EnableViewStateMac="false" why is it even an option? - asp.net

After a lot of reading about EnableViewStateMac and the possibility it will be removed in future .NET Frameworks I still wonder why this is an option to set to false.
I understand you should NEVER set it to false, but who decided it to create the option? And if someone really thought about it, why would one set it to false at all?
Why would you have an option to enable insecurity?

This switch was created long before I joined the ASP.NET team, but I was curious about this myself and spent some time spelunking through the old bug database. As far as I can tell, there are two main reasons it was introduced.
The switch was seen as potentially offering a performance benefit. In an early preview of the .NET Framework (1.0 alpha, really), computing the MAC was indeed slow. This was fixed before 1.0 reached RTM so that the performance difference was negligible. However, the damage was done: the seed was planted in the early developers' minds that there might be some cases where for performance sake the MAC needs to be disabled. This also led to a bunch of MSDN articles which suggested that disabling the MAC improves performance, and I'm still (in 2014!) finding and removing these articles.
In a web farm environment, the <machineKey> needs to be synced. Unfortunately we don't make it easy to generate machine keys securely. So, in the early days of ASP.NET testing, the switch existed to allow testers to do the simple thing for farm deployments rather than the right thing for farm deployments. We're still battling this today, too: most developers use online machine key generators, which are insecure. I'm working with the Visual Studio team to make generating and securing machine keys easier.
At the time, it was believed that the worst possible thing that could happen if the MAC was disabled is that you could XSS the site. This turned out to be an incorrect assessment.
Finally, its removal is no longer just a possibility. It has already been removed in our local source repositories. The next .NET Framework update that we blast out onto the world will have this payload in it, but I don't have timelines for when that might be. We're just sitting on the trigger waiting for the go-ahead. :)

Initially during times of asp the HTML page used to be posted to asp pages which was totally different. This similar coding method is now termed as cross page posting. ViewState is specific to a page so if you try posting an asp.net page to another asp.net page the viewstate would be different. Now in such a situation if you have EnableViewStateMac (which means you want to verify the integrity of viewstate) set the validation would fail and cause an error. So people would disable the viewstatemac so that they can continue to program the old way, and Microsoft continued to provide this feature to have support for the legacy code.
But as you already mentioned this is a huge security risk, opening your application for all kinds of attacks.

Related

Steps for profiling performance of a website running on azure

I am quite new to running websites in general. I am familiar with statistical profilers for desktop applications, but unsure how to even begin profiling a website as there are a lot of additional potential bottlenecks and I'm not sure what profilers are available for websites.
I have looked around and seen useful suggestions in other questions, but I am not sure they are a very complete solution. The main suggestions are azure performance counters and suggestions from this answer.
Summarizing they are:
Use firebug to determine rendering time and loading time seperately so one can tell whether one has a rendering issue or a server issue.
If server side:
Test a small static page like a page with a single gif. If that is slow one has a CPU issue. Otherwise one is probably IO bound or has problems with database performance.
One can use performance counters to check server aspects such as:
memory
garbage collection
tcp/ip issues
bytes sent / recieved
requests requested, queued, rejected
request wait time, processing time
From my naive standpoint some things that seem to be missing from this list are the sort of profiling one has for a traditional desktop application, i.e. what the stack looked like what percentage of the time (i.e. what functions were we spending time in, and in what context). Another missing item is profiling the database performance, which seems like it may be different on azure than in a local environment especially if one starts dealing with scaling. Another is time spent on requests to third party services, though maybe that can be done with azure performance counters(?).
I apologize for the naive nature of this question. What tools and aspects am I missing here to profile an azure MVC asp.net website and what changes would you make to the above list?
There's a lot of aspects to profiling a site, in terms of database calls, business logic, rendering a view, and even client side performance (any jQuery that might run, for example).
StackOverflow's MiniProfiler is one of the easiest things to get going, just install a NuGet package, add some Javascript includes, and wrap whatever you want to test inside a using() block, and you'll see execution times (including LINQ-to-SQL and EF). You can even create steps if you want finer grained timings of individual calls.
The nice thing about MiniProfiler is you can enable/disable based on the environment, which makes it suitable for running inside Azure (as opposed to say, the Visual Studio Profiler).
You can also look at Azure Performance Counters, which will give you an idea of system resources, but isn't profiling in the sense that MiniProfiler is. It will however give you an idea of network latency and CPU and memory utilization.
Once you're satisfied there, you can use Chrome's Developer Tools to profile your application on the client side. It'll give you an idea of how well your Javascript is doing, including CSS selectors and rendering.
Also worth noting, Visual Studio has a really good Profiler in some higher editions that can give you deep insights into your code. Time spent in methods, call counts, etc.
Between these four methods, you should be able to find most bottlenecks, especially for a first pass.

increase the performance of web site?

