Null Url Referrer going from HTTPS to HTTP

February 25, 2009 at 5:10 PMBen

Thought I would pass on a small issue I ran into recently when redirecting a user from an HTTPS page to an HTTP page.  When the person reached the HTTP page, Request.UrlReferrer was null.  There are browsers, add-ons, proxies, security suites and other entities that will strip the url referrer sent to a web server, but that was not the case in this instance as this was happening to me when testing a new site and didn't happen when I was redirected to the same page from an HTTP page.

It turned out this is a pretty standard security feature implemented by browsers to omit the referrer when a user is redirected from an HTTPS page to an HTTP page, or when a user clicks on a hyperlink taking them from an HTTPS page to an HTTP page.

This behavior does make sense considering sensitive information may be stored in query string parameters of the HTTPS page url.  I found this MS KB article explaining this behavior.  In the article, MS suggests some sites may even store credit card data in a url.  Credit card numbers in a url ... really??  I was thinking more along the lines of private session ids in the url.  I don't think I'd feel too comfortable shopping at a site if I saw my credit card number in the address bar ;-)

Posted in: Development

Tags: , ,

Beware: CodePlex

February 22, 2009 at 4:45 PMBen

Ever since setting up this blog which is powered by BlogEngine.NET, I spend a small amount of time everyday at the BE.NET code hosting area at CodePlex.  Mostly I participate in the discussions there and have even submitted some bug reports in the issue tracker.  It's been a rewarding experience to be able to contribute to an open-source application used by probably thousands of bloggers out there.

However, my time spent at CodePlex has been anything but pleasant.  CodePlex is a website built, maintained and run by Microsoft.  It's a place anyone can store their open source projects for free.  There's other code hosting services out there such as SourceForge and Google Code.

Allow me to vent a bit and list the problems I find with CodePlex.

  1. SLOW, SLOW, SLOW!  CodePlex has to be the slowest website on the face of the internet.  Just about anything you do on CodePlex takes 10 times longer than it takes to do the same type of action on other websites.  Just pulling up a simple discussion takes 3 seconds for a simple GET request.  That 3 seconds is a best case scenario.  Almost on a daily basis, CodePlex will start slowing up.  Posting a message can take 10 to 20 seconds or even minutes at times.  Searching the Discussions takes too much time.  Even worse is searching the Issue Tracker.  There's been times it takes over 2 or 3 minutes for search results to come back.
  2. Server side errors.  I don't think a day has gone by that I haven't received at least one server side error while on CodePlex.  The typical error is an XML parsing error.  Sometimes the response from the server takes so long that I just get a general timeout error or page cannot be displayed error.
  3. Issue Tracker editor.  When creating an issue in the tracker or adding a comment to an issue, instead of getting a WYSIWYG editor like you get in the Discussions, all you get here is a plain old textarea.  And a pretty small textarea at that.  It's a common need to paste some code into the issue tracker -- after all, that's what CodePlex is for!  But all leading spaces are lost when saving your post.  This means properly indented code is no longer indented, looks crappy and is difficult to follow.  You also can't edit anything you posted in the Issue Tracker.  I'm not sure why you can edit messages and get a WYSIWYG editor in the Discussions area, but not in the Issue Tracker.
  4. Spam.  For a while, various spammers kept posting spam messages in the Discussions area.  CodePlex doesn't seem to have any mechanism to report spammers.  The spammers would post messages with some relevance to technology, but the messages had nothing to do with the Discussion at hand.  Throw in CodePlex's speed woes, and trying to find the real messages while sifting past the spam equates to a waste of my time.
  5. Team Foundation Server unavailable.  The source code for projects at CodePlex is stored in a TFS database.  Every now and then, I get messages stating TFS is unavailable for short to long periods of time.  While TFS is unavailable, the Issue Tracker and Source Code areas are completely unavailable.
  6. RSS Feed Lags.  CodePlex uses caching for its RSS feed which is a good idea.  New items to be added to the feed seem to normally show up within an hour.  There are times, however, that certain items may take several hours before they appear in the feed.

I wouldn't recommend CodePlex to anyone looking for a place to host their code.  I've not yet spent any time at Google Code, but I do visit SourceForge on rare occasion.  I recall no slowness or errors while browsing through the messages in the discussions at SourceForge.

I'm definitely not the first and certainly won't be the last one to bring up some of these CodePlex problems.  Dave Ward had this great blog post where he broke down some of the massive performance inefficiencies in CodePlex with its voting system.  It's disturbing too since this isn't the only Microsoft website to suffer from a performance / reliability standpoint.  A few years ago when I was spending some time on the forums, forum searches were very slow.  Apparently the website was completely down about a week ago.  The Microsoft blogs website is another site where blog posts and paging through the posts often results in long wait times.

I'd love to see BE.NET move and host its codebase elsewhere.  I unfortunately haven't seen any sign of Microsoft planning to fix CodePlex and they seem perfectly content with the way CodePlex is now.  If they do fix CodePlex, great.  I'm just constantly frustrated everytime I'm at CodePlex, and don't think a code hosting website (or any website) should be a hindrance or distraction from the real reason I'm at the site -- to participate in and have fun with a growing open-source project.

