An essential component of online application security is session management. We fix a widespread issue in this post that lets potential attackers reuse existing session IDs to obtain unauthorized access to ASP.NET sessions even after they have been logged out. We'll go over how to apply best practices like SSL/TLS and secure cookie settings, as well as how to correctly invalidate sessions upon logout and regenerate session IDs upon login. You can safeguard your ASP.NET application against replay and session fixation attacks and provide a safer environment for your users by adhering to these rules.

How to Handle the Problem
1. Upon logout, invalidate the session
Make sure that when the user logs out, the session is appropriately invalidated. You can accomplish this by using Session.Abandon() in your logout procedure.
An illustration of the logout action

Example in Logout Action
public ActionResult Logout()
{
    // Clear the session
    Session.Abandon();
    Session.Clear();
    // Clear authentication cookies
    FormsAuthentication.SignOut();
    // Redirect to the login page or home page
    return RedirectToAction("Login", "Account");
}

Explanation

• Session.Abandon() marks the session as abandoned, which means that the session will no longer be used and a new session will be created for the next request.
• Session.Clear() removes all items from the session.
• FormsAuthentication.SignOut() logs the user out and clears the authentication ticket.

2. Regenerate the Session ID Upon Login
It's important to regenerate the session ID after a successful login to prevent session fixation attacks. This ensures that any previous session ID is no longer valid.

Example

public ActionResult Login(LoginViewModel model)
{
    if (ModelState.IsValid)
    {
        // Authenticate the user
        var isAuthenticated = Membership.ValidateUser(model.Username, model.Password);
        if (isAuthenticated)
        {
            // Regenerate session ID to prevent session fixation
            SessionIDManager manager = new SessionIDManager();
            string newSessionId = manager.CreateSessionID(HttpContext.Current);
            bool redirected = false;
            bool isAdded = false;
            manager.SaveSessionID(HttpContext.Current, newSessionId, out redirected, out isAdded);
            // Set authentication cookie
            FormsAuthentication.SetAuthCookie(model.Username, model.RememberMe);
            return RedirectToAction("Index", "Home");
        }
    }
    return View(model);
}

Explanation
The SessionIDManager is used to create a new session ID, which is then saved to the current session. This ensures that after logging in, the user’s session ID is different from the one used before authentication.

3. Enforce Session ID expiration
Set a shorter session timeout to minimize the risk of an old session ID being used.

Web. config Setting

<system.web>
    <sessionState timeout="20" />
</system.web>

Explanation
The timeout attribute specifies the number of minutes a session can be idle before it is abandoned. A shorter timeout can reduce the risk of session reuse.

4. Use SSL/TLS
Ensure that your application uses SSL/TLS to protect the session ID in transit. This prevents attackers from capturing the session ID via network sniffing.

5. Secure Cookies
Mark the session cookies as HttpOnly and Secure to prevent client-side access to the session ID and ensure they are only transmitted over secure connections.

Web. config Setting

<system.web>
    <authentication mode="Forms">
        <forms requireSSL="true" />
    </authentication>
    <sessionState cookieSameSite="Strict" />
</system.web>

Explanation

• requireSSL="true" ensures that cookies are only sent over HTTPS.
• cookieSameSite="Strict" helps prevent CSRF attacks by limiting the conditions under which cookies are sent.

Summary
By ensuring that the session is properly invalidated on logout, regenerating the session ID upon login, setting session expiration policies, and securing your application with SSL/TLS and secure cookies, you can effectively mitigate the risk of session fixation and replay attacks. This will enhance the overall security of your ASP.NET application.

This kind of testing includes evaluating several software components simultaneously, from beginning to end, and evaluates them collectively. Integration testing in the structured development process uses unit-tested modules as input, aggregates them into a bigger set, and runs integration tests according to the test plan's specifications to produce output results that trigger system testing. Because it allows you to test the system in real-time and gain valuable insights into how it functions, integration testing is crucial.

Difference between unit testing and integration testing
In unit testing, we concentrate on a brief section of code, typically one function or method. Verifying that a piece of code is functioning and delivering the desired outcome is the aim. In order to test the logic using fictitious data, external dependencies like as databases, APIs, or services are typically mocked.

