Monday, May 9, 2011 4.0 Core Services

ASP.NET 4 introduces a number of features that improve core ASP.NET services such as output caching and session-state storage.

Web.config File Refactoring

The Web.config file that contains the configuration for a Web application has grown considerably over the past few releases of the .NET Framework as new features have been added, such as Ajax, routing, and integration with IIS 7. This has made it harder to configure or start new Web applications without a tool like Visual Studio. In .the NET Framework 4, the major configuration elements have been moved to the machine.config file, and applications now inherit these settings. This allows the Web.config file in ASP.NET 4 applications either to be empty or to contain just the following lines, which specify for Visual Studio what version of the framework the application is targeting:

<?xml version="1.0"?>
    <compilation targetFramework="4.0" />

Extensible Output Caching

Since the time that ASP.NET 1.0 was released, output caching has enabled developers to store the generated output of pages, controls, and HTTP responses in memory. On subsequent Web requests, ASP.NET can serve content more quickly by retrieving the generated output from memory instead of regenerating the output from scratch. However, this approach has a limitation — generated content always has to be stored in memory, and on servers that are experiencing heavy traffic, the memory consumed by output caching can compete with memory demands from other portions of a Web application.
ASP.NET 4 adds an extensibility point to output caching that enables you to configure one or more custom output-cache providers. Output-cache providers can use any storage mechanism to persist HTML content. This makes it possible to create custom output-cache providers for diverse persistence mechanisms, which can include local or remote disks, cloud storage, and distributed cache engines.
You create a custom output-cache provider as a class that derives from the newSystem.Web.Caching.OutputCacheProvider type. You can then configure the provider in the Web.config file by using the new providers subsection of the outputCache element, as shown in the following example:

  <outputCache defaultProvider="AspNetInternalProvider">
      <add name="DiskCache"
          type="Test.OutputCacheEx.DiskOutputCacheProvider, DiskCacheProvider"/>


By default in ASP.NET 4, all HTTP responses, rendered pages, and controls use the in-memory output cache, as shown in the previous example, where the defaultProvider attribute is set to AspNetInternalProvider. You can change the default output-cache provider used for a Web application by specifying a different provider name fordefaultProvider.
In addition, you can select different output-cache providers per control and per request. The easiest way to choose a different output-cache provider for different Web user controls is to do so declaratively by using the new providerName attribute in a control directive, as shown in the following example:

<%@ OutputCache Duration="60" VaryByParam="None" providerName="DiskCache" %>

Specifying a different output cache provider for an HTTP request requires a little more work. Instead of declaratively specifying the provider, you override the new GetOuputCacheProviderName method in theGlobal.asax file to programmatically specify which provider to use for a specific request. The following example shows how to do this.

public override string GetOutputCacheProviderName(HttpContext context)
    if (context.Request.Path.EndsWith("Advanced.aspx"))
       return "DiskCache";
        return base.GetOutputCacheProviderName(context);

With the addition of output-cache provider extensibility to ASP.NET 4, you can now pursue more aggressive and more intelligent output-caching strategies for your Web sites. For example, it is now possible to cache the "Top 10" pages of a site in memory, while caching pages that get lower traffic on disk. Alternatively, you can cache every vary-by combination for a rendered page, but use a distributed cache so that the memory consumption is offloaded from front-end Web servers.

Auto-Start Web Applications

Some Web applications need to load large amounts of data or perform expensive initialization processing before serving the first request. In earlier versions of ASP.NET, for these situations you had to devise custom approaches to "wake up" an ASP.NET application and then run initialization code during the Application_Loadmethod in the Global.asax file.
A new scalability feature named auto-start that directly addresses this scenario is available when ASP.NET 4 runs on IIS 7.5 on Windows Server 2008 R2. The auto-start feature provides a controlled approach for starting up an application pool, initializing an ASP.NET application, and then accepting HTTP requests.
IIS Application Warm-Up Module for IIS 7.5
The IIS team has released the first beta test version of the Application Warm-Up Module for IIS 7.5. This makes warming up your applications even easier than previously described. Instead of writing custom code, you specify the URLs of resources to execute before the Web application accepts requests from the network. This warm-up occurs during startup of the IIS service (if you configured the IIS application pool as AlwaysRunning) and when an IIS worker process recycles. During recycle, the old IIS worker process continues to execute requests until the newly spawned worker process is fully warmed up, so that applications experience no interruptions or other issues due to unprimed caches. Note that this module works with any version of ASP.NET, starting with version 2.0.
For more information, see Application Warm-Up on the Web site. For a walkthrough that illustrates how to use the warm-up feature, see Getting Started with the IIS 7.5 Application Warm-Up Module on the Web site.
To use the auto-start feature, an IIS administrator sets an application pool in IIS 7.5 to be automatically started by using the following configuration in the applicationHost.config file:

