Contents
Overview 1
Requirements of a Web Application 2
What is New in ASP.NET? 3
Sharing Information Between Pages 14
Securing an ASP.NET Application 24
Deployment 37
Lab 7: Creating an ASP.NET Web
Application 38
Review 39

Module 7: Creating an
ASP.NET Web
Application
BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY

Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

 2000 Microsoft Corporation. All rights reserved.

Microsoft, BackOffice, MS-DOS, Windows, Windows NT, <plus other appropriate product
names or titles. The publications specialist replaces this example list with the list of trademarks
provided by the copy editor. Microsoft is listed first, followed by all other Microsoft trademarks
in alphabetical order. > are either registered trademarks or trademarks of Microsoft Corporation
in the U.S.A. and/or other countries.

<The publications specialist inserts mention of specific, contractually obligated to, third-party
trademarks, provided by the copy editor>

Other product and company names mentioned herein may be the trademarks of their respective
owners.


Module 7: Creating an ASP.NET Web Application iii

BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY

Instructor Notes
This module describes how to enhance the functionality of a Web application
by using ASP.NET. The modules covers technologies like state maintenance,
caching, and authentication. You will also learn how to deploy an ASP.NET
application.
In the lab, students will use cookie authentication, use ASP.NET caching, and

maintain the state of an application by saving data in a database.
After completing this module, students will be able to:
!
Describe cookie-less sessions.
!
Set up cookie-less sessions in the config.web file.
!
Use event procedures in global.asax.
!
Describe page caching.
!
Describe the various methods for maintaining state.
!
Maintain session state using session variables.
!
Share information between pages.
!
Describe how authentication works.
!
Set up authentication for an application in config.web.
!
Describe deployment in ASP.NET applications.

Materials and Preparation
This section provides the materials and preparation tasks that you need to teach
this module.
Required Materials
To teach this module, you need the following materials:
!
Microsoft

®
PowerPoint
®
file 2063A_07.ppt
!
Module 7, “Creating an ASP.NET Web Application” (2063A_07.doc)
!
Lab, “Creating an ASP.NET Web Application” (2063A_L07.doc)

Preparation Tasks
To prepare for this module, you should:
!
Read all of the materials for this module.
!
Complete all the demonstrations.
!
Complete the lab.

Presentation:
120 Minutes

Lab:
30 Minutes
iv Module 7: Creating an ASP.NET Web Application

BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY

Module Strategy
Use the following strategy to present this module:
!

Requirements of a Web Application
Discuss the requirements of a Web application. You could also ask students
who have experience in Web development to talk about what they think are
the major requirements for a Web application.
!
What is New in ASP.NET?
This section focuses on the new features in ASP.NET as compared to ASP.
It talks about cookie-less sessions, sections in config.web, new events and
directives in global.asax, and page caching. Since these are totally new
concepts, go through it slowly, and spend time to explain the need and
advantages of each of these.
!
Maintaining State
This section talks about the various methods used for maintaining state.
ASP.NET cache and sharing information between pages are the new
concepts. There is a demonstration on sharing information between pages to
reinforce this concept.
Students will be more familiar with session and application variables, and
saving state in a database. The section also includes a demonstration on
using session variables for saving state.
!
Security
Talk about the authentication, authorization, and impersonation. Tell
students about the difference between these. Cookie-based authentication is
totally new for students. Spend a lot of time explaining the architecture and
the data flow in cookie-based authentication.
!
Deployment
This is mostly a reinforcement of what they learned in Module 04,
"Separating Code from Content" about deploying components.


Module 7: Creating an ASP.NET Web Application 1

BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY

Overview
!
Requirements of a Web Application
!
What is New in ASP.NET?
!
Sharing Information Between Pages
!
Securing an ASP.NET Application
!
Deployment


Just like ASP, ASP.NET also supports the concept of a Web application along
with application specific settings and services. An ASP.NET application is
defined as all the files, pages, handlers, modules, and executable code that can
be invoked from a virtual directory and its sub-directories on a Web application
server.
In this module, you will learn about some of files used for building Web
applications, and also about some of the features of an ASP.NET application,
such as maintaining state and authentication. You will also learn how to
configure and deploy an ASP.NET application.
After completing this module, you will be able to:
!
Describe cookie-less sessions.

!
Set up cookie-less sessions in the config.web file.
!
Use event procedures in global.asax.
!
Set up page output caching for ASP.NET pages.
!
Share information between pages of an ASP.NET application using the
ASP.NET cache, config.web, session variables, and a database.
!
Describe how authentication works.
!
Set up authentication for an application in config.web.
!
Describe deployment in ASP.NET applications.

