Default NuGet Packages in Visual Studio ASP.NET Templates

From packages.config:

<?xml version="1.0" encoding="utf-8"?>
<packages>
<!-- The Runtime assembiles for ASP.NET MVC -->
<package id="Microsoft.AspNet.Mvc" version="5.2.3" targetFramework="net461" />
<package id="Microsoft.AspNet.Razor" version="3.2.3" targetFramework="net461" />
<package id="Microsoft.AspNet.WebPages" version="3.2.3" targetFramework="net461" />
<package id="Microsoft.Web.Infrastructure" version="1.0.0.0" targetFramework="net461" />
<package id="Microsoft.CodeDom.Providers.DotNetCompilerPlatform" version="1.0.0" targetFramework="net461" />
<package id="Microsoft.Net.Compilers" version="1.0.0" targetFramework="net461" developmentDependency="true" />

<!-- Provide minifcation, bundling and optimization for CSS, Javascript and JSON -->
<package id="WebGrease" version="1.5.2" targetFramework="net461" />
<package id="Antlr" version="3.4.1.9004" targetFramework="net461" />
<package id="Newtonsoft.Json" version="6.0.4" targetFramework="net461" />
<package id="Microsoft.AspNet.Web.Optimization" version="1.1.3" targetFramework="net461" />

<!-- Generates unobtrusive client side validation for MVC views.  -->
<package id="jQuery.Validation" version="1.11.1" targetFramework="net461" />
<package id="Microsoft.jQuery.Unobtrusive.Validation" version="3.2.3" targetFramework="net461" />

<!-- Popular and essential web frameworks -->
<package id="jQuery" version="1.10.2" targetFramework="net461" />
  <package id="bootstrap" version="3.0.0" targetFramework="net461" />
<package id="Respond" version="1.2.0" targetFramework="net461" />
<package id="Modernizr" version="2.6.2" targetFramework="net461" />

<!-- Microsoft ORM framework -->
  <package id="EntityFramework" version="6.1.3" targetFramework="net461" />

<!-- OWIN -->
<package id="Owin" version="1.0" targetFramework="net461" />
<package id="Microsoft.Owin" version="3.0.1" targetFramework="net461" />
<package id="Microsoft.Owin.Host.SystemWeb" version="3.0.1" targetFramework="net461" />


<!-- Authentication  -->
<package id="Microsoft.Owin.Security" version="3.0.1" targetFramework="net461" />
  <package id="Microsoft.Owin.Security.Cookies" version="3.0.1" targetFramework="net461" />
  <package id="Microsoft.Owin.Security.Facebook" version="3.0.1" targetFramework="net461" />
  <package id="Microsoft.Owin.Security.Google" version="3.0.1" targetFramework="net461" />
  <package id="Microsoft.Owin.Security.MicrosoftAccount" version="3.0.1" targetFramework="net461" />
  <package id="Microsoft.Owin.Security.OAuth" version="3.0.1" targetFramework="net461" />
  <package id="Microsoft.Owin.Security.Twitter" version="3.0.1" targetFramework="net461" />


<!-- Identity -->
<package id="Microsoft.AspNet.Identity.Core" version="2.2.1" targetFramework="net461" />
<package id="Microsoft.AspNet.Identity.EntityFramework" version="2.2.1" targetFramework="net461" />
<package id="Microsoft.AspNet.Identity.Owin" version="2.2.1" targetFramework="net461" />


</packages>

Nielsen Predicted Trump Would Lose... PDFs

In 2003, famed UX Guru Jakob Nielsen, warned against use of PDF format, which here in 2016 is as popular as ever:

https://www.nngroup.com/articles/pdf-unfit-for-human-consumption/

PDF: Unfit for Human Consumption

by JAKOB NIELSEN on July 14, 2003

Topics: 

• Web Usability

Summary: Users get lost inside PDF files, which are typically big, linear text blobs that are optimized for print and unpleasant to read and navigate online. PDF is good for printing, but that's it. Don't use it for online presentation.

PDF is great for one thing and one thing only: printing documents. Paper is superior to computer screens in many ways, and users often prefer to print documents that are too long to easily read online.

For online reading, however, PDF is the monster from the Black Lagoon. It puts its clammy hands all over people with a cruel grip that doesn't let go.

