Today I found out that I will be attending TechEd 2006 in Boston.  Thanks of course to my new employer Pets Best Pet Insurance.  I am looking forward to seeing many friends again and checking out the latest and greatest technologies.  Look for me at the Windows Workflow Foundation and other WinFX sessions.  I will probably hit an IIS 7 session or 2 as well.  Of course I will probably spend a fair amount of time in the cabana area also.

If you are going to be there and would like to say hello in person then lets meet up.

Time is nearing for the first Boise Code Camp.  I will be doing 2 presentations on DotNetNuke and several others will be presenting a lot of other great material.  I put a lot of effort in getting door prizes for the event.  We are close to having enough prizes that most attendees should go home with something.  Of course the session material is the most valuable aspect, but winning a copy of Visual Studio Team Suite with MSDN wouldn't hurt either.

This week I started reading Professional ASP.NET 2.0 Security, Membership, and Role Management by Stefan Schackow.  I can't recommend this book enough.  Stefan is a great guy as well.  I had opportunity to meet him on a couple different visits to Redmond.  I wish I had this book 2 years ago when I started looking at the Membership and Role API's in .NET 2.0.  (Yes, I was looking these things 2 years ago.  They were announced at the PDC in Oct. 2003).

Today I found a bonus nugget of goodness I had to share that is indirectly related to ASP.NET 2.0 security.  On Page 429 Stefan explains why all the SQL objects in the Microsoft SQL providers for .NET 2.0 explicitly reference DBO as the object owner.  (ex. dbo.aspnet_Memberhsip)  It turns out that SQL 2000 takes a performance hit if the object owners are not explicitly declared in stored procedures, views, etc.  The performance hit is significant enough that Microsoft did a QFE on ASP.NET 1.1 SQL Session state.  I had no idea and I figured many others also were clueless about the patch for Session State as well as the performance issue.

Check out Todd Carter's blog for some more details.  It also includes a link to the .NET 1.1 Session State fix.

This week has been absolutely amazing.  Sr. level .NET developer jobs are showing up everywhere.  Here is a list off the top of my head.

Amphire
Healthwise
Micron
Comsys
TEK systems
Idaho Commerce and Labor
Innova Systems International
WillowTree Software
neoreef

.NET guru Scott Hanselman has started a new podcast.  No excuses, just get over there and subscribe to it.

www.hanselminutes.com

I checked today and the script I wrote yesterday is working!  I was feeding the entire URI to the tracker which makes the document path show up with the protocol as the folder name in the tool.  I decided to modify the TrackIt function slightly.  I am peeling off the protocol from the link and prepending it with my own folder name to make it easy to distinguish document downloads for other content.

Enjoy!

function TrackIt(link)
{
// Remove the conversion to Lowercase if you are on a Case sensitive web server
var slashes = link.href.indexOf("//") + 2;
var docPath = link.href.toLowerCase().substring(slashes, link.href.length);
urchinTracker("/#docs/" + docPath);
}

Previously I blogged about possible solutions for tracking downloads with Google Analytics.  The solution I am going to experiment with first is to dynamically add the tracking code to my download links via JavaScript.  I spent quite a bit of time on my script to make it cross-browser compatible and so that it would handle proper timing of execution based on the loading of the links.  I also used a regular expression to limit the tracking to specific link types.  Hopefully those match most cases.  If all goes well I will probably wrap all of this into a simple ASP.NET control that can be added to an page you want tracked. 

First off you need the standard Google tracking scripts:

<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
<script type="text/javascript">
_uacct = "UA-XXXXXX-X";
urchinTracker();
</script>

Second is my new download tracking script.  I have placed it in a separate file for browser caching and easy updating.  Also it has the defer="defer" attribute so that IE will not load the script until the content has finished loading.  XHTML compliance required me to include a value for the attribute.  Please let me know if you come up with any improvements to the script or if you find any errors.  Thanks to quirksmode for info on the dynamic event models and dean edwards for info on deferred script execution.

