How asp.net uses caching

How to set up browser client cache for asp.net

1. Expiration time: Expires

This means that the browser cache entry becomes invalid after the specified time. Note that the expiration time must be a date and time in HTTP format; any other value is interpreted as being "before" the current time, so the cache expires immediately. The date and time in HTTP must be Greenwich Mean Time (GMT), not local time. Example:
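The two rules above, as an added C# example that is not part of the original page: an expiry time is formatted as a GMT HTTP-date, and any Expires value that does not parse as one is treated as already expired. `ExpiresHeader`, `Format` and `IsFresh` are hypothetical names.

```csharp
using System;
using System.Globalization;

// Added example; ExpiresHeader and its methods are hypothetical names.
static class ExpiresHeader
{
    const string HttpDate = "R";  // RFC 1123 date pattern, always labelled GMT

    // "R" formatting does not convert time zones, so convert to UTC first;
    // otherwise local clock digits would be sent with a GMT label.
    public static string Format(DateTime expiry)
    {
        return expiry.ToUniversalTime().ToString(HttpDate, CultureInfo.InvariantCulture);
    }

    // A value that is not a valid HTTP-date counts as "before now":
    // the cached copy is considered expired immediately.
    public static bool IsFresh(string headerValue, DateTime nowUtc)
    {
        DateTime expiry;
        bool parsed = DateTime.TryParseExact(
            headerValue, HttpDate, CultureInfo.InvariantCulture,
            DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal,
            out expiry);
        return parsed && expiry > nowUtc;
    }

    static void Main()
    {
        DateTime now = DateTime.UtcNow;
        // Constructed sample values: one valid future date built from local
        // time, two malformed values, and one valid date in the past.
        string[] samples =
        {
            Format(DateTime.Now.AddMinutes(10)),
            "0",
            "2030-01-01 10:00:00",
            Format(now.AddMinutes(-1))
        };
        foreach (string value in samples)
            Console.WriteLine("Expires: {0,-32} fresh={1}", value, IsFresh(value, now));
    }
}
```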

Using Expires for expiration requires the server's time to be correct.

A network in which multiple wind paths are connected in sequence.

A series ventilation network is a ventilation network in which two or more tunnels are connected end to end in sequence with no branches in the middle. The total wind resistance of a series ventilation network is large, the grade holes are small, and ventilation is difficult; the air volume in each tunnel in the network cannot be adjusted, the gun smoke and mineral dust generated at the front working surface directly affect the rear working surface, and a fire, once it occurs, is difficult to control. The use of series ventilation networks should be avoided as much as possible; otherwise corresponding measures should be taken.

What are the characteristics and differences of the four languages ASP, ASP.NET, PHP and JSP?

ASP, the full name is Active Server Pages

ASP is a server-side scripting language developed by Microsoft. Its syntax is similar to Visual Basic, and, like SSI (Server Side Include), it embeds script code in the HTML page. Although ASP is simple and easy to use, it has many flaws, the most important of which is security. ASP.NET, newly launched as part of Microsoft's .NET strategy, draws on the advantages of Java technology and uses C# (C Sharp) as its recommended language. It also improves on shortcomings of the earlier ASP such as poor security. However, ASP and ASP.NET still have limitations, because in practice they run well only on Microsoft's Windows NT/2000/XP + IIS server platform (ChilliSoft provides a solution for running ASP on UNIX/Linux, but ASP is currently almost never used on UNIX/Linux). The platform limitation and the security of ASP itself therefore limit the wide application of ASP.

When ASP is executed, IIS calls the program engine to interpret and execute the ASP code embedded in HTML, and finally sends the result to the client together with the original HTML.

PHP, the full name is PHP: Hypertext Preprocessor

The full name of PHP is interesting: it is a nested abbreviation, "PHP: Hypertext Preprocessor", in which expanding the abbreviation yields the abbreviation again. PHP is an HTML-embedded language (like ASP, mentioned above). Its syntax mixes C, Java, Perl and new PHP-specific syntax, and it can execute dynamic web pages faster than CGI or Perl.

PHP's source code is completely open to the public. With the rise of open source awareness, it is a mainstay in this regard. New function libraries are constantly added and updated, giving PHP more new functions on both UNIX and Win32 platforms. Its rich set of functions makes it a strong resource for programming. The latest version of PHP is 4.1.1, which works well on almost all platforms, including Win32 and UNIX/Linux. Since version 4.0, PHP has used the new Zend engine, and after optimization its efficiency is better than that of traditional CGI, ASP and other technologies.

Platform independence is the biggest advantage of PHP, but behind the advantages, there are still some small disadvantages.

If you do not use ODBC in PHP but instead use its own database functions (which are more efficient than ODBC) to connect to the database, the PHP function names differ from one database to another, which makes porting a program somewhat troublesome. However, as the most widely used back-end language at present, PHP's advantages are still extremely obvious.

JSP, the full name is JavaServer Pages/Servlet

JSP and Servlet should be discussed together because they are both part of Sun's J2EE (Java 2 Platform, Enterprise Edition) application system.

A Servlet is similar in form to the CGI mentioned earlier: the HTML code and the background program are separate. Their startup principles are also similar: the server responds after receiving the client's request. The difference is that CGI opens a process for each client request, whereas a Servlet is loaded in response to the first request and then stays in the running state. For later requests from other users it does not open a process but a thread, which sends the results to the client. Since threads can share resources through the parent thread that created them, which reduces the burden on the server, Java Servlets can be used to provide large-scale application services.

JSP looks very similar to ASP or PHP in form, since all of them can be embedded in HTML code, but the way it executes is completely different. When a JSP is executed, the JSP file is converted into Servlet code by the JSP parser, and the Servlet code is then compiled into a .class bytecode file by the Java compiler, so that the generated Servlet responds to the client. JSP can therefore be regarded as the scripting-language version of Servlet.

Since JSP/Servlet are both based on Java, they also have the greatest advantage of the Java language: platform independence, the so-called "Write Once, Run Anywhere" (WORA). In addition to this advantage, the efficiency and security of JSP/Servlet are also quite impressive. Therefore, although JSP/Servlet is not widely used in China, its future is limitless.

When debugging JSP code, if a program error occurs, the JSP server returns error information and displays it in the browser. Because the JSP is first converted into a Servlet and then run, the line number of the error shown in the browser is not a line number in the JSP source code but a line number in the converted Servlet code. This makes debugging somewhat difficult. When troubleshooting, you can therefore use a segment-by-segment elimination method (output some strings before and after the code that may be at fault, and use whether each string appears to determine where the code starts to go wrong), gradually narrowing the range of the faulty code until the location of the error is found.

Comparison between JSP and ASP:

In running speed, running overhead, running platform, scalability, security, function support, vendor support, XML support and so on, ASP is no rival to JSP. The complexity of COM components makes programming with them difficult, whereas the combination of JavaBeans and Java is seamless.

Comparison between JSP and ASP.NET:

1. Compared with C#, JSP's scripting language JAVA is also an object-oriented, distributed, and interpreted language.

2. Similar to C#, JAVA also removes difficult-to-understand concepts such as pointers and replaces them with classes and objects.

3. JSP has a brand-new technology, Servlet (a server-side program), which saves server resources very well.

4. JavaBeans is the technology that corresponds to ASP.NET's Server Control.

As long as you know JAVA, JavaBeans is easy to write.

5. Then there is JAVA's JDBC database connection technology.

6. JSP also has very extensive support for XML.

1) Object-oriented:

ASP+ uses C# as an object-oriented language. In many ways, C# will become Microsoft's language similar to Java.

Another interesting thing about C# is that all objects automatically become COM objects. If C# can gain significant market share, it will bring Java-like functionality to ASP+ with faster performance because it can be tightly integrated with the Windows environment.

C# is one of the most important functions in ASP+ development, and Microsoft will develop C# into a strong rival to Java. This is also an important part of their .Net framework. I think C# is Microsoft's main tool to beat its rivals in the programming market. I look forward to Microsoft putting all its efforts behind this product so that C# can become another choice for many programmers. The result of C# is to further strengthen the product lines of Microsoft and Sun. This is beneficial to users, who can choose one of the two to develop new applications.

2) Database connection:

Another highlight of ASP is its use of ADO objects, ODBC, OLE-DB and transaction processing managers. Therefore, ASP web database application development is particularly simple. ASP+ has developed more functions because of ADO+! ADO+ brings more powerful and faster functions. JSP and JDBC currently lag behind ASP/ADO in terms of ease of use and performance. This difference will be more obvious when the new version ASP+/ADO+ appears. I personally hope that Sun will make great efforts to catch up with the ASP+/ADO+ combination as soon as possible.

3) Large site applications:

ASP+ will have better support for large sites (web farms). In fact, Microsoft has made great efforts in this regard. ASP+ lets you plan for multiple servers: when you need more capacity, you only need to add a server. The entire .NET framework fully supports this approach. ASP+ provides external session state to give built-in web farm support. In addition, it is very fast because the various components that handle a request are fully optimized for each other.

So ASP+ can now have the same capabilities as JSP in large projects. ASP+ also has a price advantage because all components will be part of the server operating system. For JSP, you need to purchase expensive application server farms to achieve the same purpose.

4) ASP+ also provides more new features in other aspects, such as:

* Built-in object caching and page result caching.

* Built-in XML support for simple processing of XML data sets.

* Server control provides fuller interactive control.

ASP+ has indeed made great progress over ASP.

What does the .NET Framework mainly include? In more detail?

It is a language development software

The .NET Framework supports COM+ and MTS through COM Interop (COM interoperability) technology. A traditional COM application can call a .NET component, and a .NET component (called a .NET assembly) can also call a COM component. This extremely powerful bidirectional interoperability lets you mix both technologies in your application.

The .NET Framework is the result of the joint efforts of several Microsoft development teams. Its main purpose is to provide a development platform for quickly developing and deploying website services and applications. This architecture is the result of two projects. The first was intended to improve program development on the Windows platform, especially to improve COM (Component Object Model, a software technology developed by Microsoft that allows the functions of objects to be called by other software, so that components can be reused and are easy to update and maintain). The second was to create a development platform aimed at delivering software as a service. The two project teams began working together more than three years ago, hoping to build a development platform that allows rapid development for the Internet and is easy to learn and use.

Current Security Issues

In today's software environment, applications come from many sources and perform many tasks. Trust in application code is a major need because none of us want software or information to be compromised. A security policy that gives permission will not allow inappropriate access to sensitive information, or expose the local machine to malicious programs or even mundane buggy code.

In the past, security architectures provided user account-based isolation and access control—giving code full access within those limits and assuming the same level of trust as code runnable by a specific user. Unfortunately, if all programs run on behalf of a user, isolating code by user is not enough to protect a program from being used by other users. Alternatively, code that cannot be fully trusted is often moved to a "sandbox" model, where the code runs in an isolated environment without access to most services.

Successful security solutions for today's applications must enforce a balance between the two security models. It must provide access to resources in order to complete useful work, and it requires careful control over application security to ensure that code is identified, detected, and given the appropriate level of security. .NET Framework provides such a security model.

Microsoft .NET Framework Security Solution

The .NET Framework security solution is based on the concept of managed code, with security rules enforced by the Common Language Runtime (CLR). Most managed code is verified to ensure type safety and the well-defined behavior of other properties. For example, in verified code, an access declared to receive a 4-byte value rejects a call that supplies an 8-byte parameter as not type-safe. The verification process also ensures that execution flow is directed only to known locations, such as method entry points, which removes the ability to jump to arbitrary locations.

Verification prevents code that is not type-safe from executing, catching many common programming errors before they cause damage. Common vulnerabilities, such as buffer overflows, reads from arbitrary or uninitialized memory, and arbitrary transfers of control, are no longer possible. This benefits end users, because the code is checked before they execute it. It also benefits developers, who will find that many common errors that have plagued development in the past can now be identified and prevented from causing havoc.

The CLR also enables unmanaged code to run, but unmanaged code cannot benefit from these security measures. Special permissions are associated with the ability to call unmanaged code, and a strong security policy can ensure that these permissions are granted appropriately. Over time, the migration of unmanaged code to managed code will reduce the frequency of calls to unmanaged code.

Components of Microsoft .NET Framework security mechanism

Evidence-based security

The .NET Framework introduces the concept of "evidence-based security". In essence, it answers the questions that security policy poses:

· From which site did the assembly come?

Assemblies are the building blocks of .NET Framework applications. They form the basic unit of deployment, version control, reuse, activation scope, and security authorization. An application's assemblies are downloaded to the client from a website.

· From which URL was the assembly obtained?

The security policy requires the explicit address from which the assembly was downloaded.

· From which zone did the assembly come?

Zones are based on the location of the code and describe security criteria such as Internet, intranet, local machine, and so on.

· What is the strong name of the assembly?

A strong name is a cryptographically strong identifier provided by the creator of the assembly.

Although it does not provide any proof of who the creator is, it uniquely identifies the assembly and ensures that the assembly has not been tampered with.

Based on the answers to these questions, and other evidence, the security policy can calculate the appropriate permissions to grant the assembly. Evidence can be obtained from a variety of sources, including the CLR, browsers, Microsoft ASP.NET, and shells, depending on the source of the code.

Policy-driven trust model using code evidence

When an assembly is loaded into memory, the CLR policy system determines what permissions to give it. The policy system grants the assembly a set of permissions based on the evaluated evidence and on the permission requests made by the assembly. The creator of an assembly may know that it functions correctly only when it is given a minimum set of permissions, or that it requires no permissions at all. Such additional requirements can be communicated to the policy system through one or more requests for specific permissions.

Depending on the type of permission request, the policy system can further restrict the permissions given to the assembly (removing unnecessary permissions) or even refuse to load the assembly into memory (if the minimum permissions required to run it are not granted by the policy). An assembly is never given more permissions than the policy system would grant in the absence of any permission requests; requests only further limit the permissions given.

A security policy contains a number of code groups, each of which states the permissions that should be granted based on the evidence. The permission sets described by code groups can be granted to assemblies obtained from a specific security zone, to assemblies signed by a specific publisher, and so on. Although a default set of code groups (and associated permissions) ships with the CLR, administrators can configure CLR security to suit their particular needs. Remember that, by defining a code group associated with it, anything can be submitted as evidence as long as the security policy can use it.

Creating the permission grant involves evaluating the evidence to determine which code groups apply at each of three levels: enterprise, machine, and user. The policy evaluates these three levels in that order and creates a permission set that is the intersection of the three levels. Administrators can mark any policy level as final, which prevents further evaluation of the policy at the other levels. For example, an administrator can terminate policy for an assembly at the machine level, which prevents user-level policy from being applied to that assembly.

Once policy evaluation is complete, the initial set of permissions has been created. An assembly can refine these permissions by making specific requests in three ways:

· First, it can specify the minimum set of permissions it must have in order to run. If these permissions are not granted, the assembly is not loaded into memory and an exception is thrown.

· Second, an optional set of permissions can be specified. Although the assembly would like these permissions to be present, it can still be loaded into memory if they cannot be obtained.

· Finally, particularly well-behaved assemblies will actually refuse risky permissions they do not need. These three refinement options are implemented as declarative statements evaluated when the assembly is loaded.

At runtime, permissions are calculated based on code execution. The diagram on the right summarizes the sequence in which this process occurs. Assembly A3 provides its evidence, together with evidence from the host, to the policy evaluator. The policy evaluator also considers the assembly's permission requests when creating the permission grant, "G3". Assembly A3 is called by assembly A2, which in turn is called by assembly A1. When assembly A3 performs an operation that triggers a security check, the permissions granted to A2 and A1 are also checked to ensure that they hold the permissions demanded by A3. In this process, called stack walking, the permissions of each assembly on the stack are checked to determine whether its granted permission set contains the permissions required by the security check. The call succeeds if every assembly on the stack has been granted the permissions required by the security check. If any assembly has not been granted the required permissions, the stack walk fails and a security exception is thrown.
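The policy resolution, permission requests and stack walk described above, as an added C# model that is not code from the original page or from the .NET Framework. It assumes the three policy levels combine by intersection; every class, method and permission name in it is hypothetical, and the policy data is constructed.

```csharp
using System;
using System.Collections.Generic;

// Simplified model of CLR code access security. Every type and permission
// name here is hypothetical; this is not the System.Security API.
sealed class PolicyLevel
{
    public string Name;
    public HashSet<string> Grant;  // permissions this level's code groups grant
    public bool Final;             // level marked final by an administrator
}

sealed class Asm
{
    public string Name;
    public HashSet<string> Minimum = new HashSet<string>();  // required to load
    public HashSet<string> Optional;                         // null: no optional request
    public HashSet<string> Refused = new HashSet<string>();  // explicitly declined
    public HashSet<string> Granted = new HashSet<string>();  // set by Load
}

static class CasModel
{
    static HashSet<string> Set(params string[] p) { return new HashSet<string>(p); }

    // Enterprise, machine and user are evaluated in order and intersected;
    // a level marked final stops evaluation of the levels after it.
    public static HashSet<string> Resolve(IEnumerable<PolicyLevel> levels)
    {
        HashSet<string> result = null;
        foreach (PolicyLevel level in levels)
        {
            if (result == null) result = new HashSet<string>(level.Grant);
            else result.IntersectWith(level.Grant);
            if (level.Final) break;
        }
        return result ?? new HashSet<string>();
    }

    // Permission requests only narrow the policy grant, never widen it.
    public static void Load(Asm asm, HashSet<string> policyGrant)
    {
        if (!asm.Minimum.IsSubsetOf(policyGrant))
            throw new InvalidOperationException(asm.Name + ": minimum request not met, load refused");
        var granted = new HashSet<string>(policyGrant);
        if (asm.Optional != null)
        {
            var wanted = new HashSet<string>(asm.Minimum);
            wanted.UnionWith(asm.Optional);
            granted.IntersectWith(wanted);
        }
        granted.ExceptWith(asm.Refused);
        asm.Granted = granted;
    }

    // Stack walk: the demand fails if any assembly on the stack lacks the permission.
    public static void Demand(string permission, IEnumerable<Asm> callStack)
    {
        foreach (Asm frame in callStack)
            if (!frame.Granted.Contains(permission))
                throw new UnauthorizedAccessException(frame.Name + " lacks " + permission);
    }

    static void Main()
    {
        // Constructed policy: the user level would drop FileIO, but machine is final.
        var local = Resolve(new[] {
            new PolicyLevel { Name = "enterprise", Grant = Set("FileIO", "UI", "Environment") },
            new PolicyLevel { Name = "machine", Grant = Set("FileIO", "UI"), Final = true },
            new PolicyLevel { Name = "user", Grant = Set("UI") } });
        var internet = Set("UI");  // constructed grant for downloaded code

        var a3 = new Asm { Name = "A3", Minimum = Set("FileIO") };
        var a2 = new Asm { Name = "A2", Refused = Set("UI") };
        var a1 = new Asm { Name = "A1" };
        Load(a3, local); Load(a2, local); Load(a1, internet);

        Demand("FileIO", new[] { a3, a2 });  // every frame holds FileIO
        try { Demand("FileIO", new[] { a3, a2, a1 }); }  // A1 calls A2 calls A3
        catch (UnauthorizedAccessException e) { Console.WriteLine("Security exception: " + e.Message); }
    }
}
```

The second demand fails at A1 even though A3, the assembly that touches the file, is fully trusted: a less trusted caller cannot borrow a trusted library's permissions.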

Some activities, such as reading and writing files, displaying dialog boxes, and reading and writing environment variables, get security "for free": they are performed through .NET Framework methods that are covered by the framework's security architecture.

This allows the .NET Framework to allow or disallow an operation based on security policy without requiring the programmer to do additional work. Although the authors of managed classes that expose protected resources make explicit security demands in their libraries, developers who use the .NET Framework class libraries to access protected resources can take advantage of the code access security system without making explicit security calls themselves.

Administrators can optimize security policies by deciding which permissions to grant, and then rely on .NET Framework to handle all security operations. Code access security can prevent most malicious attacks, and verification of code reduces buffer overflows and other undesirable behaviors that can lead to security attacks. As a result, applications and components are inherently protected from most of the security issues that plague native code implementations.

Role-based security

Sometimes it is appropriate to make authentication decisions based on the authenticated identity or based on the role associated with the code execution context. For example, financial and enterprise software can enhance policies through enterprise logic that evaluates role information. Data on financial transactions can be restricted based on the user role making the request. Cashiers are allowed to handle requests up to a certain amount, and all work above that amount requires the supervisor role.

Identities can be mapped to users logged into the system, or be defined by the application. A corresponding principal encapsulates the identity and other relevant role information (for example, but not limited to, user "groups" defined by the operating system).

Authentication and Authorization

Authentication is the process of receiving credentials from a user and validating those credentials. If the credentials are valid, the user is said to have an authenticated identity. Authorization is the process of determining whether the authenticated user can access a given resource. Authentication can be done by the system or by enterprise logic, and is obtained through an API. The authentication API is fully extensible, so developers can use their own enterprise logic as needed. Developers can code against their authentication requirements and can change the underlying authentication method without making major changes to their code. In addition to Microsoft Windows operating system authentication, the authentication methods include Basic HTTP, Digest and Kerberos, as well as Microsoft Passport and forms-based authentication. These authentication methods are fully integrated into ASP.NET.

In ASP.NET forms authentication, the user provides credentials and submits the form. If the application authenticates the request, the system issues a cookie that contains the credentials in some form or contains a key for reacquiring the identity. Subsequent requests are sent with the cookie in the header, and the ASP.NET handler authenticates and authorizes these requests by whatever validation method the application expects. If a request is not authenticated, HTTP client-side redirection is used to send the request to an authentication form, where the user can supply credentials. Forms authentication is sometimes used for personalization, that is, tailoring content to known users. In some cases, identity is the issue rather than authentication, so the user's personalized information can be obtained simply by accessing the user or.

The purpose of authorization is to determine whether the identity making the request is granted access to a given resource. ASP.NET provides two types of authorization services: file authorization and URL authorization. File authorization determines which access control lists are consulted, based on the method in use and the identity making the request. URL authorization is a logical mapping between parts of the URI namespace and different users or roles.

Isolated Storage

The .NET Framework provides a special feature, isolated storage, for storing data even when file access is not allowed, for example when a managed control is downloaded from the Internet and run with limited permissions that do not include the right to read or write files.

Isolated storage is a new set of types and methods for local storage supported by .NET. In essence, each assembly has access to an isolated segment of storage space on disk. It is not allowed to access other data, and isolated storage is available only to the assembly it was created for.

Isolated storage can also be used by applications to keep a record of activity, save settings, or save state data to disk for future use. Because the location of isolated storage is predetermined, it provides a convenient way to obtain a unique storage space without having to decide on a file path.

Code obtained from the local corporate LAN is subject to similar but fewer restrictions, and it can access larger quotas of isolated storage. Finally, code coming from the restricted sites zone (untrusted sites) does not have access to isolated storage.

Encryption

The .NET Framework provides a set of cryptographic objects that support encryption, digital signatures, hashing, and random number generation. They are implemented with well-known algorithms such as RSA, DSA, Rijndael/AES, TripleDES, DES, and RC2, as well as the MD5, SHA1, SHA-256, SHA-384 and SHA-512 hashing algorithms. It also supports the XML digital signature specification developed at the IETF and W3C. The .NET Framework uses the cryptographic objects to support its internal services. These objects are also provided as managed code to developers who require cryptographic support.

How to specify security?

If you want to modify the runtime behavior of an assembly, you can make declarative security or imperative (enforced) security modifications, according to the needs of the programmer.

Declarative security

Declarative security allows programmers to specify security requirements for an assembly directly in the metadata of the assembly's code. Permission requests and all other forms of declarative security are specified in the code as custom attributes. Annotations on classes, properties and methods are used to refine permissions. For example, declarative security can be used by a class to check, before a method is called, whether the caller is signed by a known publisher or has a specific strong name.

Because the declared attributes are part of the assembly's metadata, the security requirements of the assembly are easy to discern. Tools can scan the assembly to discover which methods require certain permissions and which methods assert certain permissions.

When the requested activity and permissions are known at compile time, declarative checks can be the solution of choice. For example, if a method always checks for write access permission to C:\temp, then the permission check benefits from being declared. On the other hand, if the location to which access is requested changes, then imperative security may be a better solution.
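Added example (not from the original page): the write check on C:\temp expressed once declaratively, as an attribute in metadata, and once imperatively, for a directory that is only known at run time. It uses the .NET Framework's System.Security.Permissions types; `TempLog`, its method names and `app.log` are hypothetical.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Example for the .NET Framework. TempLog, its methods and app.log are
// hypothetical names; the permission types are the framework's own.
public static class TempLog
{
    // Declarative: the path is fixed at compile time, so the demand lives in
    // metadata where tools can find it. Every caller on the stack must hold
    // write access to C:\temp before the method body runs.
    [FileIOPermission(SecurityAction.Demand, Write = @"C:\temp")]
    public static void Append(string line)
    {
        File.AppendAllText(@"C:\temp\app.log", line + Environment.NewLine);
    }

    // Imperative: the directory is only known at run time, so the permission
    // object is built and demanded in code.
    public static void AppendTo(string directory, string line)
    {
        string full = Path.GetFullPath(directory);  // FileIOPermission needs an absolute path
        new FileIOPermission(FileIOPermissionAccess.Write, full).Demand();
        File.AppendAllText(Path.Combine(full, "app.log"), line + Environment.NewLine);
    }

    public static void Main(string[] args)
    {
        string target = args.Length > 0 ? args[0] : @"C:\temp";
        try
        {
            Directory.CreateDirectory(@"C:\temp");
            Directory.CreateDirectory(target);
            Append("declarative demand passed");
            AppendTo(target, "imperative demand passed");
        }
        catch (SecurityException e)
        {
            // Thrown when the stack walk finds a caller without the permission.
            Console.WriteLine("Denied: " + e.Message);
        }
    }
}
```

Code access security demands are enforced by the .NET Framework runtime; .NET Core and later versions do not enforce them.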

Imperative security

Imperative security is implemented directly in the code. Programmer