  <add name="MyApplicationPool" startMode="AlwaysRunning" />

Because a single application pool can contain multiple applications, you specify individual applications to be automatically started by using the following configuration in the applicationHost.config file:

  <site name="MySite" id="1">
    <application path="/"
      serviceAutoStartProvider="PrewarmMyCache" >
      <!-- Additional content -->


<!-- Additional content -->

  <add name="PrewarmMyCache"
    type="MyNamespace.CustomInitialization, MyLibrary" />

When an IIS 7.5 server is cold-started or when an individual application pool is recycled, IIS 7.5 uses the information in the applicationHost.config file to determine which Web applications need to be automatically started. For each application that is marked for auto-start, IIS7.5 sends a request to ASP.NET 4 to start the application in a state during which the application temporarily does not accept HTTP requests. When it is in this state, ASP.NET instantiates the type defined by the serviceAutoStartProvider attribute (as shown in the previous example) and calls into its public entry point.
You create a managed auto-start type with the necessary entry point by implementing theIProcessHostPreloadClient interface, as shown in the following example:

public class CustomInitialization : System.Web.Hosting.IProcessHostPreloadClient
  public void Preload(string[] parameters)
    // Perform initialization.

After your initialization code runs in the Preload method and the method returns, the ASP.NET application is ready to process requests.
With the addition of auto-start to IIS .5 and ASP.NET 4, you now have a well-defined approach for performing expensive application initialization prior to processing the first HTTP request. For example, you can use the new auto-start feature to initialize an application and then signal a load-balancer that the application was initialized and ready to accept HTTP traffic.

Permanently Redirecting a Page

It is common practice in Web applications to move pages and other content around over time, which can lead to an accumulation of stale links in search engines. In ASP.NET, developers have traditionally handled requests to old URLs by using by using the Response.Redirect method to forward a request to the new URL. However, theRedirect method issues an HTTP 302 Found (temporary redirect) response, which results in an extra HTTP round trip when users attempt to access the old URLs.
ASP.NET 4 adds a new RedirectPermanent helper method that makes it easy to issue HTTP 301 Moved Permanently responses, as in the following example:


Search engines and other user agents that recognize permanent redirects will store the new URL that is associated with the content, which eliminates the unnecessary round trip made by the browser for temporary redirects.

Shrinking Session State

ASP.NET provides two default options for storing session state across a Web farm: a session-state provider that invokes an out-of-process session-state server, and a session-state provider that stores data in a Microsoft SQL Server database. Because both options involve storing state information outside a Web application's worker process, session state has to be serialized before it is sent to remote storage. Depending on how much information a developer saves in session state, the size of the serialized data can grow quite large.
ASP.NET 4 introduces a new compression option for both kinds of out-of-process session-state providers. When the compressionEnabled configuration option shown in the following example is set to true, ASP.NET will compress (and decompress) serialized session state by using the .NET FrameworkSystem.IO.Compression.GZipStream class.

  sqlConnectionString="data source=dbserver;Initial Catalog=aspnetstate"

With the simple addition of the new attribute to the Web.config file, applications with spare CPU cycles on Web servers can realize substantial reductions in the size of serialized session-state data.

Expanding the Range of Allowable URLs

ASP.NET 4 introduces new options for expanding the size of application URLs. Previous versions of ASP.NET constrained URL path lengths to 260 characters, based on the NTFS file-path limit. In ASP.NET 4, you have the option to increase (or decrease) this limit as appropriate for your applications, using two new httpRuntimeconfiguration attributes. The following example shows these new attributes.

