ASP.NET Security and Performance

Posted February 1, 2002

Chat Date: January 29, 2002

Chat Participants:

  • Scott Guthrie, Lead Program Manager
  • Shawn Nandi, Product Manager
  • Erik Olson, Program Manager
  • Susan Warren, Program Manager
  • Fabio Yeon, Software Design Engineer

Jana_MS
Welcome to today's MSDN chat. Our topic is ASP.NET Security & Performance. I will ask the hosts to introduce themselves.

MS_Erik
Hi, I'm Erik Olson. I'm a program manager on Microsoft's .NET Framework team. Thanks for attending the chat today!

Shawn_MS
Hi I'm Shawn Nandi, Product Manager on the .NET Developer Platform team

FabioY_MS
I'm Fabio Yeon. I'm the performance dev on ASP.NET. Glad to be here.

Jana_MS
We will have one more host joining us in about 10 minutes. I will have him introduce himself when he arrives.

Jana_MS
OK. Let's begin. Fire away with your questions.

MS_Erik
Q: When I deal with ASP.net application security do I really only need to worry about RoleBaseSecurity ?

MS_Erik
A: No, not unless it's useful for your application. If you're using Windows security and impersonation

MS_Erik
or if you don't make role-based decisions, you don't have to use it.

MS_Erik
Role-based security is most interesting when you don't have roles that don't map well to Windows groups

MS_Erik
or if you're treating everyone as one Windows identity

ScottGu_MS
Hi, I'm Scott Guthrie and I work on ASP.NET

MS_Erik
Q: Is the permission set for asp.net assemblies set to full trust because the code group condition Zone:My Computer has the permission set FullTrust ?

MS_Erik
A: Yes, local code gets Full Trust by default. ASP.NET *requires* full trust for V1, which is different from the Betas.

MS_Erik
Please see https://msdn2.microsoft.com/en-us/library/ms994923.aspx for details

FabioY_MS
Q: Vio : Quick question on viewstate and performance implications...are there any performance stats on how much on average it slows down your application e.g. 10%, 20% etc?

FabioY_MS
A: The performance impact of viewstate is dependent upon the cost of serializing it. Usually this translates to the number of controls and how much data each wants to save. Typically, for common pages the perf hit is in the 10% range,

FabioY_MS
though it can be more for pages, like for example, a data grid with many rows and columns.

FabioY_MS
For best performance, it's a good idea to turn off viewstate generation if the page is output only or the response processing doesn't rely on the viewstate.

MS_Erik
Q: To make cookie-auth (Forms Authentication) more secure, I am thinking about putting the person's host name in the cookie, and check that. Any comments on this and pointers on where/how to implement this?

MS_Erik
A: You can do this if you like. It doesn't work for all environments due to proxy servers, though. If you want to do this, you

MS_Erik
can handle the FormsAuthentication_OnAuthenticate event and handle all the cookie management or

MS_Erik
you can stick the host name in the User data field of the FormsAuth ticket and

MS_Erik
validate that it matches the request host in say, the Application_OnAuthenticateRequest event

MS_Erik
Q: but now when I try setting the trust level via <identity> to anything other than High I get error on the new().

MS_Erik
A: Right, it now requires Full. The URL I posted above talks about the change in detail.

MS_Erik
Q: With Passport authentication, the current object model requires an active HttpContext -- are there plans to modify this so that you can use the Passport Authentication in other scenarios?

MS_Erik
A: We're not planning on this right now. The reason is that it's tied to information in an Http request right now (cookies/headers/entity bodies).

Jana_MS
Great questions everyone! Our hosts are busy answering your questions, thanks for your patience during the pauses.

MS_Erik
Q: ViewstateMAC -- does this just throw a hash on the end, or is it also encrypted?

MS_Erik
A: It's just a hash (it's an HMACSHA1 MAC as per that RFC). It's not encrypted so nothing is hidden there.

MS_Erik
You still need SSL to ensure that data is hidden.

ScottGu_MS
Q: In ASP .NET, what and how much caching goes on with .aspx files? What about Web Services? How does this affect performance?

ScottGu_MS
A: We actually do a lot of caching under the covers.

ScottGu_MS
A: Specifically, we store all compiled Type objects in our cache -- and then set up file change notification dependencies on the original .aspx or .asmx files. Likewise, for web services we cache

ScottGu_MS
A: the XML Serialization/Deserialization graph convertors using the Cache API as well.

