Thursday, November 7, 2013

Setting Cache Control HTTP Headers in Web API Controller Method

Controlling caching behaviour of an HTTP response is an important task that cannot be ignored as it will have a big impact on a web application load and performance. In ASP.NET Web Forms and MVC applications it usually is done by using special directives or attributes that take care of adding corresponding headers to the response. ASP.NET Web API framework unfortunately does not come with an out of the box support for this functionality so concious developers need to deal with that themselves. Luckily it is not a difficult task to do as the Web API framework has a number of support objects that simplify the job.

Basically in order to control caching behaviour we need to make sure that the output response will have what is called "Cache control header" with proper values that determine caching behaviour. Example below demonstrates how to make a response publicly cacheable for a period of time:

To simplify the usage further we can even create a static extension method that can be easily applied in a controller method:

Wednesday, November 6, 2013

ASP.NET and SSL Offloading

SSL offloading is quite a popular method of improving a web server performance by delegating a CPU-intensive SSL processing operations to an external device such as a load balancer. Because having a load balancer only makes sense when there are multiple web servers working in a farm it looks like an attractive solution for maximizing usage of a load balancer and at the same time improving performance of web servers by freeing them from doing an "unnecessary" SSL processing. What also makes SSL offloading a high profile feature is load balancing appliance vendors marketing SSL offloading as one of the selling points of their products.

With all above said being correct it is not always recommended to rush for turning SSL offloading on. One very specific use case is an ASP.NET application using  Web Forms authentication configured to serve protected content over secure connection only. What that means is when a request for a protected page sent over unsecured HTTP the application will redirect it to a secured version of the Url. But because the SSL request never reaches a web server (since it's being intercepted by a load balancer and converted into HTTP request) the application logic will be stuck in an infinite redirect loop. To resolve the problem there are only two options: allow protected content over an unsecured connection or disable SSL offloading. If there is more of an application logic that requires secured connection between client an a server it makes more sense to not use SSL offloading at all.

There are however scenarios when SSL offloading is very helpful. Examples include but no limited to many kinds of data processing service-like web applications that are not intended to return human-readable HTML output, TCP/IP based data processing applications that do not use HTTP at all and so forth. Most likely such applications will not base their logic on a condition of a secure connection with a client.

What are PROs and CONs of using SSL offloading? Obviously one positive point is web servers performance improvement by removing SSL processing from their plates. How important that could be? Most likely that depends on traffic. For high traffic high profile publicly accessible web servers that could be very important but in such cases all the efforts must be made to not couple application logic with a type of client-server connection. From another hand modern server CPUs implement specialized command sets that make SSL processing much less intensive and not so terrifying a task for web servers so it could be more convenient to allow secure traffic directly to web servers.

Another consideration is how secure traffic passing between an SSL offloading load balancer and a web server is. Obviously both devices are supposed to be behind a firewall but it needs to be take care of because traffic may contain sensitive information and in such a case load balancer could become a point of attack.

One more concern is IT maintenance. Secured infrastructure requires setting up and maintaining SSL certificates and other components. If there are a lot of web servers in a farm it could make sense to minimize maintenance by centralizing all SSL configurations on SSL offloading devices.

In conclusion, understanding specifics of a particular implementation is crucial for making a correct decision about using SSL offloading technique.

Thursday, September 19, 2013

Why Some Web Sites Suck

I am an active Internet user. I visit and use a lot of different web sites including those for all kinds of e-commerce and utilities. Being at the same time an experienced professional web developer allows me to understand why some web sites are not as good as others and some of them simply suck. The first and foremost reason from my experience is that web site's developers do not follow web development best practices and most likely do not test their creations thoroughly.

In this article I am trying to analyse and describe most commonly occurring problems not visible to a non-professional eye but significantly affecting users' experience.

