ASP.NET Database Programming Weekend Crash Course, J. Butler and T. Caudill

Session 12—Maintaining State in ASP.NET

How to make it happen

To implement this method, all you need to do is activate the ASP.NET State Service. Shell out to a command prompt and type net start aspnet_state. Then open your Web.config file and modify the <system.web> section so that the sessionState element has mode="StateServer". Also set stateConnectionString="tcpip=127.0.0.1:42424", where the address and port are those of the machine running the State Service (not your SQL Server; the service listens on TCP port 42424 by default). Finally, save the Web.config file. The following listing shows a Web.config file configured for State Server state maintenance. Two cautions: the sqlConnectionString attribute is ignored in StateServer mode, and a connection string that uses the sa login with an empty password, as in this listing, should never appear in a real Web.config. The State Service also does not authenticate the clients that connect to it, so port 42424 must be reachable only from your Web servers.

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <!-- sqlConnectionString is only read when mode="SQLServer"; the sa login
         with a blank password shown here is for the book's local demo only
         and must not be used in a real deployment. -->
    <sessionState
      mode="StateServer"
      sqlConnectionString="data source=127.0.0.1;user id=sa;password="
      stateConnectionString="tcpip=127.0.0.1:42424"
      cookieless="true"
      timeout="20"
    />
  </system.web>
</configuration>
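The following Web.config is added here as an example and is not taken from the book. It is the hardened counterpart of the listing above: it keeps only the attribute State Server actually reads, drops the sa credential, and turns cookieless session IDs off, because a session ID carried in the URL leaks through Referer headers, proxy logs and bookmarks and lets an attacker hand a victim a fixed session ID. The commented-out SQLServer alternative assumes a SQL Server on the same machine whose ASPState database has been created with InstallSqlState.sql, and that the ASP.NET worker-process account has been granted a login to that database, so integrated security can replace the sa login.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <!-- Added example: StateServer mode with only the setting it uses.
         No SQL credentials in the file; cookieless off so the session ID
         travels in a cookie rather than in every URL. -->
    <sessionState
      mode="StateServer"
      stateConnectionString="tcpip=127.0.0.1:42424"
      cookieless="false"
      timeout="20"
    />

    <!-- SQLServer alternative (remove the element above and uncomment this one).
         Integrated Security=SSPI uses the worker-process account, which is
         assumed to have been granted access to the ASPState database, instead
         of the sa login with an empty password.
    <sessionState
      mode="SQLServer"
      sqlConnectionString="data source=127.0.0.1;Integrated Security=SSPI"
      cookieless="false"
      timeout="20"
    />
    -->
  </system.web>
</configuration>
```

Whichever mode you pick, keep the state store on a network segment only the Web servers can reach: the State Service has no client authentication at all, and SQL Server should expose the ASPState database to one dedicated low-privilege login rather than to sa.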

Again, you can run the same series of pages that you built earlier in the session, and you should see that they produce exactly the same results. You should also get the same results when you simulate a Web server crash by restarting IIS (or the ASP.NET worker process) while these pages are running: because the session data lives in the separate aspnet_state process, it survives the restart. Note the difference from the SQL Server method, though. State Server keeps sessions in memory only, so stopping and starting the aspnet_state service itself discards every session; only the SQL Server store survives a restart of the state store.

REVIEW

With the flexibility provided by the ASP.NET framework, you now have multiple flexible, scalable options for maintaining state. The new framework enables you to provide a personalized experience to all users of your application, regardless of which browser implementations hit your site. And these features are implemented in a manner that allows you to maintain and support your existing personalization engines.

QUIZ YOURSELF

1. How does ASP.NET's state maintenance approach assist customers implementing Web farms? (See "Out of Process State Management.")

2. In what scenarios does it make sense to set cookies to off? (See "No More Cookies but Plenty of Milk!")

3. What are the performance and reliability differences between using State Server and SQL Server? (See "Out of Process State Management.")

Session 13

Authentication and Authorization

Session Checklist

Understanding the differences between authentication, authorization, and impersonation

Modifying Web.config to support forms-based and Passport-based authentication

Using a database to validate a user’s credentials

In this session, we will look at the approaches you can take to handle authentication and authorization in your applications. We will start out by defining the terms authentication and authorization as they relate to ASP.NET. We will also provide an overview of how to implement authentication and authorization within an application's Web.config file. Finally, we will wrap up with how to use forms-based authentication, as well as third-party Web service authentication services such as Microsoft Passport.

Introducing the Key Security Mechanisms

It is important in handling security for ASP.NET applications that you understand the three key security mechanisms used to determine how a user gains access to a resource within an ASP.NET application: authentication, authorization, and impersonation.

Authentication is the process of discovering and verifying the identity of a user or service by examining the user's credentials and validating those credentials against some authority such as an LDAP server, a database, an XML file, or even a Web service such as Microsoft Passport. Several authentication mechanisms are available for use with the .NET Framework's role-based security. ASP.NET natively supports Windows, Forms, and Passport modes of authentication (a fourth setting, None, turns ASP.NET authentication off).
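The Web.config below is added as an example and is not taken from the book. It ties the mechanisms just defined together: the authentication element selects forms-based authentication, and the authorization elements decide which identities reach which resources. The form name .CRASHCOURSEAUTH, the page Login.aspx, the Admin directory and the Admin role are assumed names for this example. In ASP.NET the roles named in allow roles are whatever the application attaches to the current principal (for example a GenericPrincipal built in Application_AuthenticateRequest), so the role rule only takes effect once the application performs that step.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <!-- Authentication: unauthenticated requests for protected pages are
         redirected to loginUrl. protection="All" both encrypts and signs the
         forms ticket; the cookie name and timeout are assumed values. -->
    <authentication mode="Forms">
      <forms name=".CRASHCOURSEAUTH"
             loginUrl="Login.aspx"
             protection="All"
             timeout="30"
             path="/" />
    </authentication>

    <!-- Authorization for the whole application: "?" is the anonymous user,
         so every page except loginUrl requires a successful login. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Authorization for one directory (assumed name Admin): rules are checked
       top to bottom and the first match wins, so the allow for the Admin role
       must come before the deny of everyone ("*"). -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The ordering rule is the usual mistake here: a `<deny users="*" />` placed above the `<allow>` locks everyone out, and a missing final deny lets every authenticated user through, because ASP.NET's implicit default rule allows all.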

The purpose of authorization is to determine whether a user with a specific identity should be provided with a requested type of access to a given resource. This is typically handled by assigning an authenticated user to a predefined role. A role such as end user,