When designing a ASP.net WebForm application what are some important steps to take (or hacks if you like to use the term) to ensure the best possible performance (in terms of speed, stability, and scalability)?
Avoid round trips to server
Wherever possible user AJAX calls.
Implement Caching.
Avoid using Viewstate wherever possible
For further more read these links.
Improve Web Application Performance
ASP.NET Web Site Performance Improvement
Since so many things can affect performance, it's difficult to provide such a list. We may make assumptions about your code that aren't correct, and may focus on the wrong areas while you suffer poor performance from something we would otherwise take for granted.
Having said that, in general you might keep an eye on:
Don't over-use ViewState. (I'd argue not to use it at all, but that's another issue entirely.)
Keep page resources small (minified text, good image encoding, etc.).
Ensure page resources are properly cached once downloaded.
Try to move most UX logic client-side. (Avoid post-backs for things you can otherwise do in JavaScript, fetch data asynchronously where possible in small chunks, etc.)
The list can go on and on, and that's just with the web tier of the application. You could easily encounter site performance problems resulting from slow server-side code or server-side resource dependencies (database, etc.) that can't be debugged in the browser.
So the main point is to learn your debugging tools. Through combinations of browser tools (FireBug, Chrome Developer tools, etc.), Visual Studio debugging (or whatever else you may use for your .NET code), good logging, and even profiling tools you can identify your bottlenecks and tweak your system accordingly.
Check your website in google page speed :click
It will give your problem . for unwanted style.images and etc.......
If you care so much for speed, stability and scalability you might first question whether ASP itself is a good compromise
when it comes to performance of the web application we need to consider many things this article will help you understand what performance is where to start.
In web application 80 percent of the time it is front end which requires performance optimization, what needed to be optimized is a big question and really hard to answer
this article i found will help you understand the web performance optimization
Web Performance Optimization

Checklist for ASP.NET / Database performance

Recently our customers started to complain about poor performance on one of our servers.
This contains multiple large CMS implementations and alot small websites using Sitefinity.
Our Hosting team is now trying to find the bottlenecks in our environments, since there are some major issues with loadtimes. I've been given the task to specify one big list of things to look out for, devided into different the parts (IIS, ASP.NET, Web specific).
I think it'd be good to find out how many instances of the Sitecore CMS we can run on one server according to the Sitecore documentation e.d. We want to be able to monitor and find out where our bottleneck is at this point. Some of our websites load terribly slow, other websites load very fast. Most of our Sitecore implementations that run on this server have poor back-end performance, and have terrible load times after a compilation.
Our Sitecore solutions run on a Win 2008 64 server with Microsoft SQL Server 2008 for db's.
I understand that it might be handy to specify more detailed information about our setup, but I'm hoping we'd be able to get some usefull basic information regarding how to monitor and find bottlenecks e.d.
What tools / hints / tips & tricks do you have?
do NOT use too many different asp.net pools, called and as dedicate pool in plesk. Place more sites on the same pool.
More memory, or stop non used programs/services on the server
Check if you have memory limits on the application pool that make the pool continues auto-restarts.
On the database, set Recovery Mode to simple.
Shrink database files, and reindex database, from inside the program
after all that Defrag your disks
Check the memory with process explorer.
To check whats starts with your server use the autoruns but be careful not to stop any critical service and the computer never starts again. Do not stop services from autoruns, use the service manager to change the type to manual. Also many sql serve services they not need to run if you never used them.
Some other tips
Move the temporary files / and maybe asp.net build directory to a different disk
Delete all files from temporary dir ( cd %temp% )
Be sure that the free physical memory is not zero, using the process exporer. If its near zero, then your server needs memory, or needs to stop non using programs from running.
To place many sites under the same pool, you need to change the permissions of the sites under the new share pool. Its not difficult, just take some time and organize to know what site runs under what pool. Now let say that you have 10 sites, its better to use 2 diferent pools, and spread the sites on this pools base on the load of each site.
There are no immediate answer to Sitecore performance tuning. But here are some vital tips:
1) CACHING
Caching is everything. The default Sitecore cache parameters are rarely correct for any application. If you have lots of memory, you should increase the cache sizes:
http://learnsitecore.cmsuniverse.net/en/Developers/Articles/2009/07/CachingOverview.aspx
http://sitecorebasics.wordpress.com/2011/03/05/sitecore-caching/
http://blog.wojciech.org/?p=9
Unfortunately this is something the developer should be aware of when deploying an installation, not something the system admin should care about...
2) DATABASE
The database is the last bottleneck to check. I rarely touch the database. However, the DB performance can be increased with the proper settings:
Database properties that improves performance:
http://www.theclientview.net/?p=162
This article on index fragmentation is very helpful:
http://www.theclientview.net/?p=40
Can't speak for Sitefinity, but will come with some tips for Sitecore.
Use Sitecores caching whenever possible, esp. on XSLTs (as they tend to be simpler than layouts & sublayouts and therefore Sitecore caching doesn't break them, as Sitecore caching does to asp.net postbacks), this ofc will only help if rederings & sublayouts etc are accessed a lot. use /sitecore/admin/stats.aspx?site=website to check stuff that isn't cached
Use Sitecores profiler, open up an item in the profiler and see which sublayouts etc are taking time
Only use XSLTs for the simplest content, if it get anymore complicated than and I'd go for sublayouts (asp.net controls), this is a bit biased as I'm not fond of XSLT, but experience indicates that .ascx's are faster
Use IIS' content expiration on the static files (prob all of /sitecore and if you have some images, javascript & CSS files) this is for IIS 6: msdn link
Check database access times with Sitecore Databasetest.aspx (the one for Sitecore 6 is a lot better than the simple one that works on Sitecore 5 & 6) Sitecore SDN link
And that's what I can think of from the top of my head.
Sitecore has a major flaw, its uses GUIDs for primary keys (amongst other poorly chosen data types), this fragments the table from the first insert and if you have a heavily utilised Sitecore database the fragmentation can be greater than 90% within an hour. These is not a well-designed database and recommend looking at other products until they fix this, it is causing us a major performance headache (time and money).
We are at a stand still we cannot add anymore RAM cannot rebuild the indexes more often
Also, set your IIS to recycle the app_pool ONLY once a day at a specific time. I usually set mine for 3am. This way the application never goes to sleep, recycle or etc. Best to reduce spin up times.
Additionally configure IIS to 'always running' instead of 'on starup'. This way, when the application restarts, it recompiles immediately and again, is ready to roar.
Sitefinity is really a fantastic piece of software (hopefully my tips above get the thumbs up, and not my endorsement of the product). haha

