Session Prerequisites
 This session assumes that you
understand the fundamentals of
 Development on Windows®
 ASP or Visual Basic®
 Introduction to .NET
 ASP Today
 Server Controls
 Data Controls
 ASP.NET Web Applications
 Business Objects
 Web Services
Introduction to .NET

VB C++ C# JScript …

Common Language Specification

Visual Studio.NET
ASP.NET: Web Services Windows
and Web Forms Forms

ADO.NET: Data and XML

Base Class Library

Common Language Runtime

 Introduction to .NET
 ASP Today
 Server Controls
 Data Controls
 ASP.NET Web Applications
 Business Objects
 Web Services
ASP Today
 Simple procedural programming model
 Access to COM Objects
 File system object
 No compiling, just save
 Support for Multiple Scripting languages
 Mix HTML and Code
 VBScript – Leverage VB Skills
ASP – ASP.NET Differences
 Code Readability – No spaghetti code
 Language Interoperability
 Compiled –
 The .NET Framework detects that the page is being run for
the first time and compiles it, storing the copy of it.
 In the traditional approach to ASP, pages were interpreted on
each request to the page
 Strongly typed –
 In traditional ASP, programmers were provided with only
variant data type, consuming more memory and not providing
ways for early binding -- something that is now possible with
 Web forms –
 Web Forms provide a rich UI of the pages in ASP.NET
 Web Services
ASP – ASP.NET Differences
 Control-based event-driven programming
model –
 Makes it easy to create powerful applications
similar to VB applications
 GUI and event logic separated
 Separate code and presentation –
 ASP.NET provides a powerful technique called
code behind. which allows you to separate code
from presentation.
 PostBack Complexity
 Code Reuse
 Deployment - No registry –
 This allows deployment by simply copying the
files, without having to bother with registry issues
ASP – ASP.NET Differences
 DLL Locking –
 In the previous versions of ASP, when the script used the
functions, the DLL was locked in the memory.
 Although ASP.NET cannot prevent the CLR from locking a
loaded assembly DLL on disk, it can support you by
ensuring that the physical DLLs in a Web application's
private assembly cache are never actually loaded by the
 Instead, shadow copies of the assembly DLLs are made
immediately prior to their use.
 These shadow assemblies--not the original files--are then
locked and loaded by the runtime.
 Because the original assembly files always remain unlocked,
you are free to delete, replace, or rename them without
cycling the Web server or having to use a registration utility.
 With ASP.NET, the Framework detects the new version and
replaces the old one
 Sessions
ASP – ASP.NET Differences
 Caching –
 Pages, and even parts of pages that are frequently
requested can now be cached for better
 Validation controls and server controls –
 For common validation a programmer used to
write a lot of code.
 This was difficult if there were different client
types for your page.
 A set of server controls, along with validation
controls, render the HTML, which is specific to the
 The programmer can even build several powerful
controls based on their specific needs
 Introduction to .NET
 ASP Today
 Server Controls
 Data Controls
 ASP.NET Web Applications
 Business Objects
 Web Services
ASP.NET Design Goals
 Event-based programming model similar
to Microsoft Visual Basic®

 Compiled code and support for multiple

languages, as opposed to ASP which was

 Allows third parties to create controls

that provide additional functionality –
custom (user) controls
ASP.NET Design Goals
 Rich set of validation controls that
reduce client-side programming

 Viewstate management using hidden




the auto-generated class,
along with a compiled instance of
Compiled .ASPX
the class, is stored in the:
WINDOWS\Microsoft.NET\Framework\version\Temporary ASP.NET Files folder,

All the subsequent page requests directly execute

the compiled code.

The runtime creates one instance of this

class per AppDomain.
Compiled .ASPX
One distinct AppDomain per running
ASP.NET Application is maintained.

Compiled .ASPX
Code behind




DLL creation – ASP.NET 1.1
 The code behind files for all the web forms in the project are compiled
into a DLL before deployment

 All .aspx file compiled into another DLL at runtime

 The ASP.NET runtime dynamically compiles an ASP.NET page the first

time a user requests it.

 First, it checks its cache to see whether that page has been compiled

 If it hasn't, it loads the .aspx file and generates a temporary source

code file that implements a class that represents that ASP.NET page.

 It then invokes the appropriate command-line compiler to compile the

generated source code into an assembly.

 Finally, the class that represents the ASP.NET page is instantiated to

handle the incoming request.
DLL creation – ASP.NET 2.0
 Second, you no longer have to separately compile your user-defined
code into an assembly that gets copied into the application's \bin

 All code, both generated and user-defined is now compiled by the

ASP.NET runtime into a single class.

 There is a new compileWith attribute in the @Page declaration. This

tells the ASP.NET runtime the name of the code separation file that
contains user-defined code.

 ASP.NET 1.x inherits attribute is no longer present. Recall that this

attribute told the ASP.NET 1.x runtime what class to derive the
ASP.NET page from.

 The code for button click in the code behind file is linked with the
button in the aspx file with the onclick attribute.
The default.aspx file in ASP.NET 1.x.
 <%@ Page debug="true" language="c#" Codebehind="Default.aspx.cs"
Inherits="Test._Default" %>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >

<HTML> <HEAD> <title>Default</title> </HEAD>
<body> <form id="Form1" method="post" runat="server">
<asp:Label id="Label1" runat="server">Hello, World!
<asp:Button id="Button1" runat="server" Text="Click Me">
</form> </body>
The code-behind file: default.aspx.cs in ASP.NET 1.x.

 namespace Test {
public class _Default : System.Web.UI.Page
protected System.Web.UI.WebControls.Label Label1;
protected System.Web.UI.WebControls.Button Button1;
private void Page_Load(object sender, System.EventArgs e)
{ // Put user code to initialize the page here }

#region Web Form Designer generated code

override protected void OnInit(EventArgs e)
{ // // CODEGEN: This call is required by the ASP.NET Web Form //
Designer. // InitializeComponent(); base.OnInit(e);

private void InitializeComponent()

{ this.Button1.Click += new
System.EventHandler(this.Button1_Click); this.Load += new
System.EventHandler(this.Page_Load); }
private void Button1_Click(object sender, System.EventArgs e)
{ Label1.Text = "Clicked me!"; }
} }
The default.aspx file in ASP.NET 2.0.

 <%@ page debug="true" language="C#"

compilewith="Default.aspx.cs" %>

<html> <head runat="server"> <title>Untitled

Page</title> </head>
<body> <form runat="server">
<asp:label id="Label1" runat="server">Hello, World!
</asp:label> <br /> <br />
<asp:button id="Button1" runat="server" text="Click
Me“ onclick="Button1_Click" />
</form> </body>
The code separation file: default.aspx.cs in
ASP.NET 2.0.
 using System;
namespace ASP
public partial class Default_aspx
void Button1_Click(object sender,System.EventArgs e)
Label1.Text = "Clicked me!";
ASP.NET 2.0 – Page Compilation Model

 The new code for the code separation file,

default.aspx.cs. only contains the event handler for
Button1's Click event.

 The reason this code is so much simpler is due to a

language feature called partial classes that is new to
both C# and VB.NET.

 This feature lets a class definition span multiple

source files, which is how VS.NET and ASP.NET can
hide all of the standard initialization code from you.

 To understand how partial classes work, we need to

take a closer look at the code that is generated by the
ASP.NET runtime.
ASP.NET 2.0 – Page Compilation Model

 There isn't a build step; you immediately start

running your Web application.

 The ASP.NET code no longer runs in IIS during

development. Instead, it runs in a new managed Web
server called Visual Web Developer Web Server.

 This new design means that you don't need to install

or configure IIS on a developer's computer.