Here is the actual downloadtracker.js code

// We dont want the try adding the tracking code until the page links are loaded
if (document.addEventListener) {
document.addEventListener("DOMContentLoaded", addEvents, null); // Firefox
} else {
addEvents(); // IE : Call the function immediately because the script is referenced with the defer attribute supported by IE
}

function addEvents()
{
// quit if this function has already been called
if (arguments.callee.done) return;
// flag this function so we don't do the same thing twice
arguments.callee.done = true;
for (i=0; i <document.links.length; i++)
{
var x = document.links[i];
// Only attach tracking code to specific file types
var extensions = new RegExp(".+\.(zip|pdf|xls|doc|csv|txt|ppt|xml|rtf)$");
var doc = x.href.toLowerCase().match(extensions);
if (doc)
{
if (x.attachEvent)
{
x.attachEvent('onclick', function () {TrackIt(window.event.srcElement)}); // IE
} else {
x.addEventListener('click', function () {TrackIt(this)}, false); // Firefox
}
}
}
}

function TrackIt(link)
{
// Remove the conversion to Lowercase if you are on a Case sensitive web server
urchinTracker(link.href.toLowerCase());
}

Rick Strahl says: Get Excited About IIS 7.0.  Having seen it myself I wholeheartedly agree. 

Like many others I am trying Google Analytics.  I first heard of the JavaScript tracking technique with LiveStats 7.  One feature that kept me from liking the technique they use for tracking is that it is difficult to track file downloads.  I work with a lot of content management systems that would require quite a bit of modification to add the required scripts to file download links.  However, the information you can get from this tracking technique is otherwise far superior to anything you can ever get from  traditional log analysis.  Ideally I would like to dynamically add the tracking code to all download links in my content.  The 2 ideas floating in my head at the moment are:

#1  Add an ISAPI filter in IIS that would parse all output and add the tracking code to any download links that match RegEx patterns.  Perhaps all PDF download links for example.

#2  If possible, use JavaScript injected in the content pages to dynamically add events like onClick to elements like the anchor tag.  I already have to inject the tracker scripts so it would be great if I could inject a page parser script as well. 

Anyone have other ideas or thoughts on the possibility of these options?  I don't do ISAPI so #1 is out for me unless I can hire it out.

It seems like forever ago that I started recommending Fredrik Normen's Permission Manager.  Recently I was tasked to find a way to restrict nodes in a SiteMap based on Permission.  Today I completed that task and thought I would share it with the world.  First of all, I appoligize for writing the code in VB.NET (employers standard), but you can all compile it and reference it from C# so get over it.

What I did to create the PermissionXmlSiteMapProvider was to inherit directly from XmlSiteMapProvider and then extend 2 methods.  First of all I extended the Initialize method so that I could verify that it was configured properly.  Since it is dependent on the presence of Permission Manager and it properly working I added a simple check to verify that it has a provider.

The second method to override for the addtion of Permission to a SiteNode was IsAccessibleToUser.  Thankfully the siteNode can have extra attributes on it without complaint.  I used that to check for the permission attribute.  If it is there then a call to Permission Manager is done for the named permission and the currently logged in user.

After configuring my applications to use my new Provider I restrict access to nodes as easy as this:

Since I built on top of the XmlSiteMapProvider I also get the ability to do Roles restriction and a combination of Roles and permission:

It is important to note a few things that I ran into while working on this solution.  You must enable Security Trimming.  If you will restrict based on Roles you also must enable RoleManager.  Restricting via Roles is a little quirky as described in the MSDN Site Map Providers document.  Specifically review the Security Trimming section.

Here is the siteMap section of Web.config that implements the PermssionXmlSiteMapProvider:

<siteMap enabled="true" defaultProvider="PersmissionXmlSiteMapProvider">
  <providers>
    <add name="PersmissionXmlSiteMapProvider" 
           type="IDCL.Web.Security.PersmissionXmlSiteMapProvider, IDCL.Web"
           description="Permission xml site map provider"
           securityTrimmingEnabled="true"
           siteMapFile="Web.sitemap"/>
  providers>
siteMap>