Tools and methods for live-monitoring ASP.NET web applications?

I think many developers know that uncomfortable feeling when users tell them that "The application is slow (again)."
In a complex web application there can be many possible reasons for a degradation in (perceived) performance: slow database response, bandwidth issues, bad caching etc. There certainly are issues which will never occur in a development or staging environment.
Now my question:
Is there a set of tools and/or methods which would provide a comprehensive "live" state on a IIS/ASP.NET/SQL Server production system in a visually way (not just performance counters):
Current HTTP requests (say the last n minutes)
Exceptions / timeouts
Bandwidth data
Number of open database connections / database calls
...
The primary goal is to see at a glance (or after looking closer) what problem is causing the performance problems.
I think the category of software you're looking for is ".net profiler" or ".net tracer". One such tool that you might consider is JetBrains' dotTrace. It gives you runtime stack traces and an array of counters that indicate possible bottlenecks.
Previously mentioned tools will certainly work. At our shop we needed finer information and built our own solution (long story: it was easier to code than to argue about tools and retrievable data).
I used LogParser to flip through the IIS logs and create output reports of those logs (e.g. result code breakdowns etc).
I used a combination of performance counters and WMI values to get the rest - you can read these using some pretty straightforward C# - this gives you full control that you can then dump to .csv etc for viewing/processing in excel or if you are updating a page as a control center.
I would probably also look at IIS.net as a great resource for IIS tools including debugging, security etc.
I followed urig's advice and found this software called SmartInspect.
Does anybody know this logging/monitoring tool? It seems to be a combination of real time console and developer library.
CLR 4.5 will have some new capabilities that will help you monitor ASP.NET performance live - without restarting your app. Basically you can re-JIT your code to include some monitoring-hooks in it, and then inspect time spent in classes/methods etc.
I'm sure dotTrace and other profiling tools will leverage this automatically, but it's worth checking out: C9 - Inside Re-JIT with David Broman

Is no FileIOPermission on paid webhosting normal?

I'm currently buying webhosting on a shared server with uses IIS6 and ASP.NET2.0 (They advertise 3.5 but investigation on my part has proven this to be false).
I did some legwork to make my 3.5-sensitive ASP.NET apps compile on my hosting then discovered another problem: My apps are failing at 'File.Open()' calls due to no FileIOPermissions.
I've called Technical Support and they've advised me this permission is only available if I configure IIS6 to use .NET 1.1 only. Am I out of line by thinking this is just not good enough?
This is something that should have been nutted out before starting to pay them, unless this disk access is a new requirement.
I can see it from their point of view. Every extra bit of power your apps have gives you more ability to shoot yourself (and more importantly, them) in the foot.
But I don't know why they'd allow it for an earlier .NET version, that seems bizarre.
I would make it clear that this is a deal-breaker. They might recapitulate, or you may have to move elsewhere. Either way, your problem will be solved.

Resources