From Scott Hanselman’s Blog February 07, 2014 at 09:54PM
About a year ago we thought it would be a good idea to do a talk on "What not to do in ASP.NET?" – basically an anti-patterns talks. We kept seeing folks falling into the same traps and wanted to be prescriptive as there’s aspects to ASP.NET that are 10 years old and don’t apply to today’s internet, but there are also new aspects to ASP.NET that are only a year old, and perhaps haven’t soaked into the zeitgeist quite yet.
Damian Edwards gave his version of this talk at NDC 2013 and you can watch the video here if you like, it’s very entertaining.
We took the information we gathered from people like Damian, Levi Broderick and others, and Tom FitzMacken put together a whitepaper on the topic. It’s not complete, but it covers some of the most common "gotchas" folks run into.
Here are the areas we call out in the whitepaper so far, with highlights below from me.
- Standards Compliance
- Control Adapters – Control adapters were a good idea in .NET 2, but it’s best to use solid adaptive CSS and HTML techniques today.
- Style Properties on Controls – Set CSS classes yourself, don’t use inline styles.
- Browser Capability Detection – Check for features, not for browsers whenever possible.
- Request Validation – While Request Validation is useful, it’s not focused and it doesn’t know exactly what you app is doing. Be smart and validate inputs with the full knowledge of what your app is trying to accomplish. Don’t trust user input.
- Cookieless Forms Authentication and Session – Don’t pass anything auth related in the query string. Cookieless auth will never be secure. Don’t do it.
- EnableViewStateMac – This should never be false. Ever.
- Medium Trust – Medium trust isn’t a security boundary you should count on. Put apps in separate app pools.
- <appSettings> – Don’t disable security patches with appSettings.
- UrlPathEncode – This doesn’t do what you think it does. Use UrlEncode. This method was very specific, poorly named, and is now totally obsolete.
- Reliability and Performance
- PreSendRequestHeaders and PreSendRequestContext – Leave these alone making managed modules. These can be used with native modules, but not IHttpModules.
- Asynchronous Page Events with Web Forms – Use Page.RegisterAsyncTask instead.
- Fire-and-Forget Work – Avoid using ThreadPool.QueueUserWorkItem as your app pool could disappear at any time. Move this work outside or use WebBackgrounder if you must.
- Request Entity Body – Stay out of Request.Form and Request.InputStream before your handler’s execute event. It may not be ready to go.
- Response.Redirect and Response.End – Be conscious of Thread.Aborts that will happen when you redirect.
- EnableViewState and ViewStateMode – There’s no need to hate on ViewState. Turn it off everywhere, then turn it on only for the individual controls that need it.
- SqlMembershipProvider – Consider using ASP.NET User Providers, or better yet, the new ASP.NET Identity system.
- Long Running Requests (>110 seconds) – ASP.NET isn’t meant to handle long running requests that are a minute (or two) long. Use WebSockets or SignalR for connected clients, and use asynchronous I/O operations.
I hope this helps someone out!
Sponsor: Big Thanks to Aspose for sponsoring the blog this week! Aspose.Total for .NET has all the APIs you need to create, manipulate and convert Microsoft Office documents and a host of other file formats in your applications. Curious? Start a free trial today.
© 2014 Scott Hanselman. All rights reserved.