Vous êtes sur la page 1sur 31



ASP.NET is a web development platform, which provides a programming model, a
comprehensive software infrastructure and various services required to build up
robust web applications for PC, as well as mobile devices.
ASP.NET works on top of the HTTP protocol, and uses the HTTP commands and
policies to set a browser-to-server bilateral communication and cooperation.
ASP.NET is a part of Microsoft .Net platform. ASP.NET applications are compiled
codes, written using the extensible and reusable components or objects present in
.Net framework. These codes can use the entire hierarchy of classes in .Net
The ASP.NET application codes can be written in any of the following languages:
Visual Basic.Net

ASP.NET is used to produce interactive, data-driven web applications over the

internet. It consists of a large number of controls such as text boxes, buttons, and
labels for assembling, configuring, and manipulating code to create HTML pages.



ASP.NET is a set of web development technologies produced by Microsoft that is
used to build dynamic web sites, web applications, and XML-based web applications.
ASP.NET is a part of the .NET framework and allows for developers to build
applications in multiple languages, such as Visual Basic .NET, JScript .NET, and C#.


ASP.NET attempts to make the web development methodology like the GUI
development methodology by allowing developers to build pages made up of controls
similar to a GUI. Server controls in ASP.NET function similarly to GUI controls in
other environments. Buttons, text boxes, labels, and data grids have properties that
can be modified and expose events that may be processed. The ASP.NET server
controls know how to display their content in an HTML page just like GUI-based user
controls know how to display themselves in their GUI environment. An added benefit
of ASP.NET is that the properties and methods of the web server controls are similar,
and in some cases the same as the comparable controls in the Windows GUI/Windows
Forms environment.

.Net is a framework which is developed by Microsoft Corporation. The first .Net
framework version was released in late 2000. .Net framework is a platform or we can
say an environment in which window based application execute.
The .Net framework is a runtime execution environment that manages applications
that target the .Net framework. It consists of the COMMON LANGUAGE
RUNTIME (CLR), which provides memory management and other system services,
and an extensive class library, which enables programmers to take advantage of
robust, reliable code for all major areas of application development. .Net framework
runs primarily on Microsoft Windows.

Fig: 3 - Block diagram for .Net framework


What is Common Language Runtime (CLR)?

The .NET Framework provides a run-time environment called the common language
runtime, which runs the code and provides services that make the development
process easier. A process known as just-in-time compilation converts compiled code
into machine instructions which the computer's CPU then executes. The CLR
provides additional services including memory management, type safety, exception
handling, garbage collection, security and thread management. All programs written
for the .NET framework, regardless of programming language, are executed by the
CLR. The common language runtime makes it easy to design components and
applications whose objects interact across languages. Objects written in different
languages can communicate with each other, and their behaviours can be tightly
integrated. For example, you can define a class and then use a different language to
derive a class from your original class or call a method on the original class. You can
also pass an instance of a class to a method of a class written in a different language.
This cross-language integration is possible because language compilers and tools that
target the runtime use a common type system defined by the runtime, and they follow
the runtime's rules for defining new types, as well as for creating, using, persisting,
and binding to types. All versions of the .NET framework include CLR.
Benefits Provides by the CLR:

Performance improvements.

The ability to easily use components developed in other languages.

Extensible types provided by a class library.

Language features such as inheritance, interfaces, and overloading for objectoriented programming.

Support for explicit free threading that allows creation of multithreaded, scalable

Support for structured exception handling.

Support for custom attributes.

Garbage collection.


Microsoft Intermediate Language (MSIL)

When compiling to managed code, the compiler translates your source code into
Microsoft intermediate language (MSIL), which is a CPU-independent set of
instructions that can be efficiently converted to native code. MSIL includes
instructions for loading, storing, initializing, and calling methods on objects, as well
as instructions for arithmetic and logical operations, control flow, direct memory
access, exception handling, and other operations. Before code can be run, MSIL must
be converted to CPU-specific code, usually by a just-in-time (JIT) compiler. Because
the common language runtime supplies one or more JIT compilers for each computer
architecture it supports, the same set of MSIL can be JIT-compiled and run on any
supported architecture.
When a compiler produces MSIL, it also produces metadata. Metadata describes the
types in your code, including the definition of each type, the signatures of each type's
members, the members that your code references, and other data that the runtime uses
at execution time. The MSIL and metadata are contained in a portable executable (PE)
file that is based on and extends the published Microsoft PE and common object file
format (COFF) used historically for executable content. This file format, which
accommodates MSIL or native code as well as metadata, enables the operating system
to recognize common language runtime images. The presence of metadata in the file
along with the MSIL enables your code to describe itself, which means that there is no
need for type libraries or Interface Definition Language (IDL). The runtime locates
and extracts the metadata from the file as needed during execution.

