Don't Use Cookie-Based Authentication for Client Web API Calls Without CSRF Protection

For years, ASP.NET developers have used cookie-based authentication sessions (also called Forms authentication) to secure their Web pages. There's nothing wrong with doing that for your server-rendered pages, but as people start moving into developing Single-Page Applications with frameworks such as Angular, they need to realize that leveraging the cookie-based session for the client JavaScript Web API (AJAX) calls opens them up to a Cross-Site-Request-Forgery (CSRF/XSRF) attack.

The full details of how and why take a bit to understand. For a good background article on this, check out this blog post from Microsoft MVP Troy Hunt. The bottom line is that you should not use cookies to authenticate Web API calls; use something like OAuth tokens instead. You can also put additional CSRF protection in place with separate correlated tokens that prevent code in another browser tab or instance from issuing calls to your Web APIs and hijacking your security session.
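As an added example (not code from the original post), here is how the correlated-token protection described above can be enforced on ASP.NET Web API calls that still ride on a Forms-authentication cookie, using the AntiForgery helpers in System.Web.Helpers (the SPA obtains its token pair from AntiForgery.GetTokens and echoes one half in a header); the filter name and header name are assumptions.

```csharp
// Added example (not code from the original post): an ASP.NET Web API action
// filter that rejects a cookie-authenticated AJAX call unless it also carries
// the correlated anti-forgery token in a request header. Assumes references to
// System.Web.Helpers (AntiForgery) and System.Web.Http; the header name and
// filter name are assumptions.
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Helpers;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

public class ValidateXsrfHeaderAttribute : ActionFilterAttribute
{
    private const string HeaderName = "X-XSRF-Token";

    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        HttpRequestMessage request = actionContext.Request;

        // The browser attaches cookies to any request aimed at this site, even
        // one started by a page on another origin, so the cookie token alone
        // proves nothing about where the call came from.
        string cookieToken = request.Headers.GetCookies()
            .SelectMany(header => header.Cookies)
            .Where(cookie => cookie.Name == AntiForgeryConfig.CookieName)
            .Select(cookie => cookie.Value)
            .FirstOrDefault();

        // The header token must be read from one of our responses by script
        // running on our origin; a forged cross-site request cannot supply it.
        string headerToken = request.Headers.Contains(HeaderName)
            ? request.Headers.GetValues(HeaderName).FirstOrDefault()
            : null;

        try
        {
            // Throws when either token is missing or the pair does not match.
            AntiForgery.Validate(cookieToken, headerToken);
        }
        catch (HttpAntiForgeryException)
        {
            actionContext.Response = request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Anti-forgery token missing or invalid.");
        }
    }
}
```

Apply the attribute to every controller or action that the SPA calls over AJAX; a request that only carries the session cookie is answered with 403 before the action runs.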

Brian Noyes is the CTO of Solliance Inc., a Microsoft regional director, MVP and Pluralsight author.

Posted by Brian Noyes on 05/20/2015

Automatically Sort C# Objects

Whenever you create a C# class definition, consider adding one extra method so you can automatically sort object instances. It's easy and well worth the minimal extra effort. For example, suppose you've defined:

public class Employee
{
  public string name;
  public string title;
  // methods here
}

If you enhance the class as follows:

using System;

public class Employee : IComparable<Employee>
{
  public string name;
  public string title;
  // Methods
  public int CompareTo(Employee other)   // order employees by name
  {
    return String.Compare(this.name, other.name);
  }
}

Then if you have a list of objects:

List<Employee> list = new List<Employee>();

You can automatically sort this list with the statement:

list.Sort();
Being able to automatically sort lists and arrays of objects really comes in handy for WriteLine-style debugging and display routines.

Dr. James McCaffrey works for Microsoft Research in Redmond, Wash. He has worked on several Microsoft products including Internet Explorer and Bing.

Posted by James McCaffrey on 05/18/2015

Boost Business Apps with LightSwitch

The primary reasons you might want to use WCF RIA Services with Visual Studio LightSwitch/Cloud Business Apps (SharePoint) are to:

  • Combine more than one entity into a single entity.
  • Eliminate unnecessary columns in an entity to improve performance (otherwise large amounts of data, such as pictures, will be transmitted even when they're not shown).
  • Implement calculated fields that let you search and sort resulting values.

Go to the LightSwitch Help Web site for more information.

Michael Washington is the founder of He's an ASP.NET, C# and Visual Basic programmer. He has extensive knowledge in process improvement, billing systems and student information systems.

Posted by Michael Washington on 05/12/2015

Speaker Profile: Dr. James McCaffrey

If you've ever read MSDN Magazine or Visual Studio Magazine, or attended a Visual Studio Live! event, you've probably come across Dr. James McCaffrey. Dr. McCaffrey works at Microsoft Research in Redmond, Wash., but he spends a lot of time writing articles and presenting at developer events.

Dr. McCaffrey is fascinated by any form of activity that involves human interaction and combinatorial mathematics. Some examples of that include analyzing gambling games, such as "Blackjack Switch," and the study of betting behavior associated with professional sports. He enjoys examining software systems that have designs influenced by the behavior of biological systems, such as genetic algorithms and simulated bee colony algorithms, especially when applied to large-scale data mining and analysis.

"I really like attending Visual Studio Live! events," he says. "There are great speakers and I always pick up interesting and useful knowledge that I can apply to work. Additionally, I especially enjoy the impromptu, ad hoc conversations that spring up between session talks and scheduled events."

Lafe Low is the editorial liaison for the Enterprise Computing Group Events team.

Posted by Lafe Low on 05/06/2015

Speaker Profile: Laurent Bugnion

If you've read any materials on Model-View-ViewModel (MVVM), Windows Presentation Foundation (WPF) or Xamarin, chances are you've seen the work of Laurent Bugnion. Based in Zurich, Switzerland, he is a prolific writer and speaker in the software development world. He's the author of the well-known open source framework MVVM Light Toolkit for Windows Phone, Windows Store, WPF, Xamarin, and of the popular Pluralsight reference course about MVVM Light. He's also the senior director for IdentityMine, a Microsoft gold partner for technologies such as WPF, Xamarin, Pixelsense, Windows Store, Windows Phone, Xbox and, generally, UX.

In October 2010, he published the book, "Silverlight 4 Unleashed" (Sams Publishing). It was an advanced sequel to "Silverlight 2 Unleashed" (2008), which was published by the same company. He writes for MSDN Magazine and other publications, writes apps for Windows Phone, Windows Store, WPF, Xamarin (iOS and Android), and ASP.NET and his blog is on

This is Bugnion's ninth year as a Microsoft Most Valuable Professional (Windows Application Development), his second year as a Microsoft Regional Director and his first year as a Xamarin Most Valuable Professional.

Lafe Low is the editorial liaison for the Enterprise Computing Group Events team.

Posted by Lafe Low on 05/05/2015

Diagnose Web Problems in Mobile Devices with Fiddler

Fiddler is a great help when diagnosing problems with Web sites, investigating performance concerns and modifying requests sent to Web servers. Because mobile devices account for an ever larger share of traffic to Web sites, you should know how to use Fiddler for mobile clients, as well.

You can simply run Fiddler on your PC on its default port of 8888, configure it to "allow remote computers to connect" in Fiddler Options on the Connections tab, and ensure any firewall allows traffic on that port. Use ipconfig on the PC to determine its IP address. Then set the proxy server on the mobile device to point at the given IP address and port 8888.

In iOS, you'd set this on the Wi-Fi connection under the HTTP Proxy section by choosing Manual. Open the browser on the device and as you visit Web sites, you'll see all the traffic in Fiddler. Now use all the great features in Fiddler you’re used to for mobile clients.

Robert Boedigheimer works for Schwans Shared Services LLC providing business solutions with Web technologies and leads Robert Boedigheimer Consulting LLC. He’s been designing and developing Web sites for the past 18 years including the early days of ASP and ASP.NET.

Posted by Robert Boedigheimer on 05/01/2015

5 Great Visual Studio Keyboard Shortcuts

Here are five of my favorite keyboard shortcuts in Visual Studio. There's a good chance at least one of them will be new to you.

Move Code Alt+Up/Down
This keyboard shortcut is new in Visual Studio 2013. If you put the cursor on a line of code and use the Alt+Up Arrow keys, the line of code you've selected moves up. If you use the Alt+Down Arrow keys, the line of code selected moves down.

Create Collapsible Region Ctrl+M+H/Ctrl+M+U
Chances are you've noticed the "+" and "-" symbols in the margins that let you collapse and expand your classes and functions. Did you know you can create your own collapsible regions? If you select a section of code and then use the key sequence Ctrl+M+H, you turn that region into a collapsible/expandable region. The key sequence Ctrl+M+U will remove the collapsible region. It doesn't delete the code, it just removes the icon that lets you expand and collapse.

Comment Code Block Ctrl+K+C/Ctrl+K+U
Whether it's because you're trying to track down a bug, or experimenting with a code change, from time to time you'll want to comment and uncomment blocks of code. If you select a block of code and use the key sequence Ctrl+K+C, you'll comment out the section of code. Ctrl+K+U will uncomment the code.

Peek Definition Alt+F12
When you're going through your code and you want to examine the code in the method you're calling, many programmers will use the F12 key or the pop-up menu option Go To Definition. Go To Definition will navigate to the called method; however, many times you don't need to navigate to the code. Sometimes, you just want a quick look at the method. If you've installed Visual Studio 2013, there's a new keyboard shortcut -- Alt+F12 -- that will give you a preview of the method being called inline. You can use the Esc key to close the preview.

Navigate Forward/Backward Ctrl+-/Ctrl+Shift+-
When you have multiple files open at the same time, you might want a way to quickly move back and forth between two or three different locations in your code. If you've moved from one location to another, you can use the keyboard sequence Ctrl+- to move to the previous location and then return using Ctrl+Shift+-.

Susan Ibach is a developer evangelist at Microsoft Canada. She loves to talk about Windows Phone, HTML5 and the cloud and has worked as a consultant doing programming, testing, data conversions, rollouts and also as a trainer teaching Oracle, SQL Server, SQL Server BI, and .NET programming. When she's not staring at an LCD screen, she's doing martial arts with her kids, out running or enjoying her husband's cooking.

Posted on 04/17/2015

Disable Mobile Redirect on Your Public-Facing SharePoint Sites

Sometimes when you try to navigate to a site from a mobile device, you'll be redirected to the SharePoint mobile version of that site. The mobile view is a bit of a throwback to a bygone era. It gives you a restricted text view designed to work on older devices. Nowadays, mobile browsers are much better and you would much rather see the site rendered using responsive design.

Even worse—you might not have access to the mobile pages, resulting in authentication problems. Instead of fiddling with permissions, the best solution is to simply switch off the mobile view entirely. The easiest way to do this is to add a few lines to your web.config file. Add the following to the System.Web element, following the SharePoint section that contains your SafeControls. It's normally about a third of the way down the web.config file. Here's the code to add:

  <browserCaps>
    <result type="System.Web.Mobile.MobileCapabilities, System.Web.Mobile, Version=, Culture=neutral," />
  </browserCaps>

Here's what that section of your config file should look like when you're finished:

<Action id="68c8f882-0c21-4190-9c85-ec9672bf8c16" 
  sourceFile="C:\Program Files\Common Files\Microsoft Shared\Web Server 
  Extensions\14\config\" />
<browserCaps>
  <result type="System.Web.Mobile.MobileCapabilities, System.Web.Mobile, Version=, Culture=neutral," />
</browserCaps>
<trustLevel name="WSS_Medium" 
  policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server 
  Extensions\14\config\wss_mediumtrust.config" />
<trustLevel name="WSS_Minimal"
  policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server 
  Extensions\14\config\wss_minimaltrust.config" />
<httpHandlers />
<customErrors mode="On" />
<httpRuntime maxRequestLength="51200" />
<authentication mode="Windows" />
<identity impersonate="true" />

If you want to do this programmatically, you can use the SPWebConfigModification class and deploy it as a feature by adding your code to the feature receiver.
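An added example of that programmatic route (not code from the original post): a web-application-scoped feature receiver that adds the browserCaps entry on activation and removes only its own entries on deactivation. VERSION_PLACEHOLDER and TOKEN_PLACEHOLDER stand in for the Version and PublicKeyToken of your farm's System.Web.Mobile assembly, which the post does not give.

```csharp
// Added example, not from the original post: applying the browserCaps change
// from a web-application-scoped feature receiver with SPWebConfigModification.
// VERSION_PLACEHOLDER and TOKEN_PLACEHOLDER stand in for the Version and
// PublicKeyToken of your farm's System.Web.Mobile assembly.
using System.Linq;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

public class DisableMobileRedirectReceiver : SPFeatureReceiver
{
    // Owner tag lets deactivation remove only the entries this feature added.
    private const string Owner = "DisableMobileRedirect";

    private static SPWebConfigModification BuildModification()
    {
        return new SPWebConfigModification
        {
            Path = "configuration/system.web",
            Name = "browserCaps",
            Owner = Owner,
            Sequence = 0,
            Type = SPWebConfigModification.SPWebConfigModificationType.EnsureChildNode,
            Value = "<browserCaps><result type=\"System.Web.Mobile.MobileCapabilities, " +
                    "System.Web.Mobile, Version=VERSION_PLACEHOLDER, Culture=neutral, " +
                    "PublicKeyToken=TOKEN_PLACEHOLDER\" /></browserCaps>"
        };
    }

    public override void FeatureActivated(SPFeatureReceiverProperties properties)
    {
        SPWebApplication webApp = (SPWebApplication)properties.Feature.Parent;
        webApp.WebConfigModifications.Add(BuildModification());
        webApp.Update();
        // Pushes the modified web.config to every server in the farm.
        webApp.WebService.ApplyWebConfigModifications();
    }

    public override void FeatureDeactivating(SPFeatureReceiverProperties properties)
    {
        SPWebApplication webApp = (SPWebApplication)properties.Feature.Parent;
        foreach (var mod in webApp.WebConfigModifications.Where(m => m.Owner == Owner).ToList())
        {
            webApp.WebConfigModifications.Remove(mod);
        }
        webApp.Update();
        webApp.WebService.ApplyWebConfigModifications();
    }
}
```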

Bill Ayers is a consultant developer and software architect who has been working on SharePoint since version 2003, and is a Microsoft Certified Master and MCSM, SharePoint. He specializes in Web content management and intranet portals. He has more than 20 years' experience in the software industry, and speaks regularly at international conferences and user groups. He's also a moderator on and blogs at

Posted by Bill Ayers on 04/16/2015

Use CSS3 Features with Fallbacks for Older Browsers

Yes, it is possible to have your cake and eat it too. A good strategy is to use the latest CSS3 features in browsers that natively support them, but fall back to existing techniques like jQuery plug-ins or polyfills for older browsers.

Modernizr is a great free JavaScript library that detects what HTML5 and CSS3 features a user agent supports. Opacity controls how transparent an element is. CSS3 now has an "opacity" property you can set from 0 (fully transparent) to 1 (fully opaque). Modernizr supports conditional loading, so if it detects the user agent doesn't support the new opacity property, it can download the jQuery core library, which offers cross-browser support for opacity. This provides the best performance for current devices, while ensuring all users have the same experience with the site.

Robert Boedigheimer works for Schwans Shared Services LLC and leads Robert Boedigheimer Consulting LLC. He's been designing and developing Web sites for the past 18 years and is a columnist for, a Pluralsight author, an ASP.NET MVP, and a third-degree black belt in Tae Kwon Do. He has spoken at industry conferences including Visual Studio Live! and TechEd, plus numerous national and international events.

Posted by Robert Boedigheimer on 04/16/2015

Remember the Parentheses on Your Knockout Observables

When you use KnockoutJS for data binding, you'll generally want to be binding to observable properties exposed from your ViewModel objects. An observable is an object declared with knockout:

var customerName = ko.observable("");

When you go to set that property, remember to call it as a function object with a call like:

customerName("Homer"), as opposed to customerName = "Homer"

When you get the value, you likewise call it as a function:

var name = customerName();

This trips up even the most experienced Knockout programmers. As a result, you might want to check out either this post on Steven Sanderson's blog or this Durandal documentation page for ways to leave off the parentheses when working with observables.

Brian Noyes is the CTO of Solliance Inc., a Microsoft regional director and MVP, and Pluralsight author.

Posted by Brian Noyes on 04/16/2015
