What’s New for ASP.NET?

Editor's//Comment

What's New for ASP.NET?

By EldenNelson

Sometimewithin the next month or two (or three, I suppose), Microsoft will releaseversion 1.1 of the .NET Framework. As you'd expect, it sports a bunch of newfeatures - and you can check out Microsoft's official overview at http://msdn.microsoft.com/netframework/productinfo/next/overview.aspif you're the kind of person who likes to get the full scoop.

If you'remore like me, however, you'll prefer to know only what matters toASP.NET developers in this update. I talked with ASP.NET program managers RobHoward and Shawn Nandi to find out what changes in the Framework you shouldcare about.

ImprovedSecurity

Theforms authentication feature is a cookie-based authentication system. The userenters a username and password, which are verified, encrypted, and stored as acookie. In version 1.1, you can now specify requireSSL (see the following code)so that when the cookie is sent back to the browser, SSL must be in place;otherwise, the form throws an exception. This ensures usernames and passwordsare not sent in clear text when the negotiation of usernames and passwords isoriginally being done. This will set to "false" by default:

       name=".ASPXAUTH"          loginUrl="login.aspx"      protection="all"        timeout="30"      path="/"      requireSSL="false"              slidingExpiration="true"     />   You'llalso notice the slidingExpiration option in the previous code, which lets youspecify whether to have the account time out in the specified time, regardlessof whether the user left then came back to the site during that period of time.   Machine.confighas several places that require a username and password. Version 1.1 now has away to encrypt that information so you don't have to store it in clear text.   Onecrucial security fix Microsoft is making is called "Safe-postback." Beforeversion 1.1, you could do "cross-site scripting" - that is, you could inputHTML and JavaScript code in forms that, after postback, would store that codeback in the database. Then, when users requested that page, the code would beretrieved from the database and executed. You can see where this could causemassive problems. With version 1.1, if content contains any markup or script,an exception is thrown. You can disable this feature, but it's enabled bydefault.   Performanceand .NET Server WhenASP.NET runs under .NET Server - to be released in the same timeframe - ittakes advantage of the IIS 6 process model, which lets you set up multipleapplications, each with their own process, whereas traditionally all ASP.NETapps must run under the same process.   Anotherimportant performance enhancement in version 1.1 comes from Shared Cache UserControls. The new "shared" attribute means instead of each page having tocreate its own cached version, pages can share information in the cache.     StarterKits Theseare all interesting tweaks, to be sure, but the new thing I'm mostexcited about isn't even part of the .NET Framework update. About the same timethe 1.1 version of the .NET Framework becomes available, Microsoft will be releasinga number of ASP.NET "Starter Kits." In the same way the IBuySpy sample appmakes it easy to get started on building an e-commerce site, these new StarterKits will give you robust, working code you can fold right in to your ownASP.NET applications. In addition to e-commerce, expect apps that will help youbuild portals, time-tracking apps, reporting apps, and communities.   Bythemselves, these Starter Kits are pretty darn helpful. Expect some articles inthe near future from asp.netPRO, though, that will make them incrediblyuseful. You're really going to like what we've got on tap - unless you don'tlike code and real-world development strategies that can save you time and makeyou more productive.   Withversion 1.1 in beta and about ready to ship, it's time to start thinking aboutthe next big thing - ASP.NET version 2. What new features do you think we'llsee then? What new features do you think ASP.NET needs? And how long doyou think we'll have to wait for it? Peek into your crystal ball and let meknow. Send me e-mail at [email protected].   Elden Nelson is editor-in-chief of asp.netPRO and itscompanion newsletter, asp.netNOW.   Tell us what you think! Please send any comments aboutthis article to [email protected].Please include the article title and author.