MS_Erik
Q: Question: What is ViewState encoded with? Base64?

MS_Erik
A: That's right, Base64

MS_Erik
Q: Got it <trust level="High" /> won't work anymore it is just "Full" with the release version right ?

MS_Erik
A: Right :-(

MS_Erik
Q: Is there anything else I can do to make cookies more secure for authentication (besides faster expiry/SSL)

MS_Erik
A: SSL is the single best measure for protecting the cookie on the wire. I'd use it anywhere the cookie is sent.

MS_Erik
Short timeouts are also good.

MS_Erik
Be very careful how you store and validate credentials and make sure to validate input data before

MS_Erik
executing SQL queries for validation (parameterized stored procs are often best).

MS_Erik
If you want more control over the cookie, you can handle the event and encode IP addresses

MS_Erik
(or portions of IP addresses is probably more realistic)

ScottGu_MS
Q: I would like to use .Net in our application which currently runs on an island setup

ScottGu_MS
Q: of 3 or 4 Windows 2000 Workstation Computers but with no server. Is this possible?

ScottGu_MS
A: It is possible to run ASP.NET applications on an island of workstation computers.

ScottGu_MS
A: One gotcha, though, is that workstation computers have a limit of only 10 simultaneous users.

ScottGu_MS
A: If 11 connect at exactly the same time, one will get an error indicating that the number of

ScottGu_MS
A: simultaneous users has been exceeded.

ScottGu_MS
A: As such, I'd only recommend doing this for some workgroup apps where you know that the number

ScottGu_MS
A: of concurrent users will be less than 10. For larger apps I'd recommend installing a copy

ScottGu_MS
A: of standard server on one of the workstation boxes (optionally having a user use that as a

ScottGu_MS
A: workstation box as well as a server if you are limited by the number of physical machines you can have).

MS_Erik
Q: Viewstate MAC -- so someone can edit the viewstate and then put a SHA1 hash on the end?

MS_Erik
A: No, it uses a server secret as part of the MAC computation. Unless you know the secret, you can't create a valid MAC. (end)

FabioY_MS
Q: Cuffer : What are the best objects/counters to monitor to gauge ASP.NET performance, or .NET performance in general?

FabioY_MS
A: It depends on the scenario. Obviously the "ASP.NET Applications\Requests/sec" is a must, followed by "Processor\CPU Utilization".

FabioY_MS
Beyond that "ASP.NET Applications\Errors Total", ".NET CLR Memory\# Gen ?? Collections" show if the app is stressing the garbage collected heap,

FabioY_MS
".NET CLR Exceptions\# of Exceps Thrown" show if exceptions are getting fired from your app. The ".NET CLR Interop" counters are good

FabioY_MS
if the app calls into COM objects.

Jana_MS
Great questions everyone! Our hosts are busy answering your questions, thanks for your patience during the pauses.

Jana_MS
Our hosts are committed to getting to as many questions as they can :)

Shawn_MS
Q: Mhensen: What is an average performance gain comparing asp asp/vb and .net

Shawn_MS
A: Typically applications show a 3x-4x increase immediately (due to the fact that ASP.NET uses compiled code). However using ASP.NET's caching features, it's possible to enhance performance even further.

Shawn_MS
See https://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaspcachingfeatures.asp (END)

FabioY_MS
Q: tartufella : Would you recommend serializing a DataSet to ViewState or make use of Session variables?

FabioY_MS
A: Well, first, it's a very, very bad idea to serialize large objects into the Viewstate, since it must be sent to and from the

FabioY_MS
client. Using the session variable would be better, depending on your app. Other possible solutions include caching only the

FabioY_MS
needed data in a custom data structure in the application cache or fragment caching in a user control.

ScottGu_MS
Q: Is there anyway to ensure 24x7 operation on a single host when updating the code-base if dependency...

ScottGu_MS
Q: assemblies have incompatibilities. During the copy process, the assemblies are mismatched for a short period of time.