PDF Usability Crimes

The usability problems that PDF files cause on websites or intranets are legion:

• Linear exposition. PDF files are typically converted from documents that were intended for print, so the authors wouldn't have followed the guidelines for Web writing. The result? A long text that takes up many screens and is unpleasant and boring to read.
• Jarring user experience. PDF lives in its own environment with different commands and menus. Even simple things like printing or saving documents are difficult because standard browser commands don't work.
• Crashes and software problems. While not as bad as in the past, you're still more likely to crash users' browsers or computers if you serve them a PDF file rather than an HTML page.
• Breaks flow. You have to wait for the special reader to start before you can see the content. Also, PDF files often take longer time to download because they tend to be stuffed with more fluff than plain Web pages.
• Orphaned location. Because the PDF file is not a Web page, it doesn't show your standard navigation bars. Typically, users can't even find a simple way to return to your site's homepage.
• Content blob. Most PDF files are immense content chunks with no internal navigation. They also lack a decent search, aside from the extremely primitive ability to jump to a text string's next literal match. If the user's question is answered on page 75, there's close to zero probability that he or she will locate it.
• Text fits the printed page, not a computer screen. PDF layouts are often optimized for a sheet of paper, which rarely matches the size of the user's browser window. Bye-bye smooth scrolling. Hello tiny fonts.

Users Hate PDF

In several recent usability studies, users complained woefully whenever they encountered PDF files.

Following are quotes from investors testing the investor relations area on corporate websites:

"It's a pain that I have to download each PDF. Pain in the ass… I find it to be annoying. It's slow to load. It's hard to search within it. I find HTML easier to deal with… This is all PDF instead of a chart. My dream site is to come to a site and get a bar chart for the sales within the last ten years."

"I hate Adobe Acrobat. If I bring up PDF, I can't take a section and copy it and move it to Word. There could be stuff like graphics I don't want. I prefer documents in HTML format so that it's editable."

The following user quotes are from journalists testing the PR area on corporate websites:

"They [PDF files] don't behave like Web pages. It's not the speed. It is like having a solid thing rather than a fluid thing."

"What we've got is a page of a PDF document which is great when printed out, but on the screen it is hard to read. The print is too small…"

"I am a little frustrated with Acrobat… They made every page a file. So what happens here is when you scroll, it jumps, which is really not helpful."

This quote is from an employee who was testing an intranet:

"It would have helped if the first page was an index and you could scroll to it. That must be what this side part means. But who am I to say?"

As the last quote shows, even when a PDF file has its own navigation aides, they don't typically help because they're nonstandard and based on a paper metaphor rather than hypertext navigation.

We've had similar reactions from users in many other studies, including tests of B2B websites where users complained when sites presented product specs or customer success stories in PDF instead of Web pages. Here's a quote from a customer who shunned those parts of the site that were in PDF:

"It looks like I'm going to have to go to PDF, which I'm dreading."

Next Column: Action Items

Given PDF's poor usability for online reading, what are Web designers to do? My next Alertbox will discuss PDF presentation strategies that minimize user suffering.

Earlier Studies

See my Alertbox from June 2001, Avoid PDF for On-Screen Reading, for an earlier analysis of PDF based on the studies I did a few years ago.

The difference between then and now? Not much. Fewer crashes (good), but more user hostility toward PDF because people now have more experience with its usability problems.

Newer Studies

Update 2010: Our new studies keep finding the same problems with PDF in online interfaces.

Find more information on dealing with PDF files without imposing too much of a usability burden on your customers in the full-day course Writing for the Web. 

Additionally, an in-depth eyetracking report on how users read on the web is available for download.

Failed Microsoft Brands #435: COM+

It was 1998...

https://www.microsoft.com/com/default.mspx

What is COM? Microsoft COM (Component Object Model) technology in the Microsoft Windows-family of Operating Systems enables software components to communicate. COM is used by developers to create re-usable software components, link components together to build applications, and take advantage of Windows services. COM objects can be created with a variety of programming languages. Object-oriented languages, such as C++, provide programming mechanisms that simplify the implementation of COM objects. The family of COM technologies includes COM+, Distributed COM (DCOM) and ActiveX® Controls. Microsoft provides COM interfaces for many Windows application programming interfaces such as Direct Show, Media Foundation, Packaging API, Windows Animation Manager, Windows Portable Devices, and Microsoft Active Directory (AD). COM is used in applications such as the Microsoft Office Family of products. For example COM OLE technology allows Word documents to dynamically link to data in Excel spreadsheets and COM Automation allows users to build scripts in their applications to perform repetitive tasks or control one application from another.