Topic Objective
To provide an overview of
the module topics and
objectives.
Lead-in
In this module, you will learn
about the different aspects
of creating an ASP.NET
application.
2 Module 7: Creating an ASP.NET Web Application

BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY

Requirements of a Web Application

!
State maintenance
!
Security
!
Performance and scalability
!
Easy configuration
!
Easy deployment


A good Web application has the following requirements:
!
State maintenance
Web applications should be able to maintain state across pages. If state is
maintained between pages, information supplied by users can be reused and
they don't have to enter the same information several times.
!
Security
A good Web application should have security features. Most importantly, it
should be able to authenticate and authorize users who can access the
application.
!
Performance and scalability
All Web applications should be built with high-performance and scalability
in mind. Caching is an extremely important technique for building high-
performance and scalable Web server applications.
!
Easy configuration

Configuration is a very important aspect of any application. A central
requirement of any web application server is a rich and flexible
configuration system – one that enables developers to easily associate
settings with an installable application without having to embed values into
code, and enables administrators to easily adjust or customize these values
post-deployment.
!
Easy deployment
One of the biggest problems with applications has been their deployment. A
good Web application should be easy to deploy and should require
minimum effort.

Topic Objective
To describe the
requirements of a Web
application.
Lead-in
When designing a Web
application, you should keep
in mind some of the basic
requirements of a good Web
application.
Module 7: Creating an ASP.NET Web Application 3

BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY

#

What is New in ASP.NET?
!

Cookie-less Session IDs
!
Configuration File (Config.web)
!
Setting Up Cookie-less Sessions in Config.web
!
Global Application File (global.asax)
!
Demonstration: Using Event Procedures in Global.asax
!
Page Caching


In addition to all the features provided by ASP, ASP.NET provides several
additional features to enhance the functionality of an application. This section
focuses on the additional features in ASP.NET.
Topic Objective
To describe what is new in
ASP.NET application files.
Lead-in
ASP.NET provides many
new features for Web
applications as opposed to
ASP.
4 Module 7: Creating an ASP.NET Web Application

BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY

Cookie-less Session IDs
!

Each active session is identified and tracked using
Session IDs
!
SessionIDs are communicated across client-server
requests using an HTTP cookie or a "Munged URL “
!
Using a cookie
$
Default mechanism for storing SessionIDs
!
Cookie-less sessions
$
Information is encoded into URLs
http://server/(h44a1e55c0breu552yrecobl)/page.aspx
http://server/(h44a1e55c0breu552yrecobl)/page.aspx


Each active session within ASP.NET is identified and tracked using a 120-bit
SessionID string containing URL-legal ASCII characters. SessionID values are
generated using an algorithm that guarantees uniqueness and randomness.
SessionIDs are communicated across client-server requests using either an
HTTP cookie or a "Munged URL".
Using Cookies
Cookies are a mechanism by which data can be maintained in a file on the
user's computer. By default, SessionIDs are stored in cookies.
However, users can turn off cookies through a setting in their browser. Thus,
there is a risk that your Web application will not work if it requires session
information and a user has turned off cookies.
Using Cookie-less Sessions
The use of cookie-less sessions is a new concept in ASP.NET.

This method uses URLs as opposed to cookies to pass the SessionID to an
ASP.NET page. It involves encoding data into a URL, which is done
automatically by the browser. This enables you to now use session state even
with browsers that have cookie support disabled.
For example, the browser would generate the following URL for a request to
the ShoppingCart.aspx page on the http://localhost/conference web site:
http://localhost/conference/(h44a1e55c0breu552yrecobl)/ShoppingCart.aspx
To enable cookie-less sessions, add the following to the config.web
configuration file:
<sessionstate cookieless="true" />

Topic Objective
To describe cookie-less
sessions.
Lead-in
In ASP, a sessions was
identified by a cookie kept
on the user's computer. In
ASP.NET, sessions can be
cookie-less.
Module 7: Creating an ASP.NET Web Application 5

BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY

Configuration File (Config.web)
!
All configuration information for an ASP.NET
application is contained in config.web
!
Config.web can be placed in the same folder as the

application files
!
Contains sections for each major category of ASP.NET
functionality
$
<sessionstate>, <security>, <appsettings> , <trace>
<configuration>
<trace enabled="true"
requestlimit="40" pageoutput="true"/>
</configuration>
<configuration>
<trace enabled="true"
requestlimit="40" pageoutput="true"/>
</configuration>


ASP.NET configuration uses hierarchical configuration architecture. All
configuration information for an ASP.NET application is contained in
configuration files named config.web that can be placed in the same directories
as the application files. Child directories inherit the parent's settings unless
overridden by a config.web file in the child directory.
If a config.web file is present at the root directory of a Web server, for example
"Inetpub\wwwroot", the configuration settings will apply to every application in
that server.