ScottGu_MS
A: One approach would be to always copy up assemblies in a separate directory on the box -- as opposed to overriding

ScottGu_MS
A: the live vroot (which could lead to code mismatches for short periods). Once all the assemblies have been copied

ScottGu_MS
A: up, then you could simply switch the "live" vroot config to point at the new directory. This will provide

ScottGu_MS
A: an "atomic" update of the site where you don't have to worry about either page or code-mismatches due to copying. (END)

MS_Erik
Q: A big issue for me is security of Web Services. I've heard this will be addressed in the Global Web Services Architecture, but until then, are there any recommendations as to how to secure a web method call besides Windows Authentication?

MS_Erik
A: Currently, the built in support relies on the HTTP protocol. You can get a strong level of security with

MS_Erik
SSL and client certs or use other forms of Windows auth. If you want to roll your own crypto on the SOAP

MS_Erik
message, that's possible but you need to be careful with it. I'd definitely recommend

MS_Erik
going with an established crypto alg (lots of these in the box) and checking out the SignedXml class.

MS_Erik
You're right that message level stuff that's not related to HTTP is coming

MS_Erik
You can also disable the documentation protocol and GETs for production services

MS_Erik
that you don't want folks to discover(end)

ScottGu_MS
Q: Follow Up to Indey's Question: Is it possible to use apache to serve the asp.Net pages thus overcoming the 10 connection limit?

ScottGu_MS
A: It is actually possible to host ASP.NET on different web servers. ASP.NET specifically exposes a "hosting API" via the

ScottGu_MS
A: System.Web.Hosting namespace that makes this extensibility possible. Stay tuned over the next few weeks -- we will be

ScottGu_MS
A: providing a sample (with complete C# source) demonstrating how to take advantage of this extensibility. (END)

FabioY_MS
Q: cenk: Is the viewstate compressed to increase the performance?

FabioY_MS
A: Viewstate is currently not compressed. It is only BASE64 encoded and machine key hashed (by default).

ScottGu_MS
Q: Viewstate, is it possible for a user to modify the ViewState and eventually modify variables in our code?

ScottGu_MS
A: No -- by default ViewState is encoded with a MAC (message authentication check) encryption key private to the server.

ScottGu_MS
A: This will cause a postback to fail if a hacker attempts to modify the viewstate values on the client to spoof

ScottGu_MS
A: your code on the server. As such, you don't need to worry about this type of attack. (END)

MS_Erik
Q: When building large web farms it is necessary to keep the encryption/validation settings in sync. Generating keys is easy - do you have a recommended way of updating multiple web.config files simultaneously?

MS_Erik
A: Is it necessary to keep them in sync. I'd recommend that you deploy them similar to the rest of the app bits.

MS_Erik
Things like Application Center can do replication for you. Sorry, I don't have a better answer here.(end)

MS_Erik
Q: We're waiting to get single sign-on. In the meantime, is there any added support in ASP.NET that I can use for SSO? Preferably easily migrated to an LDAP directory later.

MS_Erik
A: Unfortunately, ASP.NET doesn't have any direct support for this. You can integrate SSO solutions using ASP.NET

MS_Erik
It's easy to plug into the authentication infrastructure by handling the Authentication event. However,

MS_Erik
this only fires for requests to content types that ASP.NET owns, so it's not as general as an ISAPI filter.

MS_Erik
For ASP.NET content, it works well.

FabioY_MS
Q: JoshM_MVP : Question: Are there ever situations in which the application will be rebuilt by ASP .NET besides the first time since a compile? The rebuild seems to take a while and be a performance hit, does this ever happen more than once?

FabioY_MS
A: Pages will be recompiled if: "machine.config" is changed; "web.config" is changed; "global.asax" is changed; or any of the files in the "bin" directory are changed. If only individual aspx pages are changed, then only those pages

FabioY_MS
should recompile at the next request.

Shawn_MS
Q: cenk : is there a new product coming which will replace COM+ layer. I heard something called Indigo?

Shawn_MS
A: COM+ Services can be accessed by .NET applications by using the .NET Enterprise Services classes (part of the .NET Framework). There are no plans to replace these services.(END)

ScottGu_MS
Q: Is ASP.net more difficult to learn than ASP (a newbie :-) ?

ScottGu_MS
A: We hope ASP.NET is easier. A lot of what we've tried to do with ASP.NET is reduce the number

ScottGu_MS
A: of concepts and code you need to write -- and really simplify common tasks (validation, security, etc)

ScottGu_MS
A: To learn more about ASP.NET I'd really recommend checking out: https://www.asp.net which is the official

ScottGu_MS
A: ASP.NET website. There are a lot of samples, whitepapers, books and forums where you can learn more.