Integration testing examines how various system components interact with one another. Integration tests, as opposed to unit tests, verify that the integrated components function as intended in a realistic setting by using real or in-memory databases and other services. For a deeper understanding, let's dive right into the code.

Setting Up the .NET Core Project for Integration Testing
In this project, we will create a test environment using docker containers to create the test db using Postgres docker image. Create a test project inside your project solution using the .NET XUnit template.

Let's install all the necessary Nuget packages. Below is a list of packages that are required for testing.

• Microsoft.AspNetCore.Mvc.Testing
• AutoFixture
• AutoFixture.AutoMoq
• Testcontainers
• Test containers.PostgreSQL

For setting up the test environment we need to use the WebApplicationFactory class provided by Microsoft.Net.

Understanding the WebApplicationFactory
WebApplicationFactory<TEntryPoint> is used to create a TestServer for integration tests. `TEntryPoint` refers to the entry point class of the System Under Test (SUT), which is usually the Program.cs class.

To use this in our testing project, we first need to expose the Program.cs class. The reason for this is to inform the testing project that this is the entry point of the system.
There are two ways to expose the Program.cs class to the testing project.
First, add the below XML in your starting project (WebAPI project).

The second is to create a partial class with the name public partial class Program { }

Setting up the Postgres container for our testing environment requires us to construct a customized version of our WebApplicationFactory class. The WebApplicationFactory class, which is inherited and implements the IAsyncLifetime interface, is modified in the version shown below. With this implementation, all resources acquired by the test environment or Docker container are released once our tests in Visual Studio Test Explorer have concluded, ensuring that the Postgres container is disposed of appropriately.

We also need to set up Docker Compose to fetch the latest PostgreSQL image. Right-click on the solution, then choose the "Container Orchestration Support" option and select Docker Compose. This will automatically add the required files to your solution. Add the below to your docker-compose.yml file.

To signal that the class contains tests and to offer shared object instances among the tests in the class, test classes implement the IClassFixture class fixture interface. To do that, let's implement IClassFixture<TWebAppFactory> and create a BaseIntegrationTest Class.

To construct a completely functional test environment, we must create a database and the necessary tables inside it after retrieving the Postgres image. Include migration code in the BaseIntegrationTest class's constructor as well.

Now we are all set with the test environment and let's move to the actual test. Create a test class in my case.

Now let's run the test from VisualStudio Test Explorer; also, add a docker desktop to your PC. When we run the test first it will fetch the image from the docker hub with the label "postgres: label" and set up the container with our provided configuration in the docker-compose.yml file.

Docker fetched the PostgreSQL image for us.

Here, you can also create containers, and those containers will automatically be disposed of after the test finishes.

As you can see from the result, our test has also been passed also.

Conclusion
Integration testing ensures that different components of an application work together correctly, validating end-to-end functionality and detecting issues not covered by unit tests. It is crucial for identifying integration problems and verifying that the system meets its requirements as a whole. Thanks for reading!

Step 1: Create an account on Stripe and obtain credentials
You must get your API keys and create a Stripe account before you can begin the integration. Take these actions.

• Visit stripe.com to register or log in to Stripe.
• Open the Dashboard and find the API area.
• Make a copy of your publishable key and secret key. These keys are going to be used for Stripe application authentication.

Step 2: Make an application using the.NET API
To integrate Stripe, create a new ASP.NET Core API application. Download the.NET SDK from the.NET website if it isn't already installed on your computer.
Launch a terminal or command prompt.

The command to start a new API project is as follows.
dotnet new webapi -n SubscriptionSystem

Navigate to the project directory.
cd SubscriptionSystem

Step 3: Set Up Stripe in .NET
To use Stripe, install the Stripe NuGet package in your .NET application.

Install the Stripe package.
dotnet add package Stripe.net

Add your Stripe secret key to the configuration.

Open appsettings.json and add the following.
{
  "Stripe": {
    "SecretKey": "your_stripe_secret_key"
  }
}

Step 4: Implement Subscription Functionality
Now, let's implement the subscription functionality. We will create a StripeController to handle the subscription process.

