
Sunday, October 4, 2009

Chapter 4-Lesson 2

  • Application State and Session State are the two Server-side State Management options available in ASP.NET
  • Page.Application is of type HttpApplicationState.
  • Request for an ASP.NET page is processed by ISAPI (Internet Server Application Programming Interface).
  • ApplicationManager is an AppDomain that manages all the execution for a single ASP.NET application (including global variables).
  • HostingEnvironment class allows access to resources (such as files and directories) inside a hosting environment.
  • HttpContext, HttpRequest and HttpResponse are the core objects used to process any ASP.NET page request.
  • Application is started by creating (or re-using an existing) instance of HttpApplication. When this instance is created, objects/modules such as SessionStateModule also get loaded.
  • This Application object serves as the pipeline for all application execution.
  • An Application can have one instance of Global.asax (Global Application Class)
  • Application_LogRequest event is fired when a request is made to the Application.
  • Since the Application object can be accessed by more than one page (running on different threads) at the same time, it's always a safe practice to use Application.Lock( ) before altering any Application State values.
  • Application object is a collection with members of type object, therefore boxing is required.
  • Session state is scoped only to current browser/user and only available to that session.
  • Session object is of type HttpSessionState.
  • ASP.NET_SessionId is a cookie containing a 24-byte value to keep track of session.
  • Setting SessionState mode property to Off in Web.config would improve performance.
  • Values stored in Session must be serializable.
  • Page directive also contains an attribute to enable/disable session state for individual pages. This can also be set to ReadOnly.
  • Sessions can be configured to be Cookieless.
  • ASP.NET would raise Session_End event only when state mode is set to InProc.
  • InProc mode keeps session data in server memory and is the default state mode.
  • StateServer hands over state data to ASP.NET State Service which preserves data between Application startups and multiple servers. This Service is present on all IIS Servers but set to manually start by default. To use it we must set its startup to Automatic.
  • SQL Server mode also preserves session state data, but in a SQL Server database. It also requires a connection string in web.config when configured for use.
  • Profile properties are also scoped to current user.
  • However, Profile properties are always persisted in SQL Server database (and not in server memory)
  • Also, values stored in these profiles can be strongly typed objects.

Sunday, September 27, 2009

Chapter 4:Lesson 1

  • Server-side state is secure but not quite scalable.
  • Client-side state is quite scalable but not secure.
  • Persisted state means saving state information into a database. Can be utilized if database server is heavy.
  • Shared state means storing copies of commonly accessed data on the server (caching) so that the server does not need to process page (or part of page) for every request.
  • ViewState stores object data that is not already represented as HTML in the page response.
  • Page.ViewState property is a Dictionary of type StateBag.
  • Object values on a page are hashed, compressed and encoded into a Unicode string and stored using one or more hidden HTML fields (depending on how Page.MaxPageStateFieldLength is set).
  • ViewState includes MAC (Message Authentication Code) used by ASP.NET to check if it has been tampered with during the round trip.
  • ViewState can also be made to encrypt data, both on website level and individual page level.
  • For website level, we may set viewStateEncryptionMode to Always in web.config, and for page level we set this value in the Page directive of the page we want encrypted. (Page 189)
  • EnableViewState property on every server control allows for turning on/off ViewState management for that control.
  • ViewState and ControlState are handled as two different values in ASP.NET 2.0 and above. ControlState manages how a control would keep its appearance during Postbacks and therefore a control may still contribute to page size even if EnableViewState is set to false.
  • ViewState does not transfer from one page to another.
  • All Serializable objects can be embedded in ViewState.
  • ControlState cannot be disabled for a control and is used especially in case of custom server controls. (Refer back to Page 192)
  • Hidden Fields may also be used in place of ViewState, except that the Value property of a HiddenField control is not hashed, compressed or chunked nor does it support encryption.
  • Furthermore, HiddenField values would be accessible on server only if page is sent via POST method (and not GET method). So they won't work if user clicks on a Hyperlink on the page.
  • ASP.NET uses Cookies to maintain user sessions.
  • Cookies can be temporary or permanent. To make a Cookie permanent we set its Expires property. To delete a Cookie we may set Expires to a past date.
  • Like Session variables, Cookies need not necessarily be added to the Response.Cookies using Add( ) method. They may also be created using something like
    Response.Cookies["lastvisit"].Value = something;
  • Path property of the HttpCookie class may be used to restrict Cookie access to pages from a specific directory. Similarly, Domain property may be used to restrict Cookie access to a specific domain.
  • Typically, 20 cookies (each of max 4 KB) are allowed per site.
  • A single Cookie may contain multiple Key-Value pairs, e.g.
    Response.Cookies["pref"]["color"] = Color.Blue.Name; // subkey values must be strings
    Response.Cookies["pref"]["lang"] = "en-us";
  • When using QueryStrings, some browsers restrict URL size to 2083 characters which may become a problem. Moreover, QueryStrings require page submission using HTTP GET method.
  • Tip: Always validate values from QueryStrings.
  • QueryStrings provide advantage of maintaining state when users bookmark or email a URL. Typically URL should be limited to 70 characters to enable it to be sent via plain text email.
  • Tip: Always HtmlEncode( ) values from QueryStrings and Cookies, so that client-side scripts may not get processed.
  • Passing HTML code to a QueryString throws HttpRequestValidationException (if not disabled by web server administrator)
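
The MAC check that ViewState performs, and that a plain HiddenField lacks, shown as an added C# sketch that is not part of the original notes and is not ASP.NET's own implementation. The class name SignedField, the field layout and the demo key are assumptions made for illustration; ASP.NET takes its real keys from the machineKey configuration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration of the MAC idea; NOT ASP.NET's internal ViewState code.
static class SignedField
{
    // Constructed demo key (assumption). Never hard-code a real key.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production");

    static byte[] Mac(byte[] payload)
    {
        using (var hmac = new HMACSHA256(Key)) return hmac.ComputeHash(payload);
    }

    // Server side, when rendering: base64(payload) + "." + base64(HMAC(payload)).
    public static string Protect(string state)
    {
        byte[] payload = Encoding.UTF8.GetBytes(state);
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(Mac(payload));
    }

    // Server side, on postback: recompute the MAC and reject on any mismatch.
    public static bool TryUnprotect(string field, out string state)
    {
        state = null;
        string[] parts = (field ?? "").Split('.');
        if (parts.Length != 2) return false;
        try
        {
            byte[] payload = Convert.FromBase64String(parts[0]);
            byte[] sent = Convert.FromBase64String(parts[1]);
            byte[] expected = Mac(payload);
            // Compare without an early exit so timing does not reveal where bytes differ.
            int diff = sent.Length ^ expected.Length;
            for (int i = 0; i < sent.Length && i < expected.Length; i++) diff |= sent[i] ^ expected[i];
            if (diff != 0) return false;
            state = Encoding.UTF8.GetString(payload);
            return true;
        }
        catch (FormatException) { return false; } // not valid base64
    }

    static void Main()
    {
        string field = Protect("role=user;cart=3");          // constructed sample state
        Console.WriteLine(TryUnprotect(field, out string state));
        // A changed payload paired with the old MAC no longer verifies.
        string altered = Protect("role=admin;cart=3").Split('.')[0] + "." + field.Split('.')[1];
        Console.WriteLine(TryUnprotect(altered, out state));
    }
}
```

The payload stays readable by the client in both cases; the MAC only detects modification, which is why encryption is a separate setting.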