Base technology platform selection

Often a web site could be built on top of a platform that is familiar to a development team but not necessarily a good choice for a new project but sill would be selected. One particular example is a high traffic e-commerce web site built upon Microsoft Sharepoint Portal Server because the developer team used this technology for a corporate news portal. The platform choice always brings its limitations and must be validated against a particular web site goals and usages. How fast do you expect it to work? How cross-browser compatible do you expect it to be? Those and other similar questions should be asked to make sure the technological platform choice is proper.

Web development framework

Obviously the platform choice limits the options for a Web development framework but if you are a .NET developer you most likely have at least two choices: ASP.NET WebForms and ASP.NET MVC. Both frameworks are modern first-class web development tools and support all the recent technological advances of web development. However regardless of the framework choice a team needs to make sure it uses all those advances and follows known best practices for a selected framework.

Most frequently noticed ASP.NET development bad practices

When I come across a web site that I don't like but still have to use I usually take a pick at the source code and easily spot some from the known bad practices listed below.

  • HTML 4.01 Transitional. Remind me what year is it?
  • JavaScript and CSS references neither bundled nor minified. Page load time, anyone?
  • Inline JavaScripts that are neither minified nor obfuscated. See the previous point.
  • Inline JavaScripts do not use OOP: still the old school functions only.
  • Inline handling of cross-browser differences like "<!--[if IE 7]>". Well, this is really old school. No need to do that any more especially with JS libraries like jQuery.
  • Inline CSS using ASP.NET long IDs. Shame on you, development team. That was considered poor poor practice since I can remember. Basically it's just a hack.
  • Still using long ASP.NET IDs. You really need to do your home work and read documentation.
  • Viewstate embedded right on a page. No comments here. If I see that my only hope that it's properly encrypted. How fast have you expected it to load?
  • Still using hidden input elements to manage state. Have you considered other methods like Session maybe?
  • Still using server controls for simple HTML like 'a' or 'li'. I call this lazy and I want to blame your team's coding best practice policies for that.
  • Multiple different JavaScript libraries are present for example jQuery and Microsoft Ajax, that functionally overlap with each other. You do need to make up your mind and pick up just one.


Try follow the suggestions below as they are proven best practice and help develop much better web sites.

  • Use HTML 5.
  • Minify and bundle CSS and JavaScript files. Not only doing that improves web site load times but also makes development and maintenance easier. Take a look at and also try to search for ASP.NET Bundling.
  • When develop on JavaScript treat it as a first class programming language and apply all the same practices as you would for a server-side language like C#. Read this and notice that it's from the year 2009.
  • Use proven JavaScript libraries that handle cross-browser compatibility well and do not try to invent your own wheel.
  • Implement well known solutions for hiding framework's specifics like client IDs, Viewstate, etc. Even though you need to use them it does not mean you cannot do it right.
  • Always prefer server-side technique instead of client-side for handling application state. If nothing else Session is your best friend.
  • Learn and use HTML directly for simple cases instead of server controls. It's not 2001 any more and you call yourself a Web developer.
  • Do not use multiple client-side libraries that functionally are similar. Not only that makes development and maintenance a nightmare but also tells a lot about your software design skills. Make your choice and use the best tool for your job.

User Experience

It's enough of technical stuff. Let me become just a regular user and tell you that when a  web site is slow, confusing, inconsistent and not cross-browser compatible it sucks. Test it thoroughly and remember the web site is your professional resume. 


This post was not intended as a thorough review of web development best practices and more like a spur of a moment cry-out, but come on! It is 2013 and professional web developers are supposed to build Web 3.0 web sites today for tomorrow and not for a day before yesterday. It also touches me personally when I visit web sites with similar issues because they bring shame on all the web professionals not just those who worked on a web site. Colleagues, please listen up and make improvements. Everybody will like that.

Monday, December 10, 2012

Setting a "Content-Disposition" HTTP Header in Web API Controller Method

When developing an ASP.NET Web API controller method that allows to download a file it is considered a good practice to set a "Content-Disposition" header to guide a browser of a name of a file being downloaded.

