ASP.NET Essentials State management, authentication, and Web Services Daniele Pagano Arizona State University.


Overview

State Management
- Application State
- Session State
- Storage and Scalability

Authentication and Authorization
- Security overview
- Windows-based and forms-based authentication
- NTFS and URL-based authorization

XML Web Services
- What are Web Services?
- Creating Web Services
- Using Web Services

State Management

In most cases you will need to keep data stored across requests and track users during their visit.
- Application state preserves data across users in a global area.
- Session state recognizes one user and allocates some data for each.

HTTP is stateless, so other mechanisms must be used, such as cookies and URL IDs. ASP.NET abstracts these from you; you just need to worry about what to store.

The Application State

Holds any data you share among multiple users. You can easily add and remove items from the application state. Since it is a shared resource, you should lock it every time you write to it, then unlock it.

Hints:
- Lock the application state for as little time as possible.
- Put the unlock in a finally block so it is always executed.
- Application state stores items as type Object; don't forget to cast them back to your specific type.
- Store data you don't need all the time, or that you need to survive a server crash or restart, in a file or database.

Application State code snippet

```csharp
// Shows: cast your retrieved values, because Application stores them as Object
if ((int)Application["UserCount"] > 1)
    // In a string context ToString() is called for you, no need to cast
    this.lastserve.Text = "Last access: " + Application["LastAccess"];

try
{
    Application.Lock();                       // Lock before use
    Application["LastAccess"] = DateTime.Now;
}
finally                                       // This is ALWAYS run
{
    Application.UnLock();                     // Unlock after use
}
```

The Session State

Maintains data for individual users. Uses cookies normally, but a cookieless option is also available. Works like the Application object, but there is no need to lock/unlock as it is not shared. Use the syntax Session["MyVar"] as before.

Hints:
- It is enabled by default; disable it in every page in which you don't use it (via the Properties pane) to save resources.
- Remember that each piece of data you store in memory is allocated for each user.
- Understand and use the different methods for state storage (coming up next).

Session State Storage options

Choose via the web.config file by updating the sessionState mode property:
- In-Process (InProc): the default. The session is stored in the process memory for each user.
- Out-of-process (StateServer): a separate server handles storing the session data. You'll need to start the ASP.NET State Service and update stateConnectionString.
- SQL Server (SQLServer): a SQL database (local or on a different server) stores the session data. You'll need to run InstallSqlState.sql (in the .NET Framework directory) against your main database and update sqlConnectionString.
- Cookieless: set/unset this sessionState property to use sessions without cookies.
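The three storage modes and the cookieless option written out as web.config sessionState elements, as an added example that is not part of the original slides. Host names, the SQL login and the timeout are placeholders (42424 is the default port of the ASP.NET State Service). Only one sessionState element may be active in a configuration, so the alternatives are shown commented out.

```xml
<configuration>
  <system.web>

    <!-- 1. InProc (default): the session lives in the worker process memory.
         Fast, but lost on a restart and not shared across a Web farm. -->
    <sessionState mode="InProc" cookieless="false" timeout="20" />

    <!-- 2. StateServer: start the "ASP.NET State Service" on the host named
         here (placeholder host name), then point stateConnectionString at it. -->
    <!--
    <sessionState mode="StateServer"
                  stateConnectionString="tcpip=STATE-SERVER-HOST:42424"
                  cookieless="false"
                  timeout="20" />
    -->

    <!-- 3. SQLServer: run InstallSqlState.sql against the database first;
         the host and the login are placeholders. -->
    <!--
    <sessionState mode="SQLServer"
                  sqlConnectionString="data source=SQL-HOST;user id=STATE-USER;password=STATE-PASSWORD"
                  cookieless="false"
                  timeout="20" />
    -->

  </system.web>
</configuration>
```

Keep cookieless="false" unless you must support clients without cookies: with cookieless sessions the session ID is carried in the URL, so it ends up in browser history, bookmarks, proxy and server logs and in Referer headers sent to other sites, and an attacker who can get a user to open a crafted URL finds session fixation much easier. A short timeout limits how long a leaked ID stays usable. To switch session state off for a single page (the per-page setting the previous slide mentions), the page directive is <%@ Page EnableSessionState="false" %>, or "ReadOnly" for pages that only read it.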

Scalability Issues

Several state management issues can compromise your speed and scalability:
- Misuse of Application.Lock(): make sure you use it as little as possible and always unlock.
- Use of session state: don't leave session state enabled unless you use it. You can disable it in one page even if it is used in others.
- Abuse of state storage: this easily eats up your memory if you store too much data, especially in session state, as it is multiplied for each user.
- Use of non-thread-safe objects: make sure whatever you store in application or session state is thread-safe, or your whole application will be blocked.
- Multi-server: application and session data stored in-process will not carry over to Web farms. Use a state server or a central database instead.

ASP.NET Security issues

Security will be covered next time; these are the main issues to keep in mind, and they will be covered then. Make sure you are aware of these techniques:
- Configure your file system for safety
- Disable unnecessary services
- Create security policies and templates
- When, where, and how to configure passwords
- Remove sample web applications
- Use validation extensively
- Check for and install patches regularly
- Configure logging
- Configure SSL
- And more…

Windows-based authentication

Relies on IIS. Comes in basic (least secure), digest (more secure, uses domain servers), and NTLM (most secure, IE only). Enable and configure it via IIS:
- Choose the resource to protect
- Click on Properties
- Select the Directory Security or File Security tab
- Click the Edit… button under authentication control
- Uncheck anonymous access and check the desired authentication method(s)

Forms-based authentication

It is mostly automated in ASP.NET:
- Create a login page that obtains a username and password from the user.
- Call FormsAuthentication.Authenticate with the username and password. It returns true or false.
- Configure web.config to use forms authentication.
- Create user credentials with hashed passwords.

Web.Config snippet for Forms authentication

You'll need to modify web.config so that it knows which page is the login page and who the users are.

```xml
<authentication mode="Forms">
  <forms loginUrl="login.aspx">
    <credentials passwordFormat="SHA1">
      <!-- placeholder entry: put the real user name and the hash of the password here -->
      <user name="USERNAME" password="HASH-OF-PASSWORD" />
    </credentials>
  </forms>
</authentication>
<authorization>
  <deny users="?" />   <!-- ? = anonymous users -->
</authorization>
```

Make sure you set the right password format and generate the hash with some program (available on the web too).

Authentication code snippet

Since ? (anonymous) users are denied, the page specified in web.config (like login.aspx) will be displayed. There you'll collect the user information and log in. To log in, use the automatic authentication and then redirect the user to the page they were denied access to.

```csharp
using System.Web.Security;
...
private void Login_Click(object sender, System.EventArgs e)
{
    // Compares the submitted credentials with the <credentials> in web.config
    if (FormsAuthentication.Authenticate(user.Text, pass.Text))
    {
        // Issues the authentication cookie (false = not persistent) and returns
        // the user to the page they originally requested
        FormsAuthentication.RedirectFromLoginPage(user.Text, false);
    }
}
```

To log out use FormsAuthentication.SignOut();
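The slides say the password hash for web.config has to be generated "with some program". The following console tool is an added example, not code from the slides: it produces that hash and checks a submitted password against it the way the credentials section is checked. It reproduces the scheme ASP.NET uses for FormsAuthentication.HashPasswordForStoringInConfigFile and FormsAuthentication.Authenticate (hash the UTF-8 bytes of the password, write the digest as upper-case hex, compare case-insensitively) using only the base class library, so it builds without System.Web. The class and method names are my own.

```csharp
// Added example (not from the slides): generate and verify the password hash
// used by <credentials passwordFormat="SHA1"> (or "MD5") in web.config.
using System;
using System.Security.Cryptography;
using System.Text;

static class ConfigPasswordHash
{
    // Returns the hex digest to paste into the password="..." attribute of <user>.
    // Same recipe as FormsAuthentication.HashPasswordForStoringInConfigFile:
    // UTF-8 bytes of the password, digest written as upper-case hex.
    public static string HashForConfig(string password, string passwordFormat)
    {
        byte[] data = Encoding.UTF8.GetBytes(password);
        byte[] digest;

        switch (passwordFormat.ToUpperInvariant())
        {
            case "SHA1":
                using (var sha1 = SHA1.Create()) digest = sha1.ComputeHash(data);
                break;
            case "MD5":
                using (var md5 = MD5.Create()) digest = md5.ComputeHash(data);
                break;
            default:
                throw new ArgumentException("passwordFormat must be SHA1 or MD5");
        }
        // BitConverter gives "5B-AA-..."; strip the dashes to get the config form
        return BitConverter.ToString(digest).Replace("-", "");
    }

    // What Authenticate effectively does for a matching <user> entry: hash the
    // submitted password the same way and compare with the stored hex string.
    // The comparison ignores hex case, so "5baa..." and "5BAA..." both match.
    public static bool Verify(string submitted, string storedHex, string passwordFormat)
    {
        string computed = HashForConfig(submitted, passwordFormat);
        return string.Equals(computed, storedHex, StringComparison.OrdinalIgnoreCase);
    }

    static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: ConfigPasswordHash <SHA1|MD5> <password>");
            return 1;
        }
        Console.WriteLine(HashForConfig(args[1], args[0]));
        return 0;
    }
}
```

Run it as ConfigPasswordHash SHA1 <password> and paste the printed value into the user element. Two caveats a practitioner should keep in mind: the digest is unsalted, so two users with the same password get the same hash and precomputed hash tables apply directly, which is acceptable for a classroom exercise but not for real user accounts (the Membership provider stores salted hashes); and the second argument of RedirectFromLoginPage in the slide's snippet controls whether the authentication cookie persists across browser sessions, so false is the safer choice on shared machines.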

Authorization

If you're using Windows authentication, just set up file permissions for the user that has logged in, and add the corresponding entry to your web.config.

You can also use the authorization section of web.config to allow or deny users and roles access to a web page. This applies to the root and all sub-directories that don't have conflicting web.config settings.

Authorizing a specific URL

To authorize certain users for specific URLs, you can add this to your web.config outside the main system.web element:

```xml
<location path="PATH-TO-PROTECT">
  <system.web>
    <authorization>
      …allows and denies…
    </authorization>
  </system.web>
</location>
```
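A fuller version of the location rule, as an added example that is not from the slides: the paths admin and public, the user alice and the role Admins are constructed for illustration. It shows the one property of URL authorization that most often goes wrong, rule order.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" />
    </authentication>
    <!-- Site-wide rule: anonymous users (?) are denied everywhere below this directory. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-URL rules: path is relative to the directory holding this web.config.
       Rules are evaluated top to bottom and the first match wins, so the
       catch-all deny must come last. Without it, the machine-wide default
       rule <allow users="*" /> lets every authenticated user in. -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow users="alice" />    <!-- constructed example user -->
        <allow roles="Admins" />   <!-- roles need a role source: Windows groups under
                                        Windows authentication, a role provider otherwise -->
        <deny users="*" />         <!-- everyone else, authenticated or not -->
      </authorization>
    </system.web>
  </location>

  <!-- A public area below a protected root must explicitly re-allow everyone,
       because location rules are checked before the parent directory's rules. -->
  <location path="public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

When checking such a file, read each location block from the top and ask which rule the request would hit first: a deny placed after an allow users="*" is never reached, and a block with no final deny inherits the machine-wide allow.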

XML Web Services

Web Services allow you to invoke any code across the web. They make great middle-tier material. They use XML and SOAP to work across platforms and transmit text across firewalls (using port 80). They can be implemented in any language, but .NET makes it very easy. They can be searched, located and linked to using UDDI servers.

Creating a Web Service

- In Visual Studio .NET, create a new Web Service project in your favorite language.
- Write your code normally (as in a library) in the .asmx file.
- Add [WebMethod] before any method you'd like to publish.
- Build your solution. That's it!

Using a Web Service

- In the Visual Studio .NET Solution Explorer, right-click on References and select Add Web Reference.
- Paste the URL of the .asmx file or locate one with the options provided.
- Click Add Reference.

Now the classes and methods exported by the web service are available to you transparently. Enjoy!
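The two procedures above (creating and consuming a service) in code, as an added example that is not from the slides: the service side is what the .asmx code-behind looks like once [WebMethod] is applied, and the client side is how the proxy generated by Add Web Reference is used. The namespace URI, the Calculator class, and the web reference name localhost are assumptions for illustration; the proxy class itself is generated by Visual Studio and is not shown.

```csharp
// Added example (not from the slides). Names and namespace are assumed.
using System;
using System.Web.Services;

// --- Service side: Calculator.asmx.cs -------------------------------------
// Namespace replaces the default http://tempuri.org/ so the WSDL is unique.
[WebService(Namespace = "http://example.invalid/calculator")]
public class Calculator : WebService
{
    // Published: [WebMethod] makes it callable over SOAP and lists it in the WSDL.
    [WebMethod(Description = "Adds two integers")]
    public int Add(int a, int b)
    {
        return checked(a + b);   // overflow raises a SOAP fault instead of wrapping silently
    }

    // Not published: a public method without [WebMethod] is invisible to clients.
    public int Multiply(int a, int b)
    {
        return checked(a * b);
    }
}

// --- Client side, after adding a Web Reference named "localhost" ------------
// The generated proxy class carries the service's name inside that namespace.
public static class Client
{
    public static int CallAdd(int a, int b)
    {
        using (var proxy = new localhost.Calculator())
        {
            // A timeout so a slow or hung service cannot tie the caller up forever.
            proxy.Timeout = 5000;   // milliseconds
            return proxy.Add(a, b);
        }
    }
}
```

The .asmx endpoint is an ASP.NET resource like any page, so the authorization rules in web.config from the earlier slides apply to it too: a deny users="?" rule on the directory keeps anonymous callers away from the service as well as from the pages.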

What we have learned

- How to create more customized and dynamic web applications using Application and Session management.
- Some ways to make sure our web applications are scalable.
- What the main security issues to keep in mind are.
- Simple ways to authenticate and authorize users on our website.
- How to use web services.

Q&A