When reading/reusing a cookie sent from the client do not expect the expiration date to be valid.

The following excerpt is taken from MSDN regarding cookies:

"To be clear, you can read the Expires property of a cookie that you have set in the Response object, before the cookie has been sent to the browser. However, you cannot get the expiration back in the Request object."

Here are 2 things to remember:

1. If you need to save the cookie expiration date, save it in another place besides the Expires property.

2. Remember to always set the expiration date before sending a cookie back to the client.

I was really surprised to discover this bug a couple of days back while working on an ASP.Net 2.0 web site.

I spent several hours barking up the wrong code tree since I was convinced it had to do with some recent code changes I made.

But as it turns out this problem is as old as the server itself and for some reason has not been fixed by any .Net patches.

The jist of it is that if you encounter .net exceptions that only happen on your server with certain types of traffic ( examples: google bot, yahoo bot and some other esteemed visitors), you might be the victim of an annoying bug that has existed, as far as I could tell, for a couple of years and has not been fixed till date.

The telltale signs would be server exceptions that look like ->

Exception of type 'System.Web.HttpUnhandledException' was thrown.
Stack trace: at System.Web.UI.Page.HandleError(Exception e)

And inner exception type ->

System.Web.HttpException: Cannot use a leading .. to exit above the top directory. at System.Web.Util.UrlPath.ReduceVirtualPath(String path)

---------------

As it turns out this bug has to do with .Net 2.0 browser detection bug and can be fixed by adding a browser definition file to correct the problem.

You can also reproduce and test the browser detection bug here.

Note that this bug often occurs when you use url rewriting on your server.

Trying to rewrite URL's or custom handle URL's on IIS 6/7 can lead to HTTP errors on the IIS level.

The problem is that some characters like a question mark (?) are considered illegal by IIS when they are a part of a URL file name or path.

Example:

http://www.mydomain.com/MyUrlWithQMark?.ashx

Will produce: HTTP Error 404 - File or directory not found, even if there is an HTTP handler defined for that file type.

Since those characters are not allowed by IIS, requests containing those characters are blocked on the Http.sys level before they ever reach the appropriate HttpHandler.

Unfortunately this means that ASP.Net code does not get a chance to handle URL's that contain characters dimmed illegal by IIS.

Currently the only solution is to change IIS registry settings that effect the way Http.sys handles those types of characters.

Specifically you will need to change the AllowRestrictedChars setting from 0 to 1.

The main problem with this solution is that if you don't have access to those registry settings you have a problem!

For example people using shared hosting solutions or shared servers where some sites want to allow this option and some don't will not be able to use this solution.

I hope this will change in future versions of IIS. in my opinion the AllowRestrictedChars option should be configurable per site through an ASP.NET configuration option.

A couple of weeks ago I showed an easy way to redirect from HTTP to HTTPS.

Fosiul raised the issue that once you redirect to HTTPS all the pages become secure even the ones we do not need to be secure.

This can lead to some problems like adding additional stress on the web server machine.

To solve this problem we should be able to switch from https to http when ever we detect a page where we do not need secure communications.

One way to do that is to have a function that knows to switch both ways.

Example:

One way to use the above function is in the page load handler of pages where a transition to or from HTTP or HTTPS should occur.

Putting the function call in the page load handler would make sure that a transition from secure to non secure and vice versa would occur before the rest of the page gets rendered.

Example:

If you want to be fancier you can use a custom HTTP module to detect and redirect using a variant of the setSecureProtocol function.

Example:

// The example code below always redirects to https!!!

Good luck!

It took me some time to find where Microsoft hides the latest Silverlight tools :)

I also noticed that many other people were searching for the latest Microsoft Silverlight 2.0 beta, Silverlight SDK's , Expression Blend, and other tools.

As it turns out you can find a list of all the tools and their download links at:

http://www.microsoft.com/silverlight/resources/tools.aspx

Hope this helps.

Sometimes it is useful to get the base URL of a given URL.

For some reason there is no built in function in the URI class to do that.

A simple implementation of a function to get the base URL from a given URI would be:

As a usage example if we call extractBaseURLFromURL and supply the following URL

http://msdn2.microsoft.com/en-us/netframework/default.aspx

The function will return the following URL 

http://msdn2.microsoft.com

----------

 Update:

Example:

Below is a simple code snippet to redirect from a non secure HTTP URL to a secure HTTPS URL using C# and ASP.NET.

The code checks if we are using a secure connection and if not it redirects to the same requested URL changing the protocol from HTTP to HTTPS.

// Check if we are using https and if not redirect