Creating the DTOs
First, create the necessary DTOs for handling Stripe data.

PaymentDto.cs
namespace SubscriptionSystem.Dtos
{
    public class PaymentDto
    {
        public string PaymentMethodId { get; set; }
        public string CustomerId { get; set; }
    }
}

StripePaymentRequestDto.cs
namespace SubscriptionSystem.Dtos
{
    public class StripePaymentRequestDto
    {
        public string Email { get; set; }
        public string PaymentMethodId { get; set; }
    }
}

StripeProductDto.cs
namespace SubscriptionSystem.Dtos
{
    public class StripeProductDto
    {
        public string Id { get; set; }
        public string Name { get; set; }
        public long Amount { get; set; }
        public string Currency { get; set; }
        public string Interval { get; set; }
    }
}

SubscriptionDto.cs
namespace SubscriptionSystem.Dtos
{
    public class SubscriptionDto
    {
        public string SubscriptionId { get; set; }
        public string CustomerId { get; set; }
        public string ProductId { get; set; }
    }
}

Creating the Service Interface and Implementation
Create an interface for the Stripe service and its implementation.

IStripeService.cs
using SubscriptionSystem.Dtos;

namespace SubscriptionSystem.Interfaces
{
    public interface IStripeService
    {
        Task<string> CreateCustomerAsync(string email, string paymentMethodId);
        Task<string> CreateSubscriptionAsync(string customerId, string priceId);
        Task CancelSubscriptionAsync(string subscriptionId);
        Task<StripeProductDto> CreateProductAsync(string name, long amount, string currency, string interval);
    }
}

StripeService.cs
using Stripe;
using SubscriptionSystem.Dtos;
using SubscriptionSystem.Interfaces;

namespace SubscriptionSystem.Services
{
    public class StripeService : IStripeService
    {
        public async Task<string> CreateCustomerAsync(string email, string paymentMethodId)
        {
            var options = new CustomerCreateOptions
            {
                Email = email,
                PaymentMethod = paymentMethodId,
                InvoiceSettings = new CustomerInvoiceSettingsOptions
                {
                    DefaultPaymentMethod = paymentMethodId
                }
            };
            var service = new CustomerService();
            var customer = await service.CreateAsync(options);
            return customer.Id;
        }

        public async Task<string> CreateSubscriptionAsync(string customerId, string priceId)
        {
            var options = new SubscriptionCreateOptions
            {
                Customer = customerId,
                Items = new List<SubscriptionItemOptions>
                {
                    new SubscriptionItemOptions { Price = priceId }
                },
                Expand = new List<string> { "latest_invoice.payment_intent" }
            };
            var service = new SubscriptionService();
            var subscription = await service.CreateAsync(options);
            return subscription.Id;
        }

        public async Task CancelSubscriptionAsync(string subscriptionId)
        {
            var service = new SubscriptionService();
            await service.CancelAsync(subscriptionId);
        }

        public async Task<StripeProductDto> CreateProductAsync(string name, long amount, string currency, string interval)
        {
            var productOptions = new ProductCreateOptions
            {
                Name = name,
            };
            var productService = new ProductService();
            var product = await productService.CreateAsync(productOptions);

            var priceOptions = new PriceCreateOptions
            {
                UnitAmount = amount,
                Currency = currency,
                Recurring = new PriceRecurringOptions { Interval = interval },
                Product = product.Id,
            };
            var priceService = new PriceService();
            var price = await priceService.CreateAsync(priceOptions);

            return new StripeProductDto
            {
                Id = price.Id,
                Name = product.Name,
                Amount = price.UnitAmount.Value,
                Currency = price.Currency,
                Interval = price.Recurring.Interval
            };
        }
    }
}