 It also means that you can develop ASP.NET code

using a restricted user account without having to
reconfigure ASP.NET first.
ASP.NET 2.0 – Page Compilation Model
 After we run the application for the first time, we need to find
where ASP.NET places the generated files.

 It turns out, they're in a different location now. Because the

Visual Web Developer Web Server runs using your credentials,
you'll find the files in Local Settings\Temp\Temporary ASP.NET
Files\[virtual root]\[x]\[y].

 The code that the ASP.NET runtime generated for the

default.aspx page, declares part of the code for a class called
Default_aspx; its class definition is declared using the C# partial

 This code is combined at compile-time with the code which

contains the rest of the definition of the Default_aspx class.
Both of these files were compiled using the C# compiler into a
new assembly.
ASP.NET – Page Compilation Model
 The new page compilation model in ASP.NET 2.0 is simpler
because all the code for an ASP.NET page now resides in a single
class; there isn't a forced division of labor between the base class
and the derived class.

 Reduces developer error; in ASP.NET 1.x, you could forget to

recompile or copy your code-behind assemblies to the \bin
directory of your Web application. You could also accidentally
"change" the code in your code-behind file that has event handlers.

 ASP.NET now takes care of compiling all of the code in your Web
application, so that you have far fewer opportunities to make a
mistake while building or deploying your application.

 You can pre-compile your entire application into a single set of

assemblies. This is done using a new command-line utility called

 This makes it possible to deploy an ASP.NET application without

copying any source code files to a production server.
Execution Model
Source VB C# C++
Compiler Compiler Compiler

Managed Assembly Assembly Assembly

code IL Code IL Code IL Code

Common Language Runtime

JIT Compiler

Native Code

Operating System Services

 ASPX, ASP – Side by Side
 Simplified Programming Model
 Simplified Deployment
 Better Performance
 Caching
 Powerful Controls
 Simplified Browser Support
 Simplified Form Validation
 Code Behind Pages
 More Powerful Data Access
 Web Services
 Better Session Management
 No DLL Locking
 No DLL Registration
 Simplified Configuration
 Off-Line Capabilities
 Pagelets
Browser Compatibility – Browser Levels

 2 categories of browsers –
 Up level
 Support Jscript and JavaScript Version 1.2
 HTML version 4.0
 Microsoft Document Object Model (MSDOM)
 Cascading Style Sheets (CSS)
 Only the latest versions of IE fall under this
 Down level
 HTML version 3.2
Browser Compatibility
 ASP.NET server side controls automatically
determine the browser level that has
requested the page, and generate HTML code
appropriate to that browser.

 Thus, the need to code separately for different

browsers and their versions is eliminated.

 Just drop the sever side control on the form,

at runtime the server generates the
appropriate code.
Browser Compatibility
 For up level browsers, the server
controls will generate client-side
JavaScript that manipulates the MSDOM
and traps the action events directly on
the client-side.

 For down level browsers, the server

controls generate the standard HTML,
that requires the browser to perform a
round-trip to the server for triggered
action events
Anatomy of an ASP.NET Project
Anatomy of an ASP.NET Project
 Global.asax –
 Similar to the Global.asa file. Contains global events for this
Web Application

 Global.vb –
 This contains the event handling code corresponding to the

 HelloWorld.aspx (by default, this file is called

WebForm1.aspx) -
 This is where your ASP\HTML controls go in.

 HelloWorld.vb –
 This contains the event handling code for the corresponding
.aspx file

 Styles.css –
 Style sheet that can be used across the application
 In classic ASP all Web site related information was stored in the
metadata of IIS.
 Disadvantage that remote Web developers couldn't easily make Web-site
configuration changes.
 for example, if you want to add a custom 404 error page, a setting needs to
be made through the IIS admin tool, and you're Web host will likely charge
you a fee to do this .

 With ASP.NET, these settings are moved into an XML-formatted

text file (Web.config) that resides in the Web site's root

 Through Web.config you can specify settings like custom 404

error pages, authentication and authorization settings for the
Web site, compilation options for the ASP.NET Web pages, if
tracing should be enabled, etc
ASP.NET config files
 Each configuration file contains a nested hierarchy of XML tags
and subtags with attributes that specify the configuration

 Tags, subtags, and attributes are case-sensitive.

 Tag names and attribute names are camel-cased, which means

that the first character of a tag name is lowercase and the first
letter of any subsequent concatenated words is uppercase.

 Attribute values are Pascal-case, which means that the first

character is uppercase and the first letter of any subsequent
concatenated words is uppercase.

 Exceptions are true and false, which are always lowercase.

ASP.NET config files
 2 files related to configuration
 Web.config
 Machine.config

 Web.config is by default created for every web

application and is present in the application folder

 Web.config is used to specify application level


 Machine.config is used to specify machine level

configurations and is present under:
 C:\ WINNT\ Microsoft.NET\ Framework\ v1.1.4322\ CONFIG
ASP.NET config files
 Machine.config has <appSettings> tag that applies
configurations to applications.

 This tag should be used by developers to apply

common settings for all the applications

 For specific application settings web.config should

be used, this keeps machine.config manageable

 Deploying an application using XCOPY does not copy

the machine.config hence application settings given
in this file are left out
ASP.NET config files
 Multiple configuration files, all named
Web.config, can appear in multiple directories
on an ASP.NET Web application server.

 Each Web.config file applies configuration

settings to its own directory and all child
directories below it.

 Configuration files in child directories can

supply configuration information in addition
to that inherited from parent directories, and
the child directory configuration settings can
override or modify settings defined in parent
ASP.NET config files
 At run time, ASP.NET uses the configuration information provided by
the Web.config files

 The configuration settings are then cached for all subsequent requests

 ASP.NET detects changes to configuration files and automatically

applies new configuration settings to Web resources affected by the

 The server does not have to be rebooted for the changes to take effect.

 ASP.NET help protect configuration files from outside access by

configuring Internet Information Services (IIS) to prevent direct browser
access to configuration files.

 HTTP access error 403 (forbidden) is returned to any browser

attempting to request a configuration file directly.
ASP.NET config files
 Specifying Application-Wide Settings in
 At the root level is the <configuration> tag.

 Inside this tag you can add a number of other

tags, the most common and useful one being the
<system.web> tag, where you will specify most of
the Web site configuration parameters.

 To specify application-wide settings you use the

<appSettings> tag.

 Inside this tag you can specify zero or more

settings by using the <add ... /> tag.
ASP.NET config files
 For example,
 <configuration> <!-- application specific settings -->
<add key="connString" value="connection string" />
<system.web> ... </system.web>

 Now, in any of the ASP.NET Web pages in the Web site you can
read the value of the connString parameter like:
 Dim myConnection as New
ASP.NET config files
 Specifying Classes of Application-Wide Settings
 While you can use the appSettings tag if you intend to sell this
Web application or have it be used on other people's Web
sites, placing such parameters in the appSettings tag may
lead to problems.

 For example, imagine that you have a connection string

parameter named connString that you want to let be
configurable, so you create a key in the appSettings tag
named connString, as we did above. Well, imagine that the
person who's installing your application is trying to integrate
with his already-existing Web site. She might already have
such a configuration settings, which means she'll have to
change her setting and all the pages that reference it, to some
name that doesn't conflict with any of your setting names.