What is COM+?

COM+ is the name of the COM-based services and technologies first released in Windows 2000. COM+ brought together the technology of COM components and the application host of Microsoft Transaction Server (MTS). COM+ automatically handles programming tasks such as resource pooling, disconnected applications, event publication and subscription and distributed transactions.

I want to build a COM or COM+ application. How do I get started?

The best resource for COM developers is the Microsoft Developer Network (MSDN). The MSDN Library contains information for developers on the Microsoft platform including a programming guide for COM development and the COM API programming reference. The Windows API is documented in Win32 and COM Development. You will also find information on COM+.

Using COM from .NET and .NET from COM

The .NET Framework provides bi-directional interoperability with COM, which enables COM-based applications to use .NET components and .NET applications to use COM components. For information on how to access .NET components from COM see http://msdn.microsoft.com/library/ms973802.aspx. To learn how to use COM components from .NET see http://msdn.microsoft.com/library/ms973800.aspx.

64-bit : When Intel followed AMD's lead, or Worse is Better

Also see: Betamax versus VHS

We all know how the x86 was such a success.

x86 is 32-bit.  There was a 16-bit in the early 90s, but that was quickly moved along to 32-bit by the time the Web became a thing that made home computers REALLY popular.

So it was almost a fait acompli that we'd soon move on to 64-bit.

But that transition did not go so smoothly.

Intel had traditionally been the company that established the ISA (Instruction Set Architecture) standards which the competitors (well, AMD) then followed.

Intel tried to do that with IA-64, code named Itanium, in the late 90s.  But they made it way too complicated for the engineers that would have to implement it, and not backwards compatible with lots of 32-bit stuff.  Meanwhile, AMD made a lazy modification of the x86 instruction sets, that could use 64-bit.  It was dubbed AMD64.  This was in 1999.  By 2004, Intel was actually using AMD's ISA and putting its Itanium only on a few specialized chips.  The AMD version was used:

all later Celerons, all newer models of Xeon, all newer models of Pentium Dual-Core processors , the Atom, and all versions of the Pentium D, Pentium Extreme Edition, Core 2, Core i7, Core i5, and Core i3 processors.

AppData Local LocalLow Roaming

https://blog.codinghorror.com/was-the-windows-registry-a-good-idea/

Says how the Windows Registry was kind of a bad idea because everyone store their junk there.
Don't use the Registry, use the modern "ini file" reborn:

<quote>

There is an alternative, though. If Windows applications weren't so busy mindlessly piling all their settings on the registry garbage dump with everyone else, they could elect to follow the new, much saner Windows Vista conventions for storing application-specific data:

/Users/Jeff/AppData/Local
/Users/Jeff/AppData/LocalLow
/Users/Jeff/AppData/Roaming

Local and LocalLow are for bits of application data that are truly machine-specific. Roaming is for non-machine specific settings that will follow the user. That's where the lion's share of the application settings will be. It's all explained in the Roaming User Data Deployment Guide (Word doc). However, these are still user-specific settings, obviously, as they're under the /Users folder. I can't find any new Windows filesystem convention for system level, non-user-specific settings. I suppose that's still Ye Olde Registry by default.

It is possible to write Windows applications that don't use the registry in any way. These are some of my favorite applications. But they're also the most rare and precious of all applications in the Windows software ecosystem.

</quote>

Link to Roaming User Data Deployment Guide:

https://technet.microsoft.com/en-us/library/cc766489(v=ws.10).aspx

UX at Microsoft almost as bad as full-text search capability

This a set of browser tabs from IE 11.

Guess which ones is the ACTIVE tab.

It is the second from the left.

Transitioning from C# to Java: Inheritance

Base classes are called superclasses and accordingly referenced with the keyword super rather than C# base. When declaring derived classes, Java extends (for superclasses) and implements (for interfaces) specify the same inheritance relationships for which C# uses simple colons (:).

