Feb 23, 2009

Asp.NET Session Management

In Asp.net, there are 4 methods available for session management.

  1. InProc
    This is the default mode used in ASP.net. Session state will be stored on same ASP.net
    process and perform best. If IIS restarts session state will lost.
    Use when, Session data is not critical and Web application hosted in a single server.

  2. StateServer
    This is, Windows NT service called ASPState, used to store session state out of ASP.net process.


    To enable this , Start the service, run command
    net start aspnet_state 

    In the web.config add or change following element

    <configuration>
    <system.web>
    <sessionState mode="StateServer"
    stateConnectionString="tcpip=servername:portno"
    cookieless="false"
    timeout="20"/>
    </system.web>
    </configuration>

    By default stateConnectionString is 127.0.0.1:42424

  3. SqlServer
    Session state will store in SQL server so that higher level of reliability. This is best for clustered/web farm environment although performance isn’t as fast as former 2 modes.
    You have to do,
    On the computer SQL server running, run InstallSqlState.sql
    to create necessary tables and sps to manage session state. This file can be found,by default, %SystemRoot%\Microsoft.NET\Framework\v2.x.xxxx\
    Note: for .net 3.5 you have to find this file from .net 2.0 path.

    In web.config,
    <sessionState
    mode="SQLServer"
    sqlConnectionString="Integrated Security=SSPI;data source=sqlserver;"
    sqlCommandTimeout="10" />
    </system.web>
    </configuration>

    You don’t have to explicitly put Initial Catalog for sqlConnectionString attribute.

  4. Custom
    This mode is very rarely used unless you want to store session state on custom data store. To implement custom mode you can find more information on MSDN.

Feb 11, 2009

Kaspersky Web Site Hacked With SQL Injection

The hacker, known as Unu, hacked Kaspersky web site on Feb. 7, 2009  via a simple SQL injection attack. more ...

As I know that site was built using php & mysql.

In ASP.Net, such SQL injection attack can avoid if we follow standard guidelines. As a developer keep followings in mind.

  1. Always, don’t believe in what user has input.
  2. If executes SQL command from a page, don’t use concatenated SQL commands. Always use respective DbParameter class to build a command string.
    Following example using  SQLParamerter.
    Incorrect
    “SELECT cusid,cusname  FROM customer WHERE cusid= “ + userinput “
    Correct
    “SELECT cusid,cusname  FROM customer WHERE cusid= @userinput “

  3. In the production version of your web application, turn off tracing and avoid <customErrors mode="Off"/> setting in web.config.
  4. Don’t give error messages that intruder can guess information about your database.