 Ideally you'd like not to present your end user with this
headache. To avoid this complication you can "group" your
application's settings into a unique tag in the Web.config file.
That is, you can create a tag named: <MyAppSettings> in
Web.config and then use the <CODE<ADD code >< ...>as we
did earlier to add application-wide settings.
ASP.NET config files <customErrors/> tag

 Helps in custom error handling

 Giving user friendly error messages
 Errors can be handled on
 Page level OR
 Application level
Page Level Error Handling
 Handle the Page_Error event of the
ASP.NET page as follows:
protected override void Page_Error(EventArgs e)
{ // At this point we have information about the error

HttpContext ctx = HttpContext.Current;  

Exception exception = ctx.Server.GetLastError ();
string errorInfo = "<br>Offending URL: " +
ctx.Request.Url.ToString () + "<br>Source: " +
exception.Source + "<br>Message: " +
exception.Message + "<br>Stack trace: " +
ctx.Response.Write (errorInfo); 
// To let the page finish running we clear the error
ctx.Server.ClearError ();
Page Level Error Handling
 This will work for only one page
 So this code has to be repeated on each
 Instead you can follow the Page
Controller Pattern
Application Level Error Handling
 Remember the Global.asax file!

 From the moment you request a page in your browser to the moment
you see a response on your screen a complex process takes place on
the server.

 Your request travels through the ASP.NET pipeline.

 In the eyes of IIS each virtual directory is an application.

 When a request within a certain virtual directory is placed, the pipeline

creates an instance of HttpApplication to process the request.

 The runtime maintains a pool of HttpApplication objects. The same

instance of HttpApplication will service a request it is responsible for.

 This instance can be pooled and reused only after it is done processing
a request.
Application Level Error Handling
 The ASP.NET runtime parses your global.asax,
compiles a class derived from HttpApplication and
hands it a request for your web application.

 HttpApplication fires a number of events.

 One of them is Error.

 To implement your own handler for application-level

errors your global.asax file needs to have code

 When any exception is thrown now—be it a general

exception or a 404—it will end up in
Application Level Error Handling
 protected void Application_Error(Object
sender, EventArgs e)
{ // At this point we have information about
the error
HttpContext ctx = HttpContext.Current; 
Exception exception =
ctx.Server.GetLastError (); 
string errorInfo = "<br>Offending URL: "
+ ctx.Request.Url.ToString () +
"<br>Source: " + exception.Source +
"<br>Message: " + exception.Message +
"<br>Stack trace: " + exception.StackTrace; 

ctx.Response.Write (errorInfo); 
// To let the page finish running we clear the
error ctx.Server.ClearError ();
Application Level Error Handling
 Be careful when modifying global.asax.

 The ASP.NET framework detects that

you changed it, flushes all session state
and closed all browser sessions and—
in essence—reboots your application.

 When a new page request arrives, the

framework will parse global.asax and
compile a new object derived from
HttpApplication again.
Setting Custom Error Pages In
 If an exception has not been handled by the
Page object, or the HttpApplication object and
has not been cleared through
Server.ClearError() it will be dealt with
according to the settings of web.config.

 When you first create an ASP.NET web

project in Visual Studio .NET you get a
web.config for free with a small
<customErrors> section:

 <customErrors mode="RemoteOnly" /> With

this setting your visitors will see a canned
error page.
Setting Custom Error Pages In
 The mode attribute can be one of
the following:
 On – error details are not shown to anybody, even
local users. If you specified a custom error page it
will be always used.

 Off – everyone will see error details, both local

and remote users. If you specified a custom error
page it will NOT be used.

 RemoteOnly – local users will see detailed error

pages with a stack trace and compilation details,
while remote users with be presented with a
concise page notifying them that an error
occurred. If a custom error page is available, it will
be shown to the remote users only.
Setting Custom Error Pages In
 Displaying a concise yet not-so-pretty
error page to visitors is still not good
enough, so you need to put together a
custom error page and specify it this
 <customErrors mode="RemoteOnly"
px" />

 Now, when the error occurs you will see a

detailed stack trace and remote users will be
automatically redirected to the custom error
page, GeneralError.aspx.
Setting Custom Error Pages In
 The <customErrors> tag may also contain
several <error> subtags for more granular
error handling.

 Each <error> tag allows you to set a custom

condition based upon an HTTP status code.
 E.g. you may display a custom 404 for missing
pages and a general error page for all other
 <customErrors mode="On“
<error statusCode="404"
redirect="~/errors/PageNotFound.aspx" />

 The URL to a custom error page may be relative

(~/error/PageNotFound.aspx) or absolute.

 The tilde (~) in front of URLs means that these URLs

ASP.NET Session State
 Session is the time duration during which the client is
connected to the server.

 Every session has a start time, end time and session


 A session expires when the user logs out or when the

session time out period elapses, with no activity from
the client

 In traditional ASP sessions were managed by the web

server process using cookies and the session ID
ASP.NET Session State
 Session ID is an alphanumeric value created by the
server to uniquely identify the client.

 This value is sent by the server to the client and is

stored on the client machine is a text file called

 With every client request this cookie data is sent to

the web server so that the server recognizes the
client and handles the session data for that client

 This method of session handling in ASP was called

in-process since session handling was done by the
same process which manages the web server and
was cookie based.
ASP.NET Session State
 This method had some drawbacks-
 Process dependent –
 ASP session state exists in the process that hosts ASP; thus
the actions that affect the process also affect session state.
When the process is recycled or fails, session state is lost.
 Session data cannot persist across server starts
 Server farm limitations –
 Session data cannot be shared by multiple servers where there
are web server farms.
 In-process session handling is machine specific and the
session data remains on the machine in which the session
handling process is running
 So if the client visits another server in the server farm the
session data is not accessible there
 Cookie dependent -
 Clients that don't accept HTTP cookies can't take advantage of
session state.
 Some clients believe that cookies compromise security and/or
privacy and thus disable them, which disables session state on
the server.
ASP.NET Session State
 ASP.NET session state solves all of the above problems
associated with classic ASP session state:
 Process independent –
 ASP.NET session state is able to run in a separate process from the
ASP.NET host process.
 If session state is in a separate process, the ASP.NET process can
come and go while the session state process remains available. Of
course, you can still use session state in process similar to classic
ASP, too.
 Support for server farm configurations –
 By moving to an out-of-process model, ASP.NET also solves the server
farm problem.
 The new out-of-process model allows all servers in the farm to share a
session state process.
 You can implement this by changing the ASP.NET configuration to point
to a common server.
 Cookie independent –
 ASP.NET implements cookieless session state by using simple
configuration setting in the web.config file, <sessionstate> tag.
ASP.NET Session State
 Session state settings in ASP.NET are
configured through the ASP.NET XML
configuration file config.web.

 <configuration>
<sessionstate mode="inproc"
cookieless="false" timeout="20"
source=;user id=<user
server="" port="42424" />
ASP.NET Session State
 Attributes of the sessionstate tag -
 Mode –
 The mode setting supports three options: inproc, sqlserver, and
 As stated earlier, ASP.NET supports two modes: in process and
out of process.
 There are also two options for out-of-process state
management: memory based (stateserver), and SQL Server
based (sqlserver).
 Cookieless –
 The cookieless option for ASP.NET is configured with this simple
Boolean setting.
 Timeout –
 This option controls the length of time a session is considered valid.
 The session timeout is a sliding value; on each request the timeout
period is set to the current time plus the timeout value
ASP.NET Session State
 Sqlconnectionstring - The sqlconnectionstring identifies the
database connection string that names the database used for
mode sqlserver.

Server - In the out-of-process mode stateserver, it names the
server that is running the required Windows NT service:

Port - The port setting, which accompanies the server setting,
identifies the port number that corresponds to the server setting
for mode stateserver.
ASP.NET Session State
 In-process Mode –
 In-process mode simply means using ASP.NET session state in a similar
manner to classic ASP session state.

 That is, session state is managed in process and if the process is re-cycled,
state is lost.

 Given the new settings that ASP.NET provides, you might wonder why you
would ever use this mode.