Creating the Controller
Create a StripeController to handle the subscription process.
StripeController.cs

using Microsoft.AspNetCore.Mvc;
using SubscriptionSystem.Dtos;
using SubscriptionSystem.Interfaces;

namespace SubscriptionSystem.Controllers
{
    [ApiController]
    [Route("api/[controller]")]
    public class StripeController : ControllerBase
    {
        private readonly IStripeService _stripeService;

        public StripeController(IStripeService stripeService)
        {
            _stripeService = stripeService;
        }

        [HttpPost("create-customer")]
        public async Task<IActionResult> CreateCustomer([FromBody] StripePaymentRequestDto paymentRequest)
        {
            var customerId = await _stripeService.CreateCustomerAsync(paymentRequest.Email, paymentRequest.PaymentMethodId);
            return Ok(new { CustomerId = customerId });
        }

        [HttpPost("create-subscription")]
        public async Task<IActionResult> CreateSubscription([FromBody] SubscriptionDto subscriptionDto)
        {
            var subscriptionId = await _stripeService.CreateSubscriptionAsync(subscriptionDto.CustomerId, subscriptionDto.ProductId);
            return Ok(new { SubscriptionId = subscriptionId });
        }

        [HttpPost("cancel-subscription")]
        public async Task<IActionResult> CancelSubscription([FromBody] SubscriptionDto subscriptionDto)
        {
            await _stripeService.CancelSubscriptionAsync(subscriptionDto.SubscriptionId);
            return NoContent();
        }

        [HttpPost("create-product")]
        public async Task<IActionResult> CreateProduct([FromBody] StripeProductDto productDto)
        {
            var product = await _stripeService.CreateProductAsync(productDto.Name, productDto.Amount, productDto.Currency, productDto.Interval);
            return Ok(product);
        }
    }
}

Step 5. Handling Stripe Webhooks
Stripe webhooks allow your application to receive notifications about changes to your customer's subscription status. To handle webhooks.

1. Create a Webhook Endpoint: This endpoint will receive webhook events from Stripe.
2. Verify the Webhook Signature: Ensure that the event is from Stripe by verifying the signature.

Setting Up the WebhookStripeController.cs[HttpPost("webhook")]
public async Task<IActionResult> Webhook()
{
    var json = await new StreamReader(HttpContext.Request.Body).ReadToEndAsync();
    try
    {
        var stripeEvent = EventUtility.ConstructEvent(
            json,
            Request.Headers["Stripe-Signature"],
            "your_stripe_webhook_secret"
        );

        // Handle the event
        if (stripeEvent.Type == Events.CustomerSubscriptionCreated)
        {
            var subscription = stripeEvent.Data.Object as Subscription;
            // Handle the subscription creation
        }
        else if (stripeEvent.Type == Events.CustomerSubscriptionDeleted)
        {
            var subscription = stripeEvent.Data.Object as Subscription;
            // Handle the subscription cancellation
        }

        return Ok();
    }
    catch (StripeException e)
    {
        return BadRequest();
    }
}

Update the Dependency Injection in the Program.cs
Make sure to register the Stripe service in the dependency injection container.

Program.cs
builder.Services.AddScoped<IStripeService, StripeService>();
builder.Services.AddScoped<ProductService>();
builder.Services.AddScoped<SubscriptionService>();

Conclusion
In this article, we went through the steps to integrate Stripe for subscription payments in an ASP.NET Core API application. This includes setting up Stripe, creating the necessary DTOs, implementing the service interface, and creating a controller to handle subscription functions. This template allows you to easily manage customer creation, product development, and subscription lifecycles. Stripe’s integration enhances your application by providing secure and reliable payment processing.

In.NET Core, access modifiers are essential for specifying how accessible classes, methods, and variables are. One of the main tenets of object-oriented programming (OOP) is encapsulation, which they assist enforce by deciding which sections of your code can access which members. The many kinds of access modifiers that are available in.NET Core will be discussed in this article, along with usage examples.

1. What are Access Modifiers?
In C#, classes, methods, properties, and other members can have their accessibility level specified using keywords called access modifiers. Access modifiers assist guard against accidental changes or misuse of your code by allowing you to manage which areas of your codebase can communicate with a specific class or member.