FabioY_MS
Q: tartufella : I'm often confused when I compile apps in Release mode whether I should also change the web.config compile section to debug="false"

FabioY_MS
A: Yes, change the setting to "false" when deploying it. The default template in VS has it enabled to allow debugging during development.

MS_Erik
Q: How safe are sessions in asp.net?

MS_Erik
A: The session data is stored on the server so the major risk is session prediction or hijacking.

MS_Erik
Using sessions over cleartext is subject to the same kind of interception attacks that any cookies

MS_Erik
or request URL methods are. The session id itself is 120 bits of CryptGenRandom data in base 32,

MS_Erik
so it's quite strong against prediction. Using it over SSL is a good idea to mitigate the risk of interception(end)

FabioY_MS
Q: cenk : Is the cache object thread-safe?

FabioY_MS
A: Yes, it is.

ScottGu_MS
Q: Are you coming out with any good examples of creating new server controls (adding security, managing viewstate, emitting browser specific html)?

ScottGu_MS
A: We are definitely coming out with some examples that specifically demonstrate this. We are also maintaining

ScottGu_MS
A: and building up a large collection of control samples (many with code) that you can freely download from

ScottGu_MS
A: the server control gallery on: https://www.asp.net (just click the server control tab and browse from there).

ScottGu_MS
A: I'd recommend checking it out to learn more (there is also a good listserv on that page that you can join

ScottGu_MS
A: to ask server control development questions, etc. (END)

MS_Erik
Q: If I'm creating my own ticket, must I call FormsAuthentication.Initialize()

MS_Erik
A: I don't think so. The FormsAuth module should take care of that for you. If not, it will throw and you'll know :-)(end)

ScottGu_MS
Q: To Scott Guthrie, In August last year you dropped a hint of a special fun project that you and Susan were working on that would be much more grand than IBuySpy. Can you expand on this yet?

ScottGu_MS
A: We are actually still actively working on it. It is getting closer -- although still a little further out. Stay tuned to www.asp.net

ScottGu_MS
A: for more info on it once it ships. :-) (END)

FabioY_MS
Q: Mark-MDNUG : I would like to create an application mapping within IIS for ASP.NET to handle all incoming requests - in order to set up path rewriting for folders. EG foo.com/*folder*/. Would this be a major performance hit?

FabioY_MS
A: It depends. There should be very little perf hit for pages that would have been handled by ASP.NET anyways. On the other hand, if the requests are for static content, then

FabioY_MS
there would be a much bigger hit, since they can be served up faster by IIS.

FabioY_MS
Q: MichaelG : In ASP.NET, I can use objects much more freely, correct? Only if I use COM Interop do I really need to worry? No more chunky calls?

FabioY_MS
A: Correct. As long as you stay within managed code (and the same process), calls between objects are very cheap (i.e. no marshalling, threading issues, etc. of classic COM).

FabioY_MS
You still need to worry if you use COM Interop, though, since then you have to play nice with COM.

ScottGu_MS
Q: ViewState: can't someone spoof the computer MAC and then cause havoc?

ScottGu_MS
A: The ViewState MAC relies on a 512 bit private key on the server.

ScottGu_MS
A: This makes the key pretty unguessable (trillions of possible values)

ScottGu_MS
A: unless you explicitly send them the key.

ScottGu_MS
Q: Scott, you said before that enableviewstatemac is enabled by default - v1 docs specify otherwise

ScottGu_MS
A: The docs are wrong because this was a late change we made right before V1 shipped (we didn't update

ScottGu_MS
A: the docs). In Beta2 it was off by default -- but for V1 enableviewstatemac is on by default.

ScottGu_MS
A: You can change the default value (if you want to) either in the web.config or machine.config files.

MS_Erik
Q: what permissions does the ASPNET account have to have to allow the creation/use of the System.Security.Cryptography classes?

MS_Erik
A: It depends on the classes. Most of them should work fine--they're just code and don't require other System resources.

MS_Erik
If you need to use CAPI key containers (e.g. with the RSA stuff), it needs to be able to read that key container.