Fig: 3.2 - Block diagram for CLR processing


As we earlier discuss that What is .NET? and we get an overview of .Net

framework and its some important components in the process. Now we can discuss
about the ASP.NET.
ASP.NET is Microsofts next generation technology for creating server side web
applications. It is built on the Microsoft .NET framework, which is a cluster of closely
related technologies that revolutionize everything from database access to distributed
applications. ASP.NET is one of the most important components of the .NET
framework; it is the part that enables you to develop high performance web
applications. ASP was designed as a quick and dirty set of tools for inserting dynamic
content into ordinary web pages. By contrast, ASP.NET is a full-blown platform for
developing comprehensive, blisteringly fast web applications.ASP.NET is a web
development platform, which provides a programming model, a comprehensive
software infrastructure and various services required to build up robust web
applications for PC, as well as mobile devices.
ASP.NET works on top of the HTTP protocol, and uses the HTTP commands and
policies to set a browser-to-server bilateral communication and cooperation.ASP.NET
is a part of Microsoft .Net platform.
The ASP.NET application codes can be written in any of the following languages:

Visual Basic .Net

ASP.NET is used to produce interactive, data-driven web applications over the

internet. It consists of a large number of controls such as text boxes, buttons, and
labels for assembling, configuring, and manipulating code to create HTML pages.
The Pillars of ASP.NET are as follows :
1. ASP.NET is integrated with the .NET framework.
2. ASP.NET is compiled, not interpreted.
3. ASP.NET is Multilanguage.

4. It is hosted by the Common Language Runtime (CLR).

5. It is object oriented.
6. ASP.NET supports all browsers.



As we know every new version of anything comes with new features and these
features differs the old version and new version. Same as here, there are some major
differences between ASP and ASP.NET



1.) ASP is related to the process isolation 1.) The process model in ASP.Net is
unrelated to the process isolation setting
setting in IIS.
2.) Classical ASP has no mechanism of




in IIS.

non-Microsoft 2.) ASP.NET could be run on non-Microsoft

platform also. Cassini is a sample web

3.) In ASP, only two languages


available for scripting VB script and


server produced by Microsoft which,

among other projects has been used to
host ASP.Net with Apache.

4.) ASP engine executes server side code, 3.) Any fully compliant .Net language can
which is always through an interpreter

now be used with ASP.Net, including C#

(Jscript and VB Script).

and VB.NET.

5.) In ASP, it was very difficult for us to 4.) ASP.Net pages are always compiled
debug the application. ASP developers


had time to debug application due to


limited support due to the interpreted






5.) But in ASP.Net in addition to improved

performance over the interpreted model,
pages that are compiled into class can be
debugged using the same debugging
tools available to desktop applications or
component developers.



a) MVC Framework: The MVC Framework is an architectural pattern that is used
in software engineering. In programming, it is very general t split an application
into separate layers, such as presentation (UI), logic, and data access layers that
run on different computers. The presentation layer is further separated into two
parts, such as view and controller, in MVC.

b) ADO.NET Entity Framework: The ADO.NET Entity Framework enables

developers to create data access applications by programming against a conceptual
application model instead of programming directly against a relational storage
schema. The goal is to decrease the amount of code and maintenance required for
data-oriented applications. Entity Framework applications provide the following

Applications can work in terms of a more application-centric conceptual

model, including types with inheritance, complex members, and relationships.

Applications are freed from hard-coded dependencies on a particular data

engine or storage schema.

Mappings between the conceptual model and the storage-specific schema

can change without changing the application code.

Developers can work with a consistent application object model that can
be mapped to various storage schemas, possibly implemented in different
database management systems.

Multiple conceptual models can be mapped to a single storage schema.

