Thursday, February 26, 2009

Thousander Club Update (2/22/2009)

This week's Thousander Club update:
  • Game Development Hours: 3 / 1000 (this week), 46 / 1000 (overall)
  • Novels read: 0 / 12
  • Books read: 0 / 12
  • Games finished: 0 / 12
I know this update is a couple of days overdue, but it was a rather hectic week and my home PC has been acting up a lot lately, so I just couldn't get around to it earlier.

I got to work on finalizing the Rubik Cube game last weekend, but unfortunately I was hit by some strange error mid-way and I stopped and said I'll go back to it later on, and I haven't yet!

I also made some progress in the novel I'm currently reading, but barely.

I hope I can get some progress done this coming weekend, in all aspects. I also have other stuff that needs my attention, so I need this to be a very busy weekend. Should be exciting though.

Sunday, February 15, 2009

Thousander Club Update (2/15/2009)

This week's Thousander Club update:
  • Game Development Hours: 0 / 1000 (this week), 43 / 1000 (overall)
  • Novels read: 0 / 12
  • Books read: 0 / 12
  • Games finished: 0 / 12
Unfortunately, still no progress this week. I've been kinda low on game development spirit lately, and I'm busy with other stuff that kinda have more priority.

I'm also starting to think the reason might be that I have reached a stale kind of state in the Rubik Cube project, since I almost figured out everything I need to do and what remains is to get things in order and make it ready for release! I still need to put in a GUI, of course, but I don't think that should be too hard. I'll try to work on that soon, and get everything else done so I can focus on getting at least the Rubik Cube project finalized.

Sunday, February 08, 2009

Thousander Club Update (2/8/2009)

This week's Thousander Club update:
  • Game Development Hours: 0 / 1000 (this week), 43 / 1000 (overall)
  • Novels read: 0 / 12
  • Books read: 0 / 12
  • Games finished: 0 / 12
Yeah, those are some big fat zeros! I had a lot going on in my personal life this week, so I didn't really get a chance to do anything worth mentioning. It should get better soon though, I'm trying hard to get things under control.

Stay tuned!

Monday, February 02, 2009

Changing response status code in ASP.NET web applications

For a little change in flavor, here's a bit of technical talk about web development!

There's this interesting problem I came across at work that I wanna share my experience about. The problem was the following: for an ASP.NET web application, when someone tries to access a directory under the site while that directory doesn't have any directly viewable pages (for example, the "/images" or "/CSS" directory), I don't want this person to get a "403 - Forbidden" error, but a "404 - Not Found" error instead. The idea behind this requirement is for security reasons, since, using this 403 response, someone could learn the directory structure of the website simply by trying different directory names, and he might stumble across a directory that he doesn't have access to, such as "/administrator" which would give him a better target to aim future attacks at.

So, the first attempt to fix this problem was through making an HttpModule and add it to the web.config "httpModules" section. To make an HttpModule, all you need to do is have a class in your application that inherits the System.Web.IHttpModule interface, and handles its methods. And in the Init method of your class, you would add and register an event handler for the HttpApplication.PreSendRequestHeaders event. The HttpApplication object is passed as a parameter to this Init method. In this event handler, I did something like this:

HttpResponse response = httpApplication.Context.Response;
if (response.StatusCode == 403)
{
response.StatusCode = 404;
}
What this does is check whether the response status code is 403, and replaces it with a 404 status code.

After creating this class, all I had to do to activate this HttpModule was to add it in the web.config file in the <httpmodules> section in <system.web>.

This didn't work, however! The reason this didn't work became obvious quickly after a few breakpoints and some debugging. Since directory listing was denied in my IIS website, when someone tries accessing a directory name they get the 403 response code directly from IIS, and the ASP.NET runtime doesn't know anything about that request in the first place!

