Is it necessary to lock application state before accessing it?

Only if you’re performing a multistep update and want the update to be treated as an atomic operation. Here’s an example:

    Application.Lock ();
    Application["ItemsSold"] = (int) Application["ItemsSold"] + 1;
    Application["ItemsLeft"] = (int) Application["ItemsLeft"] - 1;
    Application.UnLock ();

By locking application state before updating it and unlocking it afterwards, you ensure that another request being processed on another thread doesn’t read application state at exactly the wrong time and see an inconsistent view of it.

If I update session state, should I lock it, too? Are concurrent accesses by multiple requests executing on multiple threads a concern with session state?

Concurrent accesses aren’t an issue with session state, for two reasons. One, it’s unlikely that two requests from the same user will overlap. Two, if they do overlap, ASP.NET locks down session state during request processing so that two threads can’t touch it at once. Session state is locked down when the HttpApplication instance that’s processing the request fires an AcquireRequestState event and unlocked when it fires a ReleaseRequestState event.

Do ASP.NET forms authentication cookies provide any protection against replay attacks? Do they, for example, include the client’s IP address or anything else that would distinguish the real client from an attacker?

No. If an authentication cookie is stolen, it can be used by an attacker. It’s up to you to prevent this from happening by using an encrypted communications channel (HTTPS). Authentication cookies issued as session cookies do, however, include a time-out value that limits their lifetime. So a stolen session cookie can only be used in replay attacks as long as the ticket inside the cookie is valid. The default time-out interval is 30 minutes. You can change that by modifying the timeout attribute accompanying the <forms> element in Machine.config or a local Web.config file.

Persistent authentication cookies do not time out and therefore are a more serious security threat if stolen.
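One way to narrow the replay window described in the answer above, shown as an added example that is not code from the original page: issue a short-lived, non-persistent ticket in an HTTPS-only cookie, store the client address in the ticket's UserData, and re-check it on every request. The class name TicketGuard is hypothetical, and the address check assumes clients keep a stable IP address, which does not hold behind some proxies and mobile networks.

```csharp
// Added example, not from the original page. HttpCookie.HttpOnly and
// String.IsNullOrEmpty need .NET 2.0 or later.
using System;
using System.Web;
using System.Web.Security;

public static class TicketGuard   // hypothetical helper name
{
    // Issue a session (non-persistent) ticket that records the client
    // address seen at sign-in in the ticket's UserData field.
    public static void SignIn(HttpContext context, string userName)
    {
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now,
            now.AddMinutes(30),                 // same length as the default time-out
            false,                              // not persistent
            context.Request.UserHostAddress);   // UserData

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.Secure = true;    // browser sends it over HTTPS only
        cookie.HttpOnly = true;  // not readable from client script
        context.Response.Cookies.Add(cookie);
    }

    // Call from Application_AuthenticateRequest in Global.asax. Returns false
    // when the cookie is absent, unreadable, expired, or arrives from an
    // address other than the one recorded at sign-in.
    public static bool IsTicketAcceptable(HttpContext context)
    {
        HttpCookie cookie =
            context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || String.IsNullOrEmpty(cookie.Value))
            return false;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return false;   // not a ticket this server issued
        }

        return ticket != null
            && !ticket.Expired
            && ticket.UserData == context.Request.UserHostAddress;
    }
}
```

When IsTicketAcceptable returns false for a request that carries a cookie, call FormsAuthentication.SignOut () and treat the request as anonymous.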
How do I send e-mail from an ASP.NET application?

    MailMessage message = new MailMessage ();
    message.From = "<email>";
    message.To = "<email>";
    message.Subject = "Scheduled Power Outage";
    message.Body = "Our servers will be down tonight.";
    SmtpMail.SmtpServer = "localhost";
    SmtpMail.Send (message);

MailMessage and SmtpMail are classes defined in the .NET Framework Class Library’s System.Web.Mail namespace. Due to a security change made to ASP.NET just before it shipped, you need to set SmtpMail’s SmtpServer property to "localhost" even though "localhost" is the default. In addition, you must use the IIS configuration applet to enable localhost (127.0.0.1) to relay messages through the local SMTP service.
What are VSDISCO files?

VSDISCO files are DISCO files that support dynamic discovery of Web services. If you place the following VSDISCO file in a directory on your Web server, for example, it returns references to all ASMX and DISCO files in the host directory and any subdirectories not noted in <exclude> elements:

    <?xml version="1.0" ?>
    <dynamicDiscovery xmlns="urn:schemas-dynamicdiscovery:disco.2000-03-17">
      <exclude path="_vti_cnf" />
      <exclude path="_vti_pvt" />
      <exclude path="_vti_log" />
      <exclude path="_vti_script" />
      <exclude path="_vti_txt" />
    </dynamicDiscovery>
How does dynamic discovery work?

ASP.NET maps the file name extension VSDISCO to an HTTP handler that scans the host directory and subdirectories for ASMX and DISCO files and returns a dynamically generated DISCO document. A client who requests a VSDISCO file gets back what appears to be a static DISCO document.

Note that VSDISCO files are disabled in the release version of ASP.NET. You can reenable them by uncommenting the line in the <httpHandlers> section of Machine.config that maps *.vsdisco to System.Web.Services.Discovery.DiscoveryRequestHandler and granting the ASPNET user account permission to read the IIS metabase. However, Microsoft is actively discouraging the use of VSDISCO files because they could represent a threat to Web server security.
Is it possible to prevent a browser from caching an ASPX page?

Just call SetNoStore on the HttpCachePolicy object exposed through the Response object’s Cache property, as demonstrated here:

    <%@ Page Language="C#" %>
    <html>
      <body>
        <%
          Response.Cache.SetNoStore ();
          Response.Write (DateTime.Now.ToLongTimeString ());
        %>
      </body>
    </html>

SetNoStore works by returning a Cache-Control: private, no-store header in the HTTP response. In this example, it prevents caching of a Web page that shows the current time.
What does AspCompat="true" mean and when should I use it?

AspCompat is an aid in migrating ASP pages to ASPX pages. It defaults to false but should be set to true in any ASPX file that creates apartment-threaded COM objects, that is, COM objects registered ThreadingModel=Apartment. That includes all COM objects written with Visual Basic 6.0. AspCompat should also be set to true (regardless of threading model) if the page creates COM objects that access intrinsic ASP objects such as Request and Response. The following directive sets AspCompat to true:

    <%@ Page AspCompat="true" %>

Setting AspCompat to true does two things. First, it makes intrinsic ASP objects available to the COM components by placing unmanaged wrappers around the equivalent ASP.NET objects. Second, it improves the performance of calls that the page places to apartment-threaded COM objects by ensuring that the page (actually, the thread that processes the request for the page) and the COM objects it creates share an apartment.

AspCompat="true" forces ASP.NET request threads into single-threaded apartments (STAs). If those threads create COM objects marked ThreadingModel=Apartment, then the objects are created in the same STAs as the threads that created them. Without AspCompat="true", request threads run in a multithreaded apartment (MTA) and each call to an STA-based COM object incurs a performance hit when it’s marshaled across apartment boundaries.

Do not set AspCompat to true if your page uses no COM objects or if it uses COM objects that don’t access ASP intrinsic objects and that are registered ThreadingModel=Free or ThreadingModel=Both.
What type of code (server or client) is found in a Code-Behind class?

C#

Should validation (did the user enter a real date) occur server-side or client-side? Why?

Client-side validation, because there is no need to request a server-side date when you could obtain a date from the client machine.
What are ASP.NET Web Forms? How is this technology different from what is available through ASP?

Web Forms are the heart and soul of ASP.NET. Web Forms are the User Interface (UI) elements that give your Web applications their look and feel. Web Forms are similar to Windows Forms in that they provide properties, methods, and events for the controls that are placed onto them. However, these UI elements render themselves in the appropriate markup language required by the request, e.g. HTML. If you use Microsoft Visual Studio .NET, you will also get the familiar drag-and-drop interface used to create your UI for your Web application.
What is the difference between Server.Transfer and Response.Redirect? Why would I choose one over the other?

In earlier versions of IIS, if we wanted to send a user to a new Web page, the only option we had was Response.Redirect. While this method does accomplish our goal, it has several important drawbacks. The biggest problem is that this method causes each page to be treated as a separate transaction. Besides making it difficult to maintain your transactional integrity, Response.Redirect introduces some additional headaches. First, it prevents good encapsulation of code. Second, you lose access to all of the properties in the Request object. Sure, there are workarounds, but they’re difficult. Finally, Response.Redirect necessitates a round trip to the client, which, on high-volume sites, causes scalability problems.

As you might suspect, Server.Transfer fixes all of these problems. It does this by performing the transfer on the server without requiring a round trip to the client.
How can you provide an alternating color scheme in a Repeater control?

AlternatingItemTemplate. Like the ItemTemplate element, but rendered for every other row (alternating items) in the Repeater control. You can specify a different appearance for the AlternatingItemTemplate element by setting its style properties.
Which template must you provide in order to display data in a Repeater control?

ItemTemplate
What event handlers can I include in Global.asax?

Application_Start, Application_End, Application_AcquireRequestState, Application_AuthenticateRequest, Application_AuthorizeRequest, Application_BeginRequest, Application_Disposed, Application_EndRequest, Application_Error, Application_PostRequestHandlerExecute, Application_PreRequestHandlerExecute, Application_PreSendRequestContent, Application_PreSendRequestHeaders, Application_ReleaseRequestState, Application_ResolveRequestCache, Application_UpdateRequestCache, Session_Start, Session_End

You can optionally include “On” in any of the method names. For example, you can name a BeginRequest event handler Application_BeginRequest or Application_OnBeginRequest. You can also include event handlers in Global.asax for events fired by custom HTTP modules.

Note that not all of the event handlers make sense for Web Services (they’re designed for ASP.NET applications in general, whereas .NET XML Web Services are specialized instances of an ASP.NET app). For example, the Application_AuthenticateRequest and Application_AuthorizeRequest events are designed to be used with ASP.NET Forms authentication.