<httpRuntime maxRequestPathLength="260" maxQueryStringLength="2048" />

To allow longer or shorter paths (the portion of the URL that does not include protocol, server name, and query string), modify the maxRequestPathLength attribute. To allow longer or shorter query strings, modify the value of the maxQueryStringLength attribute.
ASP.NET 4 also enables you to configure the characters that are used by the URL character check. When ASP.NET finds an invalid character in the path portion of a URL, it rejects the request and issues an HTTP 400 error. In previous versions of ASP.NET, the URL character checks were limited to a fixed set of characters. In ASP.NET 4, you can customize the set of valid characters using the new requestPathInvalidChars attribute of thehttpRuntime configuration element, as shown in the following example:

<httpRuntime requestPathInvalidChars="<,>,*,%,&,:,\,?"  />

By default, the requestPathInvalidChars attribute defines eight characters as invalid. (In the string that is assigned to requestPathInvalidChars by defaultthe less than (<), greater than (>), and ampersand (&) characters are encoded, because the Web.config file is an XML file.) You can customize the set of invalid characters as needed.
Note ASP.NET 4 always rejects URL paths that contain characters in the ASCII range of 0x00 to 0x1F, because those are invalid URL characters as defined in RFC 2396 of the IETF ( On versions of Windows Server that run IIS 6 or higher, the http.sys protocol device driver automatically rejects URLs with these characters.

Extensible Request Validation

ASP.NET request validation searches incoming HTTP request data for strings that are commonly used in cross-site scripting (XSS) attacks. If potential XSS strings are found, request validation flags the suspect string and returns an error. The built-in request validation returns an error only when it finds the most common strings used in XSS attacks. Previous attempts to make the XSS validation more aggressive resulted in too many false positives. However, customers might want request validation that is more aggressive, or conversely might want to intentionally relax XSS checks for specific pages or for specific types of requests.
In ASP.NET 4, the request validation feature has been made extensible so that you can use custom request-validation logic. To extend request validation, you create a class that derives from the newSystem.Web.Util.RequestValidator type, and you configure the application (in the httpRuntime section of theWeb.config file) to use the custom type. The following example shows how to configure a custom request-validation class:

<httpRuntime requestValidationType="Samples.MyValidator, Samples" />

The new requestValidationType attribute requires a standard .NET Framework type identifier string that specifies the class that provides custom request validation. For each request, ASP.NET invokes the custom type to process each piece of incoming HTTP request data. The incoming URL, all the HTTP headers (both cookies and custom headers), and the entity body are all available for inspection by a custom request validation class like that shown in the following example:
public class CustomRequestValidation : RequestValidator
  protected override bool IsValidRequestString(
      HttpContext context, string value, 
      RequestValidationSource requestValidationSource, 
      string collectionKey, 
      out int validationFailureIndex) 
For cases where you do not want to inspect a piece of incoming HTTP data, the request-validation class can fall back to let the ASP.NET default request validation run by simply calling base.IsValidRequestString.

Object Caching and Object Caching Extensibility

Since its first release, ASP.NET has included a powerful in-memory object cache (System.Web.Caching.Cache). The cache implementation has been so popular that it has been used in non-Web applications. However, it is awkward for a Windows Forms or WPF application to include a reference to System.Web.dll just to be able to use the ASP.NET object cache.
To make caching available for all applications, the .NET Framework 4 introduces a new assembly, a new namespace, some base types, and a concrete caching implementation. The new System.Runtime.Caching.dllassembly contains a new caching API in the System.Runtime.Caching namespace. The namespace contains two core sets of classes:
  • Abstract types that provide the foundation for building any type of custom cache implementation.
  • A concrete in-memory object cache implementation (the System.Runtime.Caching.MemoryCache class).
The new MemoryCache class is modeled closely on the ASP.NET cache, and it shares much of the internal cache engine logic with ASP.NET. Although the public caching APIs in System.Runtime.Caching have been updated to support development of custom caches, if you have used the ASP.NET Cache object, you will find familiar concepts in the new APIs.
An in-depth discussion of the new MemoryCache class and supporting base APIs would require an entire document. However, the following example gives you an idea of how the new cache API works. The example was written for a Windows Forms application, without any dependency on System.Web.dll.
private void btnGet_Click(object sender, EventArgs e) 
  //Obtain a reference to the default MemoryCache instance. 
  //Note that you can create multiple MemoryCache(s) inside 
  //of a single application. 
  ObjectCache cache = MemoryCache.Default; 
  //In this example the cache is storing the contents of a file string 
  fileContents = cache["filecontents"] as string;
  //If the file contents are not currently in the cache, then 
  //the contents are read from disk and placed in the cache. 
  if (fileContents == null) 
    //A CacheItemPolicy object holds all the pieces of cache 
    //dependency and cache expiration metadata related to a single 
    //cache entry. 
    CacheItemPolicy policy = new CacheItemPolicy(); 
    //Build up the information necessary to create a file dependency. 
    //In this case we just need the file path of the file on disk. 
    List filePaths = new List(); 
    //In the new cache API, dependencies are called "change monitors". 
    //For this example we want the cache entry to be automatically expired 
    //if the contents on disk change. A HostFileChangeMonitor provides 
    //this functionality. 
    policy.ChangeMonitors.Add(new HostFileChangeMonitor(filePaths)); 
    //Fetch the file's contents 
    fileContents = File.ReadAllText("c:\\data.txt"); 
    //And then store the file's contents in the cache 
    cache.Set("filecontents", fileContents, policy); 