C# virtual is missing entirely because all Java methods are virtual unless explicitly declared final. 

ADO.NET Example: Parameterized Query

string color = Request.Form["color"];
string SQLquery = "select * from Animals where color='" + @color + "'";
con = new System.Data.SqlClient.SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["mycon"].ToString());
                con.Open();
                System.Data.SqlClient.SqlCommand cmd = new System.Data.SqlClient.SqlCommand(SQLquery, con);
                cmd.CommandType = System.Data.CommandType.Text;
                cmd.Parameters.Add(new System.Data.SqlClient.SqlParameter("@color", color));

                System.Data.SqlClient.SqlDataReader rdr = null;
                rdr = cmd.ExecuteReader();
                while (rdr.Read())
                {
                    school.Url = (string)rdr["Url"];
                }
                return school;

Temp Tables

Remember, you don't have to create structure of temp table....


select deptName, deptId, count(*) as TotalEmp
into #TempEmpCount
from tblEmp join tblDept on tblEmp.DeptId = tblDept.DeptId
group by DeptName, DeptId


select DeptName, TotEmp
from #TempEmpCount
where TotalEmp >= 2

Drop Table #TempEmpCount

=====
Dropping is a "good practice"

Temp tables are stored in TempDB.
SCOPE: local only for current session, can be shared b/w nested sp calls.  Global are visible to other sessions and are destroyed when last connection referencing the table is closed.


=====

If you want to have a specific structure, use TABLE VARIABLE:

Declare @tblEmpCount table(DeptName nvarchar(20), DeptId int, TotalEmp int)

Insert @tblEmpCount
select DeptName, DeptId, Count(*) as TotalEmp from tblEmp......

Select DeptName, TotalEmp
from @tblEmpCount

====
NOTE: You don't have to drop table variables. And you can pass table variables as parameters between procedures.
===========

DERIVED TABLES:

select DeptName, TotEmp
from (
Select DeptName, DeptId, COUNT(*) as TotEmp
from tblEmp
join tblDept......
)  as EmpCount
where TotalEmp >= 2


==========
New in SQL SERVER 2005: CTE (Common Table Expressions)
Similar to derived table....

With EmpCount(DeptName, DeptId, TotEmp)
as (
Select DeptName, DeptId, COUNT(*) as TotEmp
from tblEmp
join tblDept...
)
Select DeptName, TotEmp
from EmpCount
where TotEmp >=2

Transitioning to Java from C#: static

Java lacks C# static classes. To create a class that only contains static utility methods, use the old-fashioned approach of defining a private default constructor. Java does have a static class modifier, but it means something completely different, and is for nested classes.

Transitioning to Java from C#

In C#, using String.Equals() and "==" are interchangeable (C# "special cases" the "=="), whereas in Java, there IS a big difference.

In Java, "==" is for pointer references, that is, it compares whether the actual INSTANCES are the same, whereas, to simply compare two VALUES, you have to use String.equals().

Agile cheatsheet

One way to accomplish Agile goals is via the use of Scrum.... the Scrum PROCESS or method.

Scrum process has:
2-4 week SPRINTS
DAILY STAND-UPS
product BACKLOG, User Stories.

RETROSPECTIVES.



Another way to accomplish Agile goals is via XP (Extreme Programming).


Good user stories have VERTICAL SLICES through the product.


Kanban (Japanese for billboard)(taskboard in XP)

yellow stickes showing status of each backlog item (Currently working on, Currently in QA, Done)

Burndown Chart: shows how the sprint is progressing, actual vs. plan.  Quantitative to Kanban's qualitative.

Pigs and Chickens.

Sprint Planning
Planning Poker (read user stories, give time estimates ....write down secretly, then share....)


XP:
Continuous integration
Coding standards,
Pair Programming,

HTML5 tables and borders

Since a few years ago, if you put in a table without ANY css, you are going to get a borderless table. Worse, if you put borders="1"  you will get the ugly, nasty  way old-school HTML double borders.  Worse STILL, even if you put the css for 1px solid black , you will STILL get the ugly double borders!!

The secret is to set the borders-collapse: to collapse.  (the default value is SEPARATE).




<style>
table {
    border-collapse: collapse;
}

table, td, th {
    border: 1px solid black;
}
</style>

Microsoft Fail

(should be 6 and 4)
And no, there are NO comments correcting this below.

