
Showing posts from February, 2009

Asp.NET Session Management

In ASP.NET, there are 4 modes available for session state management.

InProc
This is the default mode in ASP.NET. Session state is stored in the same ASP.NET worker process, so it performs best, but if IIS restarts the session state is lost.
Use it when session data is not critical and the web application is hosted on a single server.

StateServer
In this mode a Windows NT service called ASPState stores session state outside the ASP.NET process.


To enable it, start the service by running the command
net start aspnet_state
then add or change the following element in web.config:

<configuration>
<system.web>
<sessionState mode="StateServer"
stateConnectionString="tcpip=servername:portno"
cookieless="false"
timeout="20"/>
</system.web>
</configuration>
By default stateConnectionString points to 127.0.0.1:42424.

SqlServer
Sess…

Silverlight Competition


Kaspersky Web Site Hacked With SQL Injection

The hacker, known as Unu, hacked the Kaspersky web site on Feb. 7, 2009 via a simple SQL injection attack.
As far as I know, that site was built using PHP and MySQL.
In ASP.NET, such SQL injection attacks can be avoided by following standard guidelines. As a developer, keep the following in mind.

Never trust what the user has entered. If a page executes SQL commands, don't build them from concatenated strings. Always use the provider's DbParameter class to build the command.
The following example uses SqlParameter.
Incorrect
"SELECT cusid,cusname FROM customer WHERE cusid=" + userinput
Correct
"SELECT cusid,cusname FROM customer WHERE cusid=@userinput"
In the production version of your web application, turn off tracing and avoid the <customErrors mode="Off"/> setting in web.config.
Don't return error messages from which an intruder can infer information about your database.
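As an added illustration (not code from the original post), here are the incorrect and correct forms side by side in C# using SqlParameter. The connection string, the customer table and the integer type of cusid are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original post. Assumes a table "customer"
// with an integer "cusid" column and a connection string supplied by the caller.
public static class CustomerLookup
{
    // Incorrect form: the raw request value is spliced into the SQL text,
    // so whatever the user typed becomes part of the statement itself.
    public static string VulnerableSql(string userInput)
    {
        return "SELECT cusid,cusname FROM customer WHERE cusid=" + userInput;
    }

    // Correct form: the SQL text is a constant; the value travels as a typed
    // parameter and is never interpreted as SQL. Parsing the id up front also
    // rejects anything that is not a number before any round trip to the server.
    public static DataTable FindCustomer(string connectionString, string userInput)
    {
        int cusId;
        if (!int.TryParse(userInput, out cusId))
            throw new ArgumentException("cusid must be an integer");

        var result = new DataTable();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT cusid,cusname FROM customer WHERE cusid=@userinput", conn))
        {
            // Typed SqlParameter: the server receives an int, not query text.
            cmd.Parameters.Add("@userinput", SqlDbType.Int).Value = cusId;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                result.Load(reader);
            }
        }
        return result;
    }
}
```

Pair this with customErrors left on (mode="On" or "RemoteOnly") in production so a failed lookup returns a generic page rather than the provider's exception text.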