I've just deployed Auto-Input Protection 2.0 Beta to CodePlex. (Finally!)
It was changed from a Production release to a Beta release because there are so many breaking changes, although I'm confident that it works since I've been using it on my blog for the last week or two. I've even fixed a few bugs during that time.
The release page lists the breaking changes and most of the new features.
Here are a couple that aren't mentioned:
- All of the provider collection elements in the web.config file are now optional. (It used to be that just the <filters> element was optional.)
- CrossHatchAutoInputProtectionFilterProvider is now built-in. Instead of using a diagonal cross hatch each time it selects a HatchStyle value at random, although you can configure it to use a single style if you want.
- The ProviderHelper class is now public. It's useful for parsing configuration values from strings into other types.
- An ASP.NET Web Application project, for testing AIP, is part of the source code provided by the installer.
- You now have the choice of using the ASP.NET cache or session state to store challenges on the server. With out-of-process session state, AIP can be used in web farm scenarios.
Security
This release fixes a security flaw that was reported for AIP 1.0.0. If you find any other flaws please don't hesitate to report them to me so that I can try to fix them.
Note that due to the flaw I've added some new behaviors to help secure AIP; however, it may not be appropriate for immediate use in some scenarios. A timeout is now implemented that will cause validation to fail if a user does not respond in a timely manner (30 seconds).
If you are using the control on a blog (like me) or any other page that contains reading material or data entry fields, then you can increase the default timeout by setting the ValidationTimeout property on the AIP web control.
Alternatively, although not recommended, you can disable this behavior entirely by setting the ValidationKeepAlive property to true on the AIP web control. Doing so will cause unused challenges to remain on the server indefinitely, which will increase the amount of memory needed upon each request. (An unused challenge is one that is requested but never answered.) If you do decide to disable this timeout (by enabling ValidationKeepAlive) then I recommend setting the PersistenceMode property (new to the AutoInputProtection class) to a value of Session so that at least when a user's session expires their unused challenges will too. You can set this property easily on the autoInputProtection element in your web.config file:
<autoInputProtection persistenceMode="Session"/>
When you enable session state persistence you should also add the new AutoInputProtectionSessionRequestHandler to the configuration file instead of AutoInputProtectionRequestHandler. Refer to the docs for more information.
Documentation
The first batch of preliminary docs were built for this release. Naturally, I used DocProject 1.10.1 RC and Sandcastle so that I could automatically generate reference documentation from my triple-slash code comments and write conceptual documentation using MAML.
The AIP installer merges the MS Help 2 docs (.HxS) into Visual Studio 2005 and 2008 automatically. The HTML Help 1.x docs (.chm) is provided on the release page as a separate download.
A bit off-topic...
For the DocProject users out there, I've learned a few things about Help 2.x since I built the documentation for AIP and I plan to write a tutorial that describes how to:
- Add DocSet attributes to your topics so that your documentation appears when filters are applied in Document Explorer, including custom filters.
- Set the home and default pages.
- Use the Help Integration Wizard to produce a Merge Module for your .HxS file that can be added to a Setup Project. The wizard automatically generates the required collection-level files and allows you to specify titles, IDs and custom filters that will be installed automatically. I'll also describe a few showstoppers that you may run into as well.
There's already documentation online for some of this stuff, but I plan to write this tutorial with DocProject in mind.
In the AIP solution there are two merge modules: one for VS 2005 and one for VS 2008. Both are referenced by the installer project. I didn't include the DocProject that I used in the solution simply because AIP was written in Visual Studio 2008 and I was using DocProject 1.10.0 RC, which requires Visual Studio 2005.