
Posts in Category: Security

mojoPortal 2.3.8.1 Released 

I’m happy to announce the release of mojoPortal 2.3.8.1, available now on our download page.

What’s New?

Security Updates

Stronger password hashing for the hashed password format. Previously we were using MD5 without a salt; now we use SHA-512 with a random 128-character salt per user. Existing users are automatically updated to the stronger hash the next time they log in, because that is the only point at which the plaintext is available to re-hash. Until a user logs in again, that account's stored hash remains the old unsalted MD5, so the migration is only complete once every active user has signed in.

For the encrypted password format we've also updated to use a 128-character random salt per user. Existing users will be updated with a salt the next time they log in.
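As an added illustration of the migrate-on-login scheme described above (this is example code written for this page, not mojoPortal's own implementation): the legacy hash is verified first, and because the plaintext is only available during a login, that is the one moment a fresh salt and SHA-512 hash can be written back. The record shape, the hex MD5 legacy format and the 96-byte salt (which base64-encodes to exactly 128 characters) are assumptions, not details taken from the release.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not mojoPortal code): per-user salted SHA-512 hashing with
// transparent upgrade of legacy unsalted MD5 hashes at login time.
// Record shape, legacy hex format and salt derivation are assumptions.
public static class PasswordHasher
{
    // 128 characters of salt, as in the release note: 96 random bytes
    // base64-encode to exactly 128 characters with no padding.
    public static string NewSalt()
    {
        byte[] raw = new byte[96];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(raw);
        }
        return Convert.ToBase64String(raw);
    }

    public static string HashSha512(string password, string salt)
    {
        byte[] input = Encoding.UTF8.GetBytes(salt + password);
        using (var sha = SHA512.Create())
        {
            return Convert.ToBase64String(sha.ComputeHash(input));
        }
    }

    // Legacy format assumed here: lowercase hex MD5 of the bare password, no salt.
    public static string HashLegacyMd5(string password)
    {
        using (var md5 = MD5.Create())
        {
            byte[] digest = md5.ComputeHash(Encoding.UTF8.GetBytes(password));
            var sb = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest) sb.Append(b.ToString("x2"));
            return sb.ToString();
        }
    }

    // Constant-time comparison so a mismatch does not leak where the strings differ.
    public static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Minimal stand-in for the stored user record (assumption, not the real schema).
public class UserRecord
{
    public string PasswordHash;
    public string Salt; // null or empty means the hash is still legacy MD5
}

public static class LoginService
{
    // Verifies the password and, when it verifies against a legacy hash,
    // re-hashes it with a fresh salt. The plaintext only exists during login,
    // which is why the upgrade happens here and not in the database upgrade script.
    public static bool VerifyAndUpgrade(UserRecord user, string password)
    {
        if (string.IsNullOrEmpty(user.Salt))
        {
            if (!PasswordHasher.FixedTimeEquals(user.PasswordHash,
                                                PasswordHasher.HashLegacyMd5(password)))
                return false;

            user.Salt = PasswordHasher.NewSalt();
            user.PasswordHash = PasswordHasher.HashSha512(password, user.Salt);
            // persist the updated record here
            return true;
        }

        return PasswordHasher.FixedTimeEquals(user.PasswordHash,
                                              PasswordHasher.HashSha512(password, user.Salt));
    }
}
```

A single SHA-512 pass over salt and password, which is what the release note describes, is still fast to brute force offline; if you are writing new code today rather than reading this one, use a deliberately slow key derivation such as PBKDF2 (Rfc2898DeriveBytes in .NET) or bcrypt instead.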

In version 2.3.7.6 we changed the SSL behavior to keep users in a secure session once they sign in. After the release we noticed that the canonical URL was using https for secure requests and http for insecure requests, which could hurt SEO since the canonical URL should not vary. In this release, if the page does not require SSL and the site does not require SSL for all pages, the canonical URL uses http; otherwise it uses https. The canonical URL is therefore consistent even if search engines happen to crawl the pages over https.

When a user's roles are changed, the role cookie is now updated automatically on the next authenticated page request. Previously, if you added a user to a role or removed one from a role, the user needed to log out and log in again to get the new role cookie.

Usability Improvements

We've made the role permissions clearer on Page Settings and Feature Instance Settings. There has been some confusion in the past about a special case of permissions. By default, Administrators and Content Administrators can access and edit any content without being added to the allowed roles, but there is a special case: if you set the allowed roles to only Administrators, the content is locked down to Administrators and Content Administrators no longer have access. This was not obvious from the UI, and users who did not know about it would check the box for Administrators and accidentally lock out Content Administrators. We've now made it explicit with radio buttons above the role lists for Page and Content View and Edit Permissions, like this:

[screenshot: page permissions radio buttons]

Note that if you want to lock some content down so that only Administrators can access it, you should set both the page view/edit permissions and the feature instance view/edit permissions to Only Administrators. Otherwise if you only secure the page, Content Administrators can still access the content instance from Content Manager outside the context of the page security.

A related change: if you have more than 20 roles, we now use separate pages for page and feature instance permissions by default, and the site level permissions have been moved out of the Site Settings page into their own pages. This was done because of a change in ASP.NET behavior after a recent security update: a postback with more than 1000 form elements now causes an error. With many roles, the checkbox for each role for each permission adds up, and combined with the other form elements on the Site Settings page and the hidden fields used for viewstate, some users were getting errors when saving site settings. There is a configuration workaround that allows more form elements, but we wanted it to work without that, so we reduced the number of form elements per page by not putting so many things on one page. We also did some viewstate optimization to remove un-needed viewstate in some features.
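The limit behind this change is the aspnet:MaxHttpCollectionKeys application setting that the December 2011 ASP.NET security update (MS11-100) introduced as part of its fix for the hash-collision denial of service against form parsing; it caps the number of form keys per request at 1000 by default. The post does not name the setting. The fragment below is an added example of the workaround the post mentions, not a recommendation from the mojoPortal team, and the value 2000 is an arbitrary placeholder.

```xml
<!-- Added example, not from the mojoPortal release notes. Goes in Web.config
     (or user.config for mojoPortal). The default after the update is 1000;
     every form key above the limit makes a request fail. -->
<configuration>
  <appSettings>
    <!-- weak: raising the cap re-opens part of the DoS surface the update closed -->
    <add key="aspnet:MaxHttpCollectionKeys" value="2000" />
  </appSettings>
</configuration>
```

Raising the limit re-opens, in proportion, the request-parsing exposure the update was meant to close, so treat it as a stopgap; the release's approach of reducing form elements per page keeps the default in force.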

We also added paging to the /Admin/SecurityRoles.aspx page which shows the users for a given role, and we made the feature instance settings page use the same skin as the page when using page specific skins.

Blog Improvements

The blog now shows the post categories for a post in the post list and in the post detail. We’ve also implemented more of the Wordpress API, so in addition to being able to use Windows Live Writer, it is also now possible to use Wordpress clients such as the Blogsy app for iPad. I’ll be documenting that soon but basically you configure it as if you were using Wordpress.

Html Content Improvements

Several people have reported problems when trying to use JavaScript in the Html Content feature: WYSIWYG editors such as CKeditor and TinyMCE tend to do some “cleanup” on the markup, which sometimes removes things that people intended to be there. In CKeditor, for example, you could get around it by saving while still in Html view, but the next time you opened the content in the editor it would run the “cleanup” again and mangle your JavaScript. For content instances where you are using JavaScript and just want to edit the raw html without interference from the WYSIWYG editor, you can go into the settings and un-check the box for “Use WYSIWYG Editor?”; it will then use a plain text area when you edit that content instance.

Most Additional Language Resource Files are Now In a Separate Download

As the number of translations and partial translations of resource files has grown, it has added to the size of the download, but more importantly it has increased the time the ASP.NET compiler takes to compile the files for the initial request when a site first starts up or the application pool is recycled, such as when deploying an upgrade. Each .resx file is compiled by the ASP.NET compiler, and with so many of them it now adds significant time to the initial site startup. So we now have a separate languagepack.zip with the additional languages; copy the language resource files you need from there into your /App_GlobalResources folder.

For those upgrading, you may already have a lot of resource files in that folder that you don't need. My advice is to delete the languages you are not supporting in your site from the /App_GlobalResources folder just before upgrading. Do not delete the English resource files, though, because those are needed for fallback when other languages have missing keys. The English files are named without a language code, like Resource.resx and BlogResources.resx, whereas other languages have a language code, like Resource.ru.resx and BlogResources.ru.resx for Russian. The main package now only contains the resource files for English and Italian; all other languages are in the languagepack.zip.

WebStore Improvements

The way card processing gateways like Authorize.NET and PlugNPay were plugged in was previously rather messy. It is now a true provider model, so new gateways can be implemented in separate assemblies (dlls) and plugged in by configuration, which should make it easier to implement new gateways. I'll be documenting this soon. It doesn't affect PayPal or Google Checkout, because those are special cases where we don't process the credit card payment on our own site; it happens at the PayPal or Google Checkout site. Those can be used in addition to a standard card processing gateway, where the user doesn't leave your site to complete the transaction. The new provider model is only for standard card processing gateways.

There was also some redundancy in the old Authorize.NET and PlugNPay implementations: each had its own separate transaction log, which would only have got worse as we added new gateways. We now have a consolidated payment log used by all standard card processing gateways (i.e. ones that implement the IPaymentGateway provider). The upgrade script migrates existing data from the old Authorize.NET and PlugNPay logs. Since our add-on features Web Invoice Pro and Event Calendar Pro also use the payment gateways, there are corresponding upgrades of those features, and you should upgrade them at the same time as mojoPortal so that new transactions are logged in the new common payment log going forward. (This really only matters if you've been using Authorize.NET in those add-on products.)

In WebStore it is now also possible to move an order from one site user to another one on the AdminOrderDetail.aspx page. I’ve needed to do this in the past when the user who completed the order no longer works at the company that purchased a product so a different user needed to be able to get the product updates.

Miscellaneous

The Feed Manager now supports relative urls for use with internal feeds using the ~/ syntax to represent the site root.

When using folder based child sites with related sites mode, closing the master site now closes all the sites.

FCKeditor has been removed and is no longer included with mojoPortal because it is no longer kept up to date and doesn't work well with newer browsers. CKeditor is the new generation of FCKeditor, and we've included both for quite a while. Note, however, that if you are upgrading from an older version the FCKeditor files are still on disk from the previous installation, since we don't delete files during upgrades, so if you really wanted to keep using FCKeditor you could re-enable it with a custom configuration file. My advice is don't: it has problems in newer browsers like IE 9, and CKeditor is a better product.

Fixed a bug where the Janrain Engage sign in system wasn’t working correctly when using multiple sites with related sites mode, we’ve also updated to the newer Janrain Engage widget code.

Fixed some issues with theme caching where it wasn’t always loading the correct theme.skin file when using page specific skins.

Fixed a problem where the SiteRoot was being cached as a property on SiteSettings and then used in various places to build urls. The problem was that if you were accessing the site with more than one url such as using a domain name and by ip address, the cached site root might not be correct for the context of a specific request. This property has now been deprecated and all places in mojoPortal where we were using it are now using SiteUtils.GetNavigationSiteRoot() to make sure the site root is calculated in the context of the current request.

Posted by Joe Audette Thursday, January 26, 2012 12:29:00 PM Tagged In: ecommerce Releases Security

mojoPortal 2.3.7.6 Released 

I'm happy to announce the release of mojoPortal 2.3.7.6, available now on our download page.

The major highlights of this release are support for Artisteer 3.1 and new Audio Player and Video Player features contributed by our newest team member Kerry Doan.

Artisteer 3.1 Support

For those who don't know, Artisteer is a web design tool that makes it easy to create attractive web designs without any knowledge of HTML or CSS. Artisteer 3.1 was released on November 30 and I think it is the best version of Artisteer so far, so I wanted to make it even easier to design skins for mojoPortal than in previous versions. We created a whole new set of Artisteer 3.1 skins that are included in this release of mojoPortal, and we moved most of the older skins into the extra-skins.zip download that we make available with each release.

[screenshot: a skin designed in Artisteer 3.1]

We've made a skin for each of the possible layout configurations in Artisteer 3.1, so the main thing is selecting the correct skin to start with, as indicated in the documentation. In previous versions we didn't have examples for all the possible combinations, so it sometimes required editing the layout.master file; for this release one of the included skins should have exactly what you need in layout.master, and as long as you choose the right one it should be much easier. The .artx files for all of the new designs are also available in the ArtisteerFiles.zip in case you'd like to modify any of the designs using Artisteer.

The changes in mojoPortal to support Artisteer 3.1 required some changes in the theme.skin file for skins created in older versions of Artisteer, so those of you with skins created in older versions will need to edit the theme.skin file of your existing skins as indicated in the Important Skin Changes sticky thread in the design forum. You should always review that thread and the Upgrading From Previous Versions article before upgrading.

Speaking of skins, some of you have asked for the skin that we used previously on this site before our new design. That skin, designed by Joe Davis of i7MEDIA is now available in our extra-skins.zip and is named i7media-whitenblue

Audio and Video Players

The New Audio and Video features based on jPlayer are also an exciting addition to the built in feature set.

[screenshot: Audio and Video Players]

Huge thanks to Kerry Doan for his hard work on these features.

There are also a number smaller improvements and bug fixes for things reported in the forums since the last release, and there is a change in behavior when using SSL. We no longer redirect out of SSL on pages marked as not requiring it for reasons discussed in the new document Use SSL.


Posted by Joe Audette Wednesday, December 28, 2011 8:16:00 AM Tagged In: Features Releases Security Site Design

mojoPortal 2.3.6.1 Released 

I'm happy to announce the release of mojoPortal 2.3.6.1, available now on our download page. We will submit this release to the Web App Gallery next week after we've had a chance to get any feedback from our early adopters.

Support for Artisteer 3.0 Beta

I had originally intended to package skins created with Artisteer 3.0 directly in this release and move the older Artisteer skins to the extraskins.zip download that we make available with each release. I thought Artisteer 3.0 might ship before this release of mojoPortal, but it hasn't and is still a beta, so I put the newer skins for Artisteer 3.0 in the extraskins.zip and kept the skins that work with the current official version of Artisteer in the main packages. Those of you working with the Artisteer 3.0 Beta can create skins for mojoPortal using the ones we ship in the extraskins.zip download as a starting point.

[screenshot: new skin from Artisteer 3.0]

New Security Options

  • It is now possible to require approval of new users before they can sign in. A setting in Site Settings enables it, you can specify email addresses to receive notification of new users that need approval, and a new button appears on the member list page to find users not yet approved. This is not a recommended configuration if you are doing ecommerce, since it creates more barriers to completing a purchase if the user must wait for approval before signing in.
  • It is now possible to require any user to change their password from a setting in user management.
  • From Site Settings you can now configure it to require a user to change their password after password recovery or reset.
  • There is now a custom error message you can configure in site settings if you are using a regular expression to validate password rules, you can provide an error message that explains the rules.

We also made the MS SQL packages of mojoPortal pre-configured for Medium Trust by default since this is the most common installation issue that people encounter. If you are hosted in Full Trust you can use the Web.fulltrust.config file.

Easier Content Re-Use

There is a new way to mark re-usable content as global content, which makes it available for page editors to add existing content to their pages. Joe Davis of i7MEDIA has made a nice video tutorial showing how to use this new feature, see the Global Content Section on this page.

Blog Improvements

  • Someone asked for the ability to not create a 301 redirect when a post is renamed and the url changes. By default we believe this behavior is what should happen to automatically help with SEO when an url changes, but if you don't want that behavior you can turn it off by adding this to your user.config file: <add key="Blog:Create301OnPostRename" value="false" />
  • It is now possible to use Bing Maps in the blog instead of Google Maps.
  • There have been settings in the blog for a while to allow showing the right and left column content from the main blog page also on the blog post pages. Recently someone asked to be able to show upper and lower content when using skins that have 5 content panes, so we added these Web.config settings that you could add to user.config: <add key="Blog:ShowTopContent" value="true" /> <add key="Blog:ShowBottomContent" value="true" />
  • Improved Feedburner integration. When using Feedburner, we now redirect to the feedburner feed instead of direct linking so that you can keep users subscribed to your original blog feed and not lose subscribers if you later decide to stop using Feedburner. See updated documentation Using Feedburner with your Blog.

Miscellaneous Little Improvements

  • There is a new setting in Page Settings that allows you to control if pages appear in the child pages site map separately from if they appear in the menu
  • added config setting to allow using a custom registration page url
  • added config option to not re-suggest urls when renaming existing pages
  • made it possible to exclude html content instances from search index for landing pages that one doesn't want to come up in search, this is in the feature instance settings for Html Content
  • when moving items in pagelayout.aspx keep the item selected
  • make it possible to move pages to the top or bottom of their page tree node in PageTree.aspx
  • revamp of PageLayout.aspx thanks to Joe Davis - it required additional css so skins were all updated as well, see notes in this sticky thread for new css you need in your skin
  • css and markup improvements in WebStore - thanks to Joe Davis
  • when using excerpts in the feed manager make it possible to open the link in a new window
  • added an instance setting in Image Gallery to control the background color used when resizing images
  • update to a strong name signed version of NeatUpload so it can be installed in the GAC to make it work in Medium Trust hosting
  • upgrade to CKeditor 3.5
  • refactor system content templates and add new 2 column over 1 template from Jamie Eubanks
  • make it possible to specify a different site map data source id for SiteMenu control
  • when not combining css make urls relative
  • updated Italian resources from Diego Mora
  • updated Persian resources from Asad Samarian
  • updated German resources from Jan Aengenvoort

Bug Fixes

  • restore possibility to edit html content instances that are loaded by modulewrapper
  • make IE specific css and favicon respect page specific skins
  • fix bug in blog rss when using folder based child sites it was incorrectly resolving urls
  • fix bug where the smiley base path was not resolving correctly if running in a virtual directory instead of root
  • fix bug in pgsql data layer for survey
  • fix bug in pgsql data layer for content catalog paging
  • fix bug in sqlce data layer when adding features to child sites
  • fix bug in timepicker - thanks David Dean
  • fix issue where export to csv or word was not working correctly in IE 8 when ssl is enabled
  • fix bug in webstore - add abstract to offer edit page
  • fix bug in forum where external images were handled differently on edit page than thread page
  • fix bug - don't show host name tab in site settings until after new site is created

As always, it is a good idea to backup your site and database before upgrading.

Corresponding Update For Form Wizard Pro

Users who have purchased Form Wizard Pro should upgrade at the same time to the new version of Form Wizard Pro, 0.0.2.3, released today for compatibility with mojoPortal 2.3.6.1. This was needed because we updated to a new version of NeatUpload, and Form Wizard Pro must use the same version of NeatUpload as mojoPortal or it will result in errors.

Posted by Joe Audette Thursday, January 27, 2011 11:59:00 AM Tagged In: Features Releases Security

mojoPortal 2.3.5.4 Released 

mojoPortal 2.3.5.4 is now available on our download page.

This is a compatibility update for the changes in ASP.NET that resulted from the security patch recently released by Microsoft and now available from Windows Update. I blogged about this issue previously and provided a workaround for the compatibility issue, this new release eliminates the need for the workaround.

Before the security update, a System.Security.Cryptography.CryptographicException could be thrown when decrypting the role cookie if the machine key had changed while the user was already authenticated. We already had error handling for that exception, but after the security update the behavior changed: a more generic HttpException is thrown instead, which we were not handling, so previously authenticated users would get an error until they cleared the cookie. Even without a machine key change, a user who was authenticated before the Windows update was applied could get the error afterwards, because the update also changed how cookies are encrypted. In this release we have added handling for the new, more generic exception, so the cookie is reset if this error occurs and the user does not see an error on your site.

We've also removed the previous workaround for the ASP.NET security issue since it is not needed after the update is applied.

Other Changes

Thanks to Steve Railsback of Colorado State University we have some new CSS that can be used to add images to the Administration menu. It uses some Crystal Icons which are licensed under LGPL. I've updated many of the included skins that ship with mojoPortal to use the new icons, you can easily add them to your skin by adding this to your style.config file:

<file cssvpath="/Data/style/adminmenu/style.css" imagebasevpath="/Data/style/adminmenu/">none</file>

It will transform the admin menu from a plain looking vertical list to a list of images with hover effects like this:

[screenshot: admin menu icons]

This release also has:

  • upgrade to CKeditor 3.4.1
  • upgrade to TinyMCE 3.3.9.2
  • updated Italian resource files thanks to Diego Mora
  • fixed a bug where menu items that were configured as unclickable were still clickable in the breadcrumbs

I'd also like to point out a new article in the skinning documentation written by Steve Land, Using Wireframe Skins. Steve has shared a skin he designed to solve the problem of how to keep your discussions with clients focused on functionality when you need to. It is a very common issue that the customer can easily get side tracked onto colors and other visual aspects which is fine if you are trying to discuss the design but distracting if you are trying to focus the discussion on functionality or other non-design aspects of the site. The wireframe skin can help with this because it is designed to not be distracting and to clearly represent that the design is not what is being shown. Please let Steve know if you find his wireframe skin useful, if there is interest he might make more variations.

Posted by Joe Audette Thursday, October 07, 2010 9:02:00 AM Tagged In: Community Releases Security Site Design

The fix for the ASP.NET Security Bug is now available on Windows Update 

The fix for the ASP.NET security bug is now available in Windows Update. However, the change has a negative side effect for the current release of mojoPortal which may cause authenticated users to experience an error on your site. The error occurs when trying to decrypt a role cookie that was encrypted before the update was applied. Previously, if there was an error decrypting a role cookie, a System.Security.Cryptography.CryptographicException was thrown (which we were handling, so the user would not see any error). After the Windows update it now throws a more generic HttpException, which the current release does not handle, so the user sees the error page, and the only way to recover is to clear the cookie. I have added handling for the changed error for the next release of mojoPortal, but you may begin seeing this error after you or your host applies the security fix.

There is one workaround you can do right away to solve this problem, you can add code to the ErrorPage.aspx in the root to clear the role cookie so that at least the user will only see the error page one time. To do this, edit the ErrorPage.aspx file with a text editor. At the top add this:

<%@ Import Namespace="mojoPortal.Business" %>
<%@ Import Namespace="mojoPortal.Business.WebHelpers" %>
<%@ Import Namespace="mojoPortal.Web" %>

then, at the bottom of the Page_Load event, find this existing line of code:

if (disposable != null) { disposable.Dispose(); }

and add this directly after it:

try
{
    SiteSettings siteSettings = CacheHelper.GetCurrentSiteSettings();
    if (siteSettings != null)
    {
        // Overwrite the role cookie with an empty, already-expired cookie so the
        // browser discards it; the next authenticated request then gets a fresh one
        // instead of failing again on the same undecryptable value.
        string roleCookieName = SiteUtils.GetRoleCookieName(siteSettings);
        HttpCookie roleCookie = new HttpCookie(roleCookieName, string.Empty);
        roleCookie.HttpOnly = true;
        roleCookie.Path = "/";
        roleCookie.Expires = DateTime.Now.AddDays(-1);
        HttpContext.Current.Response.Cookies.Add(roleCookie);
    }
}
catch { } // the error page itself must never throw
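The two failure modes these posts describe (a CryptographicException before the update, an HttpException after it) can also be handled once, where the cookie is read, rather than only on the error page. The following is an added example written for this page, not code from mojoPortal: it assumes the role cookie carries a ticket produced by FormsAuthentication.Encrypt with a semicolon-separated role list in UserData, which is an assumption about the cookie format and not something the posts state.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Added example (not mojoPortal code). Assumes the role cookie holds a forms
// ticket whose UserData is "role1;role2;...". Both exception types named in
// the posts are caught and lead to the same recovery: expire the cookie so the
// caller rebuilds it from the database instead of erroring on every request.
public static class RoleCookieReader
{
    // An empty cookie with an expiry in the past makes the browser drop it.
    public static HttpCookie ExpiredCookie(string name)
    {
        var cookie = new HttpCookie(name, string.Empty);
        cookie.HttpOnly = true;
        cookie.Path = "/";
        cookie.Expires = DateTime.UtcNow.AddDays(-1);
        return cookie;
    }

    // Returns true with the role list if the cookie decrypts and is not expired;
    // otherwise queues an expired cookie in the response and returns false.
    public static bool TryReadRoles(HttpRequest request, HttpResponse response,
                                    string cookieName, out string[] roles)
    {
        roles = new string[0];
        HttpCookie cookie = request.Cookies[cookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return false;

        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null || ticket.Expired)
            {
                response.Cookies.Add(ExpiredCookie(cookieName));
                return false;
            }
            roles = ticket.UserData.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
            return true;
        }
        catch (CryptographicException)
        {
            // machine key changed or cookie minted under another key: pre-update behaviour
        }
        catch (HttpException)
        {
            // the same condition after the ASP.NET security update surfaces as HttpException
        }

        // Reset rather than rethrow: a stale cookie must not break every later request.
        response.Cookies.Add(ExpiredCookie(cookieName));
        return false;
    }
}
```

Because the recovery path is reached from both catch blocks, a user carrying a cookie encrypted under the pre-update scheme gets one silent re-issue instead of an error page, which is the behaviour the 2.3.5.4 release note describes.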

Posted by Joe Audette Monday, October 04, 2010 7:41:00 AM Tagged In: Security