Sunday, September 27, 2009

Chapter 4: Lesson 1

  • Server-side state is secure but not quite scalable.
  • Client-side state is quite scalable but not secure.
  • Persisted state means saving state information into a database. Can be utilized if database server is heavy.
  • Shared state means storing copies of commonly accessed data on the server (caching) so that the server does not need to process page (or part of page) for every request.
  • ViewState stores object data that is not already represented as HTML in the page response.
  • Page.ViewState property is a Dictionary of type StateBag.
  • Object values on a page are hashed, compressed and encoded into a Unicode string and stored using one or more hidden HTML fields (depending on how Page.MaxPageStateFieldLength is set).
  • ViewState includes MAC (Message Authentication Code) used by ASP.NET to check if it has been tampered with during the round trip.
  • ViewState can also be encrypted, both at website level and at individual page level.
  • At website level we set viewStateEncryptionMode to Always in web.config; at page level we set the same attribute in the Page directive of the page we want encrypted. (Page 189)
  • EnableViewState property on every server control allows for turning on/off ViewState management for that control.
  • ViewState and ControlState are handled as two different values in ASP.NET 2.0 and above. ControlState manages how a control would keep its appearance during Postbacks and therefore a control may still contribute to page size even if EnableViewState is set to false.
  • ViewState does not transfer from one page to another.
  • All Serializable objects can be embedded in ViewState.
  • ControlState cannot be disabled for a control and is used especially with custom server controls. (Refer back to Page 192)
  • Hidden Fields may also be used in place of ViewState, except that the Value property of a HiddenField control is not hashed, compressed or chunked, nor does it support encryption.
  • Furthermore, HiddenField values are accessible on the server only if the page is submitted via the POST method (not GET), so they won't work if the user clicks a Hyperlink on the page.
  • ASP.NET uses Cookies to maintain user sessions.
  • Cookies can be temporary or permanent. To make a Cookie permanent we set its Expires property. To delete a Cookie we may set Expires to a past date.
  • Like Session variables, Cookies need not be added to Response.Cookies with the Add() method; they may also be created with something like
    Response.Cookies["lastvisit"].Value = DateTime.Now.ToString();
  • Path property of the HttpCookie class may be used to restrict Cookie access to pages from a specific directory. Similarly, Domain property may be used to restrict Cookie access to a specific domain.
  • Typically, 20 cookies (each of max 4 KB) are allowed per site.
  • A single Cookie may contain multiple Key-Value pairs, e.g.:
    Response.Cookies["pref"]["color"] = "blue";   // cookie values are strings, so a Color struct cannot be assigned directly
    Response.Cookies["pref"]["lang"] = "en-us";
  • When using QueryStrings, some browsers restrict URL size to 2083 characters which may become a problem. Moreover, QueryStrings require page submission using HTTP GET method.
  • Tip: Always validate values from QueryStrings.
  • QueryStrings provide advantage of maintaining state when users bookmark or email a URL. Typically URL should be limited to 70 characters to enable it to be sent via plain text email.
  • Tip: Always HtmlEncode() values from QueryStrings and Cookies before writing them into the page, so that any script they contain is rendered as text rather than executed by the browser.
  • Passing HTML code in a QueryString throws HttpRequestValidationException (unless request validation has been disabled by the web server administrator).
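Pulling the lesson's points together in one code-behind (an added example written for these notes, not code from the book or the post): the page reads a `lang` value from the QueryString, validates it against a fixed list, HtmlEncodes it before writing it into the page, and stores it in a multi-value cookie with Path, Domain and Expires set; ViewState encryption is switched on in the Page directive. The page name `Prefs.aspx`, the `LangLabel` control, the `/account` path and the `www.example.com` domain are assumptions.

```csharp
// Prefs.aspx.cs (added example). Assumed Page directive in Prefs.aspx:
//   <%@ Page Language="C#" ViewStateEncryptionMode="Always" Inherits="Demo.Prefs" %>
// The site-wide equivalent, with MAC checking kept on, goes in web.config:
//   <system.web><pages viewStateEncryptionMode="Always" enableViewStateMac="true" /></system.web>
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace Demo
{
    public partial class Prefs : Page
    {
        // Assumed to be declared in the markup as <asp:Label ID="LangLabel" runat="server" />
        protected Label LangLabel;

        // The only values ever accepted from the QueryString or the cookie.
        private static readonly string[] AllowedLangs = { "en-us", "fr-fr", "de-de" };

        protected void Page_Load(object sender, EventArgs e)
        {
            // 1. Validate: use the QueryString value only if it is on the allow-list,
            //    otherwise fall back to the cookie, then to a default.
            HttpCookie incoming = Request.Cookies["pref"];
            string lang = PickAllowed(Request.QueryString["lang"])
                       ?? PickAllowed(incoming != null ? incoming["lang"] : null)
                       ?? "en-us";

            // 2. Encode before writing request-derived text into the response, so that
            //    markup placed in a tampered URL or cookie is shown as text, not run.
            LangLabel.Text = "Language: " + HttpUtility.HtmlEncode(lang);

            // 3. Persist the choice in one multi-value cookie scoped by Path and Domain.
            HttpCookie pref = new HttpCookie("pref");
            pref["lang"] = lang;
            pref["color"] = "blue";
            pref.Path = "/account";                   // assumed application path
            pref.Domain = "www.example.com";          // assumed host; must match the site's host
            pref.Expires = DateTime.Now.AddDays(30);  // a future Expires makes the cookie permanent
            Response.Cookies.Add(pref);

            // To delete the cookie later, send it back with Expires in the past:
            //   Response.Cookies["pref"].Expires = DateTime.Now.AddDays(-1);
        }

        // Returns the normalised candidate if it is allowed, otherwise null.
        private static string PickAllowed(string candidate)
        {
            if (string.IsNullOrEmpty(candidate)) return null;
            string normalised = candidate.ToLowerInvariant();
            return Array.IndexOf(AllowedLangs, normalised) >= 0 ? normalised : null;
        }
    }
}
```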
