johnk
  • Posts: 230
  • Joined: 23/04/2013
In the recommended.web.config (link below), the recommended version is 4.5

https://github.com/YAFNE...T/recommended.web.config 

However that version is no longer supported since Jan 2016.

https://blogs.msdn.micro...amework-4-4-5-and-4-5-1/ 

Hence please consider upgrading it to 4.7.1

Also could you release version 2.3 (which has many useful features). There are still 3 feature requests pending in version 2.3. Maybe you could move these three things to the next version? Version 2.2.0 (the previous major version) was released in Feb 2015 🙂
johnk
  • Posts: 230
  • Joined: 23/04/2013
In web.config, I have the following suggestions:

https://github.com/YAFNE...T/recommended.web.config 

Line 42: optimizeCompilations="false"
Reason: Please remove this sentence. Asp.net will now automatically set this. We don't need to manually set this to false.

Line 53: controlRenderingCompatibilityVersion="4.5"
Reason: Please remove this sentence. This is only required if we are targeting asp.net 2.0. For asp.net 4.5 and above, we don't need this sentence.

Line 53: enableEventValidation="false" validateRequest="false"
Any idea why these two are set to false? Many people use YAF forum as one small part of their website. If we disable validation in main web.config, it will disable validation for the entire website (and open their entire website to XSS, SQL injection and other attacks). Most users may not know that they are opening their website up to being attacked/hacked by disabling validation. Hence if we don't need this, it is important to remove these two sentences.

Line 122-127: <add name="HttpGet" /> <add name="HttpPost" />
These two are already added by default. Hence there is no point asking IIS to add it again.

Line 130: <validation validateIntegratedModeConfiguration="false" />
Can this line be removed for asp.net 4.5 and greater?

Line 132: Are <add name="YafTaskModule" and "UrlRewriter"> being added twice, in lines 49 and 134? Is that correct?

Line 143: <urlCompression doDynamicCompression="false" doStaticCompression="true" dynamicCompressionBeforeCache="false" />
Consider removing these three sentences. Let IIS server handle the default value. BTW, default value of doStaticCompression is already true and dynamicCompressionBeforeCache is false. Hence no point stating it again.
https://docs.microsoft.c...webserver/urlcompression 

Line 146-152: Change from VaryByHeader="User-Agent" to VaryByCustom="Browser"
Reason: https://stackoverflow.co...-or-varybycustom-browser 
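The request-validation point in the post above, as an added example (not a fragment of the YAF.NET recommended.web.config): the two weak `<pages>` attributes beside the corrected values, plus a `<location>` element showing how to confine a relaxation to one application path instead of the whole site. The path "forum" and the surrounding element layout are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Added example, not the YAF.NET project's own web.config.
  Shows the site-wide validation settings discussed above and a scoped
  alternative. The application path "forum" is an assumption.
-->
<configuration>
  <system.web>
    <!-- WEAK: placed in the root web.config these apply to every page of the
         site, not only the forum. validateRequest="false" switches off
         ASP.NET's check for markup/script in request input, and
         enableEventValidation="false" stops postback and callback data being
         checked against the values the page actually rendered. -->
    <!--
    <pages enableEventValidation="false" validateRequest="false" />
    -->

    <!-- CORRECTED: keep both protections on at the site root. These are the
         framework defaults, so the element can also simply be omitted. -->
    <pages enableEventValidation="true" validateRequest="true" />

    <!-- requestValidationMode="4.5" (ASP.NET 4.5 and later) defers validation
         until a value is read, so a page that needs raw input can opt out per
         control with ValidateRequestMode instead of disabling it globally. -->
    <httpRuntime requestValidationMode="4.5" />
  </system.web>

  <!-- If a component genuinely needs request validation off, confine the
       relaxation to that component's path instead of the whole site. -->
  <location path="forum">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>
```

The scoped `<location>` block is the fallback for a site that cannot remove the setting outright; the thread's own conclusion (remove the attributes entirely) is the stronger option.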
tha_watcha
  • Posts: 4081
  • Joined: 06/03/2010
Can you make a pull request for the web.config changes?
johnk
  • Posts: 230
  • Joined: 23/04/2013
I am actually not familiar with github. Hence I am not sure how to do the pull request. It's on my to-do list. 🙂
Zero2Cool
  • Posts: 1082
  • Joined: 26/04/2011
Originally Posted by: johnk

I am actually not familiar with github. Hence I am not sure how to do the pull request. It's on my to-do list. :)

Can you copy/paste your suggested web.config into a post reply? I'll submit a pull request.
johnk
  • Posts: 230
  • Joined: 23/04/2013
I have cleaned up the two web.config files and uploaded them to the following locations:

1. http://areapp.azurewebsi...commended.web.config.txt 
2. http://areapp.azurewebsi...ded-azure.web.config.txt 

A few important things:

1. As mentioned in second post (above), <add name="YafTaskModule" ...> and <add name="UrlRewriter" ...> appear twice. I have not changed those at all. Please have a look and see if that duplicate can be removed.
2. I have changed target framework from 4.5 to 4.7.1 (since support for 4.5 ended a long time ago in Jan 2016)
3. Few hours ago, machine key validation was changed back from SHA256 to SHA1. I have changed it to HMACSHA256
YAF issue: https://github.com/YAFNET/YAFNET/issues/401 
SHA1 deprecated in September 2014: https://support.serverta...ha-1-and-moving-to-sha-2 
Possible key options: https://msdn.microsoft.com/en-us/library/w8h3skw9(v=vs.100).aspx

The only issue I can see is that when a user upgrades the forum, it won't change the password from SHA1 (original value) to the new HMACSHA256. Hence current users won't be able to login, until they do a forgot password and then change password (which will then store the new password in SHA256 format).

4. Password format: This is currently stored as "Encrypted". The problem is that any site owner (or any hacker who hacked the site) can decrypt user password and then be able to use it on other sites. The correct value is "Hashed".

The only issue with that is exactly same as point 3 above. The user will have to do forgot password and change password to new value. Since originally it is stored as encrypted.

So I highly recommend changing both values in web.config at the same time: SHA1 to HMACSHA256 and Encrypted to Hashed. This will give maximum security to YAF users and prevent their passwords from being decrypted in case the YAF forum is hacked.

Overall I am eagerly waiting for YAF 2.3 release. We can make these changes in this "major" release. Please remember to add a note that user may be required to change their password one time to get latest security.
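Points 3 and 4 of the post above, as an added example (not the YAF.NET project's own web.config or its Azure variant): the reversible password format and SHA1 validation beside the recommended `Hashed` and `HMACSHA256` values. The provider name, provider type, connection string name and key placeholders are assumptions; a real deployment needs a matching `<connectionStrings>` entry and freshly generated keys.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Added example, not the YAF.NET project's own web.config.
  Provider name, type, connectionStringName and the key values are
  placeholders, not YAF's real values.
-->
<configuration>
  <system.web>
    <!-- hashAlgorithmType selects the algorithm used for Hashed passwords.
         When it is absent, ASP.NET falls back to the machineKey validation
         algorithm, which is why the two settings should be changed together. -->
    <membership defaultProvider="ForumMembershipProvider" hashAlgorithmType="HMACSHA256">
      <providers>
        <clear />
        <!-- WEAK: passwordFormat="Encrypted" is reversible with the
             decryptionKey, so anyone holding web.config (the site owner, a
             backup, or an attacker who obtained it) can recover every user's
             plaintext password and reuse it elsewhere. -->
        <!--
        <add name="ForumMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="ForumDb"
             passwordFormat="Encrypted" />
        -->
        <!-- CORRECTED: "Hashed" stores a salted one-way hash. Accounts created
             under the old format keep it until the user resets the password,
             as the post above notes. -->
        <add name="ForumMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="ForumDb"
             passwordFormat="Hashed" />
      </providers>
    </membership>

    <!-- WEAK (commented out): SHA1 validation.
    <machineKey validation="SHA1" decryption="AES"
                validationKey="REPLACE_ME" decryptionKey="REPLACE_ME" />
    -->
    <!-- CORRECTED: HMACSHA256 validation. Generate both keys on the server
         (for example with the IIS Manager "Machine Key" feature); never copy
         key material from an example file. -->
    <machineKey validation="HMACSHA256" decryption="AES"
                validationKey="REPLACE_WITH_128_HEX_CHAR_KEY"
                decryptionKey="REPLACE_WITH_64_HEX_CHAR_KEY" />
  </system.web>
</configuration>
```

Applying this to an existing installation does not rewrite stored credentials; as the post says, users on the old format must go through a password reset before the new settings protect their account, so the change belongs with an upgrade note.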
tha_watcha
  • Posts: 4081
  • Joined: 06/03/2010
I implemented the suggestions

Quote:

1. As mentioned in second post (above), <add name="YafTaskModule" ...> and <add name="UrlRewriter" ...> appear twice. I have not changed those at all. Please have a look and see if that duplicate can be removed.

It's included twice because the system.webServer section is only for IIS 7 and above

Quote:

Line 122-127: <add name="HttpGet" /> <add name="HttpPost" />
These two are already added by default. Hence there is no point asking IIS to add it again.

At least in my tests some functions didn't work unless I add these lines to the web.config

Quote:

Hence please consider upgrading it to 4.7.1

The current version in 2.3.0 is 4.6.2. Using the newest .NET version 4.7.2 is not a good idea. Hosting Providers usually upgrade to the latest framework version fast. But not Users who run their own servers. This caused too many troubles in the past. Until the adoption rate is faster we stick with version 4.6.2 for now.

Quote:

Also could you release version 2.3 (which has many useful features). There are still 3 feature requests pending in version 2.3. Maybe you could move these three things to the next version? Version 2.2.0 (the previous major version) was released in Feb 2015 :)

The last major version is 2.24 not 2.20 which was released in 2017. Version 2.30 is currently in Alpha stage. Releasing it now is not an option. And I don't have as much free time as I want, so it will take some more time to finish this release.

Is there any feature you need so I could release a version 2.25?

johnk
  • Posts: 230
  • Joined: 23/04/2013
Thank you for your help with this. The only feature I would very much like is responsive design - since around 65-70% of my visitors are using mobile devices.

Edit:

1. Could you also sync up changes in both web.config files? Example also change "encrypted to hashed" in azure web.config

2. I did some more research for <add name="YafTaskModule" ...> and <add name="UrlRewriter" ..

It looks like we can safely remove the duplicate in <httpModules>. This is because IIS 6 does not support the 4.6 framework. Hence people who upgrade to YAF 2.25 will be using IIS 7 or more.

IIS 6 can only be installed in windows 2003 Server (and not on Windows 2008 Server): https://forums.iis.net/t...Server+2008+with+IIS+6+0 
Link: https://stackoverflow.co...1935534/iis6-and-net-4-5 
Version 4.6 is only supported in Windows 2008 Server and above: https://support.microsof...eb-installer-for-windows 
tha_watcha
  • Posts: 4081
  • Joined: 06/03/2010
Originally Posted by: johnk

Thank you for your help with this. The only feature I would very much like is responsive design - since around 65-70% of my visitors are using mobile devices.

Edit:

1. Could you also sync up changes in both web.config files? Example also change "encrypted to hashed" in azure web.config

2. I did some more research for <add name="YafTaskModule" ...> and <add name="UrlRewriter" ..

It looks like we can safely remove the duplicate in <httpModules>. This is because IIS 6 does not support the 4.6 framework. Hence people who upgrade to YAF 2.25 will be using IIS 7 or more.

IIS 6 can only be installed in windows 2003 Server (and not on Windows 2008 Server): https://forums.iis.net/t...Server+2008+with+IIS+6+0 
Link: https://stackoverflow.co...1935534/iis6-and-net-4-5 
Version 4.6 is only supported in Windows 2008 Server and above: https://support.microsof...eb-installer-for-windows 

1. Done

2. Thanks, I didn't know that. I also removed the duplicated httphandlers section

johnk
  • Posts: 230
  • Joined: 23/04/2013
Awesome. Since there are no more duplicates you can also remove these two lines from both web.config files:

<remove name="YafTaskModule" />
<remove name="UrlRewriter" />
tha_watcha
  • Posts: 4081
  • Joined: 06/03/2010
Originally Posted by: johnk

Awesome. Since there are no more duplicates you can also remove these two lines from both web.config files:

<remove name="YafTaskModule" />
<remove name="UrlRewriter" />

done

Quote:

Thank you for your help with this. The only feature I would very much like is responsive design - since around 65-70% of my visitors are using mobile devices.

That's the only feature that is not finished and will take the most time, you have to stick with the mobile theme for now.

Zero2Cool
  • Posts: 1082
  • Joined: 26/04/2011
Originally Posted by: johnk

Thank you for your help with this. The only feature I would very much like is responsive design - since around 65-70% of my visitors are using mobile devices.

Are you using YAF stand alone or within a shell of an application?
johnk
  • Posts: 230
  • Joined: 23/04/2013
I am currently using YAF as a part of the application.
Zero2Cool
  • Posts: 1082
  • Joined: 26/04/2011
Originally Posted by: johnk

I am currently using YAF as a part of the application.

So, you're using the ASP.NET SampleApplication or just blended YAF into your own Application?

I am asking because I did mine off the Sample Application and was able to modify a lot of the UI to be responsive. If I can do it, I know you would be able to. It took me about 16-20 hours to do. It's very generic and un-themed though.
johnk
  • Posts: 230
  • Joined: 23/04/2013
I built the application from scratch and integrated it with YAF. I can certainly change CSS to make it responsive. The only problem is that with every new YAF release, I would have to manually check every page to make sure everything is still working correctly. Hence it is always preferable to make these changes at the source. In addition, by changing it at the source, lots of people will also benefit from these changes.