 The reasoning is quite simple: performance. The performance of session

state, e.g. the time it takes to read from and write to the session state
dictionary, will be much faster when the memory read to and from is in
process, as cross-process calls add overhead when data is marshaled back
and forth or possibly read from SQL Server.

 In-process mode is the default setting for ASP.NET. When this setting is
used, the only other session web.config settings used are cookieless and

 So after setting a session state value, stop and start the ASP.NET process
(iisreset), the value set before the process was cycled will be lost.
ASP.NET Session State
 Out-of-process Mode
 Included with the .NET SDK is a Windows® NT service: ASPState.
This Windows service is what ASP.NET uses for out-of-process
session state management. To use this state manager, you first
need to start the service. To start the service, open a command
prompt and type:
 net start aspnet_state
In web.config
Session State
 <configuration>
<sessionstate mode="stateserver"
cookieless="false" timeout="20"
sqlconnectionstring="data source=;user id=<user
id>;password=<password>" server=""
port="42424" />

 We changed only from inproc mode to stateserver mode.

 This setting tells ASP.NET to look for the ASP state service on
the server specified in the server and port settings—in this case,
the local server.

 Now set a session state value, stop and start the IIS process
(iisreset), and continue to have access to the values for our
current state.
ASP.NET Session State
 SQL Server Mode
 The SQL Server mode option is similar to that of the
Windows NT Service, except that the information persists to
SQL Server rather than being stored in memory.
 To use SQL Server as our session state store, we first must
create the necessary tables and stored procedures that
ASP.NET will look for on the identified SQL Server. The .NET
SDK provides us with a SQL script (state.sql) to do just that.
 state.sql
 The state.sql file contains the SQL commands used to create
the ASPState database. This script creates two tables and
several stored procedures. ASP.NET uses both the tables
and the procedures to store data in SQL Server. I would
recommend reading through state.sql to learn more about
what it is doing.
 The state.sql file can be found in [system
ASP.NET Session State
 In web.config
 <configuration>
<sessionstate mode="sqlserver" cookieless="false"
timeout="20" sqlconnectionstring="data
source=MySqlServer; user id=ASPState;
password=1Gr8State" server=""
port="42424" />
 Now set a session state value, stop and start the IIS process
(iisreset), and continue to have access to the values for our
current state.
 In fact, we could cluster the SQL Servers such that if one SQL
Server happened to be unavailable, another server that was
replicating its data could take its place.
 This provides a level of reliability that was not available in ASP.
ASP.NET Session State
 Cookieless State –
 This feature allows sites whose clients
choose not to use cookies to take
advantage of ASP.NET session state.
 This is done by modifying the URL with an
ID that uniquely identifies the session:
 http://localhost/(lit3py55t21z5v55vlm25s55)/App
 ASP.NET will modify relative links found within
the page and embed this ID.
 Thus, as long as the user follows the path of
links the site provides, session state can be
 However, if the end user re-writes the URL, the
session state instance will most likely be lost.
ASP.NET Session State
 In web.config -
 <configuration>
<sessionstate mode="stateserver"
cookieless="true" timeout="20"
source=;user id=<user
server="" port="42424" />
 Once cookieless is set to true, ASP.NET will
do the work necessary to enable cookieless
session state. Also note that all modes are
supported for cookieless sessions.
Authorization & Authentication
 Authentication and Authorization are two interrelated security

 Authentication is a process of identifying a user, while

authorization is the process of determining if an authenticated
user has access to the resource (s) they requested.

 Authentication is achieved by the user sharing credentials that

verify the user's identity.

 Whenever a user logs on to an application, the user is first

authenticated and then authorized.

 ASP.NET Web applications, by default, allow the users

requesting a page, an anonymous access.

 There are different techniques available for determining the

identity of an anonymous user.
Authentication & Authorization
 Understanding how ASP.NET and IIS Handle
Authentication and Authorization
 Both IIS - Microsoft's Web server software - and ASP.NET
provide means for authentication and authorization.

 ASP.NET is not a stand-alone product - rather, it utilizes IIS.

 When a request comes in for an ASP.NET Web page, the

request is sent to the Web server software (IIS), which
performs authentication and authorization.

 Depending on the settings in IIS and the user accessing the

site, these checks might pass or they might not.

 If the user is not authenticated, or does not have access,

they're request will be stopped and an appropriate message
will be returned.

 If, however, the request passes IIS's authentication and

authorization, the request will be handed off to the ASP.NET
engine, which can impose its own authentication and
authorization schemes.
Authentication & Authorization
 The following shows the sequence of authentication
and authorization actions performed by IIS and
ASP.NET on an incoming request.
 The incoming request is first checked by IIS. If the IP
address from where the request is sought is not allowed
access to the domain, IIS denies the request.

 IIS allows anonymous access by default and hence requests

are automatically authenticated. However, this can be
overridden for each application within IIS. Next in the
sequence IIS performs this authentication, if it has been
configured to do so.

 The authenticated user request is passed to ASP.NET.

 ASP.NET checks whether Impersonation is enabled or not.

By default impersonation is not enabled in ASP .NET.
Authentication & Authorization
 If impersonation is enabled, ASP.NET executes with the
identity of the entity on behalf of which it is performing
executing the task.

 If impersonation is not enabled, the application runs with the

privileges of the ASPNET user account.

 Finally, the identity that has been authenticated and checked

for in the previous steps is used to request resources from
the OS.

 ASP.NET uses two forms of authorization:

 FileAuthorization - relies on NTFS file permissions for granting
 UrlAuthorization - in the Web.config file you can specify the
authorization rules for various directories or files using the
<authorization> element.

 If access is granted (successful authorization), ASP .NET

returns the user's request through IIS.
Authentication & Authorization
Authentication & Authorization
 Authentication Providers –
 ASP.NET provides three ways to authenticate a
 Windows authentication,
 Forms authentication, and
 Passport authentication

 It is the job of the authentication provider to verify

the credentials of the user and decide whether a
particular request should be considered
authenticated or not.

 The authentication scheme an ASP.NET Web

application uses can be configured in its
Web.config file.
Authentication & Authorization
 Windows Authentication Provider –
 The Windows authentication provider is the default provider for

 It authenticates users based on the users' Windows accounts.

 Windows authentication in ASP.NET actually relies on IIS to do the


 IIS can be configured so that only users on a Windows domain can

log in.

 If a user attempts to access a page and is not authenticated, they'll

be shown a dialog box asking them to enter their username and

 This information is then passed to the Web server and checked

against the list of users in the domain.

 If the user has supplied valid credentials, access is granted.

 The identity of the user is then passed to the ASP.NET engine.

Authentication & Authorization
 There are four different kinds of
Windows authentication options
available that can be configured in
 Anonymous Authentication:
 IIS doesn't perform any authentication check.
IIS allows any user to access the ASP .NET
 The server uses a built in account (IUSR_[
machine name] by default) to control the
permissions on the files.
 The browser does not send any credentials or
user info with this type of request.
 Browsers Supported: Any
 Encryption Type: None
Authentication & Authorization
 Basic Authentication (Clear Text) :
 For this kind of authentication, a Windows user name
and password have to be provided to connect.

 The server requests the user to log on and a dialog box

appears in the browser that allows the user to enter the
credentials that are needed.

 These credentials must match the user credentials

defined on the files that the user is attempting to access.

 However, this information is sent over the network in

plain text and hence this is an insecure kind of

 Basic Authentication is the only mode of authentication

older, non-Internet Explorer browsers support.
Authentication & Authorization
 Digest Authentication:
 It is same as Basic Authentication but for the fact that the
password is hashed before it is sent across the network.
However, to be using Digest Authentication, we must use IE 5.0
or above.

