Append JavaScript Tag Dynamically

Sometimes you need to append a specific JavaScript file based on the user’s browser or as the result of some calculation. Here is a handy little function that will help you do this.

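function appendScriptTag(src) {
    // src is loaded and executed as code in the page's origin, so pass it
    // only fixed, trusted URLs, never a value built from user input.
    var jstag = document.createElement('script');
    jstag.setAttribute('type', 'text/javascript');
    jstag.setAttribute('src', src);
    document.getElementsByTagName("head")[0].appendChild(jstag);
}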

Remove JavaScript Tags From HTML

After a while of trying to create the perfect regular expression that would remove script tags from HTML I came across this super simple regular expression. It goes to show you, sometimes the simplest things work best.

s = Regex.Replace(s, "", "",RegexOptions.Singleline|RegexOptions.IgnoreCase);

Source: http://forums.asp.net/t/1323604.aspx/1

Secure Session ID Cookies on IIS6 Using Metabase And Classic ASP

I have been looking for a solution to this problem for weeks! How do you mark a cookie as secure so that it will only be transmitted via an SSL connection in IIS6? The first (and best) solution is so simple that I am annoyed by the amount of time I wasted on workarounds (solution 2).

Please keep in mind these are two different solutions. I suggest using the first one or the second one (if you have to) but not both together.

Solution 1

  1. Enable Direct Metabase Editing. As the name says, this allows you to edit the Metabase.xml file while IIS is running.
  2. Navigate to and open the Metabase.xml file.
  3. Change the value of the property ASPKeepSessionIDSecure to equal “1” instead of “0”. Note the number must be in quotes.

More Metabase Properties: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/0d49cbc8-10e1-4fa8-ba61-c34e524a3ae6.mspx?mfr=true

Solution 2

I do not suggest this approach, as it seems to require an extra trip to the server for the cookie to be marked secure, which, if you think about it, still leaves you vulnerable to being packet sniffed. The attacker can get your session cookie prior to you logging in, and since the same cookie gets marked secure, he could then use the insecure cookie with your same session ID to hijack your session. This can be mitigated, however, by requiring SSL for the directory the user is browsing.

Nonetheless here is the code that marks your cookie secure. It must be included on every page through a sort of server side include.

<%
'///////////////////////////////////////////////
' secureAspSessionCookie
''''''''''''''''''''''''''''''''''''''''''''''''
' Notes:
'	If on SSL, takes the ASP session cookie and marks it secure. If the user
'	changes to non-SSL, a new cookie is issued.
'////////////////////////////////////////////////
Function secureAspSessionCookie()
    If Request.ServerVariables("HTTPS") = "on" Then
        Dim AspSessionCookie
        AspSessionCookie = Request.ServerVariables("HTTP_COOKIE")
        ' Only split when the session cookie is present; otherwise index (1) fails
        If InStr(1, AspSessionCookie, "ASPSESSIONID") > 0 Then
            ' Keep just "ASPSESSIONIDxxxx=value", dropping any other cookies
            AspSessionCookie = "ASPSESSIONID" & Split(AspSessionCookie, "ASPSESSIONID")(1)
            If InStr(1, AspSessionCookie, ";") > 0 Then
                AspSessionCookie = Split(AspSessionCookie, ";")(0)
            End If
            ' Re-issue the same session cookie with the Secure attribute
            Response.AddHeader "Set-Cookie", AspSessionCookie & "; Secure; Path=/"
        Else
            ' No session cookie yet: reload so the browser sends one back
            Response.Redirect(Request.ServerVariables("URL"))
        End If
    End If
End Function
secureAspSessionCookie()
%>

Source: http://stackoverflow.com/questions/2099777/classic-asp-how-to-check-if-aspsessionid-cookie-has-been-marked-as-secure
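
A check for either solution above, as an added example that is not code from the original post or its sources: it parses Set-Cookie response headers and reports ASP session cookies issued without the Secure attribute. The header values are constructed samples, and the function names parseSetCookie and insecureSessionCookies are hypothetical.

```javascript
// Added example: audit Set-Cookie headers for ASP session cookies lacking Secure.
// The header values below are constructed samples, not captured from a real server.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf('=');
  if (eq < 1) return null; // no cookie name
  const attrs = new Map();
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? true : part.slice(i + 1).trim());
  }
  return { name: parts[0].slice(0, eq), value: parts[0].slice(eq + 1), attrs };
}

// Return the names of ASP session cookies that a response sets without Secure.
// Classic ASP names the cookie ASPSESSIONID plus a random suffix, so match by prefix.
function insecureSessionCookies(setCookieHeaders) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const cookie = parseSetCookie(header);
    if (!cookie || !cookie.name.toUpperCase().startsWith('ASPSESSIONID')) continue;
    if (!cookie.attrs.has('secure')) findings.push(cookie.name);
  }
  return findings;
}

// Constructed samples: the same site before and after the change.
const before = [
  'ASPSESSIONIDQACDRSTB=EXAMPLEVALUE0000000000AA; path=/',
  'theme=dark; path=/',
];
const after = [
  'ASPSESSIONIDQACDRSTB=EXAMPLEVALUE0000000000AA; secure; path=/',
  'theme=dark; path=/',
];
// A value that merely contains the word "secure" must not count as the attribute.
const tricky = ['ASPSESSIONIDAAAA=secure; Path=/'];

console.log(insecureSessionCookies(before)); // [ 'ASPSESSIONIDQACDRSTB' ]
console.log(insecureSessionCookies(after));  // []
console.log(insecureSessionCookies(tricky)); // [ 'ASPSESSIONIDAAAA' ]
```

Run it against the headers of the first response on both the HTTP and HTTPS sides of the site, since that first response is where the session cookie is issued.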

Hashing in SQL

Poking around I ran into an article that showed how to hash input or variables in SQL. It is very important to note that the output hash will vary depending on your input data type. So hashing nvarchar will give you a different result than hashing nchar.

Also, please note that this sort of thing might be considered bad practice by some, as it requires your user’s data to go through yet another connection (web server to SQL Server), which might possibly be unencrypted and sniffed.

Here is the MSDN example almost verbatim:

DECLARE @HashThis nvarchar(4000);
SELECT @HashThis = CONVERT(nvarchar(4000),'some text');
SELECT HASHBYTES('SHA1', @HashThis);
GO

Here is how I tested it, though I don’t recommend you do it this way.

SELECT HASHBYTES('SHA1', 'password');
GO

The following algorithms are available; unfortunately, they vary by server version:

  • MD2
  • MD4
  • MD5
  • SHA
  • SHA1
  • SHA2_256 (2012 Only)
  • SHA2_512 (2012 Only)

Source: http://msdn.microsoft.com/en-us/library/ms174415(v=sql.110).aspx