Presence of a config.web file within a given directory or application root
is completely optional. If a config.web file is not present, then all configuration
settings for the directory are automatically inherited from the parent directory.

Topic Objective

To describe the config.web
file.
Lead-in
All configuration information
for ASP.NET is contained in
configuration files named
config.web.
Note
6 Module 7: Creating an ASP.NET Web Application

BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY

In a config.web file, there are sections for each major category of ASP.NET
functionality, as shown in the following table.
Section name Description

<browsercaps> Responsible for controlling the settings of the browser
capabilities component.
<compilation> Responsible for all compilation settings used by ASP.NET.
<globalization> Responsible for configuring the globalization settings of an
application.
<httpmodules> Responsible for configuring Http Modules within an application.
Http Modules participate in the processing of every request into
an application, and common uses include security and logging.
<httphandlers> Responsible for mapping incoming URLs to IHttpHandler
classes. Sub-directories do not inherit these settings. Also
responsible for mapping incoming URLs to
IHttpHandlerFactory classes. Data represented in
<httphandlerfactories> sections are hierarchically inherited by
sub-directories.

<iisprocessmodel> Responsible for configuring the ASP.NET process model
settings on IIS Web Server Systems.
<security> Responsible for all security settings used by the ASP.NET
security HttpModule.
<sessionstate> Responsible for configuring the session state HttpModule.
<trace> Responsible for configuring the ASP.NET trace service.

ASP.NET configuration settings are represented within these configuration
sections. For example, as you saw in Module 5: Using Trace in ASP.NET
Pages, you can turn the trace feature on for an entire application in the <trace>
configuration section as follows:
<configuration>
<trace enabled="true"
requestlimit="40" pageoutput="true"/>
</configuration>

Module 7: Creating an ASP.NET Web Application 7

BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY

Setting Up Cookie-less Sessions in Config.web
!
Session state is configured in the <sessionstate>
section of Config.web
!
<sessionstate> supports five settings:
$
inproc= "[true/false]"
$
cookieless= "[true/false]"

$
timeout="[true/false]"
!
Setting up Cookie-less session
<sessionstate
cookieless="true"
/>
<sessionstate
cookieless="true"
/>
$
server="[server name]"
$
port="[port number]"


Session state features can be configured via the <sessionstate> section in the
config.web file. The <sessionstate> section sets the behavior of the session
state throughout the application. It supports five settings. The following table
lists the settings and their descriptions.

Setting Description

cookieless="[true/false]" Indicates whether or not cookies should be used to store
SessionIDs. The default value is false; cookies are used.
inproc="[true/false]" Specifies whether or not the session should be stored on
the server, or whether it should be stored on a separate
state server. The default setting is true. The session is
stored on the server.
port="[port number]" Specifies the port number on the remote session state

server. It is only required if the inproc property is set to
false.
server="[server name]" Specifies the server to use to store remote session state. It
is only required if the inproc property is set to false.
timeout="[true/false]" Specifies for how long ( in minutes) should a session be
valid. The default value is 20 minutes.

Topic Objective
To learn how to set up
cookie-less sessions in
config.web.
Lead-in
As you learned in the
previous topic, config.web
has a section for major
application functionalities.
8 Module 7: Creating an ASP.NET Web Application

BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY

For example, to double the default timeout of 20 minutes the following can be
added to the config.web of an application:
<sessionstate timeout="40" />

Setting Up Cookie-less Session
By default ASP.NET uses cookies to identify requests, which belong to one
session. If cookies are not available, a session can be tracked by adding a
session identifier to the URL. You can enable cookie-less sessions as follows:
<sessionstate cookieless="true" />


Module 7: Creating an ASP.NET Web Application 9

BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY

Global Application File (global.asax)
!
Application directives
$
Import
!
Global.asax supports more than 15 events
$
As page is requested: BeginRequest,
AuthenticateRequest, AuthorizeRequest
$
As page is returned: EndRequest
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SQL" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SQL" %>


Similar to ASP, ASP.NET supports one global declarative file per application
for application events and state called global.asax. The global.asax file is
similar to ASP's global.asa, with the exception of application directives and
new events.

In ASP.NET, global.asax can be used as an asax file or as a component
that can be deployed in the application's /bin directory.


