Practices
George V. Reilly
Software Design Engineer
Internet Information Services
Microsoft Corporation
02/09/08 1
ASP Best Practices
How to build good Active Server Pages
applications, with an eye to robustness,
correctness, maintainability, and
performance.
What not to do.
Agenda
What is ASP
Website Design
3- or 4-Tier Application Design
Readability, Maintenance, Testing
Session and Application State
Caching
Components
Performance
Databases
New in IIS 5
What is ASP?
Active Server Pages is:
What Connects the User Interface
(HTML) with Business Logic
A Consistent, Easy-To-Use Interface to
Web-based Clients that Maintains State
The Environment for Web Applications
that Require Transactions
Active Server Pages is not:
The place to put business logic (use
MTS/COM+ Components or the
database instead)
ASP Lessons Learned
Use script as glue only
Developing Applications
Develop applications, not just stand alone pages
Caching
Cache Inputs
Cache Outputs
Blocking versus Non-blocking scripts
Threads per processor
Benchmark
Set absolute goals, not just relative goals
More ASP Lessons Learned
Test before deploying
Use good components
Minimize database access
Cache transformed output
Benchmark
Dedicated lab
Tools
Website Design (1 of 3)
What does your site offer?
Information Architecture: 80/20 Rule
Site Navigation
Page Layout
Usability
Accessibility
use ALT and TITLE attributes
navigable without images or image maps
3- or 4-Tier Design
Middle Tier -- ASP
Readability and Maintainability
Use comments
<% Option Explicit %> for VBScript
Use string variables for SQL statements =>
easier debugging
Use Server.MapPath and relative paths
Use adovbs.inc or <!--METADATA
TYPE=typelib FILE=some.dll-->, not
hardcoded literal constants
Specify all parameters to ADO so that
defaults don’t cause problems
Encapsulate code: libraries, components
Correctness
Server.URLEncode
Error handling
No nested vroots
Internationalization/Localization
Use <% @codepage %> if using string literals
from codepages other than default codepage for
the machine
Use Session.CodePage dynamically whenever
DB data accessed in non-default codepage
(IIS 5) UTF-8 supported for Response.Write only
Miscellaneous
Use fine-grained #includes to factor
and reuse code
Break queries into Page i of N.
Testing
Proofread the content
Multiple Browsers
Stress Testing
Performance Testing
Homer, er, Web Application Stress Tool
IIS Exception Monitor
WebMeter
Mutek BugTrapper
Monitoring Site
HTTPMonitor
Log Analyzers
WebTrends
Site Server Express Usage Analyst
Securing your Website
Validate users
Validate input
Don’t use .inc file extension for
#includes. Use .asp, script map .inc, or
secure the directory
Put .MDBs outside vdirs
Use ADSI for Security Administration
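The "Validate input" point, combined with the deck's ADO advice (SQL in a string variable, all parameters specified, explicit command type), as an added example that is not part of the original slides. OrdersDsn, the Orders table, its columns, the id query-string parameter and ParseOrderId are hypothetical names.

```vbscript
<%@ Language=VBScript EnableSessionState=False %>
<% Option Explicit %>
<%
' Added example. OrdersDsn, the Orders table, its columns and the "id"
' parameter are hypothetical. ADO constants are spelled out so the page
' stands alone; normally take them from adovbs.inc or a typelib reference.
Const adCmdText = 1, adInteger = 3, adParamInput = 1

' Validate input: accept 1 to 9 decimal digits only; return -1 otherwise.
Function ParseOrderId(raw)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    If re.Test(raw) Then
        ParseOrderId = CLng(raw)
    Else
        ParseOrderId = -1
    End If
End Function

Dim orderId, conn, cmd, rs, sql
orderId = ParseOrderId("" & Request.QueryString("id"))
If orderId < 0 Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid order id."
    Response.End
End If

' SQL kept in a string variable for easier debugging; the value is bound
' as a typed parameter and never concatenated into the statement.
sql = "SELECT CustomerName, Total FROM Orders WHERE OrderId = ?"
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "DSN=OrdersDsn"
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = sql
cmd.CommandType = adCmdText   ' command type specified explicitly
cmd.Parameters.Append cmd.CreateParameter("OrderId", adInteger, adParamInput, 4, orderId)
Set rs = cmd.Execute
If rs.EOF Then
    Response.Write "No such order."
Else
    ' HTML-encode database values before writing them into the page.
    Response.Write "Customer: " & Server.HTMLEncode("" & rs("CustomerName").Value) & "<br>"
    Response.Write "Total: " & Server.HTMLEncode("" & rs("Total").Value)
End If
rs.Close : Set rs = Nothing : Set cmd = Nothing
conn.Close : Set conn = Nothing
%>
```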
Authentication
Basic
Remote nodes
Auditing?
Access control?
Session State (1 of 2)
Seductively convenient but problematic
HTTP Protocol is stateless
Useful for shopping baskets
Hampers scalability
Serializes execution, e.g., frames
Use <% @ EnableSessionState=False %> to
disable sessions on pages that don’t need them
Disable completely if possible
Doesn’t scale well to web farms
Apt-threaded components lock session down to a
single thread => decreases throughput
Wastes memory
Fragile: always use same case in URLs
Session state doesn’t persist to disk
Session State (2 of 2)
Sessions time out
Requires cookies to be enabled on user’s browser
Disconnect Recordsets in Session state; don’t
cache connections
Don’t have empty Session_OnEnd in global.asa
Alternatives
Cookies
Encode state directly => easy, small, insecure
ID for back-end database (e.g., Site Server Active
User Object)
Querystring parameters
Munged URLs (like Amazon)
Hidden FORM variables
Application State
Useful for shared data
Non-persistent
Doesn’t work well in webfarms => only
readonly state useful
Process Isolation
Robustness/performance trade-off
POOP (Pooled out-of-process) is
default in IIS 5
IUSR_machinename: in-proc apps
IWAM_machinename: OOP apps
Caching
Wonderful for static content that doesn’t change
often
Annoying for really dynamic content
Transatlantic links often saturated
Don’t use Response.Expires=0, use negative
number
Response.Expires = -100000
(or Response.ExpiresAbsolute=#Jan 1, 1999 00:00:00#)
Response.AddHeader "Pragma","no-cache"
Response.AddHeader "cache-control","no-store"
Server caching
Proxy caching
Client caching
Components (1 of 3)
Performance
Excessive script
Scalability
Isolate Business Logic from ASP
Presentation Layer
Reuse by ASP and other environments
Transactions
Strong Typing
Access OS features
Protect Intellectual Property
Components (2 of 3)
Use Server.CreateObject if you need
MTS Transactions
Security Context
Components: MTS vs. Classic
Use classic COM for trusted,
non-transactional components
Use COM for Session- or Application-scoped
components
Use MTS library packages for trusted,
transactional components
Use MTS server packages for untrusted
components, transactional or not
Or, mark applications as isolated (OOP) and
run components inproc to the application
Transactional components must be stateless;
other (MTS) components need not be
Component Threading
Cause of much pain
Models
Use Agile (Both-threaded + FTM), Apartment,
or Neutral (COM+) threading
Never use Single or Free threading for ASP
VB components are Apartment-threaded -- at
best; Single-threaded if not careful
Agile => C++/ATL or Java
Neutral => C++/ATL
Page scope: any good model
Session scope: Agile or Neutral preferred;
Apartment locks session down to a thread
Application scope: Agile or Neutral only;
Apartment serializes app, requires marshalling,
runs in wrong security context
ASP Performance (1 of 2)
Many players & layers
Use static HTML wherever possible: XBuilder
Enable Response buffering
Cache, cache, cache: Use LookupTable
Cache object properties (inc. collections)
Use local variables
Use <object> instead of Server.CreateObject
Close connections and Set to Nothing
Don’t use Session or Application object
Don’t store COM objects in Session or
Application state
Disable script debugging
ASP Performance (2 of 2)
Avoid repeated string concatenation
Use Response.IsClientConnected
at top of expensive pages. Only works
correctly after first Response.Write.
Real-enough time: MSMQ
Don’t store large arrays in
Session/Application
Don’t redim arrays
Copy collections to local variables
Long, blocking pages => increase
ProcessorThreadMax
Perf: Offload work to Clients
CSS, DHTML
XML
RDS
Remote scripting
XmlHttp
Client-side validation
Minimize file sizes
Avoid https/SSL wherever possible
Performance Testing
WebTool (Homer)
PerfMon
Tracer component
Poor man’s ASP profiling
Measure ASP page under high load
Put Response.End in middle of script
Measure page again
If throughput and response time are about the
same, the problem’s in the first half of the script; if
they’re much improved, it’s in the second half
Add a comment detailing the results at the
Response.End location
Put Response.End in the appropriate half and
re-measure until problem(s) isolated
ASP Performance Graphs
[Chart: ASP Performance; series: Uniprocessor, 2P, 4P; categories: In-Process, Out-of-Process]
Databases (1 of 2)
Minimize database access
Cache transformed output
Use ODBC connection pooling or OLEDB
resource pooling
Use System DSNs or DSN-less DSNs, not
User DSNs or File DSNs
Make ADO both-threaded: makefre15.bat
Use ADO Field object
GetString and GetRows are fast
RDS and XML: offload work to client
Don’t Select * -- use named columns
Databases (2 of 2)
Use SQL Server 7.0, not Access
Let SQL Server do the work
stored procedures, joins, sorting, grouping
Use Query Analyzer: Show
Execution Plan
Use Indexes
Named Pipes locally, Sockets remotely
Always specify command types explicitly
New in IIS 5
Pooled out-of-process applications
Reliable restart
Much improved ASP performance
Server.Transfer preferred to Response.Redirect
Server.Execute
Server.GetLastError
XML/ADO Recordsets w/ Response & Request
Better error messages – no more ASP 0115
Custom Errors (500-100.asp)
Thread gating
Remote scripting
Resources
http://www.useit.com
http://msdn.microsoft.com/workshop/
http://www.15seconds.com
http://www.activeserverpages.com
http://www.4GuysFromRolla.com
http://www.asptoday.com
http://www.aspguild.org
http://www.microsoft.com/backstage/
http://www.aspwire.com
http://www.htmlhelp.com
http://www.swynk.com
http://www.microsoft.com/technet/iis/
Prof. ASP Techniques for Webmasters, Homer
Information Architecture for WWW, Rosenfeld
IIS Resource Kit