
Summary

This article delivers key insights on hidden settings, tweaks and concepts in ASP.NET. Key areas covered include security, configuration, ASPX pages and web controls.

Introduction

A dozen ASP.NET tips & tricks that I have learnt the hard way, for the benefit of the community. These questions are intended for medium to high level ASP.NET programmers; basic ASP.NET questions are limited, if present at all.

1) Can two different programming languages be mixed in a single ASPX file?

No. ASP.NET uses parsers to strip the code from ASPX files and copy it to temporary files containing derived Page classes, and a given parser understands only one language.

2) Is it possible to see the code that ASP.NET generates from an ASPX file?

Yes. Enable debugging by including a <%@ Page Debug="true" %> directive in the ASPX file or a <compilation debug="true"> statement in Web.config. Then look for the generated CS or VB file in a subdirectory underneath %SystemRoot%\Microsoft.NET\Framework\v1.1.nnnn\Temporary ASP.NET Files.

3) Is it possible to protect view state from tampering when it's passed over an unencrypted channel?

Yes. Simply include an @ Page directive with an EnableViewStateMac="true" attribute in each ASPX file you wish to protect, or include the following statement in Web.config:

    <pages enableViewStateMac="true" />

This configuration directive appends a hash (officially called the message authentication code, or MAC) to view state values round-tripped to the client and enables ASP.NET to detect altered view state. If ASP.NET determines that view state has been altered when a page posts back to the server, it throws an exception. The hash is generated by appending a secret key (the validationKey value attached to the <machineKey> element in Machine.config) to the view state and hashing the result. An attacker can't modify view state and fix up the hash without knowing the secret key, too.

4) Can a user browsing my Web site read my Web.config or Global.asax files?

No.
The <httpHandlers> section of Machine.config, which holds the master configuration settings for ASP.NET, contains entries that map ASAX files, CONFIG files, and selected other file types to an HTTP handler named HttpForbiddenHandler, which fails attempts to retrieve the associated file.

5) What's the difference between Page.RegisterClientScriptBlock and Page.RegisterStartupScript?

RegisterClientScriptBlock is for returning blocks of client-side script containing functions. RegisterStartupScript is for returning blocks of client-side script not packaged in functions; in other words, code that's to execute when the page is loaded. The latter positions script blocks near the end of the document so elements on the page that the script interacts with are loaded before the script runs.

6) What does AspCompat="true" mean and when should I use it?

AspCompat is an aid in migrating ASP pages to ASPX pages. It defaults to false but should be set to true in any ASPX file that creates apartment-threaded COM objects, that is, COM objects registered ThreadingModel=Apartment. That includes all COM objects written with Visual Basic 6.0. AspCompat should also be set to true (regardless of threading model) if the page creates COM objects that access intrinsic ASP objects such as Request and Response. The following directive sets AspCompat to true:

    <%@ Page AspCompat="true" %>

Setting AspCompat to true does two things. First, it makes intrinsic ASP objects available to the COM components by placing unmanaged wrappers around the equivalent ASP.NET objects. Second, it improves the performance of calls that the page places to apartment-threaded COM objects by ensuring that the page (actually, the thread that processes the request for the page) and the COM objects it creates share an apartment. AspCompat="true" forces ASP.NET request threads into single-threaded apartments (STAs). If those threads create COM objects marked ThreadingModel=Apartment, then the objects are created in the same STAs as the threads that created them. Without AspCompat="true", request threads run in a multithreaded apartment (MTA) and each call to an STA-based COM object incurs a performance hit when it's marshaled across apartment boundaries.

7) Is it possible to call Fill on a DataAdapter and fill two DataTables in a DataSet with a single call?

Yes. Here's a sample that demonstrates how by performing a double query and binding each of the resulting DataTables to a different DataGrid.

    SqlDataAdapter adapter = new SqlDataAdapter(
        "select * from titles; select * from authors",
        "server=localhost;database=pubs;uid=sa");
    DataSet ds = new DataSet();
    adapter.Fill(ds);
    DataGrid1.DataSource = ds.Tables[0];
    DataGrid1.DataBind();
    DataGrid2.DataSource = ds.Tables[1];
    DataGrid2.DataBind();

8) I'm dynamically adding columns to a DataGrid at run-time, but am finding that the DataGrid's events don't fire properly. Interestingly, if I define the columns statically, the events work just fine. What may be wrong?

You're probably adding the columns to the DataGrid in Page_Load. Add them in Page_Init instead and the events will fire just fine. In general, Page_Init is the ideal place to modify the page and its controls, while Page_Load is the place to modify control state.
Keep this simple dictum in mind and you'll save yourself a lot of headaches down the road.

9) How does ASP.NET generate session IDs? Are they random? Predictable session IDs increase the risk of session hijacking.

ASP.NET uses random, non-sequential session IDs. Specifically, it uses the FCL's System.Security.Cryptography.RNGCryptoServiceProvider class to generate highly random 120-bit session IDs. Sessions can still be hijacked by stealing session cookies or, if cookieless session state is being used, by reading session IDs from the browser's address bar. But ASP.NET's use of random session IDs should preclude the possibility of hijacking sessions by guessing session IDs.

10) When I call DataAdapter.Fill to fill a DataTable, the data comes back just fine, but any constraints placed on that data in the database do not. For example, if the table I query contains a unique key constraint, the resulting DataTable does not. If I modify the DataTable and violate a constraint, I don't learn about my mistake until I call DataAdapter.Update. Is there a reasonable way to read constraints from a database and apply them to a DataTable?

There is: it's called FillSchema. The page below demonstrates its use. The record added to the DataTable violates a uniqueness constraint because the "title_id" of the Pubs database's "titles" table is a primary key and it already contains a record with a "title_id" value of TC7777. Thanks to FillSchema, the call to Rows.Add throws an exception.

    SqlDataAdapter adapter = new SqlDataAdapter(
        "select * from titles",
        "server=localhost;database=pubs;uid=sa");
    DataSet ds = new DataSet();
    adapter.Fill(ds, "Titles");
    DataTable table = ds.Tables["Titles"];
    adapter.FillSchema(table, SchemaType.Mapped);

    DataRow row = table.NewRow();
    row["title_id"] = "TC7777";
    row["title"] = "Programming Microsoft .NET";
    row["price"] = "59.99";
    row["ytd_sales"] = "1000000";
    row["type"] = "business";
    row["pubdate"] = "May 2002";
    table.Rows.Add(row); // Get ready for an exception!

As an aside, you generally want to call FillSchema after DataAdapter.Fill, not before. Placing constraints on a DataTable before filling it slows down the query.

11) Why do uploads fail when I use an ASP.NET file upload control to upload large files?

ASP.NET limits the size of requests (and therefore file uploads) as a precaution against denial-of-service attacks. By default, ASP.NET won't accept requests whose size exceeds 4 MB. You can change that by modifying the maxRequestLength attribute of Machine.config's <httpRuntime> element. The following maxRequestLength attribute expands the permissible request size to 8 MB (8192K):

    <httpRuntime ... maxRequestLength="8192" ... />

12) Can a calendar control be customized so that it limits users to selecting certain days of the week, and only dates that fall on or after today's date?

Yes. The secret is the OnDayRender event.

    <asp:Calendar OnDayRender="OnDayRender" RunAt="server" />
    . . .
    void OnDayRender(Object sender, DayRenderEventArgs e)
    {
        // e.Day.Date carries no time of day, so compare with DateTime.Today
        // (not DateTime.Now) to keep today's date selectable.
        e.Day.IsSelectable =
            (e.Day.Date.DayOfWeek == DayOfWeek.Friday ||
             e.Day.Date.DayOfWeek == DayOfWeek.Saturday) &&
            e.Day.Date >= DateTime.Today;
    }

The DayRenderEventArgs passed to a DayRender event handler has a property named Day that identifies the day being rendered. This example sets Day's IsSelectable property to true or false depending on whether the day currently being rendered represents a legitimate selection. Setting IsSelectable to false prevents the control from placing a hyperlink in the corresponding cell, effectively making that cell unselectable.

Summary

ASP.NET is fabulous. With the managed and more mature API, and MSFT competing with industry stalwarts to maintain its lead in the application programming market, I anticipate more exciting times ahead with the Whidbey release.

.NET Classes used:

System.Web
System.Web.Caching
System.Web.Security
System.Web.SessionState
System.Web.UI
System.Web.UI.HtmlControls
System.Web.UI.WebControls
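
The keyed-hash check from question 3, as an added example (not code from the original article and not ASP.NET's internal implementation). It uses HMAC-SHA256 as the keyed hash in place of the append-the-key-and-hash construction described there; the class and method names, the random key standing in for validationKey, and the sample state are assumptions made up for the demo.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class ViewStateMacDemo
{
    const int MacLength = 32; // HMAC-SHA256 output size in bytes
    // On render: append MAC(key, state) to the serialized state.
    static string Protect(byte[] state, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
        {
            byte[] mac = hmac.ComputeHash(state);
            byte[] blob = new byte[state.Length + mac.Length];
            Buffer.BlockCopy(state, 0, blob, 0, state.Length);
            Buffer.BlockCopy(mac, 0, blob, state.Length, mac.Length);
            return Convert.ToBase64String(blob);
        }
    }

    // On postback: recompute the MAC over the state and reject any mismatch.
    static byte[] Unprotect(string field, byte[] key)
    {
        byte[] blob = Convert.FromBase64String(field);
        if (blob.Length < MacLength) throw new CryptographicException("View state too short.");
        int stateLength = blob.Length - MacLength;
        using (var hmac = new HMACSHA256(key))
        {
            byte[] expected = hmac.ComputeHash(blob, 0, stateLength);
            int diff = 0; // OR all byte differences so timing does not reveal the first bad byte
            for (int i = 0; i < MacLength; i++) diff |= expected[i] ^ blob[stateLength + i];
            if (diff != 0) throw new CryptographicException("View state MAC validation failed.");
        }
        byte[] state = new byte[stateLength];
        Buffer.BlockCopy(blob, 0, state, 0, stateLength);
        return state;
    }

    static void Main()
    {
        byte[] key = new byte[64]; // stands in for validationKey; generated for this demo
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        string field = Protect(Encoding.UTF8.GetBytes("role=guest;cart=3"), key); // constructed sample state
        Console.WriteLine(Encoding.UTF8.GetString(Unprotect(field, key)));        // round-trips intact
        byte[] tampered = Convert.FromBase64String(field);
        tampered[5] ^= 0x01; // one bit of the state changed in transit
        try { Unprotect(Convert.ToBase64String(tampered), key); }
        catch (CryptographicException ex) { Console.WriteLine("Rejected: " + ex.Message); }
    }
}
```

The MAC only detects modification; the state itself is still readable by the client, so it must not carry secrets.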
