This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
While developing a web application the developers have to deal with many different aspects. Designing the pages, managing the page-flow and constructing the database are only some of them. This report will - focused on Asp.NET - examine some of the technical aspects of web application development. Application configuration, performance optimization and security will be described and suggestions will be made how to use these techniques and features.
One of the most important part of the web application are the configuration files. These files define rules and settings to enabled, disable and use functionalities the server offers. Changes in the configuration can have impacts in performance, security and even the usability of the server itself. Therefore in the beginning of the development progress these files should be configured to satisfy the requirements.
In Asp these files are written in XML and divided into a machine.config and one to several web.config files. Structured hierarchically first the machine.config is parsed. Following the main web.config and the subfolder configurations are parsed. Due to the fact that these configuration files are cached after parsing it is possible to edit the files on runtime (Meyne & Davis, 2002).
By implementing this hierarchical structure it is possible to have a file with general settings and on each hierarchical layer these settings can be extended for special purposes. In this architecture system-based configuration is managed in the machine.config, dealing mostly with machine specific values. These settings are applied to all applications on the server. Therefore the file should not be changed if not needed, to guarantee a functioning server for every running application. Further on application- and security settings are adjusted in the web.configs. These files are managing the application and subfolder specific settings (Stiefel & Oberg, 2002).
Managing the application by web.config files enables the developer to easily configure the used features and test changes on runtime. Also the application can easily be transferred to another server due to the fact, that the configuration is stored inside of the project. Despite this advantages it should not be neglected that that a security breach on these files can crash the whole application.
In the following sections topics are discussed which need optimized web.configs to function as considered.
Performance is an important feature to guarantee the user's satisfaction. An always available and fast application wins the user's confidence.
Therefore the mentioned possibility to improve application performance via the web.config should be used. Caching, Session-states and view-states and other features are managed in these files. Also not to neglect are the possible performance improvements due to well-structured code and hardware improvements.
Sessions are used to retain data for each user. This feature generates a cookie to identify the user with a key and afterwards the corresponding data can be reused until the session is expired or the session state is disposed. Doing so, the user does not need to reenter his data, but the application checks on every request for cookies and possible session states. This is a performance overhead if the session state is not required (Microsoft MSDN, 2004).
If no session state is needed, the web.config offers a setting to deactivate the feature. Else, the session state mode is manageable in-process, by a service or on a SQL-Server. Although it is the fastest method to maintain the state in-process because no serialization or marshaling is needed, it should be beard in mind that this method can cause the application to run out of memory. This risk should be evaluated before a decision about the session-state is made (Microsoft MSDN, 2004).
Another possibility of changing data caused by user activities is the view state. Programmatic changes are saved in hidden fields to enable on post back to load the changed data. Managing view states on a post back increases the CPU utilization and the page size. It also can impact the garbage collection because of the possible high size of the view state.
Before disabling the view state in the web.config it should be analyzed if the resources saving and faster answer time outweighs the loss of automatic generated programmatic change savings. For some applications this is not the case. Anyway the maximum size and the number of objects in the view state should be administered (Microsoft MSDN, 2004).
After dealing with these two optional changes one of the most important performance improvements will be covered in the following paragraph.
Caching is a technique to store frequently requested data in a swiftly reachable location. As a result, during the next request, the data can be fetched from the cache rather than being rebuilt by the application. This technique reduces request times and processor hits at the expense of storage. To minimize this storage overhead different caching methods were developed. The tree most important caching methods supported by Asp.NET are output-, fragment- and data caching (Liberty & Hurwitz, 2002).
Output caching is the most storage costing and most performance enhancing attempt of caching. After the server has generated a page based on a request, the whole page is stored on the server as html file. For a defined duration this html file is send to every following requester. The duration is based on the thought that the page will not change during a specified span. Hence, it is an issue that a content change is possible while a request is answered with the cached page.
Fragment caching is an attempt to store only parts of a page. In comparison to output caching it is a bit slower, because the not cached parts of the page needed to be rebuilt on request. Nevertheless, this method prevents sending incorrect data to the user - the data with possible changes are rebuilt on every request.
The method used for pages with highly frequent content changes is data caching. It is possible to cache single objects in a dictionary-type format in the server memory. This format has as example a property to bind the objects' dispose events on conditions. Although establishing a dynamic data cache cost resources to evaluate the live time of dictionary objects it is still cost reducing in comparison to a full rebuild of a page. But this is only the fact as long as not too much objects are stored - the server memory is a limited and needed resource.
Due to the fact that all tree methods need storage resources it is important to adjust the used caching techniques to the available resources and manage on which pages each kind of caching is most useful (Peterson). The more dynamic pages are, the more useful it becomes to use fragmental or even data caching. To do so, the features have to be enabled in the web.config and implemented in the code.