 The server requests the user to log on and also sends a NONCE
used to encrypt the password.

 The browser uses the NONCE to encrypt the password and

sends this to the server.

 The server then encrypts its own copy of the user's password
and compares the two. If they match and the user has
permissions, access is granted.

 Browsers Supported: Internet Explorer 5 only

 Limitations: Not as secure as Integrated. Requires the server to

have access to an Active Directory Server that is set up for
Digest Authentication.

 Encryption Type: Based on NONCE sent by server.

Authentication & Authorization
 Integrated Windows Authentication (split
into two sub categories) :
 In this kind of authentication technique,
passwords are not sent across the network.

 The application here uses either the Kerberos

or challenge/response protocols to authenticate
Authentication & Authorization
 Kerberos, a network authentication
protocol, is designed to provide strong
authentication for client-server

 It provides the tools of authentication and

strong cryptography over the network to
help to secure information in systems
across entire enterprise.
Authentication & Authorization
 The server requests a user to log on. If the
browser supports Kerberos, The following takes
 IIS requests authentication.
 If the client has not logged on to a domain, a dialog box
appears in Internet Explorer requesting credentials, and
then contacts the KDC to request and receive a Ticket
Granting Ticket.
 It then sends the Ticket Granting Ticket along with
information about the IIS server to the KDC.
 If the IE Client has already successfully logged into the
domain and received a Ticket Granting Ticket, it sends
this ticket along with info about the IIS server to the KDC
 The KDC issues the client a Resource Ticket.
 The Client passes this ticket to the IIS server.
 Kerberos uses tickets generated at a Ticket Granting
Server (KDC) to authenticate. It sends this ticket to the IIS
server. The browser does NOT send the user's password
across to the server.
Authentication & Authorization
 Browsers Supported: Internet Explorer
versions 5.0 and above

 Limitations: the server must have access

to an Active Directory server. Both the
server and the client must have a trusted
connection to a KDC.

 Encryption type: Encrypted ticket.

Authentication & Authorization
 Windows NT Challenge/Response –
 The server requests the user to log on. If the browser
supports Windows NT Challenge/Response, it automatically
sends the user's credentials if the user is logged on.

 If the domain that the user is on is different than the server's

domain, or if the user is not logged on, a dialog box appears
in Internet Explorer requesting the credentials to send.

 Windows NT Challenge/Response uses an algorithm to

generate a hash based on the user's credentials and the
computer that the user is using. It then sends this hash to
the server. The browser does not send the user's password
across to the server.

 Browsers Supported: Internet Explorer versions 3.01 and

Authentication & Authorization
 Limitations: Requires point-to-point connection. Typically, a
circuit is closed after a "401 unauthorized " error message;
however, when negotiating an Windows NT
Challenge/Response authentication sequence (which
requires multiple round trips), the server keeps the circuit
open for the duration of the sequence after the client has
indicated that it will use Windows NT Challenge/Response.

 CERN proxies and certain other Internet devices prevent this

from working. Also, Windows NT Challenge/Response does
not support double-hop impersonations (meaning that once
passed to the IIS server, the same credentials cannot be
passed to a back-end server for authentication, for example,
when IIS uses Windows NT Challenge/Response, it cannot
then authenticate the user against a SQL Server database on
another computer by using SQL Integrated security).

 User Rights Required: The user account accessing the

server must have "Access this computer from the network "

 Encryption Type: NTLM Hash algorithm that is also

Authentication & Authorization
 Orders of Precedence:
 When the browser makes a request, it always
considers the first request to be Anonymous.
Therefore, it does not send any credentials.

 If the server does not accept Anonymous or if the

Anonymous user account set on the server does
not have permissions to the file being requested,
the IIS server responds with an "Access Denied"
error message and sends a list of the
authentication types that are supported by using
one of the following scenarios:
 If Windows Integrated is the only supported method (or if
Anonymous fails), then the browser must support this
method to communicate with the server.

 The server tries Kerberos first, and if this fails, then the
server falls back to Windows NT Challenge/Response. If
this fails, the server does not try any of the other
Authentication & Authorization
 If Basic is the only supported method (or if Anonymous
fails), then a dialog box appears in the to get the credentials,
and then passes these to the server.

 It attempts to send the credentials up to three times. If these

all fail, the browser does not connect to the server.

 If both Basic and Windows Integrated are supported, the

browser determines which method is used. If the browser
supports Kerberos or Windows NT Challenge/Response, it
uses this method.

 It does not fall back to Basic. If Windows NT

Challenge/Response and Kerberos are not supported, the
browser uses Basic, Digest, or Fortezza if it supports these.

 The order of precedence here is Basic, Digest, and then

Authentication & Authorization
 When your browser establishes a connection with
a Web site by using Basic or Windows Integrated
authentication, it does not fall back to Anonymous
during the rest of that session with the server.

 If you try to connect to a Web page that is marked

for Anonymous only after authenticating, you are
denied. (This may or may not hold true for

 When Internet Explorer has established a

connection with the server by using an
authentication method other than Anonymous, it
automatically passes the credentials for every new
request during the duration of the session
Authentication & Authorization
 Passport Authentication Provider –
 Passport authentication is a centralized
authentication service.

 This uses Microsoft's Passport Service to

authenticate the users of an application.

 If the authentication mode of the application is

configured as Passport and if the users have
signed up with Microsoft's Passport Service, then
the authentication formalities are pushed over to
Passport servers.

 Passport uses an encrypted cookie mechanism to

identify and indicate authenticated users.
Authentication & Authorization
 If the users have already been signed into
passport when they visit the application
page, ASP.NET will consider them as
authenticated. Otherwise, the users will be
redirected to Passport servers to login.

 Upon successful login, the user is

redirected back to the ASP.NET Web page
that they initially tried to access.

 If you use Hotmail you already have a

Passport account and are familiar with the
process from an end-user's
Authentication & Authorization
 Forms Authentication Provider –
 The forms authentication provider uses
custom HTML forms to collect
authentication information.

 As an ASP.NET developer using forms

authentication, you must write your own
logic/code to check the user's supplied
credentials against a database or some
other data store.

 When a user is successfully identified via

forms authentication, the user's credentials
are stored in a cookie for use during the
Authentication & Authorization
 The method of authentication to use is specified in
the Web application's Web.config file:
 <!-- For Windows Authentication... -->
<authentication mode="windows">
<!-- For Passport Authentication... -->
<authentication mode="passport">
<!-- For Forms Authentication... -->
<authentication mode="forms">

 ASP .NET also supports custom authentication providers.

 Setting the authentication mode for the application to

"none" and then writing our own code to perform
authentication can achieve this.

 For example, we might install an ISAPI filter in IIS that

compares incoming requests' IP address with a list of
source IP addresses and considers the request to be
authenticated only if the IP address is found in the source
list. In this example, we can set the authentication mode to
"none" in Web.config file. This will prevent any of the default
authentication providers from being triggered.
ASP.NET Authorization
 The purpose of authorization is to
determine whether an identity should be
granted the requested type of access to
a given resource. There are two
fundamental ways to authorize access
to a given resource:
 File authorization
 Performed by the FileAuthorizationModule, and
is active when you use Windows
 It does an access control list (ACL) check of the
.aspx or .asmx handler file to determine if a
user should have access.
 Applications can further use impersonation to
get resource checks on resources that they are
ASP.NET Authorization
 URL authorization
 Performed by the URLAuthorizationModule, which maps
users and roles to pieces of the URL namespace.

 This module implements both positive and negative

authorization assertions.

 That is, the module can be used to selectively allow or

deny access to arbitrary parts of the URL namespace for
certain sets, users, or roles.