There are two different ways to approach this simple task. First is to add a new HTTP header to the HTTP response using string values for the header's name and value. The second is to try and use the .NET framework's infrastructure methods that presumably should make this task easier.

The first method seems to be very simple but potentially dangerous: one would need to hard-code string values and be totally responsible for the values to be properly formatted according to the W3C standards.

The second method is to try and delegate handling of the specifics of the HTTP protocol to the .NET framework by using corresponding presumably built-in methods. This seems more appropriate and even easier to achieve. However due to poor documentation of the Web API extensions that is easier said than done. without further ado this is how it's done:

Only one string value here should hard-coded with a guideline available in the official documentation so it's not that bad.

If you find this information possible share it with your fellow colleagues so it may save their valuable time.

Tuesday, February 21, 2012

Fixing 'Bootmgr is missing' problem on Windows 7

The reason for this post is that it took me three hours on the weekend to fix this problem and based on the amount of search results the Google returns for that keywords I figured there are a lot of people facing such a problem. So my goal is to provide with a simple explanation and easy fix to save one's time and may be even prevent this problem from happening.

Let's start first from understanding what exactly is the problem. Secondly we see how to fix it and lastly we discuss the scenarios that could cause such a problem.

The problem

When one tries to boot up a computer with Windows 7 OS on it and instead sees a black screen with a message "Bootmgr is missing - Press CTRL+ALT+DEL to restart". (I guess it's obvious that restarting will not fix the problem)

There is an important condition for the fix described in this article: the computer was booting before but after some changes this error occurred. If this is not the case than the solution might not be applicable but from another hand it would not hurt to read further.

So what exactly is the problem? The answer is easy: it's right in the message. Windows is looking for a file with a name "bootmgr" and cannot find it. This is a hidden file of a size about 320Kb that should reside in the root of a boot partition on a hard drive where the Windows OS is installed. We will discuss the reasons why it's missing later but now since we know what the problem is how can it be fixed?

The fix

Copy the bootmgr file from the source to the root of the boot Windows partition on hard drive. An XCOPY command can be used with an /h switch that allows copying hidden and system files. For example:
X:/>xcopy bootmgr C:\ /h

Where to find the bootmgr file?

This is an important question. The answer depends on a particular computer's configuration but based on the problem statistics let's just mention the most probable locations to search for the file (don't forget it's hidden):
  • Root of another hard drive with Windows 7 on it
  • Root of another partition on the same hard drive with Windows 7 on it
  • Windows 7 installation DVD
Once you figure the location of the bootmgr file simply copy it over to a boot partition and restart the computer: it should be able to boot in windows successfully this time and you are done.

The possible causes of the problem

In my case and based on the Internet search results that seems to be a very popular cause I have installed a second hard drive in the computer and then installed Windows 7 on a new hard drive. The key here is that Windows installer did not copy the bootmgr file on a new hard drive because it already existed on an old hard drive. The same problem would have happened if Windows was installed on a new partition on the same hard drive where another Windows installation present. These two reasons cover over 80% of the problem occurrences with some variations around different versions of Windows that existed at the moment of a new Windows installation and dual-boot related problem with the same outcome.

Another set of reasons relate to hardware problems with hard drives and not covered in this post for an obvious reason that the only solution for that is to replace a hard drive and reinstall Windows.


Apparently the only proper way of installing Windows is first to hide a hard drive or a partition with another Windows installation and once a new Windows is installed make it visible again. Unfortunately to the best of my knowledge that is not mentioned in the installation instruction.

Advanced technical details

For those who would like to dig a bit deeper I suggest to boot into a Windows Recovery environment (F8 for Windows boot advanced options), open a command line prompt and use a bcdedit utility to explore the BCD (boot configuration database) content to see where Windows looks for the bootmgr file.


Once the cause of the problem is understood the fix is easy however the search for the cause has been significantly slowed down by an amount of misinformation that Google search returned.