Extensible HTML, URL, and HTTP Header Encoding

In ASP.NET 4, you can create custom encoding routines for the following common text-encoding tasks:
  • HTML encoding.
  • URL encoding.
  • HTML attribute encoding.
  • Encoding outbound HTTP headers.
You can create a custom encoder by deriving from the new System.Web.Util.HttpEncoder type and then configuring ASP.NET to use the custom type in the httpRuntime section of the Web.config file, as shown in the following example:

<httpRuntime encoderType="Samples.MyCustomEncoder, Samples" /> 

After a custom encoder has been configured, ASP.NET automatically calls the custom encoding implementation whenever public encoding methods of the System.Web.HttpUtility or System.Web.HttpServerUtility classes are called. This lets one part of a Web development team create a custom encoder that implements aggressive character encoding, while the rest of the Web development team continues to use the public ASP.NET encoding APIs. By centrally configuring a custom encoder in the httpRuntime element, you are guaranteed that all text-encoding calls from the public ASP.NET encoding APIs are routed through the custom encoder.

Performance Monitoring for Individual Applications in a Single Worker Process

In order to increase the number of Web sites that can be hosted on a single server, many hosters run multiple ASP.NET applications in a single worker process. However, if multiple applications use a single shared worker process, it is difficult for server administrators to identify an individual application that is experiencing problems.
ASP.NET 4 leverages new resource-monitoring functionality introduced by the CLR. To enable this functionality, you can add the following XML configuration snippet to the aspnet.config configuration file.

<?xml version="1.0" encoding="UTF-8" ?>
    <appDomainResourceMonitoring enabled="true"/>


Note The aspnet.config file is in the directory where the .NET Framework is installed. It is not theWeb.config file.
When the appDomainResourceMonitoring feature has been enabled, two new performance counters are available in the "ASP.NET Applications" performance category: % Managed Processor Time and Managed Memory Used. Both of these performance counters use the new CLR application-domain resource management feature to track estimated CPU time and managed memory utilization of individual ASP.NET applications. As a result, with ASP.NET 4, administrators now have a more granular view into the resource consumption of individual applications running in a single worker process.


You can create an application that targets a specific version of the .NET Framework. In ASP.NET 4, a new attribute in the compilation element of the Web.config file lets you target the .NET Framework 4 and later. If you explicitly target the .NET Framework 4, and if you include optional elements in the Web.config file such as the entries for system.codedom, these elements must be correct for the .NET Framework 4. (If you do not explicitly target the .NET Framework 4, the target framework is inferred from the lack of an entry in theWeb.config file.)
The following example shows the use of the targetFramework attribute in the compilation element of theWeb.config file.

<compilation targetFramework="4.0"/> 

Note the following about targeting a specific version of the .NET Framework:
  • In a .NET Framework 4 application pool, the ASP.NET build system assumes the .NET Framework 4 as a target if the Web.config file does not include the targetFramework attribute or if the Web.config file is missing. (You might have to make coding changes to your application to make it run under the .NET Framework 4.)
  • If you do include the targetFramework attribute, and if the system.codeDom element is defined in theWeb.config file, this file must contain the correct entries for the .NET Framework 4.
  • If you are using the aspnet_compiler command to precompile your application (such as in a build environment), you must use the correct version of the aspnet_compiler command for the target framework. Use the compiler that shipped with the .NET Framework 2.0 (%WINDIR%\Microsoft.NET\Framework\v2.0.50727) to compile for the .NET Framework 3.5 and earlier versions. Use the compiler that ships with the .NET Framework 4 to compile applications created using that framework or using later versions.
  • At run time, the compiler uses the latest framework assemblies that are installed on the computer (and therefore in the GAC). If an update is made later to the framework (for example, a hypothetical version 4.1 is installed), you will be able to use features in the newer version of the framework even though thetargetFramework attribute targets a lower version (such as 4.0). (However, at design time in Visual Studio 2010 or when you use the aspnet_compiler command, using newer features of the framework will cause compiler errors).