Chapter 4-Lesson 2

• Application State and Session State are the two Server-side State Management options available in ASP.NET
• Page.Application is of type HttpApplicationState.
• Request for an ASP.NET page is processed by ISAPI (Internet Server Application Programming Interface).
• ApplicationManager is an AppDomain that manages all the execution for a single ASP.NET application (including global variables).
• HostingEnvironment class allows access to resources (such as files and directories) inside a hosting environment.
• HttpContext, HttpRequest and HttpResponse are the core objects used to process any ASP.NET page request.
• Application is started by using (or re-using an existing) an Instance of HttpApplication. When this instance is created objects/modules such as SessionStateModule also get loaded.
• This Application object serves as the pipeline for all application execution.
• An Application can have one instance of Global.asax (Global Application Class)
• Application_LogRequest event is fired when a request is made to the Application.
• Since Application object can be accessed by more than one page (running on different threads) at the same time, its always a safe practice to use Application.Lock( ) before altering any Application State values.
• Application object is a collection with members of type object, therefore boxing is required.
• Session state is scoped only to current browser/user and only available to that session.
• Session object is of type HttpSessionState.
• ASP.NET_SessionId is a cookie containing a 24-byte value to keep track of session.
• Setting SessionState mode property to OFF in Web.config would improve performace.
• Values stored in Session must be serializable.
• Page directive also contains an attribute to enable/disable session state for individual pages. This can also be set to ReadOnly.
• Sessions can be configured to be Cookieless.
• ASP.NET would raise Session_End event only when state mode is set to InProc.
• InProc mode keeps session data in server memory and is the default state mode.
• StateServer hands over state data to ASP.NET State Service which preserves data between Application startups and multiple servers. This Service is present on all IIS Servers but set to manually start by default. To use it we must set its startup to Automatic.
• SQL Server also preserves session state data but on SQL Server database. It also requires connection string in web.config when configured for use.
• Profile properties are also scoped to current user.
• However, Profile properties are always persisted in SQL Server database (and not in server memory)
• Also, values stored in these profiles can be strongly typed objects.

Chapter 11-Lesson 1

• Code Access Security (CAS) may be used by .NET applications to put restriction on code regarding certain actions.
• An Application is called partially trusted when some kind of CAS is applied on it, others are called fully trusted.
• Evidence is something that proves as an identity and describes an individual as deserving a certain level of trust.
• Permissions determine which applications are trusted to what extent.
• There are 19 pre-defined Permissions in NET 2.0 (pertaining to different areas such as Web Access, Registry Access, File IO Access, etc.)
• Permission Sets combine a set of Permissions to represent particular level of security e.g. FullTrust, Internet, LocalIntranet, etc.
• Applications are brought under CAS using Code Groups which define a set of Permissions (and their respective settings/levels).
• Each Code Group requires an Evidence object. The assemblies that provide a particular Evidence become eligible to Permissions defined by the code group.
• Code Groups may be nested within one another and therefore may require more than one Evidence. (e.g My_Computer_Zone is a Code Group that requires a Zone:My Computer type of Evidence and grants FullTrust Permissions to assemblies bearing that Evidence.)
• Nesting one code group into another would result in a Union Code Group with all the Permissions set by both of them.
• There are four configurable Security Policies (Unions of Code Groups) built-in for .NET applications; Enterprise, Machine, User and Application Domain.
• However, if an Assembly falls under more than one Security Policy, the CLR uses the most restrictive one.

Chapter 8-Lesson 2

• In-depth security means we are able to prevent damage caused due to a vulnerability in a (third-party) Assembly that we are not aware of, cannot prevent and cannot fix.
• We may run Assemblies within an AppDomain with certain previliges by specifying an Evidence object to the Assembly. An Evidence is an object that behaves as an ID card displaying role/status of an entity. The authorities may then use this object to determine what kind of previliges an object (an Assembly in this case) recieves.
• The Evidence object takes an object array in its constructor. We may store anything in that array or we may use any of the predefined enumerations to define a specific type of previlige-level. The Evidence object will then be passed when ExecuteAssembly( ) method is run on an AppDomain.
• We may also pass such an Evidence object to CreateDomain( ) method to limit previliges for the entire AppDomain.
• Certain properties of an AppDomain are configurable via the AppDomainSetup class, which may be passed along with the Evidence object while creating new AppDomains.

Chapter 8-Lesson 1

• Operating System manages processes, while .NET Runtime manages Application Domains.
• If we consider an Assembly as class, then its instances could be called Application Domains.
• If an Application uses more than one assembly, it is possible to create a seperate process for each of them. The problem would be the performance hit ad resource usage caused between context shifts from one process to another. Therefore it is better to use one Assembly that acts as a host for other Assemblies. Then we may share resources (data) among Assemblies within an Application Domain. (e.g. ASP.NET Application object is an Application Domain)
• Points-to-Ponder: (See page 439)
• AppDomain class allows for creating Application Domains within .NET
• AppDomain.CreateDomain( ) static method is used to create a new Application Domain with a friendly name, and RunAssembly( ) instance-level method is used to load an Assembly within a domain.