MS_Erik
The symmetric stuff should be fine(end)

MS_Erik
Q: Is viewstate encoding secure or not? I know it's not SSL, but I hear all this talk of 512 bit private key on the server and it sounds pretty secure for many purposes

MS_Erik
A: It's reasonably secure against tampering but it doesn't *hide* data in viewstate. That's where you want SSL.(end)

Shawn_MS
Q: Boston01: Someone earlier mentioned the performance hit incurred when an aspx page is first compiled. Is there any way to automatically compile all pages in a project as soon as it's deployed?

Shawn_MS
A: We are considering including automatic compilation in upcoming versions of ASP.NET. The best approach currently is to hit the page once after it is deployed. (END)

Jana_MS
We are going to have to wrap up this chat in about 15 minutes. The hosts will answer a few more questions.

FabioY_MS
Q: mmcconnell1618 : How bad is the performance hit when using Server.Transfer? Is it minimal because the transfer takes place on the server in the ASP Process?

FabioY_MS
A: Since Server.Transfer aborts further processing of the page then redirects, the perf impact is pretty minimal.

ScottGu_MS
Q: We are in the process of making recommendations on ASP.NET vs ASP. While the ASP.NET caching is an obvious

ScottGu_MS
Q: plus - IIS6 supposedly supports caching of ASP pages. Is this true? Is ASP.NET still going to perform better on IIS6?

ScottGu_MS
A: We think ASP.NET will perform about 3 times better than classic ASP on IIS6 (of course this depends a little

ScottGu_MS
A: on the scenario). There are a lot of perf optimizations in ASP.NET above and beyond classic ASP. Also,

ScottGu_MS
A: the caching features in ASP.NET are a lot richer than classic ASP on IIS6. For example, with ASP.NET you can

ScottGu_MS
A: output cache regions of a page as opposed to just the entire page -- which dramatically increases the types

ScottGu_MS
A: of caching optimizations you can do.

ScottGu_MS
A: In general, regardless of perf, I think the biggest reason to go to ASP.NET over classic ASP is in developer

ScottGu_MS
A: productivity. ASP.NET apps require less code and time than classic ASP -- which directly impacts your time to market.

ScottGu_MS
A: For more info on the choice (ASP vs ASP.NET), I'd recommend reviewing the "Why ASP.NET" whitepaper on https://www.asp.net. (END)

MS_Erik
Q: Turkish: Follow-up: We are trying to create the RSACryptoServiceProvider and cannot with the ASPNET user...what should we do?

MS_Erik
A: Right, it tries to create a key for you with the no-arg ctor.

MS_Erik
You have to pass the ctor an explicit CspParameters object. You can e.g. set

MS_Erik
CspParameters.Flags = CspProviderFlags.UseMachineKeyStore or use a named container

MS_Erik
that you can get at from ASPNET.(end)

Swarren
Q: How much performance hit do we take by using Web Forms controls all over the place?

Swarren
A: Web Forms Controls are definitely a bit slower for the first time a page is rendered, but if you can use output caching the

Swarren
perf hit is usually moot. And the encapsulation they provide really helps keep the cost of maintaining the application down. (end)

MS_Erik
Q: does anyone know what is required to allow the ASPNET account to write to the eventlog?

MS_Erik
A: It can write to it, but it can't create the category which requires writing to HKLM. If you precreate your

MS_Erik
category, it should work with playing with ACLs. Another strategy is to use a

MS_Erik
ServicedComponent derived class running as COM+ service app with a strong identity.

MS_Erik
This is great for all sorts of situations where you need more permissions.(end)

Jana_MS
Our hosts have agreed to stay until 1:15 PST (an additional 15 minutes) to continue answering your questions. This has been a great chat! Thank you to everyone!

ScottGu_MS
Q: How does Response.End() end all processing of code? How can I do the same elsewhere?

ScottGu_MS
A: Internally we actually throw a thread abort exception -- which is what stops all further execution on the running stack trace.

ScottGu_MS
A: You can actually do this yourself if you look at the System.Threading.Thread class. Alternatively, just call Response.End()

ScottGu_MS
A: and we'll do it for you. (END)

MS_Erik
Q: How do we go about setting up a web farm configuration considering that the security keys ASP.NET uses by default are machine specific.

MS_Erik
A: You need to configure a consistent <machineKey> section for the farm.

