ASP.NET Security and Performance

Posted March 14, 2002

Chat Date: March 7, 2002

Chat Participants:

  • Rob Howard, Program Manager
  • Shawn Nandi, Product Manager
  • Erik Olson, Program Manager
  • John Perry, Forum Manager
  • Susan Warren, Program Manager

JPerry_MSFM
Welcome to today's MSDN Chat on ASP.NET. I will ask the hosts to introduce themselves.

RobertHoward
Hi, my name is Rob Howard. I'm a Program Manager on the ASP.NET team.

Erik_MS
Hi, I'm Erik Olson, a program manager on Microsoft's .NET Framework team.

Shawn_MS
Hi, I'm Shawn Nandi. I'm a Product Manager on the .NET Developer Platform focusing on ASP.NET.

JPerry_MSFM
And...I am John Perry, Program Manager for the Microsoft Online Communities. Glad you all could make it today!

JPerry_MSFM
Unfortunately, Scott Guthrie was unable to attend due to illness.

JPerry_MSFM
The host(s) will make an effort to answer as many questions as they can. There are times where a question may be asked that the host does not have an answer for. We will encourage you to post any of these questions in our newsgroups.

JPerry_MSFM
Let's get started! Fire away with your questions for our hosts.

RobertHoward
Q: How exactly is code in an ASPX file compiled and run? All in one class? When does it all run? Just Page_Load?

RobertHoward
A: When the first request comes in we pick up the .aspx file off the disk, parse it, convert all non-code statements to what we call literal controls and then compile it.

RobertHoward
A: We then store the compiled version on disk so we don't have to parse/compile on each request. At the end of the day it's a class.

RobertHoward
A: ...of course that's a bit generalized :)

Erik_MS
Q: If we don't have much code in an ASPX file, what exactly does the web.config debug compilation option do?

Erik_MS
A: Debug generates PDBs to facilitate debugging and uses debug compiler switches. If your .aspx files really don't have any code or controls in them

Erik_MS
A: you won't notice much difference. (done)

JPerry_MSFM
Great questions, keep them coming...answers are on their way!

RobertHoward
Q: I'm using both Sessions and Forms Authentication in a web application. Sometimes it seems that forms will time out without the Session_onEnd firing. Is there any reason for this? Any way to sync them up better?

RobertHoward
A: You'll need to configure the Session timeout value to be equal to or slightly less than the timeout for Forms.

Swarren
Q: To answer Michael's question: How is code executed in a page (in what order)?

Swarren
A: Unlike classic ASP, all code execution in ASP.NET happens in event handlers (which of course

Swarren
A: handle standard page events like Load, Render, etc). Typically the code acts against controls in

Swarren
A: a tree of controls that represent the entire page. Only when the Render event fires is the

Swarren
A: Response to the browser generated. (end)

Erik_MS
Q: Some trouble: why does the <identity impersonate="true" /> tag in web.config kill the localization sample?

Erik_MS
A: This is tricky. It's because code is loaded and shadow copied while impersonating and the impersonated identity may

Erik_MS
A: not be able to write to the codegen directory. The workarounds are limited: revert around the code that loads the

Erik_MS
A: localized assembly or broaden the ACLs on the codegen directory (it's per application) to allow the

Erik_MS
A: set of users you're impersonating. (done)

RobertHoward
Q: The timeouts are set to the same, and when they logout it kills the session, but sometimes the session_onend

RobertHoward
A: Are you using out of process session state?

Swarren
Q: So all the code in the tags get run in Page_Load?

Swarren
A: no, it executes in Page_Render

Erik_MS
Q: So if we compile the codebehinds with debug on, and get that PDB, but the pages with debug off, we should still get enough information, right?

Erik_MS
A: Right, if the codebehinds are compiled for debugging and you don't need to debug what's in the

Erik_MS
A: page, you should be fine. (done)

Swarren
Q: How do I set the default button? This is the only one on the page

Swarren
A: Unfortunately, we don't provide a mechanism in v1 of ASP.NET to help you do this. For IE, it's the one

Swarren
A: button on the form... it works differently for other browsers, however. This is something we'd love

Swarren
A: to tackle in a future release of ASP.NET.

RobertHoward
Q: We had a question about Session_OnEnd firing. With ASP, if there was a code error in the session_onend event, then the event would appear to not fire. Is this still true?

RobertHoward
A: The code will execute in ASP.NET, but you should definitely wrap the code in a try/catch and handle the error.

Erik_MS
Q: What are the chances of getting a tool that could read the ACLs and help configure ASP.NET security?

Erik_MS
A: There's not one on the immediate horizon, unfortunately :-( This is something that we're taking a hard look at.

Erik_MS
A: Don't go over to the dark side (System) unless you really need to, though. There are legitimate reasons

Erik_MS
A: to use System. My advice would be to first factor privileged code into separate ServicedComponents

Erik_MS
A: and run them in Enterprise Services (COM+) as a server app with a privileged identity. It's more work

Erik_MS
A: but you reduce your overall risk to just the pieces of code that need more privilege. (done)

Erik_MS
Q: So, what's the best way to persist ConnectionString data (UID/PWD/Servername etc.)? Consider security and performance.

Erik_MS
A: I don't know if there's a single best way, but here are some choices with tradeoffs:

Erik_MS
A: config files: easy but less security (better if you use integrated auth)

Erik_MS
A: registry keys: ACL for only the identities that need them and consider using CryptProtectData to create a machine specific encryption on the data.