Clustered Index

a CLUSTERED index determines the PHYSICAL location (order) of data in a table. That's why you can only have ONE clustered index per table.


A Primary Key constraints will automatically create a CLUSTERED INDEX on that column.

-can have multiple columns (a COMPOSITE index)


Execute sp_helpindex tblEmployee
to view indexes.


You can change clustered index.  First:

Drop Index tblEmployee.PK_tblEmplo_3FD45DG   (or might have to use Object Explorer to Delete)

Create Clustered Index tblEmployee_Gender_Salary on tblEmployee (Gender DESC, Salary ASC)


CLUSTERED includes Data: think PHONEBOOK
NON-CLUSTERED is separate from data: think index to a BOOK

Since the index is stored separately, you CAN have MORE THAN ONE non-clustered indexes per table.

CLUSTERED INDEX is faster because it involves a single lookup, whereas NON-CLUSTERED has to do a second step to access the data location.  Also, NON-CLUSTERED requires EXTRA STORAGE SPACE for itself.

----
set statistics io on

(then write your select query)

After running, view Messages.

----

For viewing execution plan,
TABLE SCAN is when there isn't an index.
An INDEX SEEK would be more efficient.


----

Downside of Indexing is when you have lots of writes/updates (transactions) to a table.

-----
Naming conventions:
IX prefix means Index.
UIX means UNIQUE index.

See if someone changed table in SQL Server

SELECT

[name]

,create_date

,modify_date

FROM

sys.tables 

Encryption

SQL Server version 12 has lots of new encryption options.
(to tell version of SQL Server, use: Select @@version    )



Transparent
Column-level
use .NET
use File System
BitLocker

Page that describes options: http://sqlmag.com/database-security/sql-server-encryption-options
UPDATE: Apparently that site fell victim to the Goths and Vandals. Reprinted below.

SQL Server Encryption Options

May 17, 2013Michael Otey

One of the most difficult-to-understand options in SQL Server 2012 is the ability to encrypt data. This is mainly because of all of the different encryption capabilities offered.

Data encryption can be performed by the OS, by SQL Server, or by the application. I’ll help guide you through the different SQL Server encryption options.

Related: SQL Server Encryption

1. Transparent Data Encryption

Transparent Data Encryption (TDE) is the primary SQL Server encryption option. It was first available in SQL Server 2008, and as with the SQL Server 2012 release, it's available only in the SQL Server Enterprise edition, not in the Business Intelligence, Standard, or Express editions. TDE enables you to encrypt an entire database. Backups for databases that use TDE are also encrypted. TDE protects the data at rest, which means that the database’s data and log files are encrypted using the AES and 3DES encryption algorithms. TDE is completely transparent to the application and requires no coding changes to implement. For more information on TDE, check out "Transparent Data Encryption," on MSDN and my SQL Server Pro article "Using Transparent Data Encryption."

Related: Transparent Data Encryption FAQs

2. Column-level Encryption

Column-level encryption (aka cell-level encryption) was introduced in SQL Server 2005 and is available in all editions of SQL Server, including the free SQL Server Express edition. To use cell-level encryption, the schema must be changed to varbinary, then reconverted to the desired data type. This means the application must be changed to support the encryption-decryption operation; in addition, it can affect performance. Encryption of the database occurs at the page level, but when those pages are read to buffer pool, they're decrypted. Data can be encrypted using a passphrase, an asymmetric key, a symmetric key, or a certificate.  The supported algorithms for column-level encryption are AES with 128,196,256 bit keys and 3DES. To learn more about column-level encryption, see the MSDN article "Encrypt a Column of Data."

Related: Protecting the Database With Encryption

3. Encrypting and Decrypting Data with the .NET Framework

Another option for encrypting data stored in SQL Server is to perform the encryption and decryption from within the application. All editions of SQL Server support this style of data encryption. However, unlike TDE, encrypting data within the application requires that you specifically code the application to perform the encryption by calling the encryption and decryption methods. The .NET Framework supports encryption using the System.Security.Cryptography namespace to perform symmetric or asymmetric encryption. You can learn more about .NET-based encryption at "Encrypting and Decrypting Data." Application-level encryption can also be performed by other development frameworks such as Java.

