I am looking into different ways to handle updating an ASP.NET application across many different clients, and looking for suggestions from your previous experience.
We need the client apps to check if they have any available updates.
A way to Auto update (If possible, something similar to chromes but for webapp).
Some way to check that we are the ones sending the updates. (Checksum of some sort I would guess)
Any other tips/advice
Thanks
Edit: after thinking more about this overnight, I would have to agree that auto updates may not be the best. However maybe something more along the lines of how wordpress does it. Wordpress will display saying that there is an update available then clicking will auto update the system.
I would absolutely not have your application auto update on clients (assuming you mean clients are entities external to your organization) servers. We would immediately stop using a product that would "phone home" and update itself. Clients need to be able to choose when and how an update on their server occurs.
If you are going to do this, the easiest way would be to set up URI the systems could ping once a day etc. and see if there are updates available. If so the application would pull it down from the host system and update itself. If you do it using SSL then the certificate would verify the URI being hit is your company.
Having a hard time figuring out if you're actually talking about a web application or a desktop application. If you're trying to do something similar to Chrome...I'm guessing a desktop application. If that's the case...check out ClickOnce deployment.
It offers the first three bullet points you mention:
Every time a person runs the app, it will check for updates.
If updates are found, the user can choose to install them or not (better user experience than forcing the update on the user).
The application always checks the URL that the app was installed from...which in your case would be your servers.
Related
I have experience developing software and web applications and I have decided to do some freelance work on the side. Well, I met with my first client and they are requesting a relatively simple, custom system that (without being long winded) tracks client’s paperwork as it progresses through the business’s different manual processes. It is a small business that has about 10 employees, but all of the employees will interact with the client’s paperwork, therefore everyone would need access to the new system. When I say ‘track’ I literally mean that the employees will ‘check as complete’ on a simple page the increases a progress bar at different stages for the paperwork. Now I am %110 capable of coding the custom system that meets their needs, but I am unsure about how I should go about doing it.
The information that is being tracked in the new system and stored in the DB is confidential information that they are very protective of. My main question is how should I be developing this to be as secure as I can?
-They have their own server in house, so should I develop an application (VB and SQL) for the server and require employees to log on remotely to use it? Can more than one person access/use the application at a time?
-Or should I develop a web application (ASP.Net/VB and SQL) that is only accessible on their network to their employees? They plan to expand offices, could they set up a VPN to access the site?
I’m leaning towards a web application, but I have not done too much in term of security. Basically I’m looking for pros and cons for either option or any suggestions on what I should.
PS, stackoverflow is awesome! Long time user, first time poster!
If you want to develop using vb & sql you have to consider that:
You need to have real ip
Your system will communicate threw certain port and you have to handle the security measure for letting certain port opened in your server.
You should have good knowledge in network programming
If you want to develop using asp.net you have to consider that:
in case only office employees will use the system, you can develop against users in Active Directory and for outside users with username and password with SSL connection or vpn
for preventing more than one person access the file you can simply add column 'locked' in case file is being used.
Well im not a web fan (I suck) ive seen too many security issues go with it...i.e Lulzsec, but i do very much love VB apps.
So I would definetely recommend a VB app connected to a MSSQL database (coz it's easy to configure and havent seen any security exploits yet),my Chinese friend told me there is a way to access MySQL free databases.Now, allow remote access but make sure your Windows Firewall is also configured properly do look at all angles of security.
If I remember well there is an option in MSSQL to specify the IP addresses or is it MAC addresses that can access the DB so maybe input all of the 10 employees' IP addresses assuming they are static,if they are dynamic (DHCP) don't bother. And ask them to make the IP address of the server where you will host the DB on static.
If only 10 employees use the DB then limit the connections to 10. For now develop this when it comes to VPN you can make a Remote version of the App im sure that will come later right now focus on the basics. Also use Dotfuscator when you are publishing the app I heard it is very good.N also im suggesting the document/work order is received at the reception so that user will check in the document with specifics...if they are passing on the work order to the next user they should select the user and then THAT user may enter some sort of verification code unique to the user...im sure you can envision the rest from here. Now do I also get a cut from this?lol
I've been doing the same for years now, and I always take the website side, this days I go width ASP.NET MVC 4, it's easier, everything in their place and extremely easier to test and maintain.
