This is the default mode used in ASP.net. Session state will be stored on same ASP.net
process and perform best. If IIS restarts session state will lost.
Use when, Session data is not critical and Web application hosted in a single server.
This is, Windows NT service called ASPState, used to store session state out of ASP.net process.
To enable this , Start the service, run command
net start aspnet_state
In the web.config add or change following element
By default stateConnectionString is 127.0.0.1:42424
Session state will store in SQL server so that higher level of reliability. This is best for clustered/web farm environment although performance isn’t as fast as former 2 modes.
You have to do,
On the computer SQL server running, run InstallSqlState.sql
to create necessary tables and sps to manage session state. This file can be found,by default, %SystemRoot%\Microsoft.NET\Framework\v2.x.xxxx\
Note: for .net 3.5 you have to find this file from .net 2.0 path.
sqlConnectionString="Integrated Security=SSPI;data source=sqlserver;"
You don’t have to explicitly put Initial Catalog for sqlConnectionString attribute.
This mode is very rarely used unless you want to store session state on custom data store. To implement custom mode you can find more information on MSDN.
Feb 23, 2009
In Asp.net, there are 4 methods available for session management.
Feb 11, 2009
The hacker, known as Unu, hacked Kaspersky web site on Feb. 7, 2009 via a simple SQL injection attack. more ...
As I know that site was built using php & mysql.
In ASP.Net, such SQL injection attack can avoid if we follow standard guidelines. As a developer keep followings in mind.
- Always, don’t believe in what user has input.
- If executes SQL command from a page, don’t use concatenated SQL commands. Always use respective DbParameter class to build a command string.
Following example using SQLParamerter.
“SELECT cusid,cusname FROM customer WHERE cusid= “ + userinput “
“SELECT cusid,cusname FROM customer WHERE cusid= @userinput “
- In the production version of your web application, turn off tracing and avoid
<customErrors mode="Off"/>setting in web.config.
- Don’t give error messages that intruder can guess information about your database.