4. Encrypting File Systems

Encrypting File Systems (EFS) is a file-encryption feature introduced in Windows 2000. Windows Server supports EFS for encrypting data at the file and folder level. EFS uses industry-standard encryption algorithms including AES, SHA, ECC, and smart card–based encryption.  Installing a SQL Server database in EFS isn't usually a recommended practice because of the added overhead. EFS isn't optimized for performance, and all I/O is synchronous. If you use EFS, the database files are encrypted under the identity of the account running SQL Server. If you change the account that runs the SQL Server service, you must first decrypt the files using the old account, then re-encrypt them using the new account. You can learn about the performance implications of running SQL Server and EFS at the Microsoft Support web page.

5. BitLocker

BitLocker Drive Encryption is a data protection feature available in Windows Server 2012, Windows 8, Windows 7, and Windows Server 2008 R2. BitLocker works at the volume level, and it protects data when it's at rest by using the AES algorithm. BitLocker doesn't have the same performance concerns associated with EFS. You can learn more about BitLocker at the Microsoft article, "BitLocker Driver Encryption Overview."

Cluster vs. Farm

"Farm was generally used in load balancing scenarios and Clusters are generally used in high available(resilant) solutions.  In the web applications, a Farm is also a cluster because putting a switch infront of more than one machine and the DNS record for the web site is nothing but the IP address of the switch.  The switch depending on how  busy a server is routes the traffic to different machines.

Cluster, is usually a two machine node where one machine is active and other is passive (or active/active in true cluster environment).  But the processing is handled by only one machine and the other one is dormant.  When the active machine goes down, the other node takes over.

Farm is mainly used in web applications (stateless apps) where as clusters are used in database, server (windows service) type applications."

.NET Session State

https://msdn.microsoft.com/en-us/library/ms178586(v=vs.100).aspx
UPDATE: newer version of all this at: https://docs.microsoft.com/en-us/iis/application-frameworks/scenario-build-an-aspnet-website-on-iis/planning-step-2-plan-asp-net-settings

and
https://docs.microsoft.com/en-us/iis/application-frameworks/scenario-build-an-aspnet-website-on-iis/configuring-step-2-configure-asp-net-settings

Session-State Modes

.NET Framework 4

Other Versions

ASP.NET session state supports several different storage options for session data. Each option is identified by a value in theSessionStateMode enumeration. The following list describes the available session state modes:

• InProc mode, which stores session state in memory on the Web server. This is the default.
• StateServer mode, which stores session state in a separate process called the ASP.NET state service. This ensures that session state is preserved if the Web application is restarted and also makes session state available to multiple Web servers in a Web farm.
• SQLServer mode stores session state in a SQL Server database. This ensures that session state is preserved if the Web application is restarted and also makes session state available to multiple Web servers in a Web farm.
• Custom mode, which enables you to specify a custom storage provider.
• Off mode, which disables session state.

You can specify which mode you want ASP.NET session state to use by assigning a SessionStateMode enumeration values to the modeattribute of the sessionState element in your application's Web.config file. Modes other than InProc and Off require additional parameters, such as connection-string values as discussed later in this topic. You can view the currently selected session state by accessing the value of the HttpSessionState.Mode property.

In-Process Mode

In-process mode is the default session state mode and is specified using the InProc SessionStateMode enumeration value. In-process mode stores session state values and variables in memory on the local Web server. It is the only mode that supports theSession_OnEnd event. For more information about the Session_OnEnd event, see Session-State Events.

Caution:
If you enable Web-garden mode by setting the webGarden attribute to true in the processModel element of the application's Web.config file, do not use InProc session state mode. If you do, data loss can occur if different requests for the same session are served by different worker processes.

State Server Mode

StateServer mode stores session state in a process, referred to as the ASP.NET state service, that is separate from the ASP.NET worker process or IIS application pool. Using this mode ensures that session state is preserved if the Web application is restarted and also makes session state available to multiple Web servers in a Web farm.

To use StateServer mode, you must first be sure the ASP.NET state service is running on the server used for the session store. The ASP.NET state service is installed as a service when ASP.NET and the .NET Framework are installed. The ASP.Net state service is installed at the following location:

systemroot\Microsoft.NET\Framework\versionNumber\aspnet_state.exe

To configure an ASP.NET application to use StateServer mode, in the application's Web.config file do the following:

• Set the mode attribute of the sessionState element to StateServer.
• Set the stateConnectionString attribute to tcpip=serverName:42424.

