appSettings,
Authentication,
config,
debug,
Error Handling,
InProc,
Session State,
SQL Server,
Web,
Web.config,
Web.config Tutorial
When the site goes live change the debug setting to false which will make the site have a little better performance.
<compilation defaultLanguage="C#" debug="true" />
Customer errors can be handled be turned off but I prefer them to be turned on as below.
<customErrors mode="Off" />
You can also do per page tracing so that you can turn off application Tracing and have trace="true" at the top of a single page.
<trace enabled="true" requestLimit="10" pageOutput="true" traceMode="SortByTime" localOnly="true"/>
ASP.NET provides a configuration system we can use to keep our applications flexible at runtime. In this article we will examine some tips and best practices for using the configuration system for the best results.
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<appSettings>
<add key="ConnectionInfo" value="server=(local);database=Northwind;Integrated Security=SSPI" />
</appSettings>
</configuration>
Multiple File Configuration
The appSettings element may contain a file attribute that points to an external file. Let’s change our web.config to look like the following
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<appSettings file="dbsettings.config"/>
</configuration>
Next, we can create the external file ‘dbsettings.config’ and add an appSettings section with our connection information.
<appSettings>
<add key="ConnectionInfo" value="server=(local);database=Northwind;Integrated Security=SSPI" />
</appSettings>
If the external file is present, ASP.NET will combine the appSettings values from web.config with those in the external file. If a key/value pair is present in both files, ASP.NET will use the value from the external file.
Session States:
Session in Asp .net web application is very important. As we know that HTTP is a stateless protocol and we needs session to keep the state alive. Asp .net stores the sessions in different ways. By default the session is stored in the asp .net process. You can always configure the application so that the session will be stored in one of the following ways
[1] Session State Service
There are two main advantages of using the State Service. First the state service is not running in the same process as the asp .net application. So even if the asp .net application crashes the sessions will not be destroyed. Any advantage is sharing the state information across a Web garden (Multiple processors for the same computer).
Lets see a example of the Session State Service.
<sessionState mode="StateServer" stateConnectionString="tcpip=127.0.0.1:55455" sqlConnectionString="data source=127.0.0.1;user id=sa;password='' cookieless="false" timeout="20"/>
The attributes are self explanatory but I will go over them.
mode: This can be StateServer or SqlServer. Since we are using StateServer we set the mode to StateServer.
stateConnectionString: connectionString that is used to locate the State Service.
sqlConnectionString: The connection String of the sql server database.
cookieless: Cookieless equal to false means that we will be using cookies to store the session on the client side.
[2.] SQL Server
The final choice to save the session information is using the Sql Server 2000 database. To use Sql Server for storing session state you need to do the following:
Run the InstallSqlState.sql script on the Microsoft SQL Server where you intend to store the session.
You web.config settings will look something like this:
<sessionState mode = "SqlServer" stateConnectionString="tcpip=127.0.0.1:45565" sqlConnectionString="data source="SERVERNAME;user id=sa;password='' cookiesless="false" timeout="20"/>
SQL Server lets you share session state among the processors in a Web garden or the servers in a Web farm. Apart from that you also get additional space to store the session. And after that you can take various actions on the session stored.
The downside is SQL Server is slow as compared to storing session in the state in process. And also SQL Server cost too much for a small company.
[3] InProc:
This is another Session State. This one is mostly used for development purposes. The biggest advantage of using this approach is the applications will run faster when compared to other Session state types. But the disadvantage is Sessions are not stored when there is any problem that occurs with the application, when there is a small change in the files etc., Also there could be frequent loss of session data experienced.
Error Handling:
<customErrors mode = "On">
<error statusCode = "404" redirect = "errorPage.aspx" />
</customErrors>
Security:
The most critical aspect of any application is the security. Asp.net offers many different types of security method which can be used depending upon the condition and type of security you need.
[1] No Authentication:
No Authentication means "No Authentication" :) , meaning that Asp.net will not implement any type of security.
[2] Windows Authentication:
The Windows authentication allows us to use the windows user accounts. This provider uses IIS to perform the actual authentication, and then passes the authenticated identity to your code. If you like to see that what windows user is using the Asp.net application you can use:
User.Identity.Name;
This returns the DOMAIN\UserName of the current user of the local machine.
[3] Passport Authentication:
Passport Authentication provider uses Microsoft's Passport service to authenticate users.
[4] Forms Authentication:
Forms Authentication uses HTML forms to collect the user information and than it takes required actions on those HTML collected values.
In order to use Forms Authentication you must set the Anonymous Access checkbox checked. Now we need that whenever user tries to run the application he/she will be redirected to the login page.
