HTML Injection Attacks: Impact and Mitigation Strategies
ASP.NET 4.0 Cache Extensibility
1. ASP.NET 4.0 Cache Extensibility Stefan SchackowProgram Manager Microsoft Corporation PC41
2. What's the current state? Why is it changing? How are we changing it? .NET Framework Caching
3. A great in-memory object cache in ASP.NET Lots of configurable "knobs" Expiration policies Automatic scavenging behavior Before and after removal callbacks Extensible cache dependencies Output caching of ASP.NET content Pages Fragment caching of ASP.NET controls Donut caching with cache substitution Output caching of arbitrary HTTP response Current Cache Functionality
4. In-memory cache has various constraints Object cache API exists in System.Web Awkward to use object cache outside of ASP.NET Common question: Why do I have to include System.Web.dll in my WPF/Winforms project? Not available in 3.5 SP1 Client SKU Caching is a "black box" Where can vendors and developers plugin? Memcached, Velocity, ScaleOut, etc… have no clean integration point available to them Output caching is completely opaque Each custom caching solution is a completely different API for developers to learn Why Make Changes?
5. Proposed New Cache Functionality A new, extensible, object cache API in its own namespace and assembly Supports both client and server applications Can be made available on both desktop and client SKUs A factored version of the ASP.NET cache engine Extensible ASP.NET output caching Consistent APIs for programming against Disk-based output caches Custom object caches Cloud-based object caches Distributed object caches
6. New 4.0 Cache Functionality Namespace System.Caching { In-memory Disk based Cache Windows Azure CacheProvider Distributed }
9. New 4.0 Output Cache Functionality Namespace System.Web.Caching { Default.aspx In-memory Disk based Foo.ascx Windows Azure OutputCacheProvider Distributed }
11. Core Versus Optional APIs Cache API is a "union" of common functionality Not all cache providers need to implement all features Core functionality for all providers Represented on CacheProvider base type Storing and retrieving a key-value pair Basic Add/Get/Set/Contains/Remove methods Named cache partitions Providers specialize by deriving from InMemoryCacheProvider OutOfProcessCacheProvider
12. InMemoryCacheProvider Represents a provider running exclusively in a single app-domain Count of items in cache Sliding expirations Distributed caches usually can't synchronize sliding expiration values across multiple servers Cache dependencies (derivations of CacheDependency) Distributed caches may have no concept of dependencies Item removal callbacks (before and after removal) Distributed caches may not be able to call back to anything
13. OutOfProcessCacheProvider Represents a provider that stores data outside of an app-domain Version-based updates (CacheItem.Version) Useful for caches that support optimistic concurrency Lock-based updates (CacheItem.LockHandle) If a cache supports pessimistic concurrency Get multiple items Saves multiple round-trips on fetches Query-tag metadata (CacheItem.QueryTags) Retrieving multiple cache items based on string tags
14. "Velocity" Integration "Velocity" – codename for distributed cache created by the Sql Server team Planned "Velocity" integration points OutOfProcessCacheProvider implementation for object caching SessionStateStoreProviderBase implementation for ASP.NET session state Sidenote: Updates to session state API are planned in 4.0 to allow for more granular sets and gets. OutputCacheProvider implementation for ASP.NET output caching
16. Migrating From Existing APIs System.Web.Caching.Cache Current plan is that it stays un-changed Might enable "opting-in" to using an object cache provider Requires developing a “shim” that can re-route calls to the new object cache provider layer Currently the “shim” is only in the “idea phase” ASP.NET output caching Both page and control caching can opt-in to using custom providers By default both types of output caching continue to use ASP.NET’s in-memory cache
17. Migrating From Existing APIs ASP.NET control output caching <@OutputCacheoutputCacheProvider="…" /> ASP.NET page output caching Programmatically choose different providers Override a new method on HttpApplication HttpApplication.GetOutputCacheProviderName Custom page output caching supports: Absolute expirations File-based dependencies only Validation and substitution callbacks must be static
19. Summary 4.0 Caching is all about extensibility! Both object caching and ASP.NET output caching will be pluggable New object cache APIs available for both client and full versions of .NET Framework
20. Related Content Breakout Sessions/Chalk Talks PC21 – ASP.NET MVC PC30 – ASP.NET Dynamic Data PC31 – ASP.NET and Jquery PC32 – ASP.NET Ajax Futures PC33 – Microsoft Visual Studio: Easing ASP.NET WebDev PC41 – ASP.NET Cache Extensibility TL48 – Microsoft Visual Studio: Web Development Futures ES15 – Deploying Web Applications with Microsoft Internet Information Services 7.0 and the Web Deployment Tool
21. Evals & Recordings Please fill out your evaluation for this session at: This session will be available as a recording at: www.microsoftpdc.com