MS_Erik
There are some KB's on generating strong keys (it uses the RNGCryptoServiceProvider and hex encodes the output)

MS_Erik
to generate strong random keys.(end)

FabioY_MS
Q: SPerryMVP : If you had to name one item that affects the performance of ASP.NET the most what would it be?

FabioY_MS
A: I'd say that there are two: compiled code and output cache.

Swarren
Q: Is it possible to hook up user controls to tags on in the html at runtime?

Swarren
A: Sure, Page.LoadControl() does not require a register directive in the page *unless* you are trying to set properties

ScottGu_MS
Q: Scott Follow-up to Response.End() Answer: Does that mean if we catch that in our routines we can keep processing to perform necessary clean-up in controls we build for distribution?

ScottGu_MS
A: The best approach is to use a finally block to perform this type of cleanup (that way it happens regardless of whether a Response.End

Swarren
of the user control, and it's a single file page. An easy workaround is to make a code-behind user

ScottGu_MS
A: occurs. Also -- note that the Dispose method on pages (surfaces as the Page_Unload event) and controls also still fire

ScottGu_MS
A: when a Response.End occurs. As such, you can do cleanup code in there as well before the request finally ends. (END)

Swarren
control, which has a precompiled type (and thus doesn't require the Register directive)

ScottGu_MS
Q: Is that thread exception by Response.End() faster or slower than letting the page go through the rest of the events after Init?

ScottGu_MS
A: Response.End() is faster than letting a page render and continue to execute. (END)

ScottGu_MS
Q: What support can I get for ANSI text files (to read and parse them)?

ScottGu_MS
A: The System.IO class namespace supports a variety of classes that let

ScottGu_MS
A: you read, parse and write both unicode and ANSI text files. (END)

Swarren
Q: Is there a way to pass renderable ASP.NET code as literal text?

Swarren
A: Could you clarify the scenario please?

Jana_MS
VS chat sessions are also advertised on the start page of Visual Studio under: On-line community->experts->technical Chats.

MS_Erik
Q: : lets the mail be sent. Am I missing something with the relay settings or is this a permission issue regarding the new aspnet account?

MS_Erik
A: It could be a permission issue. The ASPNET account can't read the metabase and in some cases, the CDO objects

MS_Erik
try to do this. I think you can often work around this by setting the SmtpServer property in your code.

MS_Erik
If you need to grant read ACLs to the metabase for ASPNET, you can do this with the metaacl utility on MSDN.(end)

ScottGu_MS
Q: I have a solution now with many small e-commerce stores. Each one of the pages of the stores is just one line: Server.Transfer("/codebase/realpage.asp")

ScottGu_MS
A: One solution is to do a Response.Redirect that instead does a client-side redirect to your codebase file. That way

ScottGu_MS
A: you could migrate them to ASP.NET one at a time -- or just have all the existing apps use classic ASP and have

ScottGu_MS
A: new applications written using ASP.NET. (END)

MS_Erik
Q: How much overhead is incurred when using impersonation in ASP.NET? Do you recommend using this now that ASP.NET runs as ASPNET account?

MS_Erik
A: Impersonation adds almost no cost. IIS creates (and caches for some time) the token regardless so it's just the

MS_Erik
cost of putting it on a thread. It's trivial.

MS_Erik
The decision should be on if you want access control checks to be done for things in your code

MS_Erik
(e.g. when you programmatically open a file, do you want to check ASPNET or the remote user)

MS_Erik
or are you building a trusted-subsystem model where you check at the gate or using role based security.(end)

ScottGu_MS
Q: Will MS publish any ASP.NET for Managers whitepaper? Explaining in business terms why choose ASP.NET?

ScottGu_MS
A: We are going to be working on more whitepapers along these lines. Two resources to check out now are

ScottGu_MS
A: the "Why ASP.NET" whitepaper at: https://www.asp.net/whitepaper/whyaspnet.aspx

ScottGu_MS
A: Also, check out the "Customers" tab on the www.asp.net site. It contains a list of live customers today

ScottGu_MS
A: and will be growing significantly in the next few weeks (many names are being saved for the official

ScottGu_MS
A: marketing launch in Feb). We will also be augmenting the list of customers with case studies describing

ScottGu_MS
A: what they've done and the success they've had. (END)

Swarren
Q: How can I format data in the DataGrid's ItemDataBound event? Are there performance penalties related to this?