Erik_MS
A: Requires code but decent security and perf.

Erik_MS
A: Construct strings: Use a ServicedComponent derived class and configure the construct string. This is easy and

Erik_MS
A: the strings are easily configurable by admins.

Erik_MS
A: Custom config sections: Implement IConfigurationSectionHandler and encrypt the configuration data. This requires code

Erik_MS
A: and you still must have a secret somewhere (consider a CAPI key container) (done)

Erik_MS
Q: Without interop, (normal .NET calling other .NET objects), we won't see a decrease in performance when using "chatty" objects instead of "chunky" calls?

Erik_MS
A: Not much of one without remoting or interop. Any sort of call has a cost (stack pushing, popping, etc.) but in most cases I don't think you'll notice it.

Erik_MS
A: However, if you're remoting objects or using interop, chunky is better. (done)

Erik_MS
Q: With cookieless auth, it is easy to hijack the session of a user with the URL, right? How do you protect from that?

Erik_MS
A: My two cents: with or without cookies, if you can sniff a forms auth session, it's subject to replay while the ticket is valid.

Erik_MS
A: Using SSL anywhere you send the authentication token is the best mitigation strategy, IMHO. (done)

Erik_MS
Q: Erik, is it possible to just encrypt the cookie, and not take the SSL hit for everything?

Erik_MS
A: The cookie is encrypted and has a MAC. It can't be tampered with, but it can be replayed within its window of validity.

Erik_MS
A: SSL helps stop line sniffing, so it's harder to ever intercept the request and steal the authentication token. (done)

Erik_MS
Q: Does SSL encrypt query string params too?

Erik_MS
A: Yes, it's the entire conversation. Headers, entity body, and all. (done)

Swarren
Q: Is it a good idea to use a custom subclass of Page to provide all our pages with some common elements?

Swarren
A: For common UI elements, it's quite a bit easier to manage user controls than trying to create these in

Swarren
A: the base page. But this is an awesome strategy for setting common application properties, like datasources.

Swarren
A: You may wish to check out the IBuySpy portal, which uses base classes for user controls in this way. (eom)

Erik_MS
Q: Is there any way to access the machine key that is used to do encryption for ASP.NET?

Erik_MS
A: If you use the default value of "autogenerate", then no. It's stored as an LSA secret.

Erik_MS
A: If you have an explicit value, then you can read it using your favorite XML strategy or

Erik_MS
A: the configuration support in System.Management. (done)

Erik_MS
Q: Right, I meant is it possible to make the cookie go over SSL (no sniffing) but not take a full SSL hit?

Erik_MS
A: You can scope the use of SSL on the site, but I'm not aware of any way just to encrypt headers and not the rest

Erik_MS
A: of the channel when you're using it (done)

Erik_MS
Q: Does Microsoft plan to use biometric (i.e. fingerprint) to authenticate a user with Passport?

Erik_MS
A: Unfortunately, we don't have any Passport folks here today. You might want to try that on the newsgroups. Sorry! (done)

Swarren
Q: Why is C++ not supported within ASP.NET?

Swarren
A: There are about 25 languages that support ASP.NET and C++ is one of them :)

Swarren
A: We weren't able to get VS.NET design-time support for C++ done for the just-released

Swarren
A: version, but it's definitely something we hope to do in the future!

Erik_MS
Q: How can I access the FormsAuthentication timeout variable? I only saw a private field, and I need it because I'm doing my own cookie (to set the UserData).

Erik_MS
A: Unfortunately, we don't expose this configuration property currently. You could try reading it using System.Management. You can retrieve the value

Erik_MS
A: you set by casting User.Identity to an instance of FormsIdentity and accessing the fields on that object. (done)

Swarren
Q: How can I catch a viewstate corrupt exception?

Swarren
A: You can catch this in Application_OnError.

Swarren
A: Or log it at least :)

Erik_MS
Q: Anybody working on an authenticated way of connecting to a remote SQL server (using Windows authentication)? Is Kerberos auth the only way?

Erik_MS
A: You can use integrated Windows auth (NTLM or Kerberos), but I suppose you mean via delegation. There is actually a cool feature in Windows.NET.

Erik_MS
A: You can do it today with delegatable

Erik_MS
A: authentication mechanisms (Basic, Kerberos) or by using a single identity to go to the backend (if your app does access control another way). (done)

Erik_MS
Q: Is impersonation not performed in the Application_Start method in Global.asax.cs?

Erik_MS
A: You're right, it's the process identity (the local ASPNET account). Generally, that account

Erik_MS
A: can read the registry but not write it. (done)

Swarren
Q: If I have a String variable named "DateC" in WebForm1 and I want to display the value of the variable in WebForm2 in Label1.Text, how do I go about getting the value for DateC that is in WebForm1?

Swarren
A: You'll need to pass the value along somehow from WebForm1 to WebForm2, since only WebForm2 is alive

Swarren
A: and executing at the time you want the value. So you could pass it as a query string value, or store it

Swarren
A: in Session state, etc.

Erik_MS
A: BTW, a great way to tell the thread identity is to evaluate WindowsIdentity.GetCurrent().Name

Erik_MS
A: for the account name of the token on the thread. (done)

JPerry_MSFM
The transcript from today's chat will be posted on https://msdn.microsoft.com/chats/ later next week.

JPerry_MSFM
Newsgroups: https://communities2.microsoft.com/home/default.aspx?lid=28001275

JPerry_MSFM
Thanks all, Great questions...
