How to improve security and performance in ASP.net
AHSAN MURSHED, SOFTWARE ENGINEER

IEEE KUET SPAC presentation

DESCRIPTION

This presentation was given at S-PAC, organized by the IEEE KUET student branch and held on 3, 4 and 5 December 2010 at the KUET campus.


Page 1: IEEE KUET SPAC presentation

AHSAN MURSHED, SOFTWARE ENGINEER

How to improve security and performance in ASP.net

Page 2

Presentation overview

ASP.net runtime architecture

Improve security: front end (ASP.net/C#/VB.net) and back end (database, web services, etc.)

Improve performance: front end (ASP.net/C#/VB.net) and back end (database, web services, etc.)

Page 3

ASP.net architecture

When a request is received by ASP.NET, the request is handled by the HttpRuntime object.

The HttpRuntime is responsible for application creation and initialization, managing the request queue and thread pool, and dispatching the incoming requests to the correct application.

The pipeline is a staged, event-based execution framework consisting of multiple HttpModule objects and a single HttpHandler object.
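The module-and-handler split described above, as an added example (this is not code from the slides). It shows a minimal HttpModule that hooks two pipeline events and a single HttpHandler that produces the response, for classic ASP.NET (System.Web). The registration in Web.config, the namespace Demo, the assembly name and the handler path are assumptions.

```csharp
// Added example, not from the presentation. Assumed Web.config registration
// (classic pipeline):
//   <system.web>
//     <httpModules>
//       <add name="RequestTiming" type="Demo.RequestTimingModule, Demo"/>
//     </httpModules>
//     <httpHandlers>
//       <add verb="GET" path="health.ashx" type="Demo.HealthHandler, Demo"/>
//     </httpHandlers>
//   </system.web>
using System;
using System.Diagnostics;
using System.Web;

namespace Demo
{
    // An HttpModule subscribes to pipeline events; many modules can run
    // for the same request, each seeing it at a different stage.
    public class RequestTimingModule : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            // First stage: start a per-request stopwatch, kept in Context.Items
            // so that it is scoped to this request only.
            app.BeginRequest += delegate(object sender, EventArgs e)
            {
                HttpContext ctx = ((HttpApplication)sender).Context;
                ctx.Items["timer"] = Stopwatch.StartNew();
            };

            // Last stage: record how long the whole pipeline took.
            app.EndRequest += delegate(object sender, EventArgs e)
            {
                HttpContext ctx = ((HttpApplication)sender).Context;
                Stopwatch timer = ctx.Items["timer"] as Stopwatch;
                if (timer != null)
                {
                    timer.Stop();
                    ctx.Trace.Write("timing",
                        ctx.Request.Path + " took " + timer.ElapsedMilliseconds + " ms");
                }
            };
        }

        public void Dispose() { }
    }

    // Exactly one HttpHandler is chosen for a request (by verb and path)
    // and is responsible for writing the response body.
    public class HealthHandler : IHttpHandler
    {
        // Reusable handlers are pooled; only safe when they keep no per-request state.
        public bool IsReusable { get { return true; } }

        public void ProcessRequest(HttpContext context)
        {
            context.Response.ContentType = "text/plain";
            context.Response.Write("OK");
        }
    }
}
```

The timing goes to the ASP.NET trace log rather than into a response header, so nothing about server behaviour is exposed to the client; it is only visible while tracing is enabled (see the tracing note under "Improve performance").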

Page 4

ASP.net runtime infrastructure

Page 5

Security Considerations

Security and performance are often at the center of design tradeoffs.

From an application point of view, security is mostly a matter of authenticating users and authorizing actions on the system’s resources.

ASP.NET provides a range of authentication and authorization mechanisms implemented in conjunction with IIS, the .NET Framework, and the underlying security services of the operating system.

Page 6

Security Considerations

When a client issues a Web request, the following sequence of authentication and authorization events occurs.

IIS authentication: IIS first ensures that the request comes from a trusted IP address.

A second preliminary check is then made to determine whether the requested resource is available for reading or browsing.

IIS attempts to authenticate the caller using the Integrated, Digest, or Basic authentication method.

Page 7

Security Considerations

ASP.NET authentication

ASP.NET supports three types of authentication methods: Windows, Forms, and Passport.

If ASP.NET is configured for Windows authentication, no additional steps are needed: ASP.NET simply accepts the security token it receives from IIS.

If ASP.NET is configured for Forms authentication, the user is prompted for credentials using an HTML form.

If ASP.NET is configured for Passport authentication, the user is redirected to a Passport Web site and authenticated by the Passport service.

Page 8

Security Considerations

ASP.NET authorization

Authentication means only that the user is known and proven to be who he or she claimed to be. The next task is to make sure the user has enough rights to access the requested resource.

ASP.NET verifies that the caller is authorized to access the requested resource to execute the operation.

The authorization rules consist of two distinct blocks of information regarding what is allowed and what is denied. Under the <authorization> element, the child tag <allow> defines users, roles, and actions allowed; conversely, the child tag <deny> indicates which users, roles, or actions are not permitted.
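An added example, not from the slides, of how the allow/deny rules of page 8 and the roles of page 9 combine: rules under `<authorization>` are evaluated top to bottom and the first `<allow>` or `<deny>` that matches the caller decides; if nothing matches, the machine-level default (`<allow users="*"/>`) applies, which is why a trailing `<deny users="*"/>` is what actually closes a section off. The small evaluator below reproduces those semantics so the behaviour can be seen outside a web server; the Web.config fragment, the folder `/Admin`, the role name "Admin" and the user names are assumptions.

```csharp
// Added example, not from the presentation. Mirrors this assumed Web.config
// for a hypothetical /Admin folder:
//   <authorization>
//     <allow roles="Admin"/>
//     <deny users="?"/>   <!-- "?" means anonymous callers -->
//     <deny users="*"/>   <!-- "*" means everyone; makes the default deny -->
//   </authorization>
using System;
using System.Collections.Generic;
using System.Security.Principal;

namespace Demo
{
    public class AuthRule
    {
        public bool Allow;                       // true for <allow>, false for <deny>
        public string[] Users = new string[0];   // the users="" attribute
        public string[] Roles = new string[0];   // the roles="" attribute

        // Does this rule apply to the caller? ("*" = anyone, "?" = anonymous)
        bool Matches(IPrincipal user)
        {
            foreach (string u in Users)
            {
                if (u == "*") return true;
                if (u == "?" && !user.Identity.IsAuthenticated) return true;
                if (string.Equals(u, user.Identity.Name, StringComparison.OrdinalIgnoreCase))
                    return true;
            }
            foreach (string r in Roles)
            {
                if (user.IsInRole(r)) return true;
            }
            return false;
        }

        // First matching rule wins; no match falls through to the inherited
        // machine-level <allow users="*"/>.
        public static bool IsAuthorized(IList<AuthRule> rules, IPrincipal user)
        {
            foreach (AuthRule rule in rules)
            {
                if (rule.Matches(user)) return rule.Allow;
            }
            return true;
        }
    }

    static class AuthDemo
    {
        public static void Main()
        {
            var rules = new List<AuthRule>
            {
                new AuthRule { Allow = true,  Roles = new[] { "Admin" } },
                new AuthRule { Allow = false, Users = new[] { "?" } },
                new AuthRule { Allow = false, Users = new[] { "*" } },
            };

            // Constructed callers: an administrator, an ordinary member, and an
            // anonymous request (GenericIdentity with an empty name is unauthenticated).
            IPrincipal admin  = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Admin" });
            IPrincipal member = new GenericPrincipal(new GenericIdentity("bob"), new[] { "Member" });
            IPrincipal anon   = new GenericPrincipal(new GenericIdentity(""), new string[0]);

            Console.WriteLine("alice (Admin): " + AuthRule.IsAuthorized(rules, admin));
            Console.WriteLine("bob (Member):  " + AuthRule.IsAuthorized(rules, member));
            Console.WriteLine("anonymous:     " + AuthRule.IsAuthorized(rules, anon));
        }
    }
}
```

Only the Admin role reaches the resource; the member is stopped by the final `<deny users="*"/>`, and the anonymous caller by `<deny users="?"/>`. Removing that last rule would let the member through, because the fall-through default allows everyone.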

Page 9

Security Considerations

Role-based security: A role is a name, just a short descriptive string, that identifies a set of functions, user interface elements, and permissions that the page grants to each user who plays that role.

Run applications with least privilege: Do not run your application with the identity of a system user (administrator).

Run the application in the context of a user with the minimum practical privileges.

Set permissions (Access Control Lists or ACLs) on all the resources required for your application. Use the least permissive setting. For example, if practical in your application, set files to be read-only.

Page 10

Security Considerations

Keep sensitive information safe: If your application transmits sensitive information between the browser and the server, consider using the Secure Sockets Layer (SSL). Use protected configuration to secure sensitive information in configuration files such as the Web.config or Machine.config files.
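Protected configuration, as an added example that is not part of the presentation: the `connectionStrings` section of Web.config is encrypted in place through the `System.Configuration` API, which is the programmatic form of running `aspnet_regiis -pe`. Once a section is protected, `ConfigurationManager.ConnectionStrings[...]` still returns the clear-text value to the application, so no other code changes. The virtual path and the assumption that the code runs inside the web application with write access to Web.config are the only assumptions.

```csharp
// Added example, not from the presentation.
using System;
using System.Configuration;
using System.Web.Configuration;

namespace Demo
{
    public static class ConfigProtector
    {
        // provider is one of the built-in protected-configuration providers:
        //   "DataProtectionConfigurationProvider" - DPAPI, bound to this machine
        //   "RsaProtectedConfigurationProvider"   - RSA key container, can be
        //                                           exported to other servers in a farm
        public static bool ProtectConnectionStrings(string appVirtualPath, string provider)
        {
            // appVirtualPath is e.g. "~" for the current application.
            Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
            ConfigurationSection section = config.GetSection("connectionStrings");

            if (section == null || section.SectionInformation.IsProtected)
                return false;   // nothing to do: missing or already encrypted

            section.SectionInformation.ProtectSection(provider);
            section.SectionInformation.ForceSave = true;   // write even if values are unchanged
            config.Save(ConfigurationSaveMode.Modified);
            return true;
        }

        // Reverse operation, for maintenance on the server (never in request code).
        public static bool UnprotectConnectionStrings(string appVirtualPath)
        {
            Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
            ConfigurationSection section = config.GetSection("connectionStrings");

            if (section == null || !section.SectionInformation.IsProtected)
                return false;

            section.SectionInformation.UnprotectSection();
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
            return true;
        }
    }
}
```

With the DPAPI provider the encrypted file is only readable on the machine that encrypted it, which is usually what you want for a single server; a web farm needs the RSA provider and the same key container imported on every node.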

Guard against denial-of-service threats: A malicious user can keep the application too busy to service other users, or can simply cause the application to crash. Follow these guidelines:

Use error handling: use a finally block (try/catch/finally) in which you release resources in case of failure.

Test size limits of user input before using or storing it. Put a size limit on file uploads, if those are part of your application.

Use cookies securely: Do not store any critical information in cookies. For example, do not store a user's password in a cookie, even temporarily. Set expiration dates on cookies to the shortest practical time you can.

Avoid permanent cookies if possible.
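The page-10 guidelines on denial of service and on cookies, applied together in one added example that is not from the slides: a hypothetical upload handler that checks the size limit before touching the content, releases its streams in a finally block, stores the file under a server-generated name, and then sets a cookie that carries no secret, is not readable by script, is sent only over SSL, and expires quickly. The handler name, the form field name "file", the 512 KB limit and the storage folder are assumptions.

```csharp
// Added example, not from the presentation. Registered like any other
// handler, e.g. <add verb="POST" path="upload.ashx" type="Demo.UploadHandler, Demo"/>.
// Web.config should also cap the whole request before this code runs:
//   <httpRuntime maxRequestLength="1024"/>   (value in KB)
using System;
using System.IO;
using System.Web;

namespace Demo
{
    public class UploadHandler : IHttpHandler
    {
        const int MaxUploadBytes = 512 * 1024;   // assumed policy: 512 KB per file

        public bool IsReusable { get { return true; } }

        public void ProcessRequest(HttpContext context)
        {
            // 1. Size check first, before reading or storing anything.
            HttpPostedFile posted = context.Request.Files["file"];
            if (posted == null || posted.ContentLength <= 0 || posted.ContentLength > MaxUploadBytes)
            {
                context.Response.StatusCode = 413;   // Request Entity Too Large
                return;
            }

            // 2. Never use the client's file name; App_Data is not served by ASP.NET.
            string dir = context.Server.MapPath("~/App_Data/Uploads");
            Directory.CreateDirectory(dir);
            string target = Path.Combine(dir, Guid.NewGuid().ToString("N") + ".bin");

            // 3. try/finally guarantees both streams are released even if the
            //    copy fails part-way (disk full, client disconnect, ...).
            Stream input = null;
            FileStream output = null;
            try
            {
                input = posted.InputStream;
                output = new FileStream(target, FileMode.CreateNew, FileAccess.Write);
                byte[] buffer = new byte[8192];
                int read;
                while ((read = input.Read(buffer, 0, buffer.Length)) > 0)
                {
                    output.Write(buffer, 0, read);
                }
            }
            finally
            {
                if (output != null) output.Dispose();
                if (input != null) input.Dispose();
            }

            // 4. A cookie with no sensitive content, short-lived, script-inaccessible,
            //    and SSL-only (assumes the site is served over HTTPS, as slide 10 advises).
            HttpCookie cookie = new HttpCookie("lastUpload", DateTime.UtcNow.ToString("o"));
            cookie.HttpOnly = true;
            cookie.Secure = true;
            cookie.Expires = DateTime.UtcNow.AddMinutes(10);
            context.Response.Cookies.Add(cookie);

            context.Response.StatusCode = 204;   // stored; nothing to return
        }
    }
}
```

The `maxRequestLength` setting and the `ContentLength` check do different jobs: the first makes ASP.NET reject an oversized request body before any handler code runs, the second enforces the per-file policy for requests that pass that gate.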

Page 11

Security Considerations

Access databases securely: An important aspect of a secure Web application is designing a way for the application to access the database securely.

Use the inherent security of your database to limit who can access database resources.

Do not create SQL statements by concatenating strings that involve user input. Instead, create a parameterized query and use the user input to set the parameter values.

If you must store a user name and password somewhere to use as the database login credentials, store them in the Web.config file and secure the file with protected configuration.
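The lookup below is an added example, not from the slides: the same query written first the way page 11 warns against, then as a parameterized query, with the connection string read from the protected `connectionStrings` section. The table and column names (`Users`, `UserName`, `Email`) and the connection-string name "MainDb" are assumptions.

```csharp
// Added example, not from the presentation.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

namespace Demo
{
    public static class UserLookup
    {
        // Credentials live in Web.config (encrypted with protected configuration),
        // never in source code.
        static string ConnStr
        {
            get { return ConfigurationManager.ConnectionStrings["MainDb"].ConnectionString; }
        }

        // VULNERABLE: the user's input becomes part of the SQL text. A quote
        // character in userName ends the string literal and whatever follows is
        // parsed as SQL, so the input can change the query's structure.
        public static string EmailForUnsafe(string userName)
        {
            string sql = "SELECT Email FROM Users WHERE UserName = '" + userName + "'";
            using (SqlConnection conn = new SqlConnection(ConnStr))
            using (SqlCommand cmd = new SqlCommand(sql, conn))
            {
                conn.Open();
                return cmd.ExecuteScalar() as string;
            }
        }

        // SAFE: the SQL text is a constant. The value travels to SQL Server as a
        // typed parameter and is only ever compared, never parsed.
        public static string EmailFor(string userName)
        {
            const string sql = "SELECT Email FROM Users WHERE UserName = @userName";
            using (SqlConnection conn = new SqlConnection(ConnStr))
            using (SqlCommand cmd = new SqlCommand(sql, conn))
            {
                // Declaring type and length avoids implicit conversions on the server
                // and rejects values longer than the column allows.
                cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 64).Value = userName;
                conn.Open();
                return cmd.ExecuteScalar() as string;   // null when no row matches
            }
        }
    }
}
```

Both versions use `using` blocks, so the connection goes back to the pool even when `ExecuteScalar` throws; the only difference that matters for security is whether `userName` is part of the statement text or a parameter value.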

Page 12

Improve performance

Turn off session state if it is not required: Disable session state if you are not going to use it. By default it is on. You can turn it off for specific pages instead of for every page.

Disable view state of a page if possible: Pages that do not have any server postback events can have the view state turned off.

Turn off tracing until it is required: Enabling tracing adds performance overhead and might expose private information, so it should be enabled only while an application is being actively analyzed.

Use the finally block to release resources: Always use the finally block to release resources, such as closing database connections, closing files, and so on.

Page 13

Improve performance

Use client-side scripts for validation: Client-side validation can help reduce the round trips required to process a user's request. (Server-side validation must remain in place; client-side checks are a performance aid, not a security control.)

Avoid unnecessary round trips to the server: Keep round trips to an absolute minimum. Implement an Ajax UI whenever possible. The idea is to avoid a full page refresh.

Use HttpServerUtility.Transfer instead of Response.Redirect: Redirects are also very chatty. They should only be used when you are transferring people to another physical web server. You will save a lot of needless HTTP requests.

Use paging: Take advantage of the simplicity of paging in .NET. Only show small subsets of data at a time, allowing the page to load faster. Just be careful when you mix in caching: don't cache all the data in the grid.

Page 14

Improve performance

Store your content by using caching: ASP.NET allows you to cache entire pages, fragments of pages, or controls. You can also cache variable data by specifying the parameters that the data depends on. By using caching you help the ASP.NET engine return data for repeated requests for the same page much faster.

Output buffering: Reduce round trips when possible by buffering your output. This approach batches work on the server and avoids chatty communication with the client; then call the Response.Flush method to send the data.

Take advantage of HttpResponse.IsClientConnected before performing a large operation and performing expensive server-side operations.
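The three points above (data caching keyed by the parameter it depends on, buffered output with a single flush, and checking `IsClientConnected` before expensive work), as one added example that is not from the slides. It is a hypothetical report handler; the `region` parameter, its allowed values, the five-minute lifetime and the `LoadReportRows` data source are assumptions.

```csharp
// Added example, not from the presentation.
using System;
using System.Collections.Generic;
using System.Text;
using System.Web;
using System.Web.Caching;

namespace Demo
{
    public class ReportHandler : IHttpHandler
    {
        // The cache key is built from user input, so restrict the input to a
        // known set; otherwise a client can fill the cache with junk entries.
        static readonly HashSet<string> AllowedRegions =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "all", "north", "south" };

        public bool IsReusable { get { return true; } }

        public void ProcessRequest(HttpContext context)
        {
            string region = context.Request.QueryString["region"];
            if (string.IsNullOrEmpty(region) || !AllowedRegions.Contains(region))
                region = "all";
            region = region.ToLowerInvariant();
            string cacheKey = "report:" + region;   // varies by the parameter the data depends on

            // Buffered output (the default): the response goes out in one piece.
            context.Response.BufferOutput = true;
            context.Response.ContentType = "text/csv";

            List<string> rows = context.Cache[cacheKey] as List<string>;
            if (rows == null)
            {
                // The client may already have given up; do not pay for the query.
                if (!context.Response.IsClientConnected)
                    return;

                rows = LoadReportRows(region);   // the expensive (assumed) database work

                // Absolute expiry of five minutes, no sliding window, no dependency.
                context.Cache.Insert(cacheKey, rows, null,
                    DateTime.Now.AddMinutes(5), Cache.NoSlidingExpiration);
            }

            StringBuilder sb = new StringBuilder();
            foreach (string row in rows)
            {
                sb.AppendLine(row);
            }
            context.Response.Write(sb.ToString());
            context.Response.Flush();   // one flush at the end, not one per row
        }

        // Placeholder for the real query; returns constructed sample rows.
        static List<string> LoadReportRows(string region)
        {
            List<string> rows = new List<string>();
            rows.Add("region,sales");
            rows.Add(region == "all" ? "north,100" : region + ",50");
            if (region == "all") rows.Add("south,50");
            return rows;
        }
    }
}
```

A second request for the same region within five minutes is served from `HttpRuntime.Cache` without touching the database; the `IsClientConnected` check only matters on the slow path, which is exactly where a flood of abandoned requests would otherwise cost the most.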

Use a foreach loop instead of a for loop for string iteration: foreach is far more readable, and in the future it will become as fast as a for loop for special cases like strings.

Page 15

Improve performance

Make JavaScript and CSS external: Using external files generally produces faster pages because the JavaScript and CSS files are cached by the browser. Inline JavaScript and CSS increases the HTML document size but reduces the number of HTTP requests. With cached external files, the size of the HTML is kept small without increasing the number of HTTP requests, thus improving performance.

Return multiple result sets: Return multiple result sets in a single database request, so that you can cut the total time spent communicating with the database.

Connection pooling and object pooling: Connection pooling is a useful way to reuse connections for multiple requests, rather than paying the overhead of opening and closing a connection for each request. It's done implicitly, but you get one pool per unique connection string. When pooling is enabled, calling Close or Dispose returns the connection to the pool instead of closing the underlying database connection.

Page 16

Improve performance

Use SqlDataReader instead of DataSet wherever possible: If you are reading a table sequentially you should use the DataReader rather than the DataSet. The DataReader object creates a read-only stream of data that improves your application's performance because only one row is in memory at a time.

Keep your DataSets lean: Remember that the DataSet stores all of its data in memory, and that the more data you request, the longer it will take to transmit across the wire.

Avoid inefficient queries: Too much data in your results is usually the result of inefficient queries. The SELECT * query often causes this problem. You do not usually need to return all the columns in a row. Also, analyze the WHERE clause in your queries to ensure that you are not returning too many rows.

Use stored procedures whenever possible:
> Stored procedures are highly optimized tools that result in excellent performance when used effectively.
> Stored procedures do not have to be interpreted, compiled, or even transmitted from the client, and cut down on both network traffic and server overhead.
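The database advice of pages 15 and 16 in one added example, not from the slides: a single round trip executes a stored procedure that returns two result sets (one page of orders and the total count), read with a `SqlDataReader` one row at a time, inside `using` blocks so the pooled connection is returned even on error. The procedure name `dbo.usp_GetOrderPage`, its parameters and columns, and the connection-string name "MainDb" are assumptions; the procedure itself must already exist on the server.

```csharp
// Added example, not from the presentation. Assumed procedure contract:
//   dbo.usp_GetOrderPage @PageIndex int, @PageSize int
//   result set 1: OrderId int, Total decimal   (the requested page)
//   result set 2: a single int, the total number of orders
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

namespace Demo
{
    public class OrderPage
    {
        public List<int> OrderIds = new List<int>();
        public int TotalCount;
    }

    public static class OrderRepository
    {
        public static OrderPage GetPage(int pageIndex, int pageSize)
        {
            if (pageIndex < 0 || pageSize < 1 || pageSize > 200)
                throw new ArgumentOutOfRangeException("pageSize", "keep pages small");

            string connStr = ConfigurationManager.ConnectionStrings["MainDb"].ConnectionString;
            OrderPage result = new OrderPage();

            // Dispose runs in a finally block; for a pooled connection it returns
            // the connection to the pool (one pool per distinct connection string).
            using (SqlConnection conn = new SqlConnection(connStr))
            using (SqlCommand cmd = new SqlCommand("dbo.usp_GetOrderPage", conn))
            {
                cmd.CommandType = CommandType.StoredProcedure;   // name only, no SQL text sent
                cmd.Parameters.Add("@PageIndex", SqlDbType.Int).Value = pageIndex;
                cmd.Parameters.Add("@PageSize", SqlDbType.Int).Value = pageSize;

                conn.Open();
                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    // Result set 1: the page, streamed one row at a time.
                    int idOrdinal = reader.GetOrdinal("OrderId");
                    while (reader.Read())
                    {
                        result.OrderIds.Add(reader.GetInt32(idOrdinal));
                    }

                    // Result set 2: the count, from the same batch and round trip.
                    if (reader.NextResult() && reader.Read())
                    {
                        result.TotalCount = reader.GetInt32(0);
                    }
                }
            }
            return result;
        }
    }
}
```

Compared with filling a DataSet, only the current row is ever materialised on the web server, and compared with two separate commands, the page and its count arrive in one network exchange; the upper bound on `pageSize` keeps the "lean" advice enforceable rather than advisory.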

Page 17

THANK YOU

Questions??