ASP .NET - Security and Performance
Host: Santo Xin & Elan Zhou - Sr. Support Engineers, MS Global
Technical Engg. Center - Shanghai, China
April 4, 2002
KunalS_[MS]: Good Afternoon to all of you.
KunalS_[MS]: Welcome to MSDN India Online Developer Forums - Expert
Chat Session. Today's Topic is - ASP .NET - Security and Performance.
KunalS_[MS]: And our hosts are - Santo Xin & Elan Zhou - Sr. Support
Engineers, MS Global Technical Engineering Center, Shanghai, China.
Elan_[MS]: Hi, all. Glad to meet you here!
KunalS_[MS]: You may ask Santo and Elan, all your queries
Santo_[MS]: hi all, nice to meet you
Saurabh: hi Santo and Elan ..
uday: Hello there
KunalS_[MS]: Concerning ASP.NET Performance and Security issues
uday: i have a question regarding session state
Adit: hello everybody
Santo_[MS]: go ahead, uday
uday: in my config.web file i have put the following lines
uday:
uday: but it says "Unrecognized configuration section 'sessionstate'"
dhruva: hi
Santo_[MS]: try sessionState instead of sessionstate
uday: Okay
Santo_[MS]: it is recommended that you let VS.NET generate
the configuration for you
Saurabh: I have a question
uday: Okay
uday: Thanks Santo !!!
Saurabh: if you configure the ASP.NET runtime to handle additional
file extensions like *.html etc .. so that I can protect from the
web.config file .. will there be any performance hit ?
Santo_[MS]: of course
Santo_[MS]: but should not be too much
Elan_[MS]: There will be only very small performance
hit.
Saurabh: any performance chart documentation on this ??
Saurabh: is there any *managed* way of protecting resources other
than those that are configured with the ASP.NET runtime ??
Santo_[MS]: We will search to see whether there is existing
benchmark chart, we can discuss this problem offline
Saurabh: sure ... let me know your e-mail .. mine is saurabh@mastercsharp.com
Saurabh: also do you have a chart of performance hit, while using
various different Session modes like inproc, Sql Server etc ...
Santo_[MS]: I will send email to you, Saurabh
Saurabh: thanks
Santo_[MS]: Saurabh, I remember we have such a chart,
but need some time to find it out
dhruva: In my Asp.net application,
I write some files on some specified directory on the web server.
However, this does not work unless i make settings in process model
Saurabh: while designing an ASP.NET application .. what are the different
layers you suggest ?? Since IBUYSPY uses 2 layers Business Layer and
User Interface .. while some other Microsoft Samples use 3 layers
dhruva: to make user=SYSTEM
dhruva: any other safe way to achieve the above
dhruva: ?
dhruva: in machine.config file
Santo_[MS]: dhruva, to make user=system is not suggested
Elan_[MS]: you can give the ASPNET account permission
to the specified directory, I think
Santo_[MS]: Yes, you can grant the NTFS permission for
your specified folder to the ASPNET account
dhruva: ok...
dhruva: but I have one another related question..
dhruva: Before I write out some files, I do a new of some com object
dhruva: this also does not work
dhruva: unless the account is with user=system
dhruva: How would we solve this problem?
Santo_[MS]: Saurabh, in Microsoft DNA, we recommend n
layers.
Santo_[MS]: But it depends on your business requirement,
there is not a simple answer for it
Santo_[MS]:
Saurabh: yeah ... I have gone through the DNA .... but then I have
heard comments from people (MS) saying the IBUYSPY way of 2 layers
was the best approach in .NET ... that's why I ask
Saurabh: also as we know when any configuration change is made to
the web.config file the ASP.NET web application, is forced to recompile
now the next batch of users hitting the page for the first time will
get a slow response since the pages are re-compiling,
Saurabh: is there any way we can make all the ASP.NET pages compile(runtime
compile) in one shot ??
dhruva: also, wrt to your earlier answer, what if the filesystem the
web server is on is FAT32 as opposed to NTFS
Elan_[MS]: dhruva, for your call COM question, you need
to determine what is the exact error you see
Elan_[MS]: and what is the error in the Event log
dhruva: "Cannot create Object"
Santo_[MS]: dhruva, the required permission of calling
some COM objects might depend on the code implementation
dhruva: Actually I do a new of an Excel Object
dhruva: not my com code at least
Santo_[MS]: dhruva, that is, you are trying to create
an Excel object on the IIS server side, aren't you?
dhruva: yes
dhruva: and it fails
Deepak: not recommended!
Elan_[MS]: Actually, the Excel object is not recommended
to be used in the server side programming
Elan_[MS]: it may involve some complex problems.
dhruva: I see... any general reasons(at a very top level) why this
should not be done?
Elan_[MS]: here is an article which explains the reasons
Santo_[MS]: Saurabh, I think you can use VSNET IDE to
compile the DLLs if needed
Saurabh: Santo .. I am talking about runtime compilation .. as you
know even though VS.NET compiles the DLL at runtime all the pages
are re-compiled by the asp.net runtime
dhruva: also, wrt to your earlier answer, what if the filesystem the
web server is on is FAT32 as opposed to NTFS
dhruva: how would we set directory permissions
Deepak: You'll need NTFS for file-permissions/ACL to work, FAT32 is
not a recommended FS for internet facing web-servers
Elan_[MS]: For FAT32, there is no permission protection
to it.
dhruva: ok
Elan_[MS]: For a secure environment, we do recommend
that you put important resources on the NTFS file system to gain fine
control over permission.