Swarren
A: OnItemDataBound can be a great spot to customize the appearance of the UI based on the data.

Swarren
You might want to check out the XML DataGrid control download in the control gallery on https://www.asp.net for an example.

Swarren
Re performance, you assign the formatted data to a control property by either indexing into

Swarren
the Control's collection of the Item (fast) or using Item.FindControl (a bit slower, since it uses reflection). (eom)

MS_Erik
Q: I have to upload a file to my site that needs to be processed by the system. Can I kick off a task that will do this so the user is not waiting?

MS_Erik
A: You might consider using MSMQ for this. There are some easy to use wrappers and there's

MS_Erik
also good Frameworks support for writing NT services to read the queue and drain it. You can

MS_Erik
handle things async if you want to, but if you don't want to block the client, you usually

MS_Erik
have to invent some script/refresh code that polls periodically.(end)

ScottGu_MS
Q: But with Server.Transfer I get the current application's application vars, sessions, etc, but I get the codebase code. Thus I get multiple "applications" that function independently, but code maintenance is easy (just one shared directory)

ScottGu_MS
A: You can do the same thing with ASP.NET (it also supports Server.Transfer). What you'd then have would be two directories -- one for

ScottGu_MS
A: ASP.NET and one with ASP code. You'd then have multiple applications living within each directory. (END)

FabioY_MS
Q: ClubStew : Would a better replacement algorithm for controls' view states be better so that data isn't added each time?

FabioY_MS
A: Perhaps, but the viewstate must be very generic to support a wide variety of controls. User controls, for example, could store a

FabioY_MS
minimal amount of data in viewstate as long as they knew how to re-create the data back from it.

ScottGu_MS
Q: AdRotator how to keep track of certain ad impressions and clickthroughs?

ScottGu_MS
A: There is an "AdCreated" event on the AdRotator control that you can handle to have code

ScottGu_MS
A: execute every time an impression is created. This lets you track ad impressions.

ScottGu_MS
A: For Ad clickthroughs I recommend having the ad link to a separate clickthrough tracking

ScottGu_MS
A: url on your site which updates a database -- and then does a Response.Redirect to the

ScottGu_MS
A: actual target site. (END)

MS_Erik
Q: SMTPServer was set to "localhost"; Should it be set to the IP address?

MS_Erik
A: I'm really not sure, but I think if it's actually a local server, it needs the metabase read perms. If you don't want

MS_Erik
to do that, you might consider calling it from a ServicedComponent derived class running with more privilege.(end)

ScottGu_MS
Q: Will the Beta 2 IBUYSPY Store run on asp.net v1? If not, what tweaks are necessary to make it run?

ScottGu_MS
A: We are in the process of updating the IBuySpy Store for the final bits (we are fixing the last bugs now!)

ScottGu_MS
A: It should be posted soon onto www.asp.net. (END)

Jana_MS
Our hosts are so committed to answering your questions that they are going to stick around for a few more minutes.

Swarren
Q: I have ASP.NET code stored in a database... e.g "<asp:Label id="lbl" runat="server" text="My Label" />... How can I pass that text so that it will be parsed by ASP.NET?

Swarren
A: Page.ParseControl("some tag") returns an instance of the control represented by the tag.

Swarren
You can just insert the instance into the control tree. Note that databinding expressions within the tag are not evaluated!

MS_Erik
MichaelG : How much slower is Base64 encoding than Hex encoding, and what is the class for hex encoding?

MS_Erik
A: I don't know about the perf. Here's my HexEncoding, though :-)

MS_Erik
static string BytesToHexString(byte[] input) {
    StringBuilder sb = new StringBuilder(64);
    int i;
    for (i = 0; i < input.Length; i++) {
        sb.Append(String.Format("{0:X2}",input[i]));
    }
    return sb.ToString();
}

MS_Erik
You were probably hoping for something better :-) (end)

ScottGu_MS
Q: AdRotator yes, but how do u know which Ad is being served..I am aware of the Event..and ideas?

ScottGu_MS
A: Within the event handler (Which is fired by the AdRotator) you can interact with the AdRotator server control to

ScottGu_MS
A: determine which ad was picked -- and then write your logging code within it to track the viewed customer impressions. (END)

MS_Erik
Q: Can you change the password for the ASPNET account without damaging the ASP.NET process? Does it need to be synced? (remember IWAMSYNC?)