Language-integrated query (LINQ) support provides compile-time syntax

validation for queries against a conceptual model.

c) ADO.NET Data Services Framework: WCF Data Services (formerly known as

"ADO.NET Data Services") is a component of the .NET Framework that
enables you to create services that use the Open Data Protocol (OData) to expose
and consume data over the Web or intranet by using the semantics
of representational state transfer (REST). OData exposes data as resources that
are addressable by URIs. Data is accessed and changed by using standard HTTP
verbs of GET, PUT, POST, and DELETE. OData uses the entity-relationship
conventions of the Entity Data Model to expose resources as sets of entities that
are related by associations.

WCF Data Services uses the OData protocol for addressing and updating
resources. In this way, you can access these services from any client that supports
OData. OData enables you to request and write data to resources by using wellknown transfer formats: Atom, a set of standards for exchanging and updating
data as XML, and JavaScript Object Notation (JSON), a text-based data exchange
format used extensively in AJAX application.

WCF Data Services can expose data that originates from various sources as
OData feeds. Visual Studio tools make it easier for you to create an OData-based
service by using an ADO.NET Entity Framework data model. You can also create
OData feeds based on common language runtime (CLR) classes and even latebound or un-typed data.

d) The Silverlight Technology: Microsoft Silverlight is a cross-browser, crossplatform implementation of the .NET Framework for building and delivering the
next generation of media experiences and rich interactive applications (RIA) for
the Web. You can also create Silverlight applications that run outside of the
browser on your desktop. Finally, you use the Silverlight framework to create

applications for Windows Phone. Silverlight uses the Extensible Application

Markup Language (XAML) to ease UI development (e.g. controls, animations,
graphics, layout, etc.) while using managed code or dynamic languages for
application logic.

e) Dynamic Data Framework: ASP.NET dynamic data is a framework that allows

you to easily build data-driven web applications based on the foundation of the
entity framework data model. The purpose of a data model is to represent the
information about the items present in a database,. It also depicts the relation
between different items of the database.



.NET uses a "visited composites" rendering technique. During compilation, the template
(.aspx) file is compiled into initialization code which builds a control tree (the composite)
representing the original template. Literal text goes into instances of the Literal control class,
and server controls are represented by instances of a specific control class. The initialization
code is combined with user-written code (usually by the assembly of multiple partial classes)
and results in a class specific for the page. The page doubles as the root of the control tree.
Actual requests for the page are processed through a number of steps. First, during the
initialization steps, an instance of the page class is created and the initialization code is
executed. This produces the initial control tree which is now typically manipulated by the
methods of the page in the following steps. As each node in the tree is a control represented
as an instance of a class, the code may change the tree structure as well as manipulate the
properties/methods of the individual nodes. Finally, during the rendering step a visitor is used
to visit every node in the tree, asking each node to render itself using the methods of the
visitor. The resulting HTML output is sent to the client.

After the request has been processed, the instance of the page class is discarded and with it
the entire control tree. This is a source of confusion among novice ASP.NET programmers
who rely on the class instance members that are lost with every page request/response cycle.


Rendering refers to the process of creating a visual representation on a display surface. In the
case of Web requests, the actual rendering is performed by a client's Web browser or other
viewing device.
The task of the ASP.NET page framework is to send HTML (or text in another markup
language such as XML or WML) in response to a Web request.
The task of a page (and its child controls) is to write the markup content to an output stream.
For this purpose, the base class System.Web.UI.Control provides the Render method.


Rendering Methods in WebControl:

In addition to the rendering methods provided by the base class Control,

the System.Web.UI.WebControls.WebControl class provides several other methods
to facilitate rendering.

The AddAttributesToRender method





from WebControl to specify additional HTML attributes and cascading style-sheet

styles to be rendered. Note the call to base.AddAttributestoRender, which ensures
that the attributes rendered by the base class are preserved.



Web server controls are a second set of control designed with a different emphasis. They do
not necessary map one-to-one to HTML server control. Instead, they are defined as abstract
controls in which the actual markup rendered by the control by the control can be quite
different from the model that you program against. For example, a RadioButtonList web
server control might be rendered in a table or as inline text with other markup.

Web server controls include traditional from controls such as buttons and text boxes a well as
complex control such as tables. They also include control that provide commonly used from
functionality such as displaying data in a grid, choosing dates, displaying menus, and so on.
Web server controls offer all of the features described above for HTML server controls
(except one-to-one mapping to elements) and these additional features:

A rich object model that provides type-safe programming capabilities.