<authentication mode="Forms">
<forms loginUrl = "frmLogin.aspx" name="FAutho" timeout="1"/>
</authentication>
<authorization>
<deny users="?" />
</authorization>
<compilation defaultLanguage="C#" debug="true" />
Customer errors can be handled be turned off but I prefer them to be turned on as below.
<customErrors mode="Off" />
You can also do per page tracing so that you can turn off application Tracing and have trace="true" at the top of a single page.
<trace enabled="true" requestLimit="10" pageOutput="true" traceMode="SortByTime" localOnly="true"/>
ASP.NET provides a configuration system we can use to keep our applications flexible at runtime. In this article we will examine some tips and best practices for using the configuration system for the best results.
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<appSettings>
<add key="ConnectionInfo" value="server=(local);database=Northwind;Integrated Security=SSPI" />
</appSettings>
</configuration>
Multiple File Configuration
The appSettings element may contain a file attribute that points to an external file. Let’s change our web.config to look like the following
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<appSettings file="dbsettings.config"/>
</configuration>
Next, we can create the external file ‘dbsettings.config’ and add an appSettings section with our connection information.
<appSettings>
<add key="ConnectionInfo" value="server=(local);database=Northwind;Integrated Security=SSPI" />
</appSettings>
If the external file is present, ASP.NET will combine the appSettings values from web.config with those in the external file. If a key/value pair is present in both files, ASP.NET will use the value from the external file.
Session States:
Session in Asp .net web application is very important. As we know that HTTP is a stateless protocol and we needs session to keep the state alive. Asp .net stores the sessions in different ways. By default the session is stored in the asp .net process. You can always configure the application so that the session will be stored in one of the following ways
[1] Session State Service
There are two main advantages of using the State Service. First the state service is not running in the same process as the asp .net application. So even if the asp .net application crashes the sessions will not be destroyed. Any advantage is sharing the state information across a Web garden (Multiple processors for the same computer).
Lets see a example of the Session State Service.
<sessionState mode="StateServer" stateConnectionString="tcpip=127.0.0.1:55455" sqlConnectionString="data source=127.0.0.1;user id=sa;password='' cookieless="false" timeout="20"/>
The attributes are self explanatory but I will go over them.
mode: This can be StateServer or SqlServer. Since we are using StateServer we set the mode to StateServer.
stateConnectionString: connectionString that is used to locate the State Service.
sqlConnectionString: The connection String of the sql server database.
cookieless: Cookieless equal to false means that we will be using cookies to store the session on the client side.
[2.] SQL Server
The final choice to save the session information is using the Sql Server 2000 database. To use Sql Server for storing session state you need to do the following:
Run the InstallSqlState.sql script on the Microsoft SQL Server where you intend to store the session.
You web.config settings will look something like this:
<sessionState mode = "SqlServer" stateConnectionString="tcpip=127.0.0.1:45565" sqlConnectionString="data source="SERVERNAME;user id=sa;password='' cookiesless="false" timeout="20"/>
SQL Server lets you share session state among the processors in a Web garden or the servers in a Web farm. Apart from that you also get additional space to store the session. And after that you can take various actions on the session stored.
The downside is SQL Server is slow as compared to storing session in the state in process. And also SQL Server cost too much for a small company.
[3] InProc:
This is another Session State. This one is mostly used for development purposes. The biggest advantage of using this approach is the applications will run faster when compared to other Session state types. But the disadvantage is Sessions are not stored when there is any problem that occurs with the application, when there is a small change in the files etc., Also there could be frequent loss of session data experienced.
Error Handling:
<customErrors mode = "On">
<error statusCode = "404" redirect = "errorPage.aspx" />
</customErrors>
Security:
The most critical aspect of any application is the security. Asp.net offers many different types of security method which can be used depending upon the condition and type of security you need.
[1] No Authentication:
No Authentication means "No Authentication" :) , meaning that Asp.net will not implement any type of security.
[2] Windows Authentication:
The Windows authentication allows us to use the windows user accounts. This provider uses IIS to perform the actual authentication, and then passes the authenticated identity to your code. If you like to see that what windows user is using the Asp.net application you can use:
User.Identity.Name;
This returns the DOMAIN\UserName of the current user of the local machine.
[3] Passport Authentication:
Passport Authentication provider uses Microsoft's Passport service to authenticate users.
[4] Forms Authentication:
Forms Authentication uses HTML forms to collect the user information and than it takes required actions on those HTML collected values.
In order to use Forms Authentication you must set the Anonymous Access checkbox checked. Now we need that whenever user tries to run the application he/she will be redirected to the login page.
<authentication mode="Forms">
<forms loginUrl = "frmLogin.aspx" name="FAutho" timeout="1"/>
</authentication>
<authorization>
<deny users="?" />
</authorization>