 The URLAuthorizationModule is available for use at any

time. You only need to place a list of users and/or roles in
the <allow> or <deny> elements of the <authorization>
section of a configuration file.
ASP.NET Authorization
 To establish the conditions for access to a
particular directory, you must place a
configuration file that contains an
<authorization> section in that directory.

 The conditions set for that directory also apply

to its subdirectories, unless configuration files
in a subdirectory override them.

 The general syntax for this section is as

 <[element] [users] [roles] [verbs]/> An element is
required. Either the users or the roles attribute must
be included. Both can be included, but both are not
required. The verbs attribute is optional
ASP.NET Authorization
 The permissible elements are <allow> and
<deny>, which grant and revoke access,

 Each element supports three attributes, which

are defined in the following table.
 Attribute – Role –
 Identifies a targeted role for this element.
 The associated IPrincipal object for the request
determines the role membership.
 You can attach arbitrary IPrincipal objects to the context
for a given request and they can determine role
membership in whatever way you like.
 For example, the default WindowsPrincipal class uses
Microsoft Windows NT groups to determine role
ASP.NET Authorization
 Attribute – users
 Identifies the targeted identities for this element.

 Attribute – verbs
 Defines the HTTP verbs to which the action applies, such as GET, HEAD, and

 Anonymous users are also denied.

 The following example grants access to Kim and members of the

Admins role, while denying it to John and all anonymous users:
 <authorization>
<allow users="Kim"/>
<allow roles="Admins"/>
<deny users="John"/>
<deny users="?"/>
Both users and roles can refer to multiple entities by using a comma-
separated list, as shown in the following example.

 <allow users="John, Kim, contoso\Jane"/> Notice that the domain

account (contoso\Jane) must include both the domain and user name
ASP.NET Authorization
 In addition to identity names, there are two special identities, as
 * - Refers to all identities
 ? - Refers to the anonymous identity

 To allow John and deny everyone else, one might construct the
following configuration section.
 <authorization>
<allow users="John"/>
<deny users="*"/>

 The following example lets everyone do a GET, but only Kim can
use POST.
 <authorization>
<allow verb="GET" users="*"/>
<allow verb="POST" users="Kim"/>
<deny verb="POST" users="*"/>
ASP.NET Authorization
 Rules are applied using the following heuristics:
 Rules contained in configuration files at lower directory levels take precedence over
rules at higher directory levels.

 The system determines which rule takes precedence by constructing a merged list of
all rules for a URL, with the most recent (nearest in the hierarchy) rules at the head of
the list.

 Given a set of merged rules for a URL, the system starts at the head of the list and
checks rules until the first match is found.

 Note that the default configuration for ASP.NET contains an <allow users="*">
element, which authorizes all users.

 If no rules match, the request is allowed unless otherwise denied.

 If a match is found and the match is a <deny> element, it returns the 401 status code.

 Applications or sites can easily configure a <deny users="*"> element at the top level
of their site or application to prevent this behavior.

 If an <allow> matches, the module does nothing and lets the request be processed

 There is also a <location> tag that you can use to specify a particular file or directory
to which settings wrapped by that tag (between <location> and </location> tags)
should apply.
ASP.NET Impersonation
 When using impersonation, ASP.NET applications can
optionally execute with the identity of the client on whose behalf
they are operating.

 The usual reason for doing this is to avoid dealing with

authentication and authorization issues in the ASP.NET
application code.

 Instead, you rely on Microsoft Internet Information Services (IIS)

to authenticate the user and either pass an authenticated token
to the ASP.NET application or, if unable to authenticate the user,
pass an unauthenticated token.

 In either case, the ASP.NET application impersonates whichever

token is received if impersonation is enabled.

 The ASP.NET application, now impersonating the client, then

relies on the settings in the NTFS directories and files to allow it
to gain access, or not.

 Be sure to format the server file space as NTFS, so that access

permissions can be set.
ASP.NET Impersonation
 Impersonation is disabled by default.

 For ASP compatibility, the user must explicitly enable


 If impersonation is enabled for a given application,

ASP.NET always impersonates the access token that
IIS provides.

 That token can be either an authenticated user token,

or the token for the anonymous user (such as
IUSR_MACHINENAME). The impersonation occurs
regardless of the type of authentication being used in
the application.

 Only application code is impersonated; compilation

and configuration are read as the process token.
ASP.NET Impersonation
 The result of the compilation is put in the "Temporary
ASP.NET files" directory.

 The account that is being impersonated needs to

have read/write access to this directory.

 If an application is on a universal naming convention

(UNC) share, ASP.NET will always impersonate the
token provided to IIS to access that share unless a
configured account is used.

 If an explicit configured account is provided,

ASP.NET will use that account in preference to the IIS
UNC token.

 Applications that do want per-request impersonation

can simply be configured to impersonate the user
making the request
ASP.NET Impersonation
 Impersonation is disabled at the computer level by default and,
unless overridden, all the application domains inherit this

 You can enable impersonation by putting a configuration file in

the application root directory.

 As is the case with other configuration directives, this directive

applies hierarchically.

 It is respected by nested applications in the hierarchy, unless

explicitly overridden.

 The default value for this setting is as follows.

 <impersonation enable="false"/>
 A minimal configuration file to enable impersonation for an
application might look similar to the following example.
 <!-- Web.config file. -->
<identity impersonate="true"/>
ASP.NET Impersonation
 There is also name support for running an application as a configurable
identity. For example:
 <identity impersonate="true" userName="contoso\Jane"
 This enables the entire application to run as contoso\Jane, regardless of the
identity of the request, as long as the password is correct. This type of
impersonation can be delegated to another computer.

 You can programmatically read the identity of the impersonated user,

as shown in the following example.
 [Visual Basic]Dim username As String =
 [C#]String username =
 In the preceding example, userName and password are stored in clear text
in the configuration file.
 Although IIS will not transmit .config files in response to a user agent
request, configuration files can be read by other means, for instance by an
authenticated user with proper credentials on the domain that contains the
 To help increase security, the identity section supports storage of encrypted
userName and password attributes in the registry as shown in the following
 userName="registry:HKLM\Software\AspNetIdentity,Name"
ASP.NET Impersonation
 The portion of the string after the keyword
registry and before the comma indicates the
name of the registry key that ASP.NET opens.

 The portion after the comma contains a single

string value name from which ASP.NET will
read the credentials.

 The comma is required, and the credentials

must be stored in the HKLM hive.

 If the configuration format is incorrect,

ASP.NET will not launch the worker process
and the current account creation failure code
path will be followed.
ASP.NET Impersonation
 The credentials must be in REG_BINARY format,
containing the output of a call to the Windows API
function CryptProtectData.

 You can create the encrypted credentials and store

them in the registry with the ASP.NET Set Registry
console application(Aspnet_setreg.exe), which uses
CryptProtectData to accomplish the encryption.

 You should configure access to the key storing the

encrypted credentials so that access is provided only
to Administrators and SYSTEM.

 Because the key will be read by the ASP.NET process

running as SYSTEM, you should set the following
 Administrators:F
 ProcessAccount:R
ASP.NET Impersonation
 This provides two lines of defense to
protect the data:
 The ACL permissions require the identity
accessing the data to be an Administrator.
 An attacker must run code on the server
(CryptUnprotectData) to recover the
credentials for the account.
Implementing Impersonation
 Impersonate the IIS Authenticated
Account or User
 To impersonate the Microsoft Internet
Information Services (IIS) authenticating
user on every request for every page in an
ASP.NET application, you must include an
<identity> tag in the Web.config file of this
application and set the impersonate
attribute to true. For example:
 <identity impersonate="true" />
Implementing Impersonation
 Impersonate a Specific User for All the Requests of
an ASP.NET Application
 You can specify the userName and password attributes in
the <identity> tag of the Web.config file for that application.
For example:
 <identity impersonate="true" userName="accountname"
password="password" />
 Note: The identity of the process that impersonates a
specific user on a thread must have the "Act as part of the
operating system" privilege.
 By default, the Aspnet_wp.exe process runs under a
computer account named ASPNET.
 However, this account does not have the required privileges
to impersonate a specific user.
 You receive an error message if you try to impersonate a
specific user.
 This information applies only to the .NET Framework 1.0.
This privilege is not required for the .NET Framework 1.1.
Implementing Impersonation
 To work around this problem, use one
of the following methods:
 Grant the "Act as part of the operating
system" privilege to the ASPNET account
(the least privileged account).

