- InProc
This is the default mode in ASP.NET. Session state is kept in memory inside the ASP.NET worker process itself, so it performs best, but if IIS or the application pool restarts or recycles, all session state is lost.
Use it when session data is not critical and the web application is hosted on a single server.
- StateServer
In this mode a Windows service, the ASP.NET State Service (service name aspnet_state), stores session state outside the ASP.NET worker process, so it survives worker process recycles and can be shared by several web servers.
To enable it, start the service with the command
net start aspnet_state
In web.config add or change the following element:
<configuration>
<system.web>
<sessionState mode="StateServer"
stateConnectionString="tcpip=servername:portno"
cookieless="false"
timeout="20"/>
</system.web>
</configuration>
By default stateConnectionString is tcpip=127.0.0.1:42424.
Two caveats: the state service does not authenticate its clients and the traffic is not encrypted. By default it accepts only local connections (the AllowRemoteConnection value under HKLM\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters must be set to 1 before it accepts remote ones), so if several web servers share one state server, keep it on a private network segment and firewall port 42424 from everything else. Also, objects placed in session must be serializable (marked [Serializable]), because in this mode they are serialized at the end of every request.
- SqlServer
Session state is stored in a SQL Server database, which gives the highest level of reliability: it survives restarts of the worker process and of the web server. This is best for a clustered/web farm environment, although performance isn't as fast as the two modes above. As with StateServer, objects stored in session must be serializable.
You have to do the following.
On the computer where SQL Server is running, run InstallSqlState.sql
to create the ASPState database with the tables and stored procedures that manage session state. This file can be found, by default, under %SystemRoot%\Microsoft.NET\Framework\v2.x.xxxx\ (the same folder also contains aspnet_regsql.exe; running aspnet_regsql.exe -ssadd -sstype p creates the same persisted ASPState database and is the tool Microsoft recommends from .NET 2.0 on).
Note: for .NET 3.5 you have to take this file from the .NET 2.0 path, because .NET 3.5 runs on the 2.0 runtime.
In web.config,
<configuration>
<system.web>
<sessionState
mode="SQLServer"
sqlConnectionString="Integrated Security=SSPI;data source=sqlserver;"
sqlCommandTimeout="10" />
</system.web>
</configuration>
You don't have to explicitly put Initial Catalog in the sqlConnectionString attribute: the default ASPState database is used (to use a database with another name, set allowCustomSqlDatabase="true" on the sessionState element and then name it in the connection string). With Integrated Security=SSPI it is the application pool identity that logs in to SQL Server, so grant that account rights on the ASPState database only, not sysadmin.
- Custom
This mode is rarely used, unless you want to store session state in a custom data store such as a different database or a distributed cache. To implement it, you derive a class from SessionStateStoreProviderBase and register it under <sessionState mode="Custom" customProvider="..."> with a matching <providers> entry; you can find more information on MSDN.
Feb 23, 2009
Asp.NET Session Management
In ASP.NET, there are four modes available for session state management: InProc, StateServer, SqlServer and Custom.
Feb 18, 2009
Feb 11, 2009
Kaspersky Web Site Hacked With SQL Injection
The hacker known as Unu compromised the Kaspersky web site on Feb. 7, 2009 via a simple SQL injection attack.
As far as I know, that site was built using PHP and MySQL.
In ASP.NET, such SQL injection attacks can be avoided by following standard guidelines. As a developer, keep the following in mind.
- Never trust what the user has input.
- If a page executes a SQL command, don't build it by concatenating strings. Always use the respective DbParameter class (SqlParameter for SQL Server) to pass the values into the command, so the value is never parsed as SQL text.
The following example uses SqlParameter.
Incorrect
"SELECT cusid,cusname FROM customer WHERE cusid= " + userinput
Correct
"SELECT cusid,cusname FROM customer WHERE cusid= @userinput"
- In the production version of your web application, turn off tracing (<trace enabled="false"/>) and avoid the
<customErrors mode="Off"/>
setting in web.config; use mode="On" or mode="RemoteOnly" so that detailed error pages are not sent to remote clients.
- Don't return error messages from which an intruder can learn about your database (table and column names, the SQL that failed, the database version).
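As an added example that is not part of the original post, here is the incorrect query above written the way a page's code-behind would actually build it, next to the parameterized form using SqlCommand and SqlParameter from System.Data.SqlClient. The connection string name CustomerDb, the customer table and its two columns are assumptions made for the example.

```csharp
// Added example, not code from the original post. Assumes a connection string
// named "CustomerDb" in web.config and a table customer(cusid int, cusname nvarchar).
// Requires a reference to System.Configuration.dll for ConfigurationManager.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class CustomerRepository
{
    private static string ConnectionString
    {
        get { return ConfigurationManager.ConnectionStrings["CustomerDb"].ConnectionString; }
    }

    // INCORRECT: the user's input becomes part of the SQL text. With the input
    // "1 OR 1=1" the statement turns into "... WHERE cusid= 1 OR 1=1" and returns
    // every customer; with a stacked query ("1; DROP TABLE customer") it does worse.
    public static string BuildVulnerableSql(string userInput)
    {
        return "SELECT cusid,cusname FROM customer WHERE cusid= " + userInput;
    }

    // CORRECT: the value travels as a typed parameter and is never parsed as SQL.
    // Converting to int first additionally rejects anything that is not a customer id,
    // so the same malicious inputs above fail before a connection is even opened.
    public static List<KeyValuePair<int, string>> GetCustomer(string userInput)
    {
        int cusId;
        if (!int.TryParse(userInput, out cusId))
            throw new ArgumentException("cusid must be an integer");

        var result = new List<KeyValuePair<int, string>>();
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(
            "SELECT cusid,cusname FROM customer WHERE cusid= @userinput", conn))
        {
            // Explicit SqlDbType avoids implicit conversions on the server side.
            cmd.Parameters.Add("@userinput", SqlDbType.Int).Value = cusId;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    result.Add(new KeyValuePair<int, string>(
                        reader.GetInt32(0), reader.GetString(1)));
                }
            }
        }
        return result;
    }
}
```

BuildVulnerableSql is kept only to show what the server would receive; in a page you would call GetCustomer(Request.QueryString["id"]) and, if the ArgumentException is caught, show a generic error rather than the exception text, in line with the customErrors guideline above.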