This lead to the natural conclusion that, if ASP.NET doesn't know anything about it, this obviously needs to be handled from IIS itself through an ISAPI module! Of course, further investigation made it very clear how messy and dangerous ISAPI modules are, and since this isn't really that much of a must-do, the whole thing was about to get abandoned. That is, until I had another idea!

Instead of relying on IIS denying directory listing, I put an empty Default.aspx page in the directory I wanted to hide. In this Default.aspx, all I needed to do was run a single line of code that changes the response code from 200 (OK) to 403. When this happens, then the httpModule is invoked and finds this response code in the response header, the above code will work its magic and make it a 404 instead! Of course, I could have avoided adding an HttpModule and simply set the 404 response code in the page itself, but since I have many folders that I need to hide and I might need to handle this situation differently one day, I chose to keep the HttpModule and issue the 404 error from there instead.

So far what would happen is that the Default.aspx would get rendered to the output but the returned status code would be 404. If you need this to change, you can clear the response in the HttpModule code and change the response to, say, the common IIS 404 error page.

Also, if you have some directory permissions setup in web.config files inside those hidden folders and you want other (unauthorized) users to get the same 404 error for these (restricted) files too, all you would need to do is handle 401 (Unauthorized) status codes in your HttpModule as well. But, be careful, if you are using the ASP.NET built-in authentication, and you deny anonymous users, you should know that ASP.NET returns a 401 the first time an anonymous user tries to access the site, so that the browser would know that this site needs authentication and either sends this authentication directly or asks the user for it (depending on settings). So, if you simply handle all 401 responses, you will interfere with this process and EVERYONE will get 404 errors! So, what you need to do is, if you're using ASP.NET build-in authentication (ex. via web.config's "authentication" and "authorization" sections), you need to let the 401 pass if the HttpApplication.User.Identity.IsAuthenticated property is false, so the user could get the chance to authenticate.

Well, that's it. I hope this was informative! If you read this and find it useful, please drop me a comment. Also, I would be really interested in any comments about how good or bad this method of hiding the directory structure is. If you can bypass it, you should definitely let me know ;-).

Sunday, February 01, 2009

Thousander Club Update (2/1/2009)

This week's Thousander Club update:
  • Game Development Hours: 14 / 1000 (this week), 43 / 1000 (overall)
  • Novels read: 0 / 12
  • Books read: 0 / 12
  • Games finished: 0 / 12
This week was a little slow for some reason. I still managed to do some work over the weekend, but unfortunately not all the work I needed to finish to get done with my Rubik's Cube game. I did, however, finish this much:
  • Successfully implemented face rotation, both absolute and relative to the current cube's rotation.
  • Got the arcball rotation working (although not quite perfectly yet, as it clashed with the face rotation code for some yet-to-be-determined reason!).
This last issue where the arcball rotation clashed with the face rotation consumed a lot of time trying to reason with, and eventually took up more time than it was supposed to. I think I know where the problem is, though, but I'm not sure I'll take the time and effort needed to fix it, since it's partially a bit of clashing functionality as well. You can rotate the cube in 90-degree animated rotations, and you can rotate each face clockwise and counter-clockwise. Also you can choose to either rotate the "current" top/bottom/left/right face (relative to the current rotation) or the "absolute" face (as if you were still looking at the cube in its original orientation). I'm starting to think an arcball isn't really needed. I do wanna get it right though, especially that I already did manage to get rotation working perfectly with face rotation in a previous DirectX variant of the Rubik Cube game.

Anyway, I know I said I'll try to get an initial version ready by now, but it looks like it's gonna have to wait just a little bit. I still need to "classify" my code, so to speak, and I need to see if I can make it into a redistributable package so you wouldn't need to have Ogre3D installed before you can run it.

On a different note, I havn't been doing any progress with either of the other objectives! Here we are, starting February, so I really should try to finish my first Book, Novel, and Game. My choices are: Learning Perl, LoTR: The Two Towers, and Doom 3, respectively. I will try to update on my progress for these objectives as well.