MS_Erik
A: No, it will break it. It stores the password as an LSA secret so the process can be launched.

MS_Erik
It has to be in sync with the SAM (end)

Swarren
Q: on many sites, including "my own" (ISU Vetmed), the viewstate param typically exceeds 90K when only about 10 controls are in the page. This is after a fair amount of use, though.

Swarren
A: You can (and should) consider disabling viewstate -- in many cases the page doesn't require it.

Swarren
There's an EnableViewState property on all controls, and also at the page level. For information

Swarren
about analyzing whether you need viewstate, check out the MSDN article at: https://msdn2.microsoft.com/en-us/library/ms972427.aspx

ScottGu_MS
Q: When I set the ErrorPage property of a page, it works as it should. On error, I get redirected to the page I specified in the property. But there is no information about the error or exception in the request object of the page. How can you get this information?

ScottGu_MS
A: Two ways to log this information: the first is by handling that particular Page's Page_Error event -- and then logging

ScottGu_MS
A: the error details on that page before the redirect occurs to the error status page.

ScottGu_MS
A: Alternatively, you can handle the Application_Error event within the Global.asax file -- this event gets fired

ScottGu_MS
A: every time *any* error occurs anywhere within an ASP.NET application (that way you don't need to have a separate

ScottGu_MS
A: Page_Error event on each page). (END)

FabioY_MS
Q: cenk : Can we pass DataReader between processes? for example COM+ components returning DataReader instead of DataSet? will that still work?

FabioY_MS
A: While a DataReader can be remoted to another managed process, it is really not recommended, since it's a major perf hit. Each and every method call will be marshalled back to the original process. Passing DataSet may be easier,

FabioY_MS
though the best solution would be to glean the needed data from the DataReader and pass a "pre-processed" chunk of data.

MS_Erik
Q: Ouch - what if I want to sync the ASPNET account between a web server and a SQL Server to use Integrated security?

MS_Erik
A: That does hurt. I know that's a legit scenario. We'll try to work on something for it. (end)

Swarren
Q: swarren: can you comment on my question about the stateful ibuyspy components?

Swarren
A: The OrderDetails class is a data class, filled by methods in the Orders class as you note.

Swarren
We chose the lightweight data access component approach over class OOP to keep the code as simple and clean as possible.

FabioY_MS
Q: Andre : Is it feasible for a site that has thousands of concurrent users to support session variables for each user?

FabioY_MS
A: Absolutely! We've made sure that the session state performs well and scales. Of course, this is contingent on not having megabytes of data per session, but then, you should know not to do that... :)

Swarren
Q: When can we expect the V 1.0 of IBuySpy? What are the differences between Beta2 and RTM?

Swarren
A: I'm working on it feverishly, and if all goes well it will be out at the end of this week. There have been a

Swarren
small number of bug fixes and the changes that were detailed in the "rcbuilds" document, but mostly

Swarren
we're trying to ensure that the samples install securely, with a secure connection to the database.

Swarren
So we have a new setup routine we're working the kinks out of now.

Swarren
Q: If we disable the ViewState, will the ASP.NET pages be able to preserve the form values?

Swarren
A: No, you do need viewstate enabled on the control whose values you want to round trip.

Jana_MS
Thanks for joining us today! You've asked some great questions. Unfortunately, it is time to end. Thank you to our hosts, Scott, Erik, Susan, Shawn & Fabio.

ScottGu_MS
Thanks for joining us on the chat -- we enjoyed it a lot! :-)

Jana_MS
The transcript from today's chat will be posted within 7 working days on https://msdn.microsoft.com/chats/.

ScottGu_MS
Check out https://www.asp.net for more information on ASP.NET and the ASP.NET Community

Jana_MS
For additional links on today's topic, please visit the following:

Jana_MS
White Paper: https://www.asp.net/whitepaper/whyaspnet.aspx

Shawn_MS
Thanks all

Jana_MS
Website: https://www.asp.net

Jana_MS
Newsgroup: https://msdn.microsoft.com/newsgroups/default.asp?url=/newsgroups/loadframes.asp?icp=msdn&slcid=us&newsgroup=microsoft.public.dotnet.framework

Jana_MS
Comparison: https://www.gotdotnet.com/team/compare/default.aspx

Jana_MS
Thank you to all our participants. Have a great day/night!