Posted in: Opinion

Tags: , ,

The Ctrl-Z of Browsers

February 21, 2009 at 9:04 PMBen

In today's tabbed browsing world, maybe you find yourself opening and closing tabs left and right.  If you're into the keyboard shortcuts, that would be Ctrl-T and Ctrl-W respectively   What if you accidentally close a tab?  This happens to me most often when either I thought I was done with the website I was on, or I thought the tab I was on was a new tab with nothing to go 'back' to.

Fortunately, the good browsers out there offer a Ctrl-Shift-T keyboard command to open up the last tab you closed.  I like to think of it as the "ctrl-z of browsers".  This keyboard command is very handy because you can actually keep pressing Ctrl-Shift-T to open up all the tabs you previously closed.  Each tab you re-open not only opens up with the page you were on when the tab was closed, but the browser history for that tab is also preserved.  So once you re-open a closed tab, the entire 'Back' button browser history is there.

Ctrl-Shift-T works in Firefox and Chrome.  It doesn't appear to work in Safari/Windows and doesn't work in IE7.  That's what I meant by this keyboard shortcut working in 'good' browsers   It does appear to work in IE8.

Since discovering this keyboard command it's something I use probably at least once a day.  Sometimes many times a day!

VS Intellisense Mental Lapse

February 8, 2009 at 11:03 AMBen

Yesterday I was working on a C# web site project in VS 2008.  After making some modifications to a class in the App_Code folder, when I later went back to the codefile for an ASPX webpage, intellisense no longer recognized the class or methods of the class I was earlier changing.  I wasn't getting the normal coloring for the class name and no intellisense listing of the class's methods.  Right-clicking on the class or its methods and trying to 'Go to Definition' resulted in a message stating it couldn't find the definition (or something to that effect).

I could build and run the site with no errors.  I tried closing and re-opening the solution, tried closing and re-opening VS, tried deleting all the files in the Temporary ASP.NET Files directory, tried restarting IIS and tried rebooting the PC.  Nothing worked.  After rebooting the PC, intellisense even stopped recognizing another App_Code class.  Life without intellisense sucks!

What finally did work was to right click on these classes in the solution explorer, select the 'Exclude from Project' option which excludes the files from the project by giving the files .exclude extensions, and then I right-clicked on the files again to Include them in the project.  That cured intellisense.

SSL Certificate for WWW and no WWW

February 1, 2009 at 12:14 PMBen

I was recently buying a SSL certificate and remembered being on a website where some HTTPS pages had a WWW host in the url and other HTTPS pages didn't have the WWW prefix.  I vaguely remember from when I last bought a SSL certificate, you would normally indicate the host name you are buying the SSL certificate for -- whether it be,,  And the SSL certificate would only be valid for that exact host.

There's also wildcard SSL certificates that cover all hosts.  These certificates are a lot more expensive.  Wildcard certs cover,,  Interestingly, it appears SSL certificates do not necessarily cover cases where you have no host -- i.e.   An example of this is the customer login page at the hosting company where I have this blog hosted.  If you examine the certificate, it looks like it uses a wildcard certificate as the common name is *  However, if you remove the WWW from the url, my browser (Firefox) warns of an invalid security certificate.  What a sour deal ... you spend the extra money for a wildcard certificate and it doesn't even work when there's no host name!  I'd suspect that may not be the case with all wildcard certificates ... it probably depends on who you buy the certificate from.

In my case, I didn't need a wildcard security certificate, but I was hoping I could cover both and  One option would be to buy two separate SSL certs, one for and one for  Fortunately a few SSL certificate sellers cover both WWW and no host in a single certificate as a standard feature.  GoDaddy was one of the two places I found that offered this.  I didn't search around that much though.  GoDaddy's SSL certificate is dirt cheap at just $30.  What a great deal considering how expensive SSL certs once were.

GoDaddy briefly explains this feature in this help topic.  What I wasn't sure about was when creating the CSR that you submit to the SSL certificate seller, I wasn't sure if I should put or for the common name (CN) field in the CSR.  The website I had previously seen where HTTPS worked with and without WWW was using a GoDaddy SSL cert and the common name on the cert was just without the WWW.  And then I ran across this post where the blogger discussed this feature of the GoDaddy SSL certificates, and towards the end of his post, he says,

Therefore, to summarize the solutions, I can say that you can use a wildcard certificate or issue two separate certificates that both cost money and may not be a good option for many cases. You can also look for a SSL certificate issuer that automatically includes the base domain name when you generate one for the domain name with "WWW."

This last part sounds like you would generate a SSL certificate with as the common name -- not  But, when I examined his SSL certificate, the common name doesn't have the WWW!  Anyhow, I decided to include WWW in my common name field, sent the CSR to GoDaddy, received the certificate, installed it, and the good news is my site works both with and without the WWW.  Looking at the certificate fields when examining these SSL certificates from GoDaddy, of the ones I've seen, they all have a field named "Certificate Subject Alt Name" where the field value is:

Not Critical
DNS Name:
DNS Name:

This may be the field that tells the browser the certificate is valid with or without the WWW.  In summary, it appears you can probably put either or in the common name (CN) field of the CSR when purchasing the SSL certificate from GoDaddy.  I included the WWW in my common name, and the certificate is valid with and without the WWW host.

Posted in: General

Tags: ,