Thursday, December 20, 2012

Introducing the Real Studio WebSDK

As one of the most requested features since the initial release of the Real Studio Web Edition, Real Studio 2012r2 includes the first public release of our Web Control SDK. You can find the SDK in the Extras folder, which contains documentation, some example projects and even a tool for creating your own IDE icons!

jQuery Calendar Sample Project
Originally designed as a way to simply allow developers to wrap existing controls (which it still does), the WebSDK has been expanded to allow the creation of custom controls from scratch. Developers who are familiar with Real Studio, HTML, CSS and JavaScript will find it easy to create whatever comes to mind.

Because there is the potential for a single project to use many different controls from different developers, Real Software created a central registry where developers are encouraged to reserve their preferred JavaScript namespace (see the documentation for more info on how to do this). Two controls that claim the same namespace will overwrite each other's functions in the browser, so reserve yours before you ship.

We've already received and reserved 12 namespaces and we're looking forward to seeing the controls you create!

Monday, December 17, 2012

A Great Alternative to Visual Basic

UPDATE June 2013: Real Studio is now Xojo. Read why Xojo is a great alternative to Visual Basic.

Did you know that Real Studio is a great alternative to Microsoft Visual Basic? That's right, if you have used VB in the past or are considering using it now, you might want to instead take a look at Real Studio (Xojo) to see if it will fit your needs better.

What's wrong with VB?
When people refer to "Visual Basic", they usually mean one of two things: VB6 or VB.NET. There are problems with both. I'll start with VB6.

Visual Basic 6, or VB6, was last updated in 1998. In its heyday, it was a very popular development tool and was used to create a wide variety of apps, especially in-house applications used by small businesses. Surprisingly, it is still in use today, even though it was effectively abandoned by Microsoft years ago. In fact, many consultants using Real Studio make a pretty good living migrating older projects from VB6 to Real Studio. And many of our customers are former VB users.

If VB6 still works today, why even consider switching? As I mentioned, it's no longer updated by Microsoft. Although it does work in more recent versions of Microsoft Windows, that does not mean it works well. The IDE is also rather difficult to use as it uses the now derided MDI (multiple document interface) style that results in lots of small windows embedded in a main window. And the VB6 language is not very sophisticated. In particular, it is not fully object-oriented making many tasks more difficult than they need to be and your code more complex.

So what about VB.NET? That is newer, right? Surely it doesn't have these limitations. And that would be correct. VB.NET uses Visual Studio as its IDE and Visual Studio is modern and powerful. VB.NET is a fully object-oriented language, supported by the powerful .NET framework.

But VB.NET and Visual Studio together are complex and difficult to learn. Because Visual Studio is designed to work with a wide variety of programming languages (C#, C++, VB.NET), it can often confound people simply looking to quickly create apps. VB.NET itself is a decent language, but the .NET framework is large, powerful and complex. Microsoft changes it rapidly and it can be overwhelming for many developers.

Why Real Studio?
Here at Real Software, we strive to keep things simple. We want to make it so that anyone can create their own apps and we strongly feel that Real Studio is the best way to do that.

As in the tale of Goldilocks and the Three Bears, Real Studio is "just right". It is more powerful than VB6 while at the same time more approachable than VB.NET. It is likely you will have your first app created in Real Studio before you even finish downloading and installing Visual Studio!

And don't forget that Real Studio is a cross-platform development tool. With Real Studio, a single project can create desktop apps that work on Windows, OS X and Linux. You are not forced to do your development on Windows, either. Do you want to do development on OS X or Linux? You can do that with Real Studio. In fact, any single development platform can create apps for all the other platforms supported by Real Studio. If you are developing on OS X, you can create apps for OS X, Windows, Linux and even the web.

Yes, Real Studio can also create web applications. Of course, so can VB.NET (using ASP.NET), but ASP.NET requires a Microsoft server running IIS. Real Studio web applications can be deployed as simple stand-alone applications or can be deployed using Apache, the most common web server on the planet, using Windows, OS X or Linux.

Simply stated, Real Studio allows you to quickly create apps.

Similarities between Visual Basic and Real Studio
Real Studio makes a great alternative for Visual Basic because it shares many similarities with it. This is a short list of some of the things that VB users will find familiar:

Real Studio uses a programming language that is very similar to Visual Basic. It has commands like If..Then..Else, For..Next, While..Loop, Dim and more. You'll have no trouble at all reading (or writing) Real Studio code. You will also find the object-oriented capabilities of VB.NET quite similar to Real Studio. If you've used Visual Studio at all, you'll find that Real Studio works similarly but is far simpler to learn.

Data Types
Real Studio shares many of the same data types with VB6 and VB.NET, including: Integer, Double, String, Currency, Boolean, Variant.

Real Studio has many common controls that will be familiar to you, including: Buttons, Labels, TextFields, TextAreas, ListBoxes (grids), PopupMenus, ProgressBars, toolbars and more.

VB6 and Real Studio Controls

Differences between Visual Basic and Real Studio
Of course, Real Studio also has quite a few differences from Visual Basic as well.

Shared Libraries
Real Studio cannot create DLLs, ActiveX controls, .NET assemblies or any kind of shared libraries. Since these are all Windows-specific technologies, that is somewhat understandable. You'll either need to rethink your design or re-use these components from within Real Studio (and thus limit yourself to deploying only on Windows).

Compiler and Run-time
Real Studio apps are compiled to native code. They do not contain byte-code that is run by a virtual machine (as with .NET). The run-time library is included with your applications so there is nothing additional that needs to be installed on users' computers.

Language and Framework
As I’ve mentioned before, Real Studio is fully object-oriented. Unlike VB6, you can have classes that use inheritance and other object-oriented features.

The Real Studio framework is designed to be simple to use and support cross-platform applications. It is different than the VB6 framework and the .NET framework.

File I/O
One of the biggest differences between VB6 and Real Studio is file I/O. Real Studio consolidates all its file processing into a few classes: FolderItem, TextInputStream, TextOutputStream and BinaryStream. VB6 uses hard-coded file paths and less flexible file access methods, primarily because it only needs to work with Windows-specific file paths.

Data Types
Real Studio is strongly typed, just like VB.NET. VB6 allows you to do some things the "old-school" BASIC way, the most significant of which is using variables without declaring them (the type is inferred from a suffix on the name). Real Studio does not allow this. Use the Option Explicit statement in all your Visual Basic code to have VB enforce explicit variable declarations.

Switching to Real Studio
We offer a tool to help make it easier for you to make the switch from VB to Real Studio. Our Visual Basic Migration Assistant can help you move your VB projects over to Real Studio, but only at a high level. This tool moves your project files, source code and user interface (to some extent) to a Real Studio project. The tool does not convert the code in any way, nor does it create a working version of your VB project in Real Studio. It is just a means for you to get your code into Real Studio so you can refer to it while working on the Real Studio version without having to keep a copy of VB around.

If you find yourself frustrated with VB.NET or are looking for something to replace VB6, be sure to test out Real Studio. It might be "just right" for you!

Friday, December 14, 2012

WebSDK: Image Delivery Hints

When delivering custom web controls to your developers or customers, it can be problematic if your control has required images. Here are some hints to make the process easier on you and your customers:

1. Embed needed images right in your controls as private base64 constants... just like your IDE icon! This means that your users will not have to add lots of additional assets to their projects to get your controls to run, nor do you run the risk of name conflicts with other images!

Private Constant myImageConstant as String

2. Create WebPicture properties on your control so the variables don't go out of scope.

Private Property myImage as WebPicture

3. Convert these base64 strings into WebPictures in the Open() event (the original showed the two assignments run together on one line; they are separate statements):

myImage = New WebPicture
myImage.Data = DecodeBase64(myImageConstant)
myImage.MimeType = "image/png" // This MUST match the image data
myImage.Filename = "myImage.png"
myImage.Session = Nil // Very important!

4. Make sure that any images that will not change from Session to Session are stored in a Shared Property so they are only stored once!

Shared Private Property myImage as WebPicture

You should only initialize them once as well. Using the code from step 3:

If myImage = Nil Then
  myImage = New WebPicture
  myImage.Data = DecodeBase64(myImageConstant)
  myImage.MimeType = "image/png" // MUST match the image data
  myImage.Filename = "myImage.png"
  myImage.Session = Nil // Very important!
End If

NOTE: Make sure you set the Session property to nil, otherwise it will only be available in the session that created it!

5. Use sprite sheets to cut down on requests. If you have lots of little images that will be used all the time, it might be worth it to combine them into a single larger image and then use CSS to specify the section of the image to use at runtime. A single image means one download, and from then on, the browser will use the one from its cache.

WebSDK: Deferring User Commands

One of the things that trips up new and experienced web app developers on a regular basis is the concept of what commands can be sent to the browser at what time during the initial setup of a web control. The general idea is this:

When the Open() event fires, the control has not been delivered to the page yet. Sending commands to manipulate the control will likely result in JavaScript errors.

When the Shown() event fires, the control has been delivered to the page, has been set up, and is ready to receive javascript commands.

It seems fairly straightforward, and yet we still get a lot of questions about why users can't do this or that in their applications in the Open event.

If you're creating custom web controls for distribution, there is a way to help users avoid this issue, but it takes careful thought on your part because it's easy to get things out of order if you don't plan ahead.

One solution is to defer calls to ExecuteJavascript in the Open event and send them at the beginning of the Shown event:

  1. Create two private properties on your control:
    Private deferredCommands() As String
    Private inOpenEvent As Boolean = False
  2. Override the ExecuteJavaScript method so that scripts issued while the control is not yet in the browser are queued instead of sent (the original condition was inverted and never passed anything through):
    Sub ExecuteJavaScript(script As String)
      If inOpenEvent And Not ControlAvailableInBrowser() Then
        deferredCommands.Append script
      Else
        Super.ExecuteJavaScript(script)
      End If
    End Sub
  3. Create an event definition for Shown()
  4. Implement the Shown() event, flushing the queue before the user's own Shown code runs:
    If UBound(deferredCommands) > -1 Then
      Super.ExecuteJavaScript(Join(deferredCommands, ";" + EndOfLine))
      ReDim deferredCommands(-1)
    End If
    RaiseEvent Shown()
  5. Create an event definition for Open()
  6. Implement the Open() event:
    inOpenEvent = True
    RaiseEvent Open()
    inOpenEvent = False
Using this method, you can be sure that user code will not be sent to the browser before your control and its code reach the browser.

BE CAREFUL! If you only defer some commands, you could cause user code to execute out of order. For example, if you defer property assignments but not function calls, a function may get called before the user property assignments have been set.

Thursday, December 13, 2012


One of the great new features in Real Studio 2012 Release 2 is the WebCanvas class for web projects. This class provides an implementation of the HTML 5 Canvas that uses an API that is very similar to the Canvas control used by desktop projects.

When you add a WebCanvas to your web page, you get a Paint event where you can do your drawing using the "g As WebGraphics" parameter. Taking a look at WebGraphics, you can see that it shares many of the same properties and methods of the Graphics class used by desktop projects.

There are Draw and Fill commands for drawing shapes, pictures and strings. You can use the properties to control the size of the drawing pen as well as font and style information.

There are also two properties, LineCap and LineJoin, that control how line ends and corners are drawn.

So what can you do with a WebCanvas? Pretty much everything you could do using a desktop Canvas control, including drawing your own custom controls, graphs, pictures, text and more. You can even do animations; however, because every repaint is a round trip to the server, they cannot update as frequently as on the desktop. They will still work, but depending on the latency between the user's browser and the server running the web application, you may find a noticeable delay. With careful use of a WebTimer, you can still create some animations, such as the CanvasClock example that is included with Real Studio 2012 Release 2.

CanvasClock is a web implementation of the desktop GraphicalClock example. It draws an analog clock on the screen (in a WebCanvas) and then uses a Timer to animate the second hand.

In addition, there are several other new examples included with Real Studio 2012r2 that demonstrate WebCanvas: CanvasBoxes, CanvasChart and WebGridExample.

CanvasChart has been incorporated into our updated example web application, which you can view here:

Click on the "Sales Chart" button on the toolbar to view a chart of invoice amounts created using WebCanvas. You can even click on individual points on the chart to view the actual amount.

Lastly, you can check out the Using WebCanvas video on the Real Software YouTube channel:

Give WebCanvas a try and use it to make great looking web applications with Real Studio!

Wednesday, December 12, 2012

TextArea LineSpacing and LineHeight

New in Real Studio 2012 Release 2 are two TextArea properties: LineHeight and LineSpacing. As you might guess, these properties control the height of individual lines in a TextArea and the amount of space between each line in the TextArea. These properties affect all the text in the TextArea.

LineHeight and LineSpacing are fully supported on OS X Cocoa and Windows apps. LineSpacing works on Linux, but only if the TextArea contains a single TextSize.

You can change these properties using either the Properties Pane or in code.

LineSpacing is a multiplier applied to the normal line spacing. For example, if you wanted the text in the TextArea to be double-spaced, you would set LineSpacing to 2. It is a Double, so you can also use a decimal such as 1.5. So in the Open event handler of a TextArea, you can simply use this code:

Me.LineSpacing = 1.5

Used to adjust the height of each line, LineHeight allows you to adjust the height using whatever is specified as the TextUnit for the TextArea. So on OS X, you can adjust the LineHeight using points like this (in the TextArea Open event handler):

Me.LineHeight = 18

You can see the differences in the screenshot below:

Tuesday, December 11, 2012

Web Apps, WebSessions and Threads, Oh My!

During the 2012r2 beta cycle a bug was reported regarding data bleed between WebSessions, but we were unable to reproduce it internally. We've been looking into the issue today, as we finally have an example project that reliably reproduces the problem. If you see this behavior in your project, please be aware that this bug:

  • Only appears to happen on the default page
  • Only happens if you're using a tight-loop or thread with a low sleep period
  • Any data that has been entered by a user in one session will appear in the same fields on another browser.

What you can do about it

If you're using a thread or a loop, set a sufficiently large sleep period. Unfortunately the low threshold seems to be somewhat dependent on the speed of the hardware you are running on, so you may need to do some experiments.

What we're doing about it

We're working diligently on isolating and fixing this bug. Our plan is to have a new beta out with this and a few other minor fixes soon.

Introducing the Crypto Module


With the release of Real Studio 2012r2, we can take the wraps off our new Crypto module. This module provides access to additional hashing algorithms SHA-1, SHA-256 and SHA-512 (alongside MD5), as well as the keyed hash HMAC and the password-based key derivation function PBKDF2.

The Crypto module is documented in the language reference, but I'll give you an overview of everything it does right here.

Simple Hashing

The Crypto.Hash function provides you access to the simplest hashing. You pass in a MemoryBlock and any of the Crypto.Algorithm values, and get back a binary hash. For users familiar with our MD5 function, the code Crypto.Hash("password",Crypto.Algorithm.MD5) and MD5("password") both return identical results.

There are also convenience functions Crypto.MD5, Crypto.SHA1, Crypto.SHA256, and Crypto.SHA512, if you don't need the flexibility the Crypto.Hash function provides.

Hash-Based Message Authentication Code (HMAC)

Crypto.HMAC works much like Crypto.Hash, except that it requires one additional parameter: a key. HMAC is a message authentication code: anyone who holds the key can compute the tag for a message, and nobody without the key can forge one, which makes it the right primitive for signing cookies, API requests or session tokens. It is also commonly used for password storage, with a per-user "salt" as the key. Be clear about what that buys you: a salt is stored next to the hash and is not secret, so HMAC-with-a-salt is no harder to brute-force per guess than a plain hash. What the salt does is ensure that identical passwords produce different hashes and that precomputed tables are useless. Using HMAC rather than pasting the salt onto the beginning or end of the password before sending it to MD5 gives you a construction with a defined security argument instead of an ad hoc one.

For example, this code:

Const Password = "password"
Const Key = "key"

Dim PlainHash As String = EncodeHex(Crypto.Hash(Key + Password, Crypto.Algorithm.MD5))
Dim HMACHash As String = EncodeHex(Crypto.HMAC(Key,Password,Crypto.Algorithm.MD5))

Results in

PlainHash = 084201E2889684A768A54EA3B0E05D6D
HMACHash = A95669C550C0C9CC91EF29A91873CA4F

To a human, those results look alike. The difference is not that one is harder to brute-force than the other; it is that the HMAC value cannot be reproduced without the key, while the plain hash merely mixes the two strings into a single MD5 input.

Password-Based Key Derivation Function 2 (PBKDF2)

Building upon HMAC, PBKDF2 is the better choice for passwords simply because it is much slower, and as slow as you want it to be: it runs HMAC over and over, so every guess an attacker makes costs the same number of iterations that your login does. The Crypto.PBKDF2 function adds two parameters: Iterations and Length. Iterations is the number of loops the function will make, so the greater the iterations, the slower the function. Length is the number of bytes you want the resulting hash to be. The value the example passes as Key plays the role of the salt: it should be random and unique per user, and it is stored alongside the result.

Following up on the earlier example, we can run the same values through PBKDF2 at 1,000 iterations and retrieve a 16 byte hash:

Dim PBKDF2Hash As String = EncodeHex(Crypto.PBKDF2(Key,Password,1000,16,Crypto.Algorithm.MD5))

Produces the hash 1C0792068A80FD07931CD4A86C001D27

Now here's the beauty of PBKDF2. On my machine, the plain MD5 hash took 0.02ms. The HMAC-MD5 hash took 0.03ms. The PBKDF2-MD5 took 1.22ms. This means my computer could brute force the HMAC-MD5 at a rate of about 30,000 hashes per second, but the PBKDF2 could only achieve about 1,000 hashes per second. Every computer is different, of course, but being 30 times slower is still quite valuable. Keep those numbers in perspective: they are for a single desktop machine, and a determined attacker uses GPUs or purpose-built hardware that are orders of magnitude faster. Choose the highest iteration count your login latency can tolerate, revisit it as hardware gets faster, and prefer SHA-256 over MD5 as the underlying algorithm.
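The same ideas in Python's standard library, as an added example that is not Real Studio code. page_digests() mirrors the three MD5 calls above (Crypto.Hash of key + password, Crypto.HMAC, and Crypto.PBKDF2 with the key as salt) so you can compare its output with the hex strings printed above; hash_password() and verify_password() show what production password storage should look like: a per-user salt from the OS random source, SHA-256 instead of MD5 as the underlying hash, the iteration count stored with the result so it can be raised later, and a constant-time comparison. The record format, the 100,000-iteration default and the 250 ms budget in choose_iterations() are my assumptions, not anything the Crypto module prescribes.

```python
# Added example, not Real Studio code: the Crypto-module ideas in Python's
# standard library. page_digests() mirrors the post's three MD5 calls;
# hash_password()/verify_password() show a sound password-storage scheme.
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed defaults (not prescribed by the Crypto module): tune ITERATIONS with
# choose_iterations() on the machine that will actually verify logins.
ITERATIONS = 100_000
ALGO = "pbkdf2_sha256"


def page_digests(key: bytes = b"key", password: bytes = b"password") -> dict:
    """Reproduce the post's three values (Crypto.Hash of key+password,
    Crypto.HMAC, Crypto.PBKDF2 with the key as salt) as upper-case hex."""
    plain = hashlib.md5(key + password).hexdigest().upper()
    mac = hmac.new(key, password, hashlib.md5).hexdigest().upper()
    kdf = hashlib.pbkdf2_hmac("md5", password, key, 1000, dklen=16).hex().upper()
    return {"PlainHash": plain, "HMACHash": mac, "PBKDF2Hash": kdf}


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'algo$iterations$salt$hash' (hex).
    Storing the parameters lets you raise the iteration count later without
    invalidating existing records."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt from the OS CSPRNG
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=32)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the derivation with the stored salt and iteration count and
    compare in constant time so a mismatch's position leaks nothing."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)


def choose_iterations(target_ms: float = 250.0, probe: int = 10_000) -> int:
    """Estimate how many PBKDF2-HMAC-SHA256 iterations fit in target_ms on
    this machine. Attackers' GPUs are far faster than a server CPU, so the
    budget should be as high as your login latency tolerates."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", b"0123456789abcdef", probe, dklen=32)
    per_iteration = max((time.perf_counter() - start) / probe, 1e-9)
    return max(probe, int(target_ms / 1000.0 / per_iteration))


if __name__ == "__main__":
    for name, value in page_digests().items():
        print(f"{name} = {value}")
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))  # True
    print(verify_password(record, "Tr0ub4dor&3"))                   # False
    print("iterations for ~250 ms:", choose_iterations())
```

Run it once on the server that will check logins and use the number choose_iterations() reports; when you later raise the count, old records keep verifying because their own iteration count travels with them, and you can re-hash on the next successful login.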

Web Application Code Execution Order Change

We made an important change in Real Studio 2012r2 with regards to code execution order. Until now, commands sent to a browser were queued in such a way that it was possible for property assignments to get out of order with other commands if you were not careful. While this internal queuing process worked for our internal framework (we were able to control the process with our own controls), with the advent of the Web Controls SDK, we had to switch to something that makes a little more sense to the average user.

For example, if your code looked something like this:

  MoviePlayer1.DesktopURL = "DesktopMovie.mp4"
  MoviePlayer1.MobileWifiURL = "WifiMovie.mp4"

It was possible for the code to be sent to the browser in the reverse order, like this:

  MoviePlayer1.MobileWifiURL = "WifiMovie.mp4"
  MoviePlayer1.DesktopURL = "DesktopMovie.mp4"

In this case it was possible that the previous movie would start playing and then a new one would load, because the property assignments reached the browser after other commands instead of in the order you wrote them. Our controls were designed to handle this internally, but it made for some very hard to find bugs.

As mentioned above, starting in 2012r2, property assignments and method calls are sent to the browser in the order they are specified in your code. We suspect that this will clear up a number of strange bugs that have been reported about properties not getting set properly.

Monday, December 10, 2012

Marketing your app for free!

So you have created a pretty cool Real Studio app that you think others could use.  Why not sell it?  Maybe you didn’t plan to sell it or maybe you developed it with the hopes it could help bring in some extra cashflow.  Either way, here are a few tips on free marketing for your app!

First, I want to tell you about a great opportunity.  As many of you know we have recently announced sessions for the Real Studio Developer Conference, taking place April 23-26 in Orlando, Florida.  This will be our biggest event of the year with one-of-a-kind educational and networking opportunities.  If you use Real Studio to make some or all of your income, you need to be there!  If you are just a hobbyist and want to learn more about how to leverage your Real Studio skills, you need to be there!  And if you are evaluating Real Studio to see if it's the right app development tool for you, what better place to make your decision than after talking to people who rely on it and have used it for years? 

We will have some sessions at the conference that will greatly benefit anyone who wants to effectively sell their app.  To call out a few, Richard Duke, CEO of Mediatec, will discuss How to Succeed in Business Using Real Studio.  In this session he will talk about rapidly creating and deploying apps, pricing, sales incentives, system maintenance and further ways to generate income.  Another session I am really looking forward to is Ingo Molitor's (founder of Bluetelligence LLC) session on the Mac App Store!  Ingo is going to talk about Apple's requirements for the MAS, code signing and Gatekeeper.   Also, did you see we have TWO sessions on iOS?  That's right.  iOS in Real Studio - basic and advanced.  This is THE place to be if you want to learn more about Real Studio and get your hands on the latest and greatest from Real Software.  Today we are offering $200 off the price of registration.  I promise you will be glad you came!

There are tons of things you can do to market your app, many which come with a hefty price tag.  Thanks to social media, internet accessibility and a little creativity, there are some free things you can do to help get the word out and start some momentum. 

8 Free Marketing Ideas!

1. Create a website or blog for your app:  Creating a web presence for your app is paramount.  For those who are not creatively inclined there are a lot of free templates out there to help you get started, like Tumblr and Blogger.  Having a dedicated URL to pass out to prospects is very important and your URL needs to be something they can easily remember.  Additionally, you will want to put your URL everywhere - in your email signature, on your Facebook page, Twitter, etc.  And be sure to add social media buttons to your blog or website (like Facebook, Twitter, Digg, etc.) so visitors can share your app with their community. 

2. Create a video to showcase your app:  Always remember to show don’t tell!  Screenshots are a good way to feature your app, but a video is worth so much more.  And I’m not talking professional quality demo video.  Just record yourself walking through your app, show prospects how to use it, and why it’s worth downloading.  Once your video is complete you will want to feature it on your website, upload it to YouTube, Vimeo, Facebook, Twitter, and Pinterest.  Spread the word!  Make sure to add relevant tags to help with some SEO!

3. Twitter:  Did you know Twitter has well over 500 million users and over 340 million tweets per day (source)?  And it’s free!  While not all 500 million people are in your target market, it is a great way to spread the word about your app to a large community.  Simply tweeting about what makes your app special is not going to generate too much buzz,  but using it to get in front of key industry people to request reviews or connect with the media - can make a big impact to helping to spread the word.

4. Guest Blog Posts:  Many of the big-name blogs out there welcome guest posts.  Not only do you get to talk about your labor of love in front of a new audience that you otherwise would not have connected with, but you will also get a link to your own URL, which will get you some good SEO.  Good SEO = more traffic, more downloads and more conversions!  Keep in mind, however, that simply writing a sales pitch for your app will probably not get accepted.  Try to think about a topic that would be of interest.. maybe a problem your app can solve?  Talk about it generally and then offer some solutions.  Even if your topic is not 100% relevant to your app that is OK!  Geoff recently wrote a guest blog post on password security for LockerGnome and that generated a nice traffic boost for us!  Also, did you know we accept guest blog posts?  If you have an idea for something you think might be interesting to our audience, email it to and we will try to work it into our blog rotation!

5. We Will Help You:  Did you know that besides guest blog posts Real Software also offers a number of opportunities to help market your app?  If you submit a press release to us at, we will send it to our news list that includes hundreds of media contacts and we will post it on our forums which is used by 7300 developers.  Additionally, if you have a good story, we may want to include it in a customer success story that we will pitch to the media on your behalf! 

6. Facebook:  I have mentioned a few things about Facebook already, but be sure to leverage your own network to help spread the word.  Post your video to your own page and ask your friends to share it!  Your friends will see it, share it with their friends, and their friends friends and so on!  That’s how to go viral! You should also create a Page for your app!  It’s a great way to get your existing users together and tell them the latest and greatest about your app!

7. Banner Swap:  One thing that I don’t see happening much on the app sites I visit is banner swaps.  Help out your fellow Real Studio developers and they’ll help you!  Reach out to someone else who has an app and a website/blog and offer to swap banner ads.  You will each benefit from it and it’s a nice way to get some free marketing.

8. Public Relations:  Think outside of the box.... really, really far outside of it!  Sure you could purchase the biggest booth and a full page ad with Mac World, and also put banner ads on every website you can think of, but that comes with a hefty price tag!  Take a different spin on an old concept or think of something new and exciting.  Make a theme song for your app, hand out bumper stickers, or even dress up as your app. 

Create unique shareable content that others will talk about and the viral effect will happen naturally.  If you're not sure about an idea, feel free to email me:

Happy Marketing!

Thursday, December 6, 2012

Follow up Regarding Password Security

I'd like to follow up on my earlier post about Password Security and what companies can do to keep their users safe. Security Ledger just posted about a computer that can attempt up to 348 billion passwords per second, cracking any 8 character password in as little as 5.5 hours. I'm not talking about a super computer in some university lab, this machine looks like something anyone could build. Meaning any person or organization with a big incentive to crack passwords could build something like this. 

I can't think of a better reason to change your passwords to something long, ideally a sentence made up of many words. Such a passphrase (rather than password) would be quite difficult for even a computer such as this one to crack.

Notice in the article which hashing types can be cracked the fastest. PBKDF2, which will be available in Real Studio 2012 r2, is not specifically mentioned. However, it is almost certainly one of the "slow hash" algorithms that were tested.

Wednesday, December 5, 2012

TabView for iOS

We continue to make progress on supporting iOS development in Real Studio. Last week we focused on the iOS TabView.
The TabView is similar to our current TabPanel control in some ways but there are three important differences:

1. TabView tabs are always along the bottom, whereas in a TabPanel they are along the top. A TabView can include icons or not, though a TabView that doesn't include icons is rare.

2. A TabPanel is a control. A TabView is not. While a TabPanel can be just about any size and positioned just about anywhere on a layout, a TabView must either consume the entire screen (as in the example above) or one portion of a SplitView. The Settings application on iPad is an example of a SplitView. 

3. A TabPanel can contain other controls. A TabView cannot. Well, to be more correct, a TabView can contain other layouts which can contain controls.

This brings up an important difference between how you will build iOS apps compared to how you are used to building desktop and web applications today. Because most of the applications you create will be universal (supporting both iPhone and iPad) you will be creating "views" which are simply layouts of controls (much like container controls today) and then dropping those views onto things like a tab in a TabView. This allows you to easily share these views between your iPhone and iPad user interfaces. Consider, for example, that the Settings app on iPhone only shows you the left side (the list of settings) initially. You then tap a setting to see its details. Those details are a separate view. The two views (list and detail) are shared by both the iPhone and iPad versions of Settings. The only difference is that the iPad version uses a SplitView to display both since there's enough screen space available.

These differences won't change much about how you work. After all, a view is pretty much the same as a container control, a window or a webpage. But as you can see, the TabView is a bit different from the TabPanel control you use on the desktop today.

I'll be blogging with more progress as we continue, stay tuned!

Tuesday, December 4, 2012

Limiting Simultaneous Web App Connections

Ever wanted to limit the number of users that could connect to your site from the same IP address? It's easy to do from the Session class.

1. Create a Shared Property on the Session class: Clients as Dictionary

2. Add a page to your app telling the user that there are too many users connected from their IP address, named TooManyUsers.

3. At the top of the Session.Open event, add the following code:

if clients = nil then clients = new Dictionary
dim addr as string = self.RemoteAddress
clients.value(addr) = clients.Lookup(addr,0) + 1
if clients.Lookup(addr,0) > 2 then
  // A third (or later) session from this address: send the user to the TooManyUsers page
  TooManyUsers.Show
end if

4. In Session.Close:
dim addr as string = self.RemoteAddress
clients.value(addr) = max(0,clients.Lookup(addr,0) - 1)

Now, whenever a new session is created, it will increment the connection count for the IP address it is connecting from. If the number ever goes above 2, the user will be redirected to the TooManyUsers page. 

If you want to be really creative, put a WebTimer on the TooManyUsers page:

Period = 5000 (5 seconds)
Mode = 1 - Single

In the Timer1.Action event, set the code to something like:


This will not only show the user the error, but then after a short period of time, it will redirect them to another page of your choice, freeing up the server connection for another user.
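The same per-address bookkeeping written as a Python class, as an added example rather than the article's Real Studio code: the counter plays the role of the Shared Dictionary, open() is the Session.Open logic and close() the Session.Close logic; the lock and the removal of zero-count entries are additions, and the limit of 2 is the article's.

```python
import threading
from collections import Counter

# Constructed example, not the article's Real Studio code.
MAX_SESSIONS_PER_ADDRESS = 2   # the article's limit: a third session is refused


class SessionLimiter:
    """Counts live sessions per remote address, like the Shared Dictionary."""

    def __init__(self, limit: int = MAX_SESSIONS_PER_ADDRESS) -> None:
        self.limit = limit
        self.clients = Counter()        # address -> number of open sessions
        self.lock = threading.Lock()    # sessions can open on several threads at once

    def open(self, addr: str) -> bool:
        """Session.Open: count the new session; False means show TooManyUsers.
        A refused session is still counted until its close(), as in the article."""
        with self.lock:
            self.clients[addr] += 1
            return self.clients[addr] <= self.limit

    def close(self, addr: str) -> None:
        """Session.Close: release the slot, never dropping below zero."""
        with self.lock:
            self.clients[addr] = max(0, self.clients[addr] - 1)
            if self.clients[addr] == 0:
                del self.clients[addr]  # keep the table from growing without bound

    def active(self, addr: str) -> int:
        """Number of sessions currently open from this address."""
        with self.lock:
            return self.clients[addr]
```

Several users behind one NAT gateway or proxy share an address, so a limit this low will turn them away together; make sure the address you count is the real client's and not that of a load balancer in front of the app.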

Monday, December 3, 2012

10 Tips to Improve Password Security

In a recent Wired article, Mat Honan, the journalist whose Apple and Amazon account passwords were famously hacked, wrote about how passwords will no longer protect us and that they should be killed off. He made some excellent points about the weaknesses of password security both from the individual and company perspectives. Many people don't bother to use very secure passwords. I had high hopes, from the title of the article, that Mat was going to propose a new solution. He didn't.

Though, as Mat pointed out, it's unlikely anything will replace passwords anytime soon, that doesn't mean systems can't be improved. If you work for a company that has an application with users who log in, there are steps you can take to improve the security of your users and their passwords. Here are 10 methods we use (or are in the process of implementing) to protect our customers at Real Software.

1. Don't Limit Password Length

The longer a password is, the more time it takes to guess it. Netflix limits the length of passwords to 10 characters! Unbelievable! For reasons I'll get into in tip #8, there is no reason whatsoever to limit the length of a password. 

2. Do Have a Minimum Length

Short passwords are easier to guess so have a minimum length. Our minimum is eight characters.

3. Don't Let the User Include Their User Name in the Password

If the user can choose their user name, they will often choose one that is a combination of their first and last names or initials. Many systems use the user's email address which is essentially public. To prevent the user from simply using this as their password or as most of their password, make sure their user name is not present inside the password they choose.

4. Don't Require Silly Characters

Requiring the user to have numbers or uppercase letters in their password achieves nothing. Length and uniqueness are what matter. Required numbers and mixed case result in the user creating passwords they can't remember. If they can't remember them, they write them down, which is not good. As you will see in tip #6, there are easy ways to get the user to create a long password.

5. Don't Allow the User to Use a Common Password

It's probably not surprising to you that people often choose the same passwords as other people. 4.7% of people choose "Password" as their password. 9.8% of people use either "123456" or "12345678" as their password. Of the top 10,000 most frequently used passwords, 91% of them are in the top 1,000. At Real Software, we don't allow users to create a password that is on the top 10,000 list. You can download the top 10,000 list for use in your applications.

6. Suggest a Memorable Sentence

Single words are poor passwords because they are easy to guess and encourage (or at least, don't discourage) the reuse of passwords. Instead, suggest to your users that they create a sentence. Sentences will almost always be longer than any single word. The sentence should be connected to your company or the service or product your company provides. That makes the password easy to remember. Imagine if your Netflix password were "Julia Roberts is the bomb!" That's going to be easy to remember because your brain associates film actresses with films. Spaces can be problematic, as the user can accidentally type more than one. However, even if they run the words together, it's still long and memorable. An ideal system would account for spaces, allowing one space between words but no spaces at the beginning or end of the sentence.

7. Don't Call Them Passwords

Password implies a single word. But you now know that a sentence is far better. Instead, call it a "Personal Identification Phrase". That will encourage the user to create a series of words. In fact, if you support the use of spaces, you could have a three or four word minimum for the user's PIP.
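A checker that applies tips 1 through 7 together, as an added Python example and not Real Software's own code: no maximum length, an eight-character minimum, no required character classes, the user name (and, going slightly beyond the text, the part of an e-mail address before the @) rejected inside the phrase, a common-password list, spaces normalized to one between words, and a three-word minimum. The common-password set is a constructed stand-in for the top-10,000 list, and the three-word and three-character thresholds are assumptions.

```python
import re

# Constructed example, not Real Software's code: a checker applying tips 1 to 7.
MIN_LENGTH = 8     # tip 2: the article's minimum; there is no maximum (tip 1)
MIN_WORDS = 3      # tip 7: a three-word minimum once spaces are supported
# Constructed stand-in for the top-10,000 list the article links to.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein"}


def normalize_phrase(raw: str) -> str:
    """Tip 6: keep one space between words and none at the start or end."""
    return re.sub(r"\s+", " ", raw).strip()


def name_fragments(user_name: str) -> list:
    """Strings that must not appear in the phrase (tip 3): the user name and,
    for an e-mail address, the part before the @. Assumption: fragments shorter
    than 3 characters are ignored so a name like 'jo' does not reject everything."""
    parts = [user_name]
    if "@" in user_name:
        parts.append(user_name.split("@", 1)[0])
    return [p.lower() for p in parts if len(p) >= 3]


def check_passphrase(user_name: str, raw: str, common=COMMON_PASSWORDS) -> list:
    """Return the rule violations; an empty list means the phrase is accepted.
    No character classes are required (tip 4): length and uniqueness only."""
    phrase = normalize_phrase(raw)
    lowered = phrase.lower()
    problems = []
    if len(phrase) < MIN_LENGTH:
        problems.append("too short")
    if any(fragment in lowered for fragment in name_fragments(user_name)):
        problems.append("contains user name")
    if lowered in common:                      # tip 5, compared case-insensitively
        problems.append("common password")
    if len(phrase.split(" ")) < MIN_WORDS:
        problems.append("fewer than %d words" % MIN_WORDS)
    return problems
```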

8. Don't Store the User's Password

One reason a hacker will attempt to break into a system is to gain access to user information. They don't want just one user's password, they want all of them. We know that users use the same passwords with multiple systems, even though we warn against this. Should a hacker break in, you don't want to be providing all of your users' passwords to the hacker. There are a couple of things you can do to secure your users' passwords:

First, don't store the user's password at all. Instead, store a hash of the user's password. Hashing is a one-way transformation: the password cannot be recovered from its hash. When the user enters their password to log in, you simply create a hash of it and compare it to the hashed version you have stored. If they match, you know that the user entered the same password they entered when they set up their password, without storing the password itself.

Second, you need to use a strong hashing function. MD5 is no longer enough. You could use SHA256, but there's one that's even better: PBKDF2. The advantage of PBKDF2 is that it's designed to be slow. In fact, it's about 1000 times slower than SHA256. Hackers take those 10,000 common passwords and hash them so they can compare them to the hashed passwords they got when they broke into your system. If you use PBKDF2, it's going to take them 1000 times longer. Real Studio users will be happy to hear that PBKDF2 will be available in Real Studio 2012 R2, due before the end of the year.

Third, do more than just hash their password: generate a unique number that is added to the password before you hash it. This unique number is called a "salt" and can be stored with the user's account. What does this accomplish? As I mentioned earlier, hackers will have a predefined list of hashed passwords and will compare this list against your users' hashed passwords. If you add a salt, even if the hacker can see the salt for each user, they will have to re-hash those 10,000 common passwords for every user in your database, since each user has a unique salt. That makes the amount of work the hacker has to do far greater. In fact, if you have 100,000 users, the hacker's job is 100,000 times harder.

Ideally, you should use a cryptographically-secure random number generator. A typical random function (such as the one built into Real Studio) will produce well-documented patterns. We are looking into providing a cryptographically-secure random number generator in a future release of Real Studio. Each time the user changes their password, generate a new, random salt.

Last but not least, don't even store their hashed password with their user account. Instead, store their hashed password-salt combination in a separate table that is not in any way linked to their user account. When the user attempts to log in, simply take what they enter, add their salt, hash it, then query your password database table for that value. If you find it, they have entered a valid password. Should a hacker break in, the only way to determine which passwords go with which users would be to guess each user's password correctly, which is unlikely.

To make life even more difficult for the hacker, generate several bogus hashes in this table for each valid one you add. That just makes their job many times more difficult. Here's a more detailed article about this last point.
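The storage scheme from tip 8 carried through in Python, as an added example and not Real Software's code: a per-user salt from a cryptographically secure generator, PBKDF2-HMAC-SHA256, hashes kept in a table with no link to the account, decoy rows beside each real hash, and a password change that requires the current password (tip 10). The iteration count, the 16-byte salt and the four decoys per password are assumptions.

```python
import hashlib
import secrets

# Constructed example, not Real Software's code: the storage scheme from tip 8.
PBKDF2_ITERATIONS = 100_000   # assumption: raise it until one hash takes ~100 ms on your server
DECOYS_PER_PASSWORD = 4       # assumption: bogus rows added beside each real hash


def hash_password(password: str, salt: bytes) -> str:
    """PBKDF2-HMAC-SHA256 of the password plus its salt, as 64 hex characters."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return digest.hex()


class PasswordStore:
    """The salt lives with the account; the hash lives in a table with no user link."""

    def __init__(self):
        self.salts = {}      # accounts table: user name -> salt
        self.hashes = set()  # password table: hashes only, nothing tying them to a user

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)   # CSPRNG; a fresh salt on every change
        self.salts[user] = salt
        self.hashes.add(hash_password(password, salt))
        for _ in range(DECOYS_PER_PASSWORD):
            # decoys have the same shape as a real hash but match no real login
            self.hashes.add(secrets.token_hex(32))

    def verify(self, user: str, password: str) -> bool:
        """Login: hash what was typed with the user's salt and look it up."""
        salt = self.salts.get(user)
        if salt is None:
            hash_password(password, secrets.token_bytes(16))  # same cost for unknown users
            return False
        return hash_password(password, salt) in self.hashes

    def change_password(self, user: str, old: str, new: str) -> bool:
        """Tip 10: the current password is re-entered; it is also the only way to
        find the old row in the unlinked table so that it can be removed."""
        if not self.verify(user, old):
            return False
        self.hashes.discard(hash_password(old, self.salts[user]))
        self.set_password(user, new)
        return True
```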

9. Don't Provide the User with a List of Pre-Defined Security Questions

When setting up an account, many systems ask you to choose a security question they will ask you if you forget your password. The problem with this is that the questions tend to ask about information that is not that difficult to discover online. They tend to use the same questions as other systems as well, making the answers even less secure. Instead, let the user provide the question as well as the answer, and encourage them to come up with a question that is unlikely to ever be asked of them or that would arouse their suspicion if it were asked.

10. Want to Change Your Password? Sign-in Again

Users will sometimes log in to a system and then forget to log out. Of course your system should automatically log the user out after several minutes of inactivity. However, someone else nearby could go to the computer when the user is away and change their password and email address (if you allow the user to change these themselves), effectively locking the user out of the system. Instead, when the user wishes to change their email address or password, require that they log in again so you are sure they are authorized to do so.

Implementing these 10 suggestions will make your systems far more secure and will reduce the chance you'll be the target of bad press if someone breaks into your system and steals your user data.