
ASP.Net Don't do that, do this!

Categories: .Net

By Damian Edwards

  • Avoid control adapters; use CSS media queries instead
  • Avoid style properties on controls; use CSS stylesheets
  • Avoid page and control callbacks; use UpdatePanel, AJAX, Web API, ...
  • Avoid capability detection; use client-side feature detection such as Modernizr
  • Avoid request validation; instead:
    Validate the well-formedness of data on the way in (is this submitted value using the correct scheme?)
    Encode data on the way out (@foo, <%:foo%>, JavaScriptStringEncode, UrlEncode, ...)
    Do not use <%= or <%#, and use @foo.HtmlString() when needed
  • Avoid cookieless forms auth and session; require cookies, and use secure SSL cookies
  • Make sure EnableViewStateMac = true (must be always on even when not using viewstate)
  • Do not use Medium Trust or any other trust level as a security boundary. Place untrusted applications into their own application pools, and run each application pool under its own unique identity. http://support.microsoft.com/kb/2698981
  • Do not use <appSettings> to disable our security (only on web farm rollout) http://msdn.microsoft.com/en-us/library/hh975440.aspx
  • Do not use UrlPathEncode; use UrlEncode, and sanitize URLs with System.Uri
  • Use native IIS modules if you need to hook into PreSendRequestHeaders & PreSendRequestContent, do not use them from within managed IHttpModule instances
  • Do not use async void for page lifecycle events; use Page.RegisterAsyncTask(), and set <httpRuntime targetFramework="4.5" /> if using Task
  • Avoid timers and ThreadPool.QueueUserWorkItem (QUWI), as we might tear the AppDomain out from under you. Instead:
    Move to a Windows Service or Worker Role for maximum reliability.
    Use WebBackgrounder if the work needs to be done in-proc: http://nuget.org/packages/WebBackgrounder
  • Avoid reading Request.Form/InputStream before the HandlerExecute event; instead, defer to HandlerExecute.
    Use Request.GetBufferlessInputStream(): Request.Form and InputStream become unavailable
    Use GetBufferedInputStream() to get a copy: Request.Form and InputStream remain available
  • Response.Redirect(string) calls Response.End(), which aborts the current thread in synchronous requests and halts code execution. For asynchronous handlers, Response.End() does not abort the current thread, so code execution continues. If you need to redirect the response, use the method appropriate for the framework you're using. For example, in MVC return a RedirectResult instead of calling Response.Redirect.
  • Do not use EnableViewState; instead, set ViewStateMode="Disabled" at the page directive level and set ViewStateMode="Enabled" only on controls that require state
  • Do not use SqlMembershipProvider, use UniversalProviders which work with all databases that Entity Framework supports including SQL, Azure SQL, SQL Compact, MySQL and more...
  • Avoid long-running requests, because ASP.NET will forcibly release the session object lock at a potentially inopportune time. If needed, use WebSockets, which have much lower per-request memory overhead.
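
The "validate on the way in, encode on the way out" item and the "UrlEncode plus System.Uri" item above, shown together as an added C# example that is not from the talk or from this post. The class and method names are hypothetical, and the sample inputs are constructed.

```csharp
using System;
using System.Web; // HttpUtility

public static class LinkSafety // hypothetical helper, for illustration only
{
    // Way in: the value must parse as an absolute URI AND use an allowed scheme.
    // Parsing alone is not enough: "javascript:..." and "file:..." also parse.
    public static bool TryParseHttpUrl(string submitted, out Uri url)
    {
        url = null;
        Uri parsed;
        if (!Uri.TryCreate(submitted, UriKind.Absolute, out parsed)) return false;
        if (parsed.Scheme != Uri.UriSchemeHttp && parsed.Scheme != Uri.UriSchemeHttps)
            return false;
        url = parsed; // use the normalized form from here on
        return true;
    }

    // Way out: pick the encoder that matches the output context.
    public static string RenderLink(Uri url, string label)
    {
        return "<a href=\"" + HttpUtility.HtmlAttributeEncode(url.AbsoluteUri) + "\">"
             + HttpUtility.HtmlEncode(label) + "</a>";
    }

    // Query-string values go through UrlEncode, not UrlPathEncode.
    public static string SearchPath(string term)
    {
        return "/search?q=" + HttpUtility.UrlEncode(term);
    }

    // Value embedded in a script block: JavaScriptStringEncode, with quotes added.
    public static string ScriptLiteral(string value)
    {
        return HttpUtility.JavaScriptStringEncode(value, true);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs: one acceptable URL and three that must be rejected.
        string[] samples = { "https://example.com/a?b=1&c=2", "javascript:alert(1)", "/relative", "not a url" };
        foreach (string s in samples)
        {
            Uri url;
            Console.WriteLine(LinkSafety.TryParseHttpUrl(s, out url)
                ? "accepted: " + LinkSafety.RenderLink(url, "Tom & Jerry <site>")
                : "rejected: " + LinkSafety.ScriptLiteral(s));
        }
        Console.WriteLine(LinkSafety.SearchPath("a&b=c d"));
    }
}
```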