The web application has a very big advantage to any standalone windows application, you deploy and upgrade only one application instead to maintain all the different versions once you start deploying windows apps, and they are harder to debug once you start to having different machines with different versions and so on...
so, Web or Win app = Web app, always!
All you need is a server that run IIS and set it up for using Active Directory (Visual Studio has that project already, simply create an ASP.NET MVC and choose the "intranet" template), it will set up everything for you, and all you need later is tweak the Active Directory connection string.
I also use a self-signed SSL to protect data between client and server, as I also make the apps available outside the office without VPN needed, as long as they login with their secure AD credentials.
And... audit everything into a secondary database, every action performed by a user since they login until they logout, every view, update or creating data witch .NET makes it simple if you create your Logging method to simple log messages and Stack messages on errors.
This will greatly benefit your employer and you when something goes wrong.
I would say to go with web application. Advantage using web application is, if they want to expand bussiness .. same can you do with you WebApp. But choose .Net over VB, going with latest techonology will help you resolve current challanges.
I build ASP.NET websites (hosted under IIS 6 usually, often with SQL Server backends and forms authentication).
Clients sometimes ask if I can check whether there are people currently browsing (and/or whether there are users currently logged in to) their website at a given moment, usually so the can safely do a deployment (they want a hotfix, for example).
I know the web is basically stateless so I can't be sure whether someone has closed the browser window, but I imagine there'd be some count of not-yet-timed-out sessions or something, and surely logged-in-users...
Is there a standard and/or easy way to check this?
Jakob's answer is correct but does rely on installing and configuring the Membership features.
A crude but simple way of tracking users online would be to store a counter in the Application object. This counter could be incremented/decremented upon their sessions starting and ending. There's an example of this on the MSDN website:
Session-State Events (MSDN Library)
Because the default Session Timeout is 20 minutes the accuracy of this method isn't guaranteed (but then that applies to any web application due to the stateless and disconnected nature of HTTP).
I know this is a pretty old question, but I figured I'd chime in. Why not use Google Analytics and view their real time dashboard? It will require minor code modifications (i.e. a single script import) and will do everything you're looking for...
You may be looking for the Membership.GetNumberOfUsersOnline method, although I'm not sure how reliable it is.
Sessions, suggested by other users, are a basic way of doing things, but are not too reliable. They can also work well in some circumstances, but not in others.
For example, if users are downloading large files or watching videos or listening to the podcasts, they may stay on the same page for hours (unless the requests to the binary data are tracked by ASP.NET too), but are still using your website.
Thus, my suggestion is to use the server logs to detect if the website is currently used by many people. It gives you the ability to:
See what sort of requests are done. It's quite easy to detect humans and crawlers, and with some experience, it's also possible to see if the human is currently doing something critical (such as writing a comment on a website, editing a document, or typing her credit card number and ordering something) or not (such as browsing).
See who is doing those requests. For example, if Google is crawling your website, it is a very bad idea to go offline, unless the search rating doesn't matter for you. On the other hand, if a bot is trying for two hours to crack your website by doing requests to different pages, you can go offline for sure.
Note: if a website has some critical areas (for example, writing this long answer, I would be angry if Stack Overflow goes offline in a few seconds just before I submit my answer), you can also send regular AJAX requests to the server while the user stays on the page. Of course, you must be careful when implementing such feature, and take in account that it will increase the bandwidth used, and will not work if the user has JavaScript disabled).
You can run command netstat and see how many active connection exist to your website ports.
Default port for http is *:80.
Default port for https is *:443.
My company has a website product (ASP.NET) which is sold to customers. It means we don't host the website. They install it on their server and run it in the intranet.
I need to implement some sort of copy protection mechanism so that not everyone ends up installing the website. It has following aspects:
It has to be completely software based (no dongles).
Hiding usage information in registry or some folder in c:\ (basically outside virtual directory) is not an option for a website
Please can you suggest any scheme/method?
One suggestion is to use some kind of web service running, of course you need to have a main server to do so. In this server you can have some of your clients servers data (IP of the authorized servers, CPU and Motherboard ID's, and other important data).
