BOOK: ASP.NET Website Programming Problem-Design-Solution
This is the forum to discuss the Wrox book ASP.NET Website Programming: Problem - Design - Solution, Visual Basic .NET Edition by Marco Bellinaso, Kevin Hoffman; ISBN: 9780764543869
Welcome to the p2p.wrox.com Forums.
You are currently viewing the BOOK: ASP.NET Website Programming Problem-Design-Solution section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com

July 17th, 2004, 10:18 PM
Friend of Wrox
Join Date: Jun 2003
Posts: 917
Thanks: 0
Thanked 0 Times in 0 Posts
The Phile II - updates and mods
I've been working on bringing this project up to date. I made some general categories of things that needed to be done, and some of the steps needed in each category. I didn't finish all of these items, but I thought I'd post my lists here to get some comments.
1) make code download work, and port to VS 2003
   a) set up the database from the backup file in the code download, and not from the script
   b) make a new set of DB scripts that include all objects, and all data rows
   c) set up the Virtual Directory
   d) Open the .sln in VS2003, and work through the conversion of each project to VS2003
   e) set up NTFS security to protect the FileManager module from unauthorized users
   f) more of these steps are explained in the "index.htm" file in the code download
2) Make it work with a hosted website
   a) log full errors to a file, but don't show users the full error message
   b) change the hard-coded pathnames to use the virtual root dir, and this includes some necessary changes to database records
   c) set up the file manager with Forms security so it works on a hosted site (where NTFS security isn't appropriate)
3) fix security problems
   a) make sure EVERY admin page checks for the needed permissions.
   b) Some pages need to have new security perms defined: like the File Manager, and the Ads Manager.
   c) Remove ALL admin items that let administrators see and change the connectionstring. I can't understand any reason why this should be on any web page - it should be the most controlled item on the site.
   d) log password failures, limit the number of failures allowed (maybe a simple measure of a time delay after each failure is good enough), and add an option to force a password to be changed the next time a user logs on.
   e) Consider adding a password expiration option
   f) figure out a way to allow us to delete users without messing up the messages that were posted by this user in the forums (there's a referential integrity constraint that causes a deletion of all messages posted by a user if you delete him). Maybe we just want a way to inactivate a user?
   g) Make sure cross-site scripting is not possible on any page. Make sure we never show HTML literally from a user message posting.
4) add missing functionality, and change some existing functionality
   a) change the Nav box into a nicer menu that supports rollovers, and a visual clue about what page the user is on. Have it generated by a User control, and allow it to be customized in the future to show only the menu items the current user is authorized to see. (Scott Mitchell's skmMenu is one option)
   b) Create a new main page, Books and DVDs pages, CONTACT US page
   c) fix the footer links
   d) merge the 2 main forum tables for messages - I disagree with the author's decision to use a separate table for the first message of each thread.
   e) do an analysis of the database design. It's my impression that we may need to add more primary keys, foreign keys, indexes, and this type of thing.
   f) Merge the 2 user registration functions into 1 overall registration. We don't want to make users register for the forums separately. Also, remove the items we don't want to track - like the user's address. We may want to know his city and country.
   g) fix some forum stuff: disable the Avatar feature until you work out a way for users to upload their own pic, consider changing the way we want people to embed email links (because of SPAM)
   h) We are getting an error if you have IE script debugging enabled and you select a news item - I don't know why this happens
   i) Fix the way the current poll renders. The bars don't look good, and the title of the poll isn't centered.
5) add new features
   a) add RSS to the news pages: both consume and syndicate. This should replace the web service functionality. After all, RSS is the modern way to do this kind of thing. (Scott Mitchell's skmRSS is one option, but it has some problems: the main problem is that it doesn't ignore bad entries in someone's RSS feed - it raises an exception)
   b) optionally log where users come from (referrer), and their IP
   c) find a way to mark the site down for maint, and do this automatically in the base page if SQL Server is down for any reason.
   d) Users need a way to upload their own avatar image. These should be stored in the DB in the users table (as a blob).
   e) Users need to know if someone replied to a message they posted in a forum - we should send them a notification email.
   f) Users should be allowed to send each other private forum messages. When the other user logs in, it should show him a link to a private message he received. This is a good SPAM fighter option.
   g) We should tie ads and polls to the page category (books or dvds). Book users don't want to see DVD ads and polls.
Does anyone have any comments on these items? Are there other things I should add to the list? Should I remove anything from the list?
Thanks!
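Item 3d above (log password failures, limit the number allowed, possibly with a time delay after each failure) can be shown in a few dozen lines. The following is an added example and not code from the book or from The Phile II: the dictionary stands in for two assumed columns on the users table (FailedLogins and LastFailure), and the class and method names are assumptions as well.

```csharp
using System;
using System.Collections.Generic;

// Added example for item 3d; not code from the book or The Phile II.
// The dictionary stands in for two assumed columns on the users table
// (FailedLogins and LastFailure); in the site they would be read and
// written through the existing data-access layer.
public class LoginThrottle
{
    private class FailureRecord
    {
        public int ConsecutiveFailures;
        public DateTime LastFailureUtc;
    }

    private readonly Dictionary<string, FailureRecord> records =
        new Dictionary<string, FailureRecord>(StringComparer.OrdinalIgnoreCase);
    private readonly int maxDelaySeconds;

    public LoginThrottle(int maxDelaySeconds)
    {
        this.maxDelaySeconds = maxDelaySeconds;
    }

    // Seconds to wait before another attempt for this user name is accepted:
    // 1 s after the first failure, then 2, 4, 8, ... capped at maxDelaySeconds.
    // Returns 0 when no wait is required. Call this before checking the password.
    public int SecondsUntilAllowed(string userName, DateTime nowUtc)
    {
        FailureRecord r;
        if (!records.TryGetValue(userName, out r) || r.ConsecutiveFailures == 0)
            return 0;
        double delay = Math.Min(maxDelaySeconds, Math.Pow(2, r.ConsecutiveFailures - 1));
        double elapsed = (nowUtc - r.LastFailureUtc).TotalSeconds;
        return elapsed >= delay ? 0 : (int)Math.Ceiling(delay - elapsed);
    }

    // Records a failed attempt and writes an audit line. The line carries the
    // user name and client address but never the password that was tried.
    public void RecordFailure(string userName, string clientIp, DateTime nowUtc)
    {
        FailureRecord r;
        if (!records.TryGetValue(userName, out r))
        {
            r = new FailureRecord();
            records[userName] = r;
        }
        r.ConsecutiveFailures++;
        r.LastFailureUtc = nowUtc;
        Console.WriteLine("{0:u} LOGIN FAILURE user={1} ip={2} consecutive={3}",
                          nowUtc, userName, clientIp, r.ConsecutiveFailures);
    }

    // A successful login resets the counter.
    public void RecordSuccess(string userName)
    {
        records.Remove(userName);
    }

    public int FailureCount(string userName)
    {
        FailureRecord r;
        return records.TryGetValue(userName, out r) ? r.ConsecutiveFailures : 0;
    }

    static void Main()
    {
        LoginThrottle throttle = new LoginThrottle(60);
        // Constructed sample: four bad attempts one second apart from a documentation-range address
        DateTime start = new DateTime(2004, 7, 17, 22, 18, 0, DateTimeKind.Utc);
        for (int i = 0; i < 4; i++)
            throttle.RecordFailure("shawn", "192.0.2.10", start.AddSeconds(i));
        Console.WriteLine("wait after 4 failures: {0} s",
                          throttle.SecondsUntilAllowed("shawn", start.AddSeconds(3)));
        throttle.RecordSuccess("shawn");
        Console.WriteLine("failures after success: {0}", throttle.FailureCount("shawn"));
    }
}
```

The login page would call SecondsUntilAllowed before it checks the password and show the same generic "login failed" message whether the wait or the password check is what failed, so the response does not reveal which user names exist or are being throttled. The audit line is what item 3d asks to log; keeping the tried password out of it matters because failed attempts often contain a user's real password with a typo.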

July 22nd, 2004, 04:18 AM
Registered User
Join Date: Jul 2003
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Eric,
I agree with all of your suggestions. I would be willing to write some code for improving Registration
& Login including functionality for users who have forgotten their password. Wrox ASP.NET security has
some good suggestions on the topic. Please email me
directly at [email protected] as I'm really interested in learning and improving The Phile.
Thank you,
Shawn Cohan
[email protected]

July 22nd, 2004, 09:20 PM
Friend of Wrox
Join Date: Jun 2003
Posts: 917
Thanks: 0
Thanked 0 Times in 0 Posts
The only option you have with forgotten passwords is to change their password to a different known value, and email it to them. This is most secure if you add a FORCE_CHANGE flag in the user table, and a new EXPIRE_DATE so you can expire it after a few days. You don't want the new password sitting in his inbox for a long period of time.
Before sending the password out, you might ask the user a "hint question" to make sure it's the right user (or to at least improve the odds that it's him). Even if he gets the hint question right, you still must have a policy of sending the password ONLY to the email address he registered from. This will make it harder for a hacker to get the new password.
Of course, if you go with a hint question, you have to code this in up front, and add a new DB field for the question and answer. But you should add the other DB fields, anyway, so you might as well add this at the same time.
Eric
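The reset flow in the reply above, written out as an added example (not code from the book or from The Phile II): check the hint answer, generate a new random password, store it with FORCE_CHANGE set and an EXPIRE_DATE a few days out, and mail it only to the address already on file. FORCE_CHANGE and EXPIRE_DATE are the fields named in the reply; the UserRecord class, the hint fields and the SendMail delegate are assumptions so that the example runs without a database or a mail server.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example of the reset flow described above; not code from the book or
// The Phile II. FORCE_CHANGE and EXPIRE_DATE are the fields Eric names; the
// UserRecord class, the hint fields and the SendMail delegate are assumptions.
public class UserRecord
{
    public string UserName;
    public string EmailAddress;   // the address the user registered with
    public string HintQuestion;
    public string HintAnswer;
    public string Password;       // stored however the site already stores it (assumption)
    public bool ForceChange;      // FORCE_CHANGE
    public DateTime ExpireDate;   // EXPIRE_DATE, in UTC
}

public delegate void SendMail(string toAddress, string subject, string body);

public class PasswordReset
{
    public enum LoginResult { Rejected, Expired, ChangeRequired, Ok }

    const int TempPasswordDays = 3;
    // Characters that are easy to confuse (I, l, 1, O, 0) are left out.
    const string Alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789";

    // Draws each character from a cryptographic RNG, rejecting bytes that would
    // make some characters more likely than others (modulo bias).
    public static string GenerateTempPassword(int length)
    {
        int limit = 256 - (256 % Alphabet.Length);
        RandomNumberGenerator rng = RandomNumberGenerator.Create();
        byte[] one = new byte[1];
        StringBuilder sb = new StringBuilder(length);
        while (sb.Length < length)
        {
            rng.GetBytes(one);
            if (one[0] < limit)
                sb.Append(Alphabet[one[0] % Alphabet.Length]);
        }
        return sb.ToString();
    }

    // Issues a new password only if the hint answer matches. Whatever address
    // the visitor typed on the form, the mail goes to the registered one.
    public static bool Reset(UserRecord user, string hintAnswerGiven, DateTime nowUtc, SendMail send)
    {
        if (!string.Equals(user.HintAnswer, hintAnswerGiven, StringComparison.OrdinalIgnoreCase))
            return false;
        string temp = GenerateTempPassword(10);
        user.Password = temp;
        user.ForceChange = true;
        user.ExpireDate = nowUtc.AddDays(TempPasswordDays);
        send(user.EmailAddress, "Your new password",
             "Your password was reset to " + temp + ". It expires on "
             + user.ExpireDate.ToString("u") + "; please change it when you next log on.");
        return true;
    }

    // Login-time check: an expired temporary password is refused; a live one
    // is accepted but the page must send the user to the change-password form.
    public static LoginResult CheckLogin(UserRecord user, string passwordGiven, DateTime nowUtc)
    {
        if (user.Password != passwordGiven) return LoginResult.Rejected;
        if (user.ForceChange && nowUtc > user.ExpireDate) return LoginResult.Expired;
        if (user.ForceChange) return LoginResult.ChangeRequired;
        return LoginResult.Ok;
    }

    static void Main()
    {
        // Constructed sample account
        UserRecord u = new UserRecord();
        u.UserName = "rich";
        u.EmailAddress = "rich@example.org";
        u.HintQuestion = "Name of your first pet?";
        u.HintAnswer = "rover";
        u.Password = "old-secret";
        DateTime now = new DateTime(2004, 7, 22, 21, 20, 0, DateTimeKind.Utc);

        string mailed = null;   // stands in for the outgoing mail
        SendMail capture = delegate(string to, string subject, string body) { mailed = to + ": " + body; };

        Console.WriteLine("wrong hint answer: " + Reset(u, "fido", now, capture));
        Console.WriteLine("correct hint answer: " + Reset(u, "Rover", now, capture));
        Console.WriteLine(mailed);
        Console.WriteLine("log on next day: " + CheckLogin(u, u.Password, now.AddDays(1)));
        Console.WriteLine("log on after expiry: " + CheckLogin(u, u.Password, now.AddDays(4)));
    }
}
```

The Reset method never takes an address as input, which is the simplest way to enforce the "only to the registered address" policy: there is no code path that could mail the new password elsewhere. An expired temporary password is treated as a rejected login rather than silently accepted, so a password that sat in an inbox for weeks is useless even if the mailbox is later compromised.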

September 9th, 2004, 07:30 PM
Registered User
Join Date: Sep 2004
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
One suggestion is to improve the security for changes / edits to information presented via myAccount.aspx. It seems to me that if you change your email address to one that is already entered in table Accounts_Users, you then have an opportunity to assume that person's permissions.
Since I'm just starting to implement some of the code, if you have some enhancements you want to try on a newbie, let me know.
Thanks,
Rich

September 9th, 2004, 10:11 PM
Friend of Wrox
Join Date: Jun 2003
Posts: 917
Thanks: 0
Thanked 0 Times in 0 Posts
This kind of thing is prevented by the unique constraint on the EmailAddress column:
ALTER TABLE [Accounts_Users]
ADD CONSTRAINT [IX_Accounts_Users] UNIQUE NONCLUSTERED
([EmailAddress]) ON [PRIMARY]
I think this is included on the database backup file that came in the code download, but it's not in the SQL script in the code download.
This will cause an exception when someone tries to change to an existing email address. This exception looks ugly, and we should make it look a little better, but it is secure. We can handle it better in MyAccount.aspx.cs.
Eric
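One way to handle that exception more gracefully in the account page, as an added example that is not the project's MyAccount.aspx.cs code: run the UPDATE, and if SQL Server reports a duplicate key, turn it into a message for the user instead of the raw error page. It assumes the Accounts_Users table with the IX_Accounts_Users unique constraint shown above, a UserID key column (an assumption), an EmailAddress column of up to 255 characters (also an assumption), and a connection string supplied by the caller.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the book or from MyAccount.aspx.cs. Assumes the
// Accounts_Users table with the IX_Accounts_Users unique constraint, a UserID
// key column and an EmailAddress column of up to 255 characters.
public class AccountEmailUpdate
{
    // SQL Server error numbers raised for a duplicate key:
    // 2627 = violation of a UNIQUE or PRIMARY KEY constraint,
    // 2601 = duplicate key row in a unique index.
    private const int UniqueConstraintViolation = 2627;
    private const int UniqueIndexViolation = 2601;

    // Returns null on success, otherwise a message that is safe to show the user.
    // The constraint, not this code, is what prevents the takeover Rich describes:
    // a SELECT-then-UPDATE check would leave a window between the two statements
    // in which a second request could slip through, so the check is left to SQL Server.
    public static string ChangeEmail(string connectionString, int userId, string newEmail)
    {
        const string sql =
            "UPDATE Accounts_Users SET EmailAddress = @Email WHERE UserID = @UserID";
        try
        {
            using (SqlConnection cn = new SqlConnection(connectionString))
            using (SqlCommand cmd = new SqlCommand(sql, cn))
            {
                cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 255).Value = newEmail;
                cmd.Parameters.Add("@UserID", SqlDbType.Int).Value = userId;
                cn.Open();
                int rows = cmd.ExecuteNonQuery();
                return rows == 1 ? null : "Account not found.";
            }
        }
        catch (SqlException ex)
        {
            if (IsDuplicateKey(ex))
                return "That email address is already in use by another account.";
            // Anything else is rethrown so the site's normal handling applies
            // (item 2a in the first post: log the full error, show the user a generic page).
            throw;
        }
    }

    public static bool IsDuplicateKey(SqlException ex)
    {
        foreach (SqlError err in ex.Errors)
            if (err.Number == UniqueConstraintViolation || err.Number == UniqueIndexViolation)
                return true;
        return false;
    }
}
```

The friendly message tells a legitimate user why the change failed without echoing anything from the exception text, and because the decision is made from the error number rather than the message string it keeps working if the server's language or message format differs.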

September 17th, 2004, 06:16 PM
Friend of Wrox
Join Date: Jun 2003
Posts: 917
Thanks: 0
Thanked 0 Times in 0 Posts
I finished the new Menu to replace the ugly NavBox. I moved the menu to the left side of all the pages. It has a CSS "hover" style to show you which entry you're holding the mouse over. It also uses dynamic rendering so it can highlight the current page you're on. That current page is not a link - because you're already on that page! I'm using an XML file for the data, but I'm not using XSLT translations. The code for this menu is quite simple considering how cool it works.
I also added RSS to the Books page, added a new Contact page, and did some other fixes.
See it here:
http://www.ericengler.com
I made a new creation script for the Database, and I'm working on documenting the changes I made. I might distribute my code if people want it, but it's a little big. It's almost 5 megabytes. I don't know about posting it on my site for downloads because of its size - it'll eat into my monthly quota quite a lot. Let me know if you have lots of bandwidth and you would like to post the code at your site. Use the "Contact Us" link at my web site to send me a private email.
Eric

September 18th, 2004, 06:23 AM
Authorized User
Join Date: Aug 2004
Posts: 82
Thanks: 0
Thanked 0 Times in 0 Posts
Hello Eric,
I liked the menu control but I have a few questions about it.
1- what's dynamic rendering?
2- how did you use the XML file and convert it to HTML code and links?
3- how did you program the links so it will not show you a hyperlink if you are on the current page?
Thanks
Marenela

September 18th, 2004, 10:01 AM
Friend of Wrox
Join Date: Jun 2003
Posts: 917
Thanks: 0
Thanked 0 Times in 0 Posts
1) Dynamic rendering means the menu is generated by code, and it depends on what page you are on. The menu item for the current page will not get an anchor tag.
2) I read the XML file with code so I can get the title of each menu item and the link for each menu item. I made a small demo program to show how to read the xml file. I like to test my ideas with small console programs before I code them in the final page. I'll post this in a separate message.
3) I compare the link for each menu item to see if that is the current page. This is how I get the current page:
String CurrentUrl = Context.Request.Url.ToString().ToLower();
And this is how I made the link or label for each menu item:
// fullLink is the complete URL of this menu item (assumed to be SiteURL + link
// from the XML file); title and link are the item's attributes; sb is the
// StringBuilder that collects the menu's HTML
if (CurrentUrl.IndexOf(fullLink.ToLower()) != -1)
{
    // current page, so just render this as plain text with a "currentnav" style
    sb.Append("<td class=currentnav>" + title + "</td>");
}
else
{
    // not the current page, so make this an anchor, use the "sidenav" style
    sb.Append("<td><a class=sidenav href=\"" + link + "\">" + title + "</a></td>");
}
Eric

September 18th, 2004, 10:05 AM
Friend of Wrox
Join Date: Jun 2003
Posts: 917
Thanks: 0
Thanked 0 Times in 0 Posts
Here's the menu XML file:
<?xml version="1.0" ?>
<Menu>
  <SiteURL>http://www.ericengler.com</SiteURL>
  <!-- the line-break tag is escaped so the file stays well-formed XML; InnerText returns it as <BR> -->
  <MenuTitle>The Phile II &lt;BR&gt; Site Menu</MenuTitle>
  <MenuItemWidth>126</MenuItemWidth>
  <MenuItem title="Home" link="/default.aspx" />
  <MenuItem title="Books" link="/Books/default.aspx" />
  <MenuItem title="DVDs" link="/DVD/default.aspx" />
  <MenuItem title="Archived Polls" link="/Modules/Polls2/ShowArchive.aspx" />
  <MenuItem title="Message Forums" link="/Modules/Forums/Default.aspx" />
  <MenuItem title="Contact Us" link="/Contact.aspx" />
</Menu>
Here's the console mode program that shows how to read the XML file:
using System;
using System.Xml;

namespace ConsoleApplication2
{
    class Class1
    {
        static void Main(string[] args)
        {
            // Load the menu definition file
            XmlDocument menuDoc = new XmlDocument();
            menuDoc.Load(@"c:\ThePhileII\Config\Menu.xml");

            // Single-valued settings are located with an XPath expression and read through InnerText
            String menuTitle =
                menuDoc.SelectSingleNode("Menu/MenuTitle").InnerText;
            Console.WriteLine("Menu Title = " + menuTitle);
            String menuItemWidth =
                menuDoc.SelectSingleNode("Menu/MenuItemWidth").InnerText;
            Console.WriteLine("Menu Item Width = " + menuItemWidth);
            String siteUrl =
                menuDoc.SelectSingleNode("Menu/SiteURL").InnerText;
            Console.WriteLine("Site URL = " + siteUrl);

            // Each MenuItem element carries its title and link as attributes
            XmlNodeList menuItems =
                menuDoc.SelectNodes("Menu/MenuItem");
            String link, title;
            foreach ( XmlNode menuNode in menuItems )
            {
                link = menuNode.Attributes["link"].Value;
                title = menuNode.Attributes["title"].Value;
                Console.WriteLine("title: " + title + "\tlink: " + link);
            }
            Console.Write(Environment.NewLine + "Press Return ...");
            Console.ReadLine();
        }
    }
}
Eric
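Putting the two previous messages together (reading the XML and rendering each item as a label or a link), here is an added example that is not Eric's user control code. It embeds a copy of the Menu.xml layout above as a string so it runs without the file (the MenuTitle is simplified to plain text), finds the current page by comparing the request path with the item's link exactly and case-insensitively rather than by substring search, and HTML-encodes the title and link before writing them. Class and method names are assumptions; System.Web is referenced for HttpUtility, and in the real control currentPath would be Context.Request.Path.

```csharp
using System;
using System.Text;
using System.Web;
using System.Xml;

// Added example, not Eric's user control code. Reads the Menu.xml layout from
// the messages above (embedded here as a string) and renders the table cells.
public class SideMenu
{
    // Constructed copy of the menu file; the title is plain text here.
    const string SampleMenuXml = @"<?xml version=""1.0"" ?>
<Menu>
  <SiteURL>http://www.ericengler.com</SiteURL>
  <MenuTitle>The Phile II Site Menu</MenuTitle>
  <MenuItemWidth>126</MenuItemWidth>
  <MenuItem title=""Home"" link=""/default.aspx"" />
  <MenuItem title=""Books"" link=""/Books/default.aspx"" />
  <MenuItem title=""DVDs"" link=""/DVD/default.aspx"" />
  <MenuItem title=""Archived Polls"" link=""/Modules/Polls2/ShowArchive.aspx"" />
  <MenuItem title=""Message Forums"" link=""/Modules/Forums/Default.aspx"" />
  <MenuItem title=""Contact Us"" link=""/Contact.aspx"" />
</Menu>";

    // Renders one <td> per menu item; the current page gets a label, not a link.
    public static string Render(XmlDocument menuDoc, string currentPath)
    {
        string siteUrl = menuDoc.SelectSingleNode("Menu/SiteURL").InnerText;
        StringBuilder sb = new StringBuilder();
        foreach (XmlNode item in menuDoc.SelectNodes("Menu/MenuItem"))
        {
            string link = item.Attributes["link"].Value;
            // Encode the text even though it comes from a config file: the
            // menu should never be the place that turns a stray < into markup.
            string title = HttpUtility.HtmlEncode(item.Attributes["title"].Value);
            if (IsCurrentPage(currentPath, link))
            {
                sb.Append("<td class=\"currentnav\">" + title + "</td>\n");
            }
            else
            {
                string href = HttpUtility.HtmlAttributeEncode(siteUrl + link);
                sb.Append("<td><a class=\"sidenav\" href=\"" + href + "\">" + title + "</a></td>\n");
            }
        }
        return sb.ToString();
    }

    // Exact, case-insensitive comparison of the request path with the link.
    // Comparing only the path keeps the result independent of the host name,
    // and an exact match means "/default.aspx" is never mistaken for part of
    // "/Books/default.aspx".
    public static bool IsCurrentPage(string currentPath, string link)
    {
        return string.Equals(currentPath, link, StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        XmlDocument doc = new XmlDocument();
        doc.LoadXml(SampleMenuXml);
        // In the user control this would be Context.Request.Path.
        Console.WriteLine(Render(doc, "/books/DEFAULT.ASPX"));
    }
}
```

With the sample path "/books/DEFAULT.ASPX" the Books entry is rendered as the plain "currentnav" cell and every other entry as a "sidenav" link, which is the behaviour Eric describes in point 3 of his answer.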

September 18th, 2004, 10:10 AM
Friend of Wrox
Join Date: Jun 2003
Posts: 917
Thanks: 0
Thanked 0 Times in 0 Posts
I still need to write the code to put the XML document in the data cache. This may be a better option than using output caching. I'm not sure if output caching on the user control will work in my case because the output depends on the current URL, and not on any particular variables.
Eric
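Caching the parsed document (rather than the rendered output, which changes with the URL) looks like this as an added example, not Eric's code. It uses the ASP.NET data cache with a CacheDependency on the file, so the cached copy is thrown away as soon as Menu.xml is edited. HttpRuntime.Cache is the same cache that the Cache property exposes inside a page or user control and is available to a console program on the .NET Framework; the physical path would come from Server.MapPath in the real control, and the one used here is the path from the console program above.

```csharp
using System;
using System.Web;
using System.Web.Caching;
using System.Xml;

// Added example, not Eric's code. Loads Menu.xml once into the ASP.NET data
// cache with a file dependency so edits to the file invalidate the entry.
public class MenuCache
{
    const string CacheKey = "Menu.xml";

    public static XmlDocument GetMenu(string physicalPath)
    {
        XmlDocument doc = HttpRuntime.Cache[CacheKey] as XmlDocument;
        if (doc == null)
        {
            doc = new XmlDocument();
            doc.Load(physicalPath);
            // No absolute or sliding expiration: the file dependency alone
            // decides when the entry is dropped.
            HttpRuntime.Cache.Insert(CacheKey, doc, new CacheDependency(physicalPath));
        }
        return doc;
    }

    static void Main()
    {
        string path = @"c:\ThePhileII\Config\Menu.xml";
        XmlDocument first = GetMenu(path);
        XmlDocument second = GetMenu(path);
        // The second call is served from the cache, so both references are the same object.
        Console.WriteLine("same cached instance: " + Object.ReferenceEquals(first, second));
        Console.WriteLine(first.SelectSingleNode("Menu/MenuTitle").InnerText);
    }
}
```

Because the cached XmlDocument is shared by every request, the user control should only read it; any per-request work such as marking the current page belongs in the rendering code, which is exactly why output caching the control is the wrong tool here.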