2. Types of Access Modifiers in .NET Core
There are five main access modifiers in .NET Core:

• Public
• Private
• Protected
• Internal
• Protected Internal
• Private Protected

Let's dive into each of these access modifiers.

3. Public Access Modifier
The public access modifier makes a class, method, or property accessible from any other code in the same assembly or another assembly that references it. It is the most permissive access level.

Example
public class Car
{
    public string Color { get; set; }
    public void Drive()
    {
        Console.WriteLine("The car is driving.");
    }
}

In this example, the Car class, its Color property, and the Drive() method are all accessible from any other code.

4. Private Access Modifier
The private access modifier restricts access to the containing class only. This means that members declared as private cannot be accessed from outside the class they are declared in.

Example

public class Car
{
    private string engineNumber;
    public void StartEngine()
    {
        Console.WriteLine("The engine has started.");
    }
}

Here, the engine number field is private and can only be accessed or modified by members of the Car class.

5. Protected Access Modifier
The protected access modifier allows access to the containing class and any class that derives from it. It is useful when you want to allow derived classes to access certain members of the base class.

Example
public class Vehicle
{
    protected int speed;
    public void Move()
    {
        Console.WriteLine("The vehicle is moving.");
    }
}
public class Car : Vehicle
{
    public void Accelerate()
    {
        speed += 10; // Accessible because Car inherits from Vehicle
        Console.WriteLine("The car is accelerating.");
    }
}

In this example, the speed field is protected, allowing the Car class to access it.

6. Internal Access Modifier
The internal access modifier limits access to the current assembly. This means that members marked as internal can be accessed by any code within the same assembly, but not from another assembly.

Example
internal class Engine
{
    internal void Start()
    {
        Console.WriteLine("Engine started.");
    }
}

Here, the Engine class and its Start() method are internal, meaning they can be accessed by any code within the same assembly but not from other assemblies.

7. Protected Internal Access Modifier
The protected internal access modifier is a combination of protected and internal. It allows access from any code within the same assembly and from derived classes in other assemblies.

Example
public class Vehicle
{
    protected internal int speed;
    public void Move()
    {
        Console.WriteLine("The vehicle is moving.");
    }
}

In this example, the speed field is accessible within the same assembly and by derived classes in other assemblies.

8. Private Protected Access Modifier
The private protected access modifier is a combination of private and protected. It allows access only within the containing class or derived classes that are within the same assembly.

Example
public class Vehicle
{
    private protected int speed;
    public void Move()
    {
        Console.WriteLine("The vehicle is moving.");
    }
}

Here, the speed field is accessible only within the Vehicle class and any derived classes in the same assembly.

9. Choosing the Right Access Modifier
Choosing the appropriate access modifier is important for maintaining the integrity and security of your code. Here are some guidelines:

• Use private for members that should only be accessible within the class.
• Use protected when you want derived classes to access members of the base class.
• Use internally for members that should be accessible across the same assembly but hidden from other assemblies.
• Use public for members that need to be accessible from any code.
• Use protected internal when you want to combine the accessibility of protected and internal.
• Use private protection when you want to restrict access to the containing class and derived classes within the same assembly.

10. Conclusion
Access modifiers are an essential part of object-oriented programming in .NET Core. They help you define the visibility and accessibility of your classes, methods, and variables, ensuring that your code is secure, modular, and easy to maintain. By understanding and correctly using access modifiers, you can better control the structure and behavior of your application, leading to more robust and reliable software.

When designing your classes and members, always consider the appropriate access level that aligns with the intended use of your code. This will help you avoid unintended access and maintain a clear and maintainable codebase.

Ever pondered the workings of a C# code? What is occurring behind the scenes? Let's dig deep into the history of C# code execution in this blog post, focusing on the crucial element known as CLR, which is in charge of carrying out our code.

Prior to delving into the fundamentals of CLR, let's grasp some fundamental ideas,

A controlled code: what is it?
Managed code, or just code that executes under the supervision of a runtime environment, is code that we write with a language compiler that targets a runtime.

Why Managed Code?
Managed code with a runtime environment gives a number of benefits.

• Memory Management
• Security
• Cross Platform compatibility
• Cross-language integrity
• Exception handling
• Debugging and profiling services etc.

