Fragments

Web.Config

<connectionStrings>
  <add name="localDB"
       connectionString="Provider=Microsoft.Jet.OLEDB.4.0; Data Source=c:\inetpub\wwwroot\productmanager\App_Data/StarMarket.mdb; User Id=; Password=" />
  <add name="localDBProvider"
       connectionString="Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" />
  <add name="localDBFilePath"
       connectionString="/App_Data/StarMarket.mdb; User Id=; Password=" />
  <add name="remoteDB"
       connectionString="Provider=MS Remote; Remote Server=http://Your-Remote-Server-IP; Remote Provider=Microsoft.Jet.OLEDB.4.0; Data Source=c:\App1\Your_Database_Name.mdb" />
</connectionStrings>

Default.aspx.vb

Partial Public Class _Default
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        'Use the following code if you want to have a relative address to the database file
        'Use these settings in the ProductDB.vb class or in the Connection.vb class
        Dim strServerPath As String = Server.MapPath("/")
        Application.Add("ServerPath", strServerPath)
    End Sub

    Protected Sub bntFind_Click(ByVal sender As Object, ByVal e As EventArgs) Handles bntFind.Click
        Try
            'CInt throws if the text box does not hold an integer
            Dim myProduct As Product = ProductDB.findProduct(CInt(Me.txtProductID.Text))
            Me.lblProductName.Text = myProduct.ProductName
        Catch ex As Exception
            'Shows the raw exception text to the user; compare checklist item 12b
            Me.lblProductName.Text = ex.Message
        End Try
    End Sub
End Class

Product.vb

Imports Microsoft.VisualBasic

'***********************************************************************************************************
'Class Name: Product.vb
'Version: 1.00
'Programmer/s: Spiros Velianitis
'Date: February 6, 2010
'Purpose: Implements the Product domain class.
' etc..
'***********************************************************************************************************

Public Class Product

    'Declaration of constants

    'Declaration of module level variables
    Private mintProductID As Integer
    Private mstrProductName As String

    Public Sub New(ByVal intProductID As Integer, ByVal strProductName As String)
        Me.mintProductID = intProductID
        Me.mstrProductName = strProductName
    End Sub

    Public ReadOnly Property ProductID() As Integer
        Get
            Return mintProductID
        End Get
    End Property

    Public ReadOnly Property ProductName() As String
        Get
            Return mstrProductName
        End Get
    End Property

End Class



ConnectionDA.vb

Imports System.Configuration

Public Class ConnectionDA

    Public Shared Function getConnection() As String
        'Use the following code if you want a relative address to the database
        'Dim strServerPath As String = HttpContext.Current.Application("ServerPath")
        'Return ConfigurationManager.ConnectionStrings("localDBProvider").ConnectionString & strServerPath & _
        '       "/ProductManager" & ConfigurationManager.ConnectionStrings("localDBFilePath").ConnectionString

        'Reads the connection string from the <connectionStrings> section of Web.config
        Return ConfigurationManager.ConnectionStrings("localDB").ConnectionString
    End Function

End Class

ProductDB.vb

Imports Microsoft.VisualBasic
Imports System.Data.OleDb
Imports System.Data

Public Class ProductDB

    Public Shared Function findProduct(ByVal intProductID As Integer) As Product
        'The ID is concatenated into the SQL text (it is already an Integer here)
        Dim sel As String = "SELECT Products.ProductID, Products.ProductName FROM (Products) WHERE (((Products.ProductID)=" _
            & intProductID & "));"

        Dim conString As String = ConnectionDA.getConnection()
        Dim con As OleDbConnection = New OleDbConnection(conString)
        Dim cmd As OleDbCommand = New OleDbCommand(sel, con)

        cmd.Connection.Open()
        'CloseConnection releases the connection when the reader is closed; the Using block
        'closes the reader on every exit path, so the connection is not leaked on "not found"
        Using rdr As OleDbDataReader = cmd.ExecuteReader(CommandBehavior.CloseConnection)
            If rdr.Read() Then
                Return New Product(intProductID, rdr.GetString(1))
            Else
                Throw New Exception("ERROR: Product Not Found")
            End If
        End Using
    End Function

    'Stub: not implemented yet, always reports 5
    Public Shared Function insertProduct(ByRef myProduct As Product) As Integer
        Return 5
    End Function

End Class
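A hardened lookup added here as an example; it is not the project's code. It applies checklist item 6a (length, type and range of the user's input are checked before any database call) and passes the ID as an OleDb parameter instead of concatenating it into the SQL text as findProduct above does. It reuses the page's Product class, ConnectionDA.getConnection() and the Products table; the class name ProductDBSafe and the helper TryParseProductID are assumptions.

```vbnet
Imports System.Data
Imports System.Data.OleDb

' Assumed class name; reuses the page's Product class and ConnectionDA.getConnection().
Public Class ProductDBSafe

    ' Item 6a: validate the raw text box value before it reaches the data layer.
    ' CInt() in the original code-behind accepts "1e3", "&HFF" or " 12 " and throws on junk,
    ' and that exception text is then shown to the user; this returns False instead.
    Public Shared Function TryParseProductID(ByVal rawValue As String, ByRef productID As Integer) As Boolean
        productID = 0
        If rawValue Is Nothing Then Return False
        Dim text As String = rawValue.Trim()
        ' Length: a positive 32-bit integer has at most 10 digits.
        If text.Length = 0 OrElse text.Length > 10 Then Return False
        ' Type: ASCII digits only (no sign, no spaces, no hex prefix, no exponent).
        For Each c As Char In text
            If c < "0"c OrElse c > "9"c Then Return False
        Next
        ' Range: must fit in an Integer and be a positive identifier.
        If Not Integer.TryParse(text, productID) OrElse productID < 1 Then Return False
        Return True
    End Function

    ' The ID travels as a typed parameter, never as part of the SQL text. OLE DB uses
    ' positional "?" markers; the parameter name is only for readability.
    Public Shared Function findProduct(ByVal intProductID As Integer) As Product
        Const sel As String = "SELECT ProductID, ProductName FROM Products WHERE ProductID = ?"
        Using con As New OleDbConnection(ConnectionDA.getConnection())
            Using cmd As New OleDbCommand(sel, con)
                cmd.Parameters.Add("@ProductID", OleDbType.Integer).Value = intProductID
                con.Open()
                ' Using blocks close the reader and the connection on every path, including exceptions.
                Using rdr As OleDbDataReader = cmd.ExecuteReader()
                    If rdr.Read() Then
                        Return New Product(intProductID, rdr.GetString(1))
                    End If
                End Using
            End Using
        End Using
        ' Not found: return Nothing so the caller can show a fixed message (item 12b)
        ' instead of echoing ex.Message to the browser.
        Return Nothing
    End Function

End Class
```

In the code-behind, call TryParseProductID on txtProductID.Text first and show a fixed "Product not found" text when it returns False or findProduct returns Nothing.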