Automatic browser detection. The controls can detect browser capabilities and render
appropriate markup.

For some controls, the ability to define you own layout for the control using

For some controls, the ability to specify whether a controls event causes immediate
posting to the server or is instead cached and raised when the page is submitted.

Support for themes, which enables you to define a consistent look for controls
throughout your site for details, see ASP.NET Themes and Skins.

Ability to pass events from a nested control (such as a button in a table) to the
container control.

ASP.NET server controls are identified within a page using declarative tags that contain a








runat=server>server controls and customizes the text and style properties of each one


ASP.NET - HTML Server Controls

HTML server controls are HTML tags understood by the server.HTML elements in
ASP.NET files are, by default, treated as text. To make these elements programmable,
add a runat="server" attribute to the HTML element. This attribute indicates that the
element should be treated as a server control. The id attribute is added to identify the
server control. The id reference can be used to manipulate the server control at run
Note: All HTML server controls must be within a <form> tag with the runat="server"
attribute. The runat="server" attribute indicates that the form should be processed on
the server. It also indicates that the enclosed controls can be accessed by server


ASP.NET - Web Server Controls

Web server controls are special ASP.NET tags understood by the server.Like HTML
server controls, Web server controls are also created on the server and they require a
runat="server" attribute to work. However, Web server controls do not necessarily
map to any existing HTML elements and they may represent more complex elements.

The syntax for creating a Web server control is:

<asp:control_name id="some_id" runat="server" />


ASP.NET - Validation Server Controls

Validation server controls are used to validate user-input. If the user-input does not
pass validation, it will display an error message to the user.
Each validation control performs a specific type of validation
By default, page validation is performed when a Button, ImageButton, or LinkButton
control is clicked. You can prevent validation when a button control is clicked by
setting the CausesValidation property to false.
The syntax for creating a Validation server control is:
<asp:control_name id="some_id" runat="server" />



A new instance of the Web page class is created each time the page is posted to the server. In
traditional Web programming, this would typically mean that all information associated with
the page and the controls on the page would be lost with each round trip. For example, if a
user enters information into a text box, that information would be lost in the round trip from
the browser or client device to the server.

To overcome this inherent limitation of traditional Web programming, ASP.NET includes

several options that help you preserve data on both a per-page basis and an application-wide
basis. These features are as follows:

View state

Control state

Hidden fields



Query strings

Application state

Session state

Profile Properties

Fig: 7 - Types of State Management in ASP.NET

The following sections describe options for state management that involve storing
information either in the page or on the client computer. For these options, no
information is maintained on the server between round trips.

7.1.1 View State


The ViewState property provides a dictionary object for retaining values

between multiple requests for the same page. This is the default method that the
page uses to preserve page and control property values between round trips.

When the page is processed, the current state of the page and controls is hashed
into a string and saved in the page as a hidden field, or multiple hidden fields if
the amount of data stored in the ViewState property exceeds the specified value
in the MaxPageStateFieldLength property. When the page is posted back to
the server, the page parses the view-state string at page initialization and
restores property information in the page.

7.1.2 Control State

Sometimes you need to store control-state data in order for a control to work
properly. For example, if you have written a custom control that has different
tabs that show different information, in order for that control to work as
expected, the control needs to know which tab is selected between round trips.
The ViewState property can be used for this purpose, but view state can be
turned off at a page level by developers, effectively breaking your control. To
solve this, the ASP.NET page framework exposes a feature in ASP.NET called
control state.

The ControlState property allows you to persist property information that is

specific to a control and cannot be turned off like the ViewStateproperty.

7.1.3 Hidden Fields


ASP.NET allows you to store information in a HiddenField control, which

renders as a standard HTML hidden field. A hidden field does not render visibly
in the browser, but you can set its properties just as you can with a standard
control. When a page is submitted to the server, the content of a hidden field is
sent in the HTTP form collection along with the values of other controls. A
hidden field acts as a repository for any page-specific information that you want
to store directly in the page.

A HiddenField control stores a single variable in its Value property and must be
explicitly added to the page.

