Petes random thoughts and jottings

May 21

Chrome 19: XMLHttpRequest open() with authentication is broken

Good old Chrome autoupdated itself last week. All was fine except now I can't seamlessly log into my web applications.

Turns out it has stopped supporting embedded identities, e.g. http://username:password@google.com
(note: that is not my real username and password!). That is fine, but it looks like when you use the following code:

var xhr = new XMLHttpRequest();
xhr.open("GET", "/data", false, "pete", "test1");

It doesn’t use the username and password anymore and instead the user gets the authentication dialog box.

Surely this is a bug?!

I thought I had got a workaround by adding the following code:
xhr.setRequestHeader("Authorization", "Basic cGV0ZTp0ZXN0Mg==");
This does work but the browser doesn’t save the credentials, so if the browser gets sent to a secure page, you still get the popup authorisation dialog.
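As an added example (not code from the original post), here is the header-based workaround written out as reusable functions. It assumes a browser or Node runtime that provides btoa/atob and TextEncoder/TextDecoder; the user name and password are the fake placeholders from the post, and the decode helper is there to make the point that the Basic token is only base64, not encryption, so it is only safe to send over HTTPS.

```javascript
// Added example (not from the original post): build and apply an HTTP Basic
// Authorization header by hand, which is the workaround the post describes.
// Credentials are the fake placeholders from the post ("pete" / "test2").

// Encode "user:password" as the Basic credential token. btoa() only accepts
// Latin-1 characters, so the string is UTF-8 encoded first (RFC 7617 leaves
// the charset to the server; UTF-8 is the usual choice).
function basicAuthHeader(user, pass) {
  if (user.includes(":")) {
    // RFC 7617: the user-id may not contain a colon; the password may.
    throw new Error("Basic auth user-id must not contain ':'");
  }
  const bytes = new TextEncoder().encode(`${user}:${pass}`);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return "Basic " + btoa(binary);
}

// Reverse of the above. Anyone who can read the request (e.g. on plain HTTP)
// can do this, which is why Basic auth needs TLS underneath it.
function decodeBasicHeader(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(header.trim());
  if (!m) return null;
  const binary = atob(m[1]);
  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
  const text = new TextDecoder().decode(bytes);
  const sep = text.indexOf(":");
  if (sep < 0) return null;
  return { user: text.slice(0, sep), pass: text.slice(sep + 1) };
}

// Apply the header to an XHR instead of relying on open()'s user/password
// arguments. Must be called after open() and before send(). The browser treats
// it like any other request header: it is sent on this request only and is NOT
// remembered for later navigations, which is why a protected page visited
// afterwards still pops up the login dialog.
function openWithBasicAuth(xhr, method, url, user, pass) {
  xhr.open(method, url, false);
  xhr.setRequestHeader("Authorization", basicAuthHeader(user, pass));
  return xhr;
}

// Usage in a browser:
//   var xhr = openWithBasicAuth(new XMLHttpRequest(), "GET", "/data", "pete", "test2");
//   xhr.send();
```

Because the header is attached per request, this covers every call your own script makes, but nothing else: a plain navigation to a protected URL carries no Authorization header, so the server's 401 still produces the browser's dialog.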

My choices are:
1. Wait to see if they fix this problem
2. Don’t support Chrome anymore
3. Rewrite the authentication system

It looks like option 3 is the way to go. I might have to start using cookies within the authentication process. I really liked using Basic HTTP authentication because it can be used by the browser and programmatically very easily. If I introduce cookies, then programmatically retrieving data gets harder and a lot messier.


Nov 9

Have we been Hacked?: An investigation

I started to get a lot of spam email from one email address, about 10 every minute. They were all going into my junk mail folder, but after a few hours I was curious as to why this was happening.

In Outlook, I opened the email and then selected 'Properties' (in Outlook 2010, click on the File menu then click the Properties button). You get to see the headers for the email; of interest was the Received: header, which identifies the source.

Unfortunately the IP address it was coming from was one of our servers… uh oh…..

Perhaps we had an SMTP server sitting on there being used as our secondary mail server (in case our primary mail server went down), but no, the SMTP server option hadn't been installed. I tried telnetting to port 25 on the box but got no response, so it didn't seem to be a piece of software (rogue or otherwise) acting as an SMTP server.

Next brainwave: I used netstat on the command line to see if port 25 was currently in use. The command is:

netstat -ano

which formats the data quite nicely, and if you do the following:

netstat -ano | findstr :25

you can find only the entries that are communicating to/from port 25.

Success: netstat told me which process was being used by giving me the PID (process ID). If you then go into Resource Monitor or Task Manager you can relate the PID to a process (you might have to add PID as a column in Task Manager).
It was w3wp.exe, one of the application pools on IIS. Luckily we have started to use application pool identities on IIS, so I knew which application pool was the culprit (in Resource Monitor, add the 'User Name' column to see the application pool name; in Task Manager it shows by default).

OK, it happens to be one of our old websites, but how is it occurring? For that particular website (we have one application pool per website, which makes things a lot easier) I then looked into its log files, stored here: %SystemDrive%\inetpub\logs\LogFiles\W3SVC{id} (find the ID in IIS Manager by clicking on the Sites folder on the left-hand side; all the sites are listed with their IDs).

Most log files were 1 MB each, except for today's, which so far is 24 MB! Aha! Success. Looking into the log file told us which page was being 'hacked'. It was a tell-a-friend page where you could enter your and a friend's email address along with a message, and the server would send the friend an email looking like it came from your email address. A classic case of forgetting to put a CAPTCHA on the page. The page has been around for 4 years and only today did someone discover its vulnerabilities. Luckily I am BCC'd on all emails sent, which is why I got a lot of emails sent to me. If I hadn't been copied in, we wouldn't have found out until our email server had been blacklisted.
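Added example, not from the original post: the two lookups in the investigation above (which PID is talking to port 25, and which page and client address dominate the site's log) written as small scripts that run over saved text, so the check can be repeated or scheduled rather than eyeballed. The netstat output, the IIS W3C log lines, the PID, the addresses (RFC 5737 test ranges) and the page name are all constructed for this example; the field list matches the default IIS 7 W3C logging fields. Matching on the parsed remote port also avoids a quirk of `findstr :25`, which equally matches `:250` or a local port such as `:2500`.

```javascript
// Added example (not from the original post). All sample data below is
// constructed: RFC 5737 test addresses, a made-up PID and a made-up page name.

// Output in the shape of `netstat -ano` on Windows (constructed).
const NETSTAT_SAMPLE = `
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1720
  TCP    10.0.0.5:49211         198.51.100.25:25       ESTABLISHED     4312
  TCP    10.0.0.5:49212         198.51.100.26:25       SYN_SENT        4312
  TCP    10.0.0.5:49300         203.0.113.9:443        ESTABLISHED     2088
  UDP    0.0.0.0:500            *:*                                    1124
`;

// Distinct PIDs with a TCP connection whose remote port is `port`. Parsing the
// port avoids the substring false positives of `findstr :25` (e.g. :250).
function pidsTalkingToPort(netstatText, port) {
  const pids = new Set();
  for (const line of netstatText.split(/\r?\n/)) {
    const f = line.trim().split(/\s+/);
    if (f[0] !== "TCP" || f.length < 5) continue;
    const remotePort = Number(f[2].slice(f[2].lastIndexOf(":") + 1));
    if (remotePort === port) pids.add(Number(f[4]));
  }
  return [...pids];
}

// IIS W3C extended log (constructed). Column order follows the #Fields line.
const IIS_LOG_SAMPLE = `#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-11-09 09:00:01 10.0.0.5 GET /default.aspx - 80 - 192.0.2.10 Mozilla/5.0 200 0 0 31
2012-11-09 09:00:02 10.0.0.5 POST /tellafriend.aspx - 80 - 198.51.100.77 python-urllib/2.7 200 0 0 120
2012-11-09 09:00:02 10.0.0.5 POST /tellafriend.aspx - 80 - 198.51.100.77 python-urllib/2.7 200 0 0 118
2012-11-09 09:00:03 10.0.0.5 POST /tellafriend.aspx - 80 - 198.51.100.77 python-urllib/2.7 200 0 0 122
2012-11-09 09:00:05 10.0.0.5 GET /videos.aspx - 80 - 192.0.2.11 Mozilla/5.0 200 0 0 45
2012-11-09 09:00:06 10.0.0.5 POST /tellafriend.aspx - 80 - 198.51.100.77 python-urllib/2.7 200 0 0 119
`;

// Parse a W3C extended log into objects keyed by the names in #Fields.
function parseW3cLog(text) {
  let fields = [];
  const rows = [];
  for (const line of text.split(/\r?\n/)) {
    if (!line) continue;
    if (line.startsWith("#Fields:")) {
      fields = line.slice("#Fields:".length).trim().split(/\s+/);
    } else if (!line.startsWith("#")) {
      // IIS replaces spaces inside cs(User-Agent) with '+', so a plain split is safe.
      const cols = line.split(" ");
      if (cols.length !== fields.length) continue; // skip malformed rows
      rows.push(Object.fromEntries(fields.map((name, i) => [name, cols[i]])));
    }
  }
  return rows;
}

// Rank (client IP, URI) pairs by request count, most active first. The top
// entry is the page being hammered and the address doing the hammering.
function topClientsByUri(rows, method = "POST") {
  const counts = new Map();
  for (const r of rows) {
    if (r["cs-method"] !== method) continue;
    const key = `${r["c-ip"]} ${r["cs-uri-stem"]}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts.entries()]
    .map(([key, count]) => {
      const [ip, uri] = key.split(" ");
      return { ip, uri, count };
    })
    .sort((a, b) => b.count - a.count);
}
```

Feed `pidsTalkingToPort` the saved output of `netstat -ano` and `parseW3cLog` the day's file from the site's LogFiles folder; the first entry of `topClientsByUri` is the page to take offline and the address to block.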

I blacklisted the IP address, which put an immediate stop to the problem, but have deleted the page as well. It was very rarely used (not for months) and so won't be missed. But a good learning experience all round.

By amazing coincidence my second in command is on holiday this week. He says he is at Centre Parcs but if I found out he has gone to the Philippines (which is where the IP address of the hacker comes from), well, I hope for his sake, he brings me back a nice present.


Oct 31

Adding associations in a dbml: LinqtoSQL

Adding associations to a dbml: if they aren't working, make sure both tables have a primary key!


Oct 5

You know you’re old when…

After helping my daughter (age 6) with singing "It's a Long Way to Tipperary", she asked me:

“Were you in the war Daddy?”


Aug 12

Fix: IIS 7 SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission' failed

IIS 7 recommends using ApplicationPoolIdentity for its application pools instead of NetworkService. One advantage is that when looking at Processes in Task Manager, the IIS worker process has a user name matching the application pool name, so it is easier to see which pool is consuming more resources etc.

BUT, if you switch to ApplicationPoolIdentity as the Identity you might come across the following error:

[SecurityException: Request for the permission of type ‘System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089’ failed.]

To fix this, in Advanced Settings for the application pool, change Load User Profile to True.

For more information on ApplicationPoolIdentity see http://learn.iis.net/page.aspx/624/application-pool-identities/


Aug 9

Accessing Reporting Services API locally: User Denied problem

We deployed to a new server this morning with SQL Server 2008 running on it. Our software was trying to programmatically access the Reporting Services API (found at http://localhost/ReportServer/ReportExecution2005.asmx). This would work, but if we used http://publicurl.com/ReportServer/ReportExecution2005.asmx then it would fail. This is because Windows does not let you use integrated authentication against a host name that points back at the box you are on unless that name is registered as a local one; this is called loopback checking.


To resolve this you need to make a registry change: follow the instructions found in kb896861. The recommended method there adds the host names that should be treated as local to the BackConnectionHostNames multi-string value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0; the alternative, DisableLoopbackCheck, switches the check off for every host name and is the less safe choice.

This will enable you to set up host names that loop back to the local machine and have integrated authentication to IIS succeed.


Identifying Reporting Services subscriptions in SQL Server Agent

The jobs created by Reporting Services subscriptions have 'random' names. Here is some SQL that helps you identify the subscription and the report.

-- Run against the ReportServer database. ScheduleID is the name SQL Server Agent
-- gives the subscription's job, so it can be matched up in Job Activity Monitor.
SELECT
    Schedule.ScheduleID             AS SQLAgent_Job_Name,
    Subscriptions.Description       AS sub_desc,
    Subscriptions.DeliveryExtension AS sub_delExt,
    [Catalog].Name                  AS ReportName,
    [Catalog].Path                  AS ReportPath
FROM ReportSchedule
    INNER JOIN Schedule      ON ReportSchedule.ScheduleID = Schedule.ScheduleID
    INNER JOIN Subscriptions ON ReportSchedule.SubscriptionID = Subscriptions.SubscriptionID
    INNER JOIN [Catalog]     ON ReportSchedule.ReportID = [Catalog].ItemID
                            AND Subscriptions.Report_OID = [Catalog].ItemID


Thanks to SteveFromOz at the SQLServerCentral forums.


Jun 28

HTML5 video tag gotcha - IE9

If the tag doesn't work in IE9, but the video plays if you access it directly (it should open in Windows Media Player), make sure the MIME type is set correctly on the server.

The MIME type for .mp4 is video/mp4. Other browsers seem to cope with a bad MIME type, but IE9 refused to play the video. It's nice to see IE9 being a stickler for standards for a change!


HTML5 Video Tag - New Learnings

We host quite a few videos on our website. Currently they are stored as FLV files and played through a Flash player (we use JW Player), but we get quite a few requests from people using non-Flash devices (iPad, iPhone etc.) who want to watch the videos, so I am quite keen to use the new HTML5 <video> tag.

There are 3 main formats to consider: WebM, MPEG-4 and Ogg. I used ffmpeg to convert the FLV file to .mp4 (codec: H.264) and .ogv (codec: Ogg Theora) files, and found the quality better and the file size smaller with MP4. I haven't tried WebM, so will leave that for a later experiment.

Best practice recommends that you have all 3 formats available for each video, with a Flash player to fall back on (using the H.264 video, as Flash supports it). We have too many videos to support lots of formats; I wanted to keep it as simple as possible, i.e. only have 1 format, so I went with H.264 MP4. The reason is that Flash supports H.264 but doesn't currently support Ogg files or the VP8 codec, and all the devices that can't play Flash support H.264.

Until I develop an automated system that allows me to upload a video and get it automatically exported into the different formats I will stick with mpeg4.


May 11

protocol relative urls

We do development on our test boxes using http (on our intranet) but use https on our production servers. I also use Google's CDN to host the jQuery files I use. The question is whether to use http or https to link to them, or use JavaScript to change the link, or perhaps get the server to create the src link. The best solution is to use protocol-relative URLs! Here's an example:

<script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.js"></script>

Drop the protocol and just start with a double slash. The browser will then use the same protocol as the current page. NOTE: if you do this with stylesheets (CSS files) then IE7 and IE8 will download those files twice; I'll need to check whether IE9 has this problem. I only really link to JavaScript (and media) files externally, so protocol-relative URLs work for me.
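Added example, not code from the original post: how a protocol-relative reference resolves against the page that loads it (including the file:// case, where it breaks), plus a helper that rewrites only `<script src>` attributes to that form and leaves `<link>` stylesheets with their explicit scheme because of the IE7/IE8 double-download behaviour noted above. It uses the standard URL class (available in browsers and Node); the page URLs, the HTML fragment and the host list are constructed for the example.

```javascript
// Added example (not from the original post). Page URLs, the HTML fragment and
// the allowed-host list below are constructed for illustration.

// True for "//host/path" references (two slashes, then a host, not a third slash).
function isProtocolRelative(url) {
  return /^\/\/[^/]/.test(url);
}

// Resolve a reference the way the browser does: a "//host/path" reference takes
// the scheme of the document it appears in. Returns the absolute URL.
function resolveAgainstPage(url, pageUrl) {
  return new URL(url, pageUrl).href;
}

// Rewrite absolute http:// or https:// URLs in <script src="..."> attributes to
// the protocol-relative form. Only script tags are touched; <link> stylesheets
// keep their explicit scheme (IE7/IE8 fetch protocol-relative CSS twice). Hosts
// not in `allowedHosts` are left unchanged, so a typo or an unexpected third
// party never gets silently rewritten to follow the page's scheme.
function makeScriptUrlsProtocolRelative(html, allowedHosts) {
  const allowed = allowedHosts.map((h) => h.toLowerCase());
  return html.replace(
    /(<script\b[^>]*\ssrc=")(https?:)(\/\/[^/"]+)([^"]*")/gi,
    (match, prefix, scheme, hostPart, rest) => {
      const host = hostPart.slice(2).toLowerCase();
      return allowed.includes(host) ? prefix + hostPart + rest : match;
    }
  );
}
```

Because the browser simply copies the page's scheme, a page opened from disk makes `//ajax.googleapis.com/...` resolve to `file://ajax.googleapis.com/...`, which is why protocol-relative links look broken in local test pages. Now that CDNs and production sites are both on HTTPS, writing `https://` explicitly is the simpler choice: an https script loads fine from an http page, while an http script on an https page is blocked by modern browsers as mixed content.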