 Note Although you can use this method to

work around the problem, Microsoft does
not recommend this method.

 Change the account that the

Aspnet_wp.exe process runs under to the
System account in the <processModel>
configuration section of the Machine.config
Implementing Impersonation
 Impersonate the Authenticating User in Code
 (User.Identity) only when you run a particular section of
code, you can use the code to follow.

 This method requires that the authenticating user identity is

of type WindowsIdentity.

 Visual Basic .NET

Dim impersonationContext As
Dim currentWindowsIdentity As
Identity = CType(User.Identity,
Context = currentWindowsIdentity.Impersonate()
'Insert your code that runs under the security context of the
authenticating user here.
ASP.NET Page Life Cycle
ASP.NET Page Life Cycle
 Each time a request arrives at a Web server
for an ASP.NET Web page, the first thing the
Web server does is hand off the request to
the ASP.NET engine.

 The ASP.NET engine then takes the request

through a pipeline composed of numerous
stages, which includes verifying file access
rights for the ASP.NET Web page,
resurrecting the user's session state, and so

 At the end of the pipeline, a class

corresponding to the requested ASP.NET
Web page is instantiated and the
ProcessRequest() method is invoked
ASP.NET Page Life Cycle
 This life cycle of the ASP.NET page starts with a call
to the ProcessRequest() method.

 This method begins by initializing the page's control


 Next, the page and its server controls proceed

through various steps which include managing view
state, handling postback events, and rendering the
page's HTML markup.

 The life cycle ends by handing off the Web page's

HTML markup to the Web server, which sends it back
to the client that requested the page.
ASP.NET Page Life Cycle
 Stage 0 - Instantiation
 The life cycle of the ASP.NET page begins with
instantiation of the class that represents the
requested ASP.NET Web page
 When an ASP.NET Web page is visited for the first
time the ASP.NET engine auto-generates a class
 The purpose of this auto-generated class is to
programmatically create the page's control
 That is, the class is responsible for
programmatically creating the Web controls
specified in the page's HTML portion.
ASP.NET Page Life Cycle
 All ASP.NET server controls can have a
parent control, along with a variable
number of child controls.
 The System.Web.UI.Page class is derived
from the base control class
(System.Web.UI.Control), and therefore
also can have a set of child controls.
 The top-level controls declared in an
ASP.NET Web page's HTML portion are the
direct children of the auto-generated Page
 Web controls can also be nested inside
one another.
ASP.NET Page Life Cycle
 Since server controls can have children, and each
of their children may have children, and so on, a
control and its descendents form a tree of
 This tree of controls is called the control
 The root of the control hierarchy for an ASP.NET
Web page is the Page-derived class that is auto-
generated by the ASP.NET engine.
 When the control hierarchy is constructed, the
properties that are explicitly set in the declarative
syntax of the Web control are assigned in the
 E.g. the Button Web control has its Text property
set to "Submit!" in the declarative syntax –
Text="Submit!" – as well as in the auto-generated
class—Button1.Text = "Submit!"
ASP.NET Page Life Cycle
ASP.NET Page Life Cycle
 Stage 1 - Initialization
 This stage is marked by having the Page
and controls fire their Init events.
 With regards to view state it is important
for two reasons;
 First, server controls don't begin tracking view
state changes until initialization stage is over.
 Second, when adding dynamic controls that
utilize view state, these controls will be added
during the Page's Init event and not during the
Load event
ASP.NET Page Life Cycle
 Stage 2 - Load View State
 The load view state stage only happens when the
page has been posted back.
 During this stage, the view state data that had
been saved from the previous page visit is loaded
and recursively populated into the control
hierarchy of the Page.
 It is during this stage that the view state is
 The view state can become invalid due to a
number of reasons, such as view state tampering,
and injecting dynamic controls into the middle of
the control hierarchy.
 LoadViewState method is commonly Overridden
to customize the data received by the control at
the time it is populated.
ASP.NET Page Life Cycle
 Stage 3 - Load Postback Data
 The load Postback data stage also only happens
when the page has been posted back.
 A server control can indicate that it is interested in
examining the posted back data by implementing
the IPostBackDataHandler interface.
 In this stage in the page life cycle, the Page class
enumerates the posted back form fields, and
searches for the corresponding server control. If it
finds the control, it checks to see if the control
implements the IPostBackDataHandler interface.
 If it does, it hands off the appropriate postback
data to the server control by calling the control's
LoadPostData() method.
 The server control would then update its state
based on this postback data.
ASP.NET Page Life Cycle
 Stage 4 - Load
 When the Load event fires, the view state
has been loaded, along with the postback
data. If the page has been posted back,
when the Load event fires we know that the
page has been restored to its state from
the previous page visit.
ASP.NET Page Life Cycle
 Stage 5 - Raise Postback Event
 This occurs after all controls that implement the
IPostBackDataHandler interface have been
updated with the correct postback data.
 During this operation, each control is flagged with
a Boolean on whether its data was actually
changed or remains the same since the previous
 ASP.NET then sweeps through the page looking
for flags indicating that any object's data has been
updated and fires RaisePostDataChanged.
 The RaisePostDataChanged event does not fire
until all controls are updated and after the Load
event has occurred.
 This ensures data in another control is not
manually altered during the
RaisePostDataChanged event before it is updated
with postback data.
ASP.NET Page Life Cycle
 Stage 6 - Save View State
 The Page class constructs the page's view
state, which represents the state that must
persist across Postback.
 The page accomplishes this by recursively
calling the SaveViewState() method of the
controls in its control hierarchy.
 This combined, saved state is then
serialized into a base-64 encoded string
 is persisted to the hidden __VIEWSTATE
form field.
ASP.NET Page Life Cycle
 Stage 7 - Render
 In the render stage the HTML that is
emitted to the client requesting the page is
 The Page class accomplishes this by
recursively invoking the RenderControl()
method of each of the controls in its
ASP.NET Page Life Cycle
 Stage 8 – Disposal
 After the page's HTML is rendered, the
objects are disposed of.
 During the Dispose event, you should
destroy any objects or references you have
created in building the page.
 At this point, all processing has occurred
and it is safe to dispose of any remaining
objects, including the Page object.
 <asp:Label runat="server" ID="lblMessage"
Font-Name="Verdana" Text="Hello, World!">
</asp:Label> <br />
<asp:Button runat="server" Text="Change
<asp:Button runat="server" Text="Empty

 private void btnSubmit_Click(object sender,

EventArgs e)
lblMessage.Text = "Goodbye, Everyone!";
 Each control is responsible for storing its
own state, which is accomplished by adding
its changed state to its ViewState property.

 The ViewState property is defined in the

System.Web.UI.Control class, meaning that all
ASP.NET server controls have this property

 If you examine the simple properties of any

ASP.NET server control you'll see that the
properties read and write directly to the view
The ViewState Property
 E.g.
 public string Caption
string text = (string) ViewState [“Caption"];
if (text != null)
return text;
return string.Empty;
ViewState [" Caption "] = value;
 As this code sample illustrates, whenever a
control's property is read, the control's
ViewState is consulted.