In order for hidden-field values to be available during page processing, you

must submit the page using an HTTP POST command. If you use hidden fields
and a page is processed in response to a link or an HTTP GET command, the
hidden fields will not be available.

7.1.4 Cookies

A cookie is a small amount of data that is stored either in a text file on the client
file system or in-memory in the client browser session. It contains site-specific
information that the server sends to the client along with page output. Cookies
can be temporary (with specific expiration times and dates) or persistent.

You can use cookies to store information about a particular client, session, or
application. The cookies are saved on the client device, and when the browser
requests a page, the client sends the information in the cookie along with the
request information. The server can read the cookie and extract its value. A


typical use is to store a token (perhaps encrypted) indicating that the user has
already been authenticated in your application.

7.1.5 Query Strings

A query string is information that is appended to the end of a page URL. A

typical query string might look like the following example:


In the URL path above, the query string starts with a question mark (?) and
includes two attribute/value pairs, one called "category" and the other called

Query strings provide a simple but limited way to maintain state information.
For example, they are an easy way to pass information from one page to
another, such as passing a product number from one page to another page where
it will be processed. However, some browsers and client devices impose a 2083character limit on the length of the URL.

In order for query string values to be available during page processing, you
must submit the page using an HTTP GET command. That is, you cannot take
advantage of a query string if a page is processed in response to an HTTP POST




ASP.NET offers you a variety of ways to maintain state information on the server,
rather than persisting information on the client. With server-based state management,
you can decrease the amount of information sent to the client in order to preserve
state, however it can use costly resources on the server. The following sections
describe three server-based state management features: application state, session state,
and profile properties.

7.2.1 Application State

ASP.NET allows you to save values using application state which is an

instance of the HttpApplicationState class for each active Web application.
Application state is a global storage mechanism that is accessible from all pages
in the Web application. Thus, application state is useful for storing information
that needs to be maintained between server round trips and between requests for
pages. For more information, see ASP.NET Application State Overview.

Application state is stored in a key/value dictionary that is created during each

request to a specific URL. You can add your application-specific information to
this structure to store it between page requests. Once you add your applicationspecific information to application state, the server manages it

7.2.2 Session State


ASP.NET allows you to save values by using session state which is an

instance of the HttpSessionStateclass for each active Web-application

Session state is similar to application state, except that it is scoped to the current
browser session. If different users are using your application, each user session
will have a different session state. In addition, if a user leaves your application
and then returns later, the second user session will have a different session state
from the first.

7.2.3 Profile Properties

ASP.NET provides a feature called profile properties, which allows you to store
user-specific data. This feature is similar to session state, except that the profile
data is not lost when a user's session expires. The profile-properties feature uses
an ASP.NET profile, which is stored in a persistent format and associated with
an individual user. The ASP.NET profile allows you to easily manage user
information without requiring you to create and maintain your own database. In
addition, the profile makes the user information available using a strongly typed
API that you can access from anywhere in your application. You can store
objects of any type in the profile..

To use profile properties, you must configure a profile provider. ASP.NET

includes a SqlProfileProvider class that allows you to store profile data in a
SQL database, but you can also create your own profile provider class that
stores profile data in a custom format and to a custom storage mechanism such
as an XML file, or even to a web service.


Because data that is placed in profile properties is not stored in application

memory, it is preserved through Internet Information Services (IIS) restarts and
worker-process restarts without losing data. Additionally, profile properties can
be persisted across multiple processes such as in a Web farm or a Web garden.


The application life cycle has the following stages:

User makes a request for accessing application resource, a page. Browser sends this

request to the web server.

A unified pipeline receives the first request and the following events take place:
o An object of the class ApplicationManager is created.


o An object of the class HostingEnvironment is created to provide

information regarding the resources.

o Top level items in the application are complied.
Response object are created. The application objects such as HttpContext, HttpRequest

and HttpResponse are created and initialized.

An instance of the HttpApplication object is created and assigned to the request.
The request is processed by the HttpApplication class. Different events are raised by this
class for processing the request.

