Category Archives: ASP.Net

How does HTTPS work?

  1. The client requests a secure HTTPS page.
  2. The web server responds by sending its certificate, which contains its public key.
  3. The client checks the validity of the certificate, creates a symmetric session key, encrypts it using the public key and sends it back to the web server.
  4. The web server decrypts the symmetric session key using its private key and sends the page encrypted with the symmetric session key.
  5. A secure session has now been established between the client browser and the web server.


HTTPS pages typically use one of two secure protocols to encrypt communications – SSL (Secure Sockets Layer) or TLS (Transport Layer Security). Both the TLS and SSL protocols use what is known as an ‘asymmetric’ Public Key Infrastructure (PKI) system. An asymmetric system uses two ‘keys’ to encrypt communications, a ‘public’ key and a ‘private’ key. Anything encrypted with the public key can only be decrypted by the private key and vice-versa.

The ‘private’ key should be kept strictly protected and should only be accessible to the owner of the private key. In the case of a website, the private key remains securely ensconced on the web server. Conversely, the public key is intended to be distributed to anybody and everybody that needs to be able to decrypt information that was encrypted with the private key.


Filed under .Net, ASP.Net, C#, WCF

Differences Article

Response.Redirect vs Server.transfer

http://quickdotnetsolutions.blogspot.in/2011/05/difference-between-responseredirect-and.html

 

wcf service over web services.

http://quickdotnetsolutions.blogspot.in/2011/05/advantages-of-wcf-service-over-web.html?utm_source=blog&utm_medium=gadget&utm_campaign=bp_random


Filed under ASP.Net, C#, WCF

How to make your ViewState secure?

ASP.NET ViewState is a client-side state management mechanism. It is stored in a hidden field with the id __VIEWSTATE, as shown below:

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwULLTE2MTY2ODcyMjkPFgYLl/p5/cggNdr/yAizfkifBJ20CwQ=" />

The string in value is not encrypted; it is only serialized and encoded using Base64 encoding, which can be easily decoded using many tools.

There are mainly two approaches to securing your ViewState:

1) EnableViewStateMac / Hash code (Hashing)

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="DataSetToViewState.aspx.cs"
EnableViewState="true" EnableViewStateMac="true" Inherits="WebWorld.DataSetToViewState" %>

Make the ViewState data tamper-proof using a hash code; you can do this by adding EnableViewStateMac="true". MAC stands for Message Authentication Code. Internally, ASP.NET adds a hash code to the ViewState content and stores both in the hidden field. During postback, the checksum is verified again by ASP.NET, and if there is a mismatch the postback is rejected.

2) Encryption

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="DataSetToViewState.aspx.cs"
EnableViewState="true" ViewStateEncryptionMode="Always" Inherits="WebWorld.DataSetToViewState" %>

The second option is ViewStateEncryptionMode="Always", which encrypts the ViewState. There are three options:
Always: Always encrypt the ViewState.
Auto: Encrypt only if a control requires encryption. For this to happen, the control must call the Page.RegisterRequiresViewStateEncryption() method.
Never: Never encrypt the ViewState.

We can also enable these settings for EnableViewStateMAC and ViewStateEncryptionMode in web.config:

<system.web>
<pages enableViewStateMac="true" viewStateEncryptionMode="Always"></pages>
</system.web>

Note: Try to avoid ViewState encryption if it is not necessary as it can cause performance issues.
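
An added illustration of the MAC check described above (not code from the original post, and not ASP.NET's internal ViewState format): the payload is stored together with an HMAC-SHA256 tag and rejected on postback when the tag does not match. The class name, key and sample payload are constructed for the example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Illustration only: not ASP.NET's internal ViewState format.
public static class ViewStateMacDemo
{
    const int MacLength = 32; // HMAC-SHA256 tag size in bytes

    static byte[] Tag(byte[] payload, byte[] key)
    {
        using (var hmac = new HMACSHA256(key)) return hmac.ComputeHash(payload);
    }
    // Render side: hidden-field value = Base64(payload || HMAC(key, payload)).
    public static string Protect(byte[] payload, byte[] key)
    {
        return Convert.ToBase64String(payload.Concat(Tag(payload, key)).ToArray());
    }
    // Postback side: recompute the tag and reject the field on any mismatch.
    public static bool TryUnprotect(string field, byte[] key, out byte[] payload)
    {
        payload = null;
        byte[] data;
        try { data = Convert.FromBase64String(field); }
        catch (FormatException) { return false; }
        if (data.Length < MacLength) return false;
        byte[] body = data.Take(data.Length - MacLength).ToArray();
        byte[] expected = Tag(body, key);
        int diff = 0; // compare every byte so timing does not reveal the first mismatch
        for (int i = 0; i < MacLength; i++) diff |= expected[i] ^ data[body.Length + i];
        if (diff != 0) return false;
        payload = body;
        return true;
    }

    public static void Main()
    {
        byte[] key = new byte[32]; // constructed key; ASP.NET takes its keys from machineKey
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        string field = Protect(Encoding.UTF8.GetBytes("Role=User"), key); // constructed payload
        byte[] raw = Convert.FromBase64String(field);
        raw[5] ^= 0x01; // simulate a hidden field that was modified in transit
        byte[] result;
        Console.WriteLine("untouched accepted: " + TryUnprotect(field, key, out result));
        Console.WriteLine("modified accepted:  " + TryUnprotect(Convert.ToBase64String(raw), key, out result));
    }
}
```

The tag gives integrity only: the payload is still readable after Base64 decoding, which is why encryption is listed as a separate option.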

References:
http://www.codeproject.com/Articles/150688/How-to-make-ViewState-secure-in-ASP-NET


Filed under ASP.Net

Can we store DataSet into ViewState?

DataSet is a disconnected object. DataSet is a fully serializable object. It can be serialized in three different ways—to a standard .NET formatter, to an XML writer, and through the XML serializer.

// Create a new DataSet
DataSet ds = new DataSet();
// Store the DataSet directly in ViewState
ViewState["dsn"] = ds;
// Retrieve the DataSet where it is required
GridView1.DataSource = (DataSet)ViewState["dsn"];
// Bind so the grid actually renders the data
GridView1.DataBind();


Filed under ASP.Net

How to store object in ViewState?

We can store objects in ViewState just as we store a string or an integer. Before storing them, however, they must be converted into a stream of bytes so that they can be kept in the hidden field, so we need to use serialization. Objects that cannot be serialized cannot be kept in ViewState.

[Serializable]
public class Student
{
    public int Roll;
    public string Name;

    public void AddStudent(int intRoll, string strName)
    {
        this.Roll = intRoll;
        this.Name = strName;
    }
}

Now we need to store the object in ViewState.

// Storing the student
Student _objStudent = new Student();
_objStudent.AddStudent(2, "Max");
ViewState["StudentObj"] = _objStudent;

// Retrieving the student (for example, in a later postback handler)
Student _objStudent;
_objStudent = (Student)ViewState["StudentObj"];


Filed under ASP.Net

ASP.Net life cycle in plain English

The ASP.NET Page Lifecycle is a very important piece of knowledge that every ASP.NET developer must have. Unfortunately, some ASP.NET developers out there don’t know it and think it is not important to know.

Let’s dig in and examine the ASP.NET Lifecycle as a short list with descriptions:

  1. PreInit():
    • In this event all Controls are created and initialized with their default values. You can create dynamic Controls here. You can set the theme programmatically here.
  2. OnInit():
    • In this event you can read the Control properties that were set in Design Mode, but you cannot read values changed by the user.
  3. LoadViewState():
    • This event fires only if the page is posted back (“IsPostBack == true”). Here the View State data stored in hidden form fields gets de-serialized and loaded into all Controls.
  4. LoadPostBackData():
    • This event fires only when the Page is posted back. Controls which implement the IPostBackDataHandler interface get loaded with values from the HTTP POST data.
  5. Page_Load():
    • This event is well known among ASP.NET developers. Here the Page gets loaded, and after it all Load() events of the Page Controls are fired.
  6. Control Event Handlers:
    • These are basically event handlers such as the Button click event handler “Button1_Click()”, which fires after the Page_Load() event.
  7. PreRender():
    • This event is fired for each of the page’s child controls, and here you can change the controls’ values.
  8. SaveViewState():
    • In this event the Controls’ View State is saved in the Page’s hidden fields.
  9. Render():
    • Here all Controls get rendered, i.e. the Render method of every Page Control is called.
  10. Unload():
    • Here we can perform Page and Controls clean-up operations. By this event the Page and its Controls have been rendered.

Notes:

  1. The ASP.NET Lifecycle is executed every time there is a request for the page.
  2. HTTP POST data has only one value per control. That is why a Control like TextBox can get its value from the HTTP POST, but a Control like DropDownList cannot get its data from the HTTP POST; it gets its data from View State.
  3. Init() and Unload() events are fired from outside to inside controls, for example: the user control Init() event will be fired before the Page_Init() event.


Filed under ASP.Net

ASP.NET 4.0 Features

1) Output Cache Extensible

ASP.NET 1.0 introduced the concept of Output Caching, which enables developers to store the generated output of pages/controllers (MVC)/HTTP responses in an in-memory cache.

On subsequent requests, ASP.NET retrieves the output from the cache instead of regenerating it from scratch. This dramatically improves the performance of the application.

ASP.NET output caching is flexible enough to cache different versions of content based on query string/form-post parameters.

It can also cache different versions based on browser type or user language, for example to have a different version of a page for mobile.

Limitation: From ASP.NET 1.0 to 3.5 the cache store is not extensible, i.e. the output always has to be stored in memory.

Solution: ASP.NET 4 Output Cache Extensibility.

ASP.NET 4 enables developers to configure custom output-cache providers such as local/remote disk, database, cloud etc.

To create a custom output-cache provider:

1) A class derived from System.Web.Caching.OutputCacheProvider has to be created, which involves overriding 4 public methods to provide the implementation for adding/removing/retrieving/updating entries.

2) The output-cache provider also has to be configured in web.config.
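
The two steps above as an added example (not code from the original post): a minimal in-memory provider that overrides the four methods, with its web.config registration shown in the leading comment. The namespace, class name, provider name and assembly name "Demo" are hypothetical.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web.Caching;

// web.config registration (hypothetical names), placed inside <system.web>:
//   <caching><outputCache defaultProvider="InMemoryDemo"><providers>
//     <add name="InMemoryDemo" type="Demo.InMemoryOutputCacheProvider, Demo" />
//   </providers></outputCache></caching>
namespace Demo
{
    public class InMemoryOutputCacheProvider : OutputCacheProvider
    {
        private sealed class Item { public object Entry; public DateTime UtcExpiry; }
        private readonly ConcurrentDictionary<string, Item> _store =
            new ConcurrentDictionary<string, Item>();

        // Add: insert only when no live entry exists; an existing entry is returned untouched.
        public override object Add(string key, object entry, DateTime utcExpiry)
        {
            object existing = Get(key); // Get also evicts an expired entry
            if (existing != null) return existing;
            _store[key] = new Item { Entry = entry, UtcExpiry = utcExpiry };
            return entry;
        }

        // Get: return null for a missing or expired entry so the page is regenerated.
        public override object Get(string key)
        {
            Item item;
            if (!_store.TryGetValue(key, out item)) return null;
            if (item.UtcExpiry <= DateTime.UtcNow) { Remove(key); return null; }
            return item.Entry;
        }

        public override void Remove(string key)
        {
            Item ignored;
            _store.TryRemove(key, out ignored);
        }

        // Set: insert or overwrite unconditionally.
        public override void Set(string key, object entry, DateTime utcExpiry)
        {
            _store[key] = new Item { Entry = entry, UtcExpiry = utcExpiry };
        }
    }
}
```

A provider that persists entries outside the process has to serialize them, so write access to that store needs to be restricted to the application.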


2) Session State Compressor


Filed under ASP.Net