 If there is not an entry in the ViewState, then

the default value for the property is returned.

 When the property is assigned, the assigned

value is written directly to the ViewState.

 The ViewState property is of type

System.Web.UI.StateBag. The StateBag class
provides a means to store name and value
Timing the Tracking of View State
 The StateBag class has the
TrackViewState() method

 This method is called at the end of the

initialization stage, which happens after
the instantiation stage.

 The StateBag class tracks the changes

to the values of various controls after
TrackViewState() method is invoked
 The ASP.NET view state imposes two performance
hits whenever an ASP.NET Web page is requested:
 On all page visits, during the save view state stage the Page
class gathers the collective view state for all of the controls
in its control hierarchy and serializes the state to a base-64
encoded string.

 Similarly, on postbacks, the load view state stage needs to

deserialize the persisted view state data, and update the
controls in the control hierarchy.

 The __VIEWSTATE hidden form field adds extra size to the

Web page that the client must download.

 For some view state-heavy pages, this can be tens of

kilobytes of data, which can require several extra seconds
(or minutes!) for modem users to download.

 Also, when posting back, the __VIEWSTATE form field must

be sent back to the Web server in the HTTP POST headers,
thereby increasing the postback request time.
 As a page developer, you can specify that a control
should not save its view state or the view state of its
children controls by setting the control's
EnableViewState property to False (the default is

 The EnableViewState property is defined in the

System.Web.UI.Control class, so all server controls
have this property, including the Page class.

 You can indicate that an entire page's view state need

not be saved by setting the Page class's
EnableViewState to False.

 This can be done either in the code-behind class with

Page.EnableViewState = false; or as a @Page-level
directive—<%@Page EnableViewState="False" %>.
 Not all Web controls record the same amount
of information in their view state.

 The Label Web control, for example, records

only programmatic changes to its properties,
which won't greatly impact the size of the
view state.

 The DataGrid, however, stores all of its

contents in the view state.

 For a DataGrid with many columns and rows,

the view state size can quickly add up!
 The DataGrid stores its contents in the view state so
the page developer doesn't need to rebind the
database data to the DataGrid on each and every
page load, but only on the first one.

 The benefit is that the database doesn't need to be

accessed as often.

 If, however, you set a DataGrid's EnableViewState

property to False, you'll need to rebind the database
data to the DataGrid on both the first page load and
every subsequent postback.

 For a Web page that has a read-only DataGrid, you'd

definitely want to set the DataGrid's EnableViewState
property to False.
 After the page has collected the view state information for all of
the controls in its control hierarchy in the save view state stage,
it persists it to the __VIEWSTATE hidden form field.

 This hidden form field can, of course, greatly add to the overall
size of the Web page.

 The view state is serialized to the hidden form field in the Page
class's SavePageStateToPersistenceMedium() method during
the save view state stage, and is deserialized by the Page
class's LoadPageStateFromPersistenceMedium() method in the
load view state stage.

 With just a bit of work we can have the view state persisted to
the Web server's file system, rather than as a hidden form field
weighing down the page.

 To accomplish this we'll need to create a class that derives from

the Page class and overrides the
SavePageStateToPersistenceMedium() and
LoadPageStateFromPersistenceMedium() methods.
 The view state is serialized and deserialized by the
System.Web.UI.LosFormatter class—the LOS stands
for limited object serialization—and is designed to
efficiently serialize certain types of objects into a
base-64 encoded string.

 The LosFormatter can serialize any type of object that

can be serialized by the BinaryFormatter class, but is
built to efficiently serialize objects of the following
 Strings
 Integers
 Booleans
 Arrays
 ArrayLists
 Hashtables
 Pairs
 Triplets
 What is the structure of the Page
class's view state object?

 The view state of a control represents

the view state of that control along with
the view state of all of its children

 Since the Page class forms the root of

the control hierarchy, its view state
represents the view state for the entire
control hierarchy.
 The Page class contains a
SavePageViewState(), which is invoked
during the page life cycle's save view state

 The SavePageViewState() method starts by

creating a Triplet that contains the following
three items:
 The page's hash code. This hash code is used to ensure that
the view state hasn't been tampered with between
 The collective view state of the Page's control hierarchy.
 An ArrayList of controls in the control hierarchy that need to
be explicitly invoked by the page class during the raise
postback event stage of the life cycle.
 The Second item is generated by the Page by calling
the SaveViewStateRecursive() method, which is
defined in the System.Web.UI.Control class.

 SaveViewStateRecursive() saves the view state of the

control and its descendents by returning a Triplet
with the following information:
 The state present in the Control's ViewState StateBag.
 An ArrayList of integers. This ArrayList maintains the
indexes of the Control's child controls that have a non-null
view state.
 An ArrayList of the view states for the children controls. The
i th view state in this ArrayList maps to the child control
index in the i th item in the ArrayList in the Triplet's Second
 By default, the LosFormatter class applies the MAC.

 You can, customize whether or not the MAC occurs by setting

the Page class's EnableViewStateMac property.

 The default, True, indicates that the MAC should take place; a
value of False indicates that it should not.

 You can further customize the MAC by specifying what hashing

algorithm should be employed.

 In the machine.config file, search for the <machineKey>

element's validation attribute.

 The default hashing algorithm used is SHA1, but you can

change it to MD5 if you like.
 Ideally the view state should not need to be
encrypted, as it should never contain
sensitive information.

 If needed, however, the LosFormatter does

provide limited encryption support.

 The LosFormatter only allows for a single

type of encryption: Triple DES.

 To indicate that the view state should be

encrypted, set the <machineKey> element's
validation attribute in the machine.config file
to 3DES.
 In addition to the validation attribute, the <machineKey> element
contains validationKey and decryptionKey attributes, as well.

 The validationKey attribute specifies the key used for the MAC;
decryptionKey indicates the key used in the Triple DES

 By default, these attributes are set to the value

"AutoGenerate,IsolateApp," which uniquely autogenerates the
keys for each Web application on the server.

 This setting works well for a single Web server environment, but
if you have a Web farm, it's vital that all Web servers use the
same keys for MAC and/or encryption and decryption.

 In this case you'll need to manually enter a shared key among

the servers in the Web farm.
 A catalog used on an e-commerce site might only
change once a week.

 .NET Web application could be built that provides a

front-end interface for that catalog, allowing
customers to purchase products.

 When a customer is simply browsing the catalog, the

system is making (in most cases) network calls to a
back-end database server.

 The database server is also doing calculations on the

data, such as a join query, and returning results.

 This type of configuration is quite common, be it a

catalog or some other type of commonly requested
data from a database.
 However, the design in the above example can be
improved upon.

 We know that the data in the database only changes

once a week, and we know that there are several
performance costs associated with retrieving the data

 Executing of the ASP.NET code to make the database


 Use of the network for the Web server to

communicate with the database server.

 Work done on the database server to compile and

execute the query (or simply execute stored
<%@ Page Language="VB" %>
<%@ OutputCache Duration="30" VaryByParam="*"
<script runat =server>
Public Sub Page_Load()
Response.Write (DateTime.Now.ToString())
End Sub
 <table cellpadding=5>
<a href="varybyparam_get.aspx?
category=Camping">Camping</a></td> <td>
<a href="varybyparam_get.aspx?
category=Climbing">Climbing</a></td> <td>
 <soap:Envelope

<Add xmlns="Web Service Namespace">
SOAP Envelope – Server Response

 <soap:Envelope

<AddResponse xmlns="Web Service Namespace">
Connection Authors

Select … from authors
Connection Publishers

Select … from
Authors DataGrid