After configuring the web.config and the pages for the mentioned and other possible performance improvements, it is likely to design the code as performance effective as possible. To do so, one major measure is the exception management. Exceptions are an expensive performance hit, so their management should be well-structured.
First of all it should be administered how exceptions are managed, because it is not possible to guarantee a completely exception free system. A global exception handler should be implemented to guarantee that all unhandled errors are caught. Details about every caused exception should be saved in a log file to monitor errors and be enabled to trace their origin.
After implementing this handler it is a common attempt to prevent known exception at all. This can be done as example by an object check. If the object is null or not in the needed state an else-clause instead of the intended code is performed. Doing so no error is thrown and the code behind can directly - by a predefined procedure - informs the user about what happened. Also it would be possible to use other resources to accomplish the expected outcome.
Another category of exception is a timeout, caused by a not reacting requested resource. The default timeout for pages is set to 90 seconds. Due to this long wait time a timeout can cause a browser or Asp.NET to stop responding, while incoming requests are queued until the IIS queue limit is reached and all new requests are rejected. Therefore the timeout limit should be reduced to 30 seconds or less, which is a common setting (Microsoft MSDN, 2004).
These attempts of exception management reduce the number of exceptions and system crashes; furthermore it enables the developer to trace the origin of exception by the minimal cost of resource checks and code expansions. Since the advantages are superior to the disadvantages these management should be fully implemented in every application.
Having configured the application and managed the performance are just some of the important parts of web application development. They would even be useless without security. Since a web application is accessible from all over the world, all kind of possible security vulnerabilities have to be taken into account - any security breach could lead to the forfeit of integrity, confidentiality and availability. Due to the huge range of possible features to secure the application focus will be laid on some important ones: table adapters, validation and authentication.
Authentication is a practice to validate that a user is who it claims to be. Using this feature enables the application developer to design pages with individual content for each user and to restrict users from special pages of the application and thus the functions on these pages. The general usage of authentication and the restricted of pages are managed in the web.config files.
Generally tree attempts of authentication are available for web applications (Walther, 2006):
This authentication mode is used in conjunction with ISS, a web server application developed by Microsoft. The standard windows authentication of the server's operation system is used to authenticate the user. This method is normally only used in intranets, because of the incompatibility with different operation system.
This is the most common authentication method for web applications. In a form entered user data are directly managed by the server and compared to stored data, either in a database or in the web.config. Normally these stored data are encrypted to secure the user data even more. By logon the user gets a cookie, to enable the server to recognize the user on every request and enable the requested application parts, as long as the user is authorized to access them.
The Microsoft service Microsoft Passport provides a across websites logon. This service completely manages the authentication for the developer, but as disadvantage licenses have to be bought.
Comparing these mechanisms it is obvious why form authentication is the most common authentication method. It offers the most flexible usage by lowest cost.
Furthermore not only authentication is an important security feature; also input validation is very important. This feature enables not only to prevent security breaches or simply wrong data input, it also is possible to improve the performance in some points, because validation can be performed client-side. So if the input is incorrect the server is not stressed. Also, the subsequent handling of an invalid input is manageable on client-side (Microsoft MSDN, 2002).
Client-side validation uses Java Script to handle the validation. But only using client-side validation for performance reasons is not common. The disadvantages of this technic are that the validation can only be used on systems with running script and it can be bypassed by attackers. Therefore every client-side validation should be also implemented as server-side validation. This validation is performed on the server and cannot be bypassed (Burnett, 2004). Under this measure correct inputs are tested two times, but the security is improved. This minimal performance hit can be left untended because the validation prevents errors, which would cause a bigger performance hit.
Validation therefore is an important measure for security and in parts also performance.
By discussing the use of validation also table adapters should be at least mentioned. The most validated inputs initiate the use of a database and to secure these usages table adapters can be used. They are parsing the inputs in parameterized queries, which prevents that inputs can execute SQL-commands, because just a predefined data-type is allowed as input (ScottGu, 2006). Also the data-layer is due to table adapters strictly separated from the business-logic-layer (Microsoft MSDN, 2011).
Table adapter should always be used because of these advantages and a further advantage is that some databases are optimized for parameterized queries and therefore perform even faster.
By examine these topics it becomes obvious that a web application developer has to plan and bear in mind a lot of things. As seen in the preceding paragraphs most of them are connected in different ways and as a result it is needed to not only handle each development section for its on, but to evaluate the effects on other parts of the application. These links make it even more complicated to develop a web application. It also should not be forgotten, that this report only mentioned some of the many issues.
This leads to the conclusion that a web application nowadays should be well planned, good structured and professionally designed to meet the customers' needs.