How does it operate?
Every runtime loadable portable executable (PE) file, such as dll and exe, has metadata and a common Intermediate language (CIL) that identifies types, members, and references. These are produced by language compilers. This method is used by the runtime to find and load classes, arrange memory, and resolve method invocation. A built-in compiler will convert CIL to native code while the procedure is running. One way to sum up the managed code execution process is as follows.

1. Compiling source code to CIL by Language compiler]
2. Translating the CIL to native code during execution
3. Running the code using the metadata from the PE file with provided memory management, Type checking, and exception handling.

Fantastic We now understand what managed code is and how a runtime interacts with it. Let's get right into Core CLR. The runtime environment supplied by.net core, known as Core CLR, is in charge of managing code execution. There are several language compilers that target the Core CLR runtime, including Visual Basic, C#, Visual C++, F#, Perl, and COBOL. Let's use C# as an example to delve deeper into the CLR.

Our language compiler creates metadata and translates C# code into Common Intermediate Language (CIL), a low-level, CPU-independent set of instructions that was formerly known as Microsoft Intermediate Language (MSIL). A language compiler creates this intermediate, which CLR will then further compile into machine code. CLR receives this.

Let's now examine the function of CLR. CLR must compile CIL to native code based on the architecture of the target machine in order to carry out the instructions given in the form of CIL..NET offers two methods for this purpose.

1. Just-in-time compiler (JIT)
2. Native Image Generator

Just-in-time compiler
JIT converts the CIL to machine code during runtime on demand when the content of assembly is loaded and executed.

How it works?

• The method is executed, CLR hands over the CIL for the method to JIT
• JIT will translate the code to machine code
• The Generated machine code is cached, so the subsequent calls to the method will be handled from the cache.
• Native machine code is executed by the CPU.

Types of JIT
.net core runtime includes several types of JIT compilation strategies.

Tired Compilation
Aims to provide fast startup and High throughput. It involves compiling the methods in two tiers.

• Tier 0 – Quick JIT: Methods are initially compiled with minimal optimization to provide faster throughput
• Tier 1 – Optimized JIT: Methods that are executed frequently are recompiled with higher optimization.

Regular JIT
These are the regular JIT, Where the methods are initially compiled with higher optimization and cached.

• Pre-compilation (Ready to Run – R2R): R2R is a case of ahead-of-time compilation, where the CIL code is compiled to native code during the build time itself.
• Dynamic Profile Guided Optimization: This is a highly advanced option, where the runtime collects profiling information about the application while it runs and uses this data to optimize the code.

Native Image Generator
JIT compiler converts the CIL code to machine code when methods defined in the assembly are invoked. This will have a negative impact on the performance, and also, the code generated by the JIT compiler is bound to the process that triggered the compilation. It cannot be shared among other processes. To allow the generated machine code to be shared among multiple processes, the CLR supports ahead-of-time compilation (AOT) mode. This mode uses Ngen.exe I to convert CIL to machine code as JIT does, but slightly in a unique way.

How does Ngen.exe work?
It performs CIL to Machine code conversion before running the application. It compiles the entire assembly, one at a time, and stores the machine-generated code in Native Image Cache as a file on the disk.

Now let’s go back to the CLR, Let’s see what the other functionalities of CLR other are than converting CIL to Machine Code. Another key role of the CLR is to perform Verification of the CIL code. The CLR always examines the CIL code to make sure it is type-safe. Type safety means the code only accesses the memory locations it is authorized to do. This type of safety verification makes sure the objects are isolated from each other and it avoids any kind of corruption. CLR uses various verification steps like,

• Verifies the value assigned to the variable matches the declared types.
• Verifies the method calls using the correct number and type of the arguments.
• Validate the meta data and make sure the members are defined correctly matching their metadata, external libraries used are resolved properly.

Like these, various validations are available. Finally, the CLR does the job of executing the generated machine code. During this time CLR provides a lot of added functionalities like Garbage Collection, Thread Handling, Interoperability, etc. These we will discuss in detail in my upcoming blog.