KunalS_[MS]: Dear members, how come nobody is interested in the Performance
features on ASP.NET?
dhruva: I went through the link...It will be useful to us
Santo_[MS]: after modifying the web.config, not all the
DLLs need to be recompiled
KunalS_[MS]: Elan and Santo, please also take some time to explain
to us the Performance difference between ASP and ASP.NET
Santo_[MS]: In ASP.NET, the code is compiled
Elan_[MS]: The following documentation in MSDN lists
some advantages of ASP.NET over ASP
Elan_[MS]: actually, ASP.NET provides more control over
caching
Santo_[MS]: cache in asp.net includes several aspects
Saurabh: Elan - any *performance* improvements between ASP and ASP.NET
... I understand the programming model differences
Santo_[MS]: OutputCache and code cache
Saurabh: I meant *performance* improvements with respect to caching
Aligator: hi
Elan_[MS]: In ASP.NET, you can cache the page or portion
of the page.
Santo_[MS]: Saurabh, what "cache" do you mean?
Saurabh: Santo - I mean that ASP also had caching .. right ?? So how
does the performance of Caching in ASP.NET improve from ASP ?? is
that clear ??
Elan_[MS]: In asp, caching usually refers to "caching
data" on the server. However, in ASP.NET, we can cache page/portion
of the page as well as the data.
Saurabh: ok
Elan_[MS]: And ASP.NET has granular control over the
caching options.
Saurabh: right
Santo_[MS]: just as Elan said, you can cache the whole
page
Santo_[MS]: That means when the second user requests the
same page with the same param, he can get the html stream right now. No
code in your page needs execution
Saurabh: ok ...
Elan_[MS]: Generally speaking, ASP.NET provides us with
many abilities to improve performance. However, the ultimate effect
would depend on how we use them.
Elan_[MS]: Here is some "Best Practice" for it which
may be useful for you all:
KunalS_[MS]: Please hurry with any important questions you may have
for Santo and Elan
explorer: i had a few doubts about web services
explorer: the web services as a business
Manish: yeah deepak, some cool stuff to download from that site
KunalS_[MS]: Explorer please go ahead
explorer: take for example i have a web service that provides stock
quotes
explorer: i have subscribed to feeds from a local stock feed provider
explorer: now if I make my web service public and charge an amount
substantially less than what others provide ... isn't it a punch in
the stomach of the feeds provider
explorer: in short .. i now act as a sub-feed provider .. without
the parent feed provider's knowledge ...
explorer: though this may be illegal ... i can give my clients a more
structured way of accessing feeds coupled with a lot more of compiled
data
KunalS_[MS]: Well explorer, this all depends on your agreement with
the provider...
KunalS_[MS]: It is similar to the menace of software piracy...
KunalS_[MS]: where people pirate software and it is a punch in the
stomach of software companies and developers
Deepak_[MS]: It's the same thing as today - Web-sites procure their stock
quotes data from reuters (typically).. and they have explicit contracts
that allow them to use it for distribution over internet
explorer: software piracy probably differs in certain ways.. but here
we are pirating the services
explorer: not the software
KunalS_[MS]: i agree
KunalS_[MS]: but what exactly is your concern?
KunalS_[MS]: are you for the technology of web services or against
it?
Deepak_[MS]: so explorer - you'll need to check with your feed-provider
to see if they allow re-distribution
explorer: no concern .. i just wanted to have some views on this
Deepak_[MS]: technically if you make your
Santo_[MS]: if the service provider allows the re-distribution,
I think you can do this
explorer: I'm for the technology .. but just weighing the pros and
cos
explorer: cons
explorer: anyway.. i guess this is a limitation.. and people would
probably make merry on this
Deepak_[MS]: remember it could happen to you - people could take your
web-service and provide it to others at even lesser costs!
Deepak_[MS]: from technical aspects - for a commercial web-service
you'll need some kind of lock/key mechanism
explorer: yes.. they can unless i have some basic authentication in
place to simply access the service
KunalS_[MS]: Explorer this is a very interesting debate and would
request you to post this to the forums newsgroup for further debate....
KunalS_[MS]: Sadly there is a time constraint
Saurabh: sure
explorer: I'm still to read a lot on web services and dot net..
KunalS_[MS]: and i need to wrap up this session
explorer: cos its a huge ocean of knowledge out there
explorer: yeah sure...
KunalS_[MS]: our hosts have been kind to give us some time
explorer: kunal.. 2 mins .. something other than web services .. though
related to microsoft
KunalS_[MS]: Santo and Elan, thank you very much for your time and
efforts
Saurabh: thanks Santo and Elan for your time and information
Deepak_[MS]: yup.. big cheers to Santo and Elan!
dhruva: Thanks...it has been very useful
Elan_[MS]: my pleasure
Santo_[MS]: my pleasure ,all
KunalS_[MS]: Next week's chat is on - Orchestrating XML Web Services
and Using the Microsoft .NET Framework with Microsoft BizTalk Server
KunalS_[MS]: and the expert host is - Sanjay Pherwani - .NET Evangelist,
Microsoft India
KunalS_[MS]: Thursday, 11th April, 2002, 3:30pm - 4:30pm IST
Saurabh: kool
KunalS_[MS]: Thank you all for taking time out and joining in the
MSDN India Online Developer Forums - Expert Chat Session
Saurabh: Thanks to you too Kunal for these sessions