  Note:
  To improve the security of your application when using StateServer mode, it is recommended that you protect yourstateConnectionString value by encrypting the sessionState section of your configuration file. For details, see Encrypting Configuration Information Using Protected Configuration.

The following example shows a configuration setting for StateServer mode where session state is stored on a remote computer named SampleStateServer:

<configuration>
  <system.web>
    <sessionState mode="StateServer"
      stateConnectionString="tcpip=SampleStateServer:42424"
      cookieless="false"
      timeout="20"/>
  </system.web>
</configuration>

Note:
Objects stored in session state must be serializable if the mode is set to StateServer. For information on serializable objects, see the SerializableAttribute class.

To use StateServer mode in a Web farm, you must have the same encryption keys specified in the machineKey element of your Web configuration for all applications that are part of the Web farm. For information on how to create machine keys, see article 313091, "How to create keys by using Visual Basic .NET for use in Forms authentication," in the Microsoft Knowledge Base at http://support.microsoft.com.

SQL Server Mode

SQLServer mode stores session state in a SQL Server database. Using this mode ensures that session state is preserved if the Web application is restarted and also makes session state available to multiple Web servers in a Web farm.

Note:
Objects stored in session state must be serializable if the mode is SQL Server. For information on serializable objects, see theSerializableAttribute class.

To use SQLServer mode, you must first be sure the ASP.NET session state database is installed on SQL Server. You can install the ASP.NET session state database using the Aspnet_regsql.exe tool, as described later in this topic.

To configure an ASP.NET application to use SQLServer mode, do the following in the application's Web.config file:

• Set the mode attribute of the sessionState element to SQLServer.
• Set the sqlConnectionString attribute to a connection string for your SQL Server database.

  Note:
  to improve the security of your application when using SQLServer mode, it is recommended that you protect yoursqlConnectionString value by encrypting the sessionState section of your configuration file. For details, see Encrypting Configuration Information Using Protected Configuration.

The following example shows a configuration setting for SQLServer mode where session state is stored on a SQL Server named "SampleSqlServer":

<configuration>
  <system.web>
    <sessionState mode="SQLServer"
      sqlConnectionString="Integrated Security=SSPI;data 
        source=SampleSqlServer;" />
  </system.web>
</configuration>

Note:

If you specify a trusted connection to your SQL Server in the configuration file using the sessionState element'ssqlConnectionString attribute, the SessionStateModule will connect to SQL Server using SQL Server integrated security. The connection will be made using the ASP.NET process identity or the user credentials supplied for the identity configuration element, if they exist. You can specify that the IIS impersonated identity be used instead by specifying <identity impersonate="true" /> and setting the useHostingIdentity attribute of the sessionState configuration element to false. For more information on the ASP.NET process identity, see Configuring ASP.NET Process Identity and ASP.NET Impersonation.

To configure SQLServer mode for a Web farm, in the configuration file for each Web server, set the sessionState element'ssqlConnectionString attribute to point to the same SQL Server database. The path for the ASP.NET application in the IIS metabase must be identical on all Web servers that share session state in the SQL Server database. For information on steps to resolve the issue when application paths differ between servers, see article 325056, "PRB: Session State Is Lost in Web Farm If You Use SqlServer or StateServer Session Mode," in the Microsoft Knowledge Base at http://support.microsoft.com.

Installing the Session State Database Using the Aspnet_regsql.exe Tool

To install the session state database on SQL Server, run the Aspnet_regsql.exe tool located in thesystemroot\Microsoft.NET\Framework\versionNumber folder on your Web server. Supply the following information with the command:

• Thename of the SQL Server instance, using the -S option.
• The logon credentials for an account that has permission to create a database on SQL Server. Use the -E option to use the currently logged-on user, or use the -U option to specify a user ID along with the -P option to specify a password.
• The -ssadd command-line option to add the session state database.
  By default, you cannot use the Aspnet_regsql.exe tool to install the session state database on SQL Server Express Edition. In order to run the Aspnet_regsql.exe tool to install a SQL Server Express Edition database, you must first enable the Agent XPsSQL Server option using Transact-SQL commands like the following:
  EXECUTE sp_configure 'show advanced options', 1
  RECONFIGURE WITH OVERRIDE
  GO
  
  EXECUTE sp_configure 'Agent XPs', 1
  RECONFIGURE WITH OVERRIDE
  GO
  
  EXECUTE sp_configure 'show advanced options', 0
  RECONFIGURE WITH OVERRIDE
  GO
  

  You must run these Transact-SQL commands for any instance of SQL Server Express Edition where the Agent XPs option is disabled.