Application Directives
Application directives specify optional settings used by the compiler when
processing files. Application directives are located at the top of the global.asax
file.
<%@ directive attribute=value [attribute=value … ]%>

Like ASP, ASP.NET supports the use of application directives in the
global.asax file. However, ASP.NET includes additional application directives.
Import
The Import directive explicitly imports a namespace into an application,
making all classes and interfaces of the imported namespace available to the
application.
<%@ Import namespace="value" %>

You must use a single @ Import directive for each namespace you want to
import.
Topic Objective
To describe the global.asax
file.
Lead-in
Global.asax is very similar
to the Global.asa file in
ASP, with the exception of
directives and new events.
Note
10 Module 7: Creating an ASP.NET Web Application

BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY

The following code uses @ Import directives to import the System.Data and

System.Data.SQL namespaces for use throughout an application.
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SQL" %>

Events
The event model provided by ASP.NET supports more than fifteen events. This
is different from global.asa, which only had Application and Session OnStart
and OnEnd events.
For example, in ASP, if you wanted some code to run at the beginning of every
page, you would have to use an include file at the top of every ASP page. Using
the ASP.NET global.asax file, you can simply declare the code in the
Application_BeginRequest event procedure, which is called at the beginning of
every request for the application.
Sub Application_BeginRequest(s As Object, e As EventArgs)
...
End Sub

ASP.NET still supports the Application and Session Start and End event
procedures, but Global.asax also includes events that are fired when a client
requests a page. The following table lists events that can be used when a page is
requested.
Event Name Description

Application_Error The Error event is fired when an unhandled
error occurs within an application.
Application_BeginRequest It is fired whenever a new request is
received.
Application_AuthenticateRequest This event indicates that the rquest is ready
to be authenticated.
Application_AuthorizeRequest The event signals that the request is ready

to be authorized.
Application_ResolveRequestCache This event is used by the output cache
module to short-circuit the processing of
requests that have been cached.
Application_AcquireRequestState This event signals that per-request state
should be obtained.
Application_PreRequestHandlerExecute This event signals that the request handler
is about to execute.

Example
Module 7: Creating an ASP.NET Web Application 11

BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY

Global.asax also includes events that are fired when the requested page is sent
back to the client.
Event name Description

Application_PostRequestHandlerExecute This event is first available after the
handler such as ASP.NET page or Web
service has completed its work.
Application_ReleaseRequestState This event is called when the request state
should be stored, since the application is
finished with it.
Application_UpdateRequestCache Signals that code processing is complete
and the file is ready to be added to the
ASP.NET cache.
Application_EndRequest This event is the last event called when
the application ends.
Application_PreRequestHeaderSent Provides the opportunity to add remove or

update headers and the response body.

12 Module 7: Creating an ASP.NET Web Application

BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY

Demonstration: Using Event Procedures in Global.asax
Global.asax


In this demonstration, you will see how to display events fired in the
global.asax file.
Topic Objective
To demonstrate how using
event procedure
Lead-in
In this demonstration, you
will see how to display
events fired in the
global.asax file.
Delivery Tip
1. Copy the file <install
folder>\democode\Mod07\gl
obal.asax to the <install
folder> folder. (this is the
root of the 2063 virtual
directory)
2. Open the file global.asax
and show the
Response.Write statements

in the event procedures.
3. View
/2063/Mod07/GlobalEvent.a
spx in Internet Explorer and
explain the order of the
events.
4. Delete the global.asax file
from the root of the 2063
virtual directory.
Module 7: Creating an ASP.NET Web Application 13

BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY

Page Caching
!
Output caching
$
Caches content generated from dynamic pages
$
Page is compiled into IL and native code
$
Native code is cached as Page class and is available to
serve for the next request
$
Page class is updatedwhen the source ASP.NET file is
changed or cache timeout happens
!
Setting the cache timeout
<%@ OutputCache Duration= "900" %>
<%@ OutputCache Duration= "900" %>



Page caching allows you to cache dynamic content. When an ASP.NET page is
accessed for the first time, the page is compiled into Intermediate Language
(IL) and to native code. This native code is cached as Page class and is
available to serve for the next request. This cached Page class is updated/rebuilt
when the source ASP.NET file is changed or the cache timeout is reached.
The cache timeout value can be specified via the output cache page directive.
For example, in order to cache an ASP.NET page for 15 minutes, add the
following @OutputCache directive to the .aspx page:
<%@OutputCache Duration="900" %>

This cache option is very useful for pages that don’t change often or for a given
time period.
Topic Objective
To describe page caching.
Lead-in
One of the problems with
dynamic pages is that they
are less scalable and
require many server
resources. One of the
solutions adopted in order to
solve the problem has been
to batch process files.
ASP.NET provides the
output cache feature to
solve the problem of
scalability.
Setting the cache

timeout