Fig: 8 - Page-Lifecycle comparison in ASP.NET


Security is an important aspect of any application that spans physical, technological, and
policy decisions and requires a high degree of planning and domain knowledge. This tutorial
series is not intended as a guide for developing secure web applications. Rather, it focuses
specifically on forms authentication, authorization, user accounts, and roles. While some
security concepts revolving around these issues are discussed in this series, others are left


Sites that offer user accounts must provide a number of services. At a minimum, new visitors
need to be able to create an account and returning visitors must be able to log in. Such web
applications can make decisions based on the logged in user: some pages or actions might be
restricted to only logged in users, or to a certain subset of users; other pages might show
information specific to the logged in user, or might show more or less information, depending
on what user is viewing the page.
There are two types of main security provided by the ASP.NET:


An important part of any web applications is the ability to identify users and control
access to resources. The act of determining the identity of the requesting entity is
known as the authentication.
When a user enters a URL into their browser's address window or clicks on a link, the
browser makes a Hypertext Transfer Protocol (HTTP) request to the web server for
the specified content, be it an ASP.NET page, an image, a JavaScript file, or any other
type of content. The web server is tasked with returning the requested content. In
doing so, it must determine a number of things about the request, including who made
the request and whether the identity is authorized to retrieve the requested content.

By default, browsers send HTTP requests that lack any sort of identification
information. But if the browser does include authentication information then the web
server starts the authentication workflow, which attempts to identify the client making
the request. The steps of the authentication workflow depend on the type of
authentication being used by the web application. ASP.NET supports three types of
authentication: Windows, Passport, and forms.


9.1.1 Authentication via Windows Authentication

The Windows authentication workflow uses one of the following authentication

Basic authentication

Digest authentication

Windows Integrated Authentication

All three techniques work in roughly the same way: when an unauthorized,
anonymous request arrives, the web server sends back an HTTP response that
indicates that authorization is required to continue. The browser then displays a modal
dialog box that prompts the user for their username and password (see Figure 1). This
information is then sent back to the web server via an HTTP header.

Fig: 9.1.1-Windows Authentication in ASP.NET

The supplied credentials are validated against the web server's Windows User Store.
This means that each authenticated user in your web application must have a
Windows account in your organization. This is commonplace in intranet scenarios. In
fact, when using Windows Integrated Authentication in an intranet setting, the
browser automatically provides the web server with the credentials used to log on to
the network, thereby suppressing the dialog box shown in Figure 13.1.


9.1.2 Authentication via Forms Authentication

Forms authentication, on the other hand, is ideal for Internet web applications. Recall
that forms authentication identifies the user by prompting them to enter their
credentials through a web form. Consequently, when a user attempts to access an
unauthorized resource, they are automatically redirected to the login page where they
can enter their credentials. The submitted credentials are then validated against a
custom user store - usually a database.
After verifying the submitted credentials, a forms authentication ticket is created for
the user. This ticket indicates that the user has been authenticated and includes
identifying information, such as the username. The forms authentication ticket is
(typically) stored as a cookie on the client computer. Therefore, subsequent visits to
the website include the forms authentication ticket in the HTTP request, thereby
enabling the web application to identify the user once they have logged in.

Notice how the authentication and authorization pieces in ASP.NET act as two
separate entities. The forms authentication system identifies the user (or reports that
they are anonymous). The authorization system is what determines whether the user
has access to the requested resource. If the user is unauthorized (as they are in Figure
2 when attempting to anonymously visit ProtectedPage.aspx), the authorization
system reports that the user is denied, causing the forms authentication system to
automatically redirect the user to the login page.
Once the user has successfully logged in, subsequent HTTP requests include the
forms authentication ticket. The forms authentication system merely identifies the
user - it is the authorization system that determines whether the user can access the
requested resource.


Fig: 9.1.2- Forms Authentication and Authorization process between User and
Asp.Net Page

Authorization is the process of allowing authenticated users to access the resources by
checking whether the user has access rights to the system. Authorization helps you to
control access rights by granting or denying specific permissions to an authenticated

9.2.1 File authorization

File authorization is performed by the FileAuthorizationModule. It checks the

access control list (ACL) of the .aspx or .asmx handler file to determine whether a
user should have access to the file. ACL permissions are verified for the user's
Windows identity (if Windows authentication is enabled) or for the Windows
identity of the ASP.NET process.

9.2.2 URL authorization

URL authorization is performed by the UrlAuthorizationModule, which maps
users and roles to URLs in ASP.NET applications. This module can be used to
selectively allow or deny access to arbitrary parts of an application (typically
directories) for specific users or roles.