By default, the Aspnet_regsql.exe tool will create a database named ASPState containing stored procedures that support SQLServermode. Session data itself is stored in the tempdb database by default. You can optionally use the -sstype option to change the storage location of session data. The following table specifies the possible values for the -sstype option:

Option	Description
t	Stores session data in the SQL Server tempdb database. This is the default. If you store session data in the tempdb database, the session data is lost if SQL Server is restarted.
p	Stores session data in the ASPState database instead of in the tempdb database.
c	Stores session data in a custom database. If you specify the c option, you must also include the name of the custom database using the -d option.

For example, the following command creates a database named ASPState on a SQL Server instance named "SampleSqlServer" and specifies that session data is also stored in the ASPState database:

aspnet_regsql.exe -S SampleSqlServer -E -ssadd -sstype p

Note:

If you are running ASP.NET 1.0 or ASP.NET 1.1, you cannot use the Aspnet_regsql.exe tool to configure ASP.NET to store session state in a persistent SQL Server database. However, you can obtain scripts to store session state in a persistent database. For details, see article 311209, "HOW TO: Configure ASP.NET for Persistent SQL Server Session State Management" in the Microsoft Knowledge Base at http://support.microsoft.com. As an alternative, Web servers running ASP.NET 1.0 or ASP.NET 1.1 can direct persistent session state to a SQL Server that has the ASP.NET 2.0 session state schema installed.

In SQLServer mode, you can configure several computers running SQL Server to work as a failover cluster, which is two or more identical computers running SQL Server that store data for a single database. If one computer running SQL Server fails, another server in the cluster can take over and serve requests without session-data loss. To configure SQL Server mode for a failover cluster, you must specify -sstype p when you execute the Aspnet_regsql.exe tool so that session state data is stored in the ASPState database instead of the tempdb database. Storing session state in the tempdb database is not supported for a SQL Server cluster. For more information about setting up SQL Server mode for a failover cluster, see article 323262, "How to use ASP.NET session state SQL Server Mode in a failover cluster" in the Microsoft Knowledge Base at http://support.microsoft.com.

Custom Mode

Custom mode specifies that you want to store session state data using a custom session state store provider. When you configure your ASP.NET application with a Mode of Custom, you must specify the type of the session state store provider using the providerssub-element of the sessionState configuration element. You specify the provider type using an add sub-element and include both atype attribute that specifies the provider's type name and a name attribute that specifies the provider instance name. The name of the provider instance is then supplied to the customProvider attribute of the sessionState element to configure ASP.NET session state to use that provider instance for storing and retrieving session data.

The following example shows elements from a Web.config file that specify that ASP.NET session state use a custom session state store provider:

<configuration>
  <connectionStrings>
    <add name="OdbcSessionServices" 
      connectionString="DSN=SessionState;" />
  </connectionStrings>

  <system.web>
    <sessionState 
      mode="Custom"
      customProvider="OdbcSessionProvider">
      <providers>
        <add name="OdbcSessionProvider"
          type="Samples.AspNet.Session.OdbcSessionStateStore"
          connectionStringName="OdbcSessionServices" 
          writeExceptionsToEventLog="false" />
      </providers>
    </sessionState>
  </system.web>
</configuration>

For more information on custom session state store providers, see Implementing a Session-State Store Provider.

Note:

A custom session state store provider will access any secured resource, such as SQL Server, using the ASP.NET process identity or the user credentials supplied to the identity configuration element, if they exist. You can specify that the IIS impersonated identity be used instead by specifying <identity impersonate="true" /> and setting the useHostingIdentity attribute of thesessionState configuration element to false. For more information on the ASP.NET process identity, see Configuring ASP.NET Process Identity and ASP.NET Impersonation.