This web service has to run some important logic of the program and return a value to the authorized servers. If the data of autorization sent by the client doesn't match, the server do will not execute the routine.
Of course I assume that this side of the logic is included in a DLL in the application and not in plain code.
A technique that worked well for a buddy of mine was to install a web bug on an administrative page which would report back to their server. You can monitor when and where the application is installed. It could be easily removed, but won't by most customers.
Simple, easy to do, and works relatively well.
Something you could try. Compile binaries for each client, obfuscate the code, lock the site down to a single domain. If its an internal app the domain might be something like "productname.clientname.internal". The app checks the domain of all the incoming requests, refuses anything that doesn't match.
As already pointed out by jeffamaphone: people will find ways around it, but it's enough to 'slow down' those not super determined.
[disclaimer]I sell the product I am recommending.[/disclaimer]
Take a look at DeployLX. You can add licensing to your web based application to require one of a couple different options.
Hardware based locking so it can only be used on one machine.
Domain based locking so it's tied to a specific domain name.
IP based locking to tie it to an IP address.
License server locking to that your app checks in periodically with a centralized web service.
It's pretty flexible and should let you create a balance between protection and not frustrating your users.
If not, are there any fundamental limitations of the service that prevent one from being built?
In response to Garys answer. "If you're hosting your app on EC2, it'll be fine"
Even if you're hosting your application on EC2 you should not really use SimpleDB to store session state. It provides an "eventually consistent" guarantee, so if you PUT something there is no guarantee that you will see the item on your next GET.
see: http://docs.amazonwebservices.com/AmazonSimpleDB/2007-11-07/DeveloperGuide/index.html?EventualConsistencySummary.html
This is fine when you want to use simpledb to do indexing on data that does not need to be immediately up to date and can be reconciled later, but in the case of session state, you'd likely want something with ACID guarantees (like SQL Server) as you want to know that once you have committed something you will get it back on the next read.
This obviously depends on your requirements, but most people use session state to store shopping cart items or similar. Your site visitors will soon get upset if things appear to go missing from thier cart, then re-add them and then discover they have added the same item twice when they come to pay.
There's a C# library for working with SDB.
If you want to roll your own, the API, WSDL and other documentation can be found at http://aws.amazon.com/simpledb/#resources.
It's a pretty straight forward API that rides over HTTP. The hardest part is writing the signing code. There's plenty of implementations in other languages.
As for using it for session state, there's a huge speed difference between using SimpleDB from EC2 and anywhere else on the internet. If you're hosting your app on EC2, it'll be fine, otherwise, it'll be brutally slow.
You could base it off this MySQL provider:
http://harry-kimpel.spaces.live.com/Blog/cns!CAA619CB4C4D1B6C!342.entry
I am looking for ways to keep track of simultaneous users within an application. I cannot use IIS logs due to a load balancer that abstracts the users IP address. I am looking for a .NET code based solution or a configuration item, possibly with health monitoring to be able to track the "true" simultaneous user count.
I know that I can monitor the number of sessions, but that isn't really an ideal method to show, as it can be bloated based on the number of sessions with users abandoning their session.
There is a similiar question here: Tools and methods for live-monitoring ASP.NET web applications?
I found an advanced logging tool for debugging and monitoring .NET applications: SmartInspect. But I don't know if it meets your requirements.
What do you mean of "simultaneous users"? Perhaps you should monitor simultaneous TCP connections to your IIS application? Windows Performance Monitor tools should help you there.
Otherwise there is no sure way of telling how many users are using your application right now. If you can monitor number of sessions, then I'd suggest going with that. Just take into account the last modification time of the sessions, so you could get something like "active sessions in the last minute". That should give you a close measurment.
In the end we decided to use ASP.NET Performance counters, as well as generic information from the IIS Logs.
I parsed the information from both sources using the Microsoft Log Parser tool!
You just want to know the number of active users at a particular time? An easy option that omits inactive users as well as most bots would be to register the user as active through a JavaScript AJAX call on page load along with their SessionID. You can then purge old records from the log as you see fit. *Be careful of how you build your table's performance for read/write optimizations. ... just an idea off the top of my head.
We are using an expensive solution which is AVICode but it is great. You can monitor so many thing with that.