Video: The best web stack in the world

This is the demo I made for the Microsoft Demos Happen Here competition. The criteria was that it had to be under 10 minutes, and show one or more of the features from the launch wave technologies – Visual Studio 2008, SQL Server 2008 and Windows Server 2008.
I chose to demonstrate PHP running on IIS7 using FastCGI, then integrating this with an ASP.NET application before finally load balancing the whole application between two servers in a high availability, automatic failover cluster.
I managed to do all that with 2 minutes to spare, so I think it’s pretty clear that Windows Server 2008 is the best web stack in the world.

Update 5-Sep-08: I won. 🙂 

Tearing down the tents (and moving them closer together)

Being fairly focused on Microsoft technologies myself, I see a lot of the “us vs. them” mentality where you either use Microsoft technologies, or you’re part of “the other group”. Seeing Lachlan Hardy at Microsoft Remix was awesome – he was a Java dude talking about web standards at a Microsoft event. The more we can focus on the ideas rather than which camp you’re from, the more we’ll develop the inter-camp relationships and eventually destroy this segmentation. Sure, we’ll still group up and debate the superfluous crap like which language is better (we’re nerds – we’ll always do that) but at least these will be debates between the sub-camps of one big happy web family. (It’s not as cheesy as it sounds – I hope.)

What’s the first step in making this happen? Meet people from “the other group”!

The boys and girls at Gruden and Straker Interactive have put together Web on the Piste for the second year running. It’s a vendor neutral conference about rich internet technologies – so you’ll see presentations about Adobe Flex and Microsoft Silverlight at the same event (among lots of other cool technologies of course). These types of events are a perfect way to meet some really interesting people and cross pollinate some sweet ideas.

It’s coming up at the end of August, and I understand that both conference tickets and accommodation are getting tight so I’d encourage you to get in soon if you’re interested (Queenstown is crazy at this time of year).

And of course, yours truly will be there evangelising the delights of Windows Live as well as ASP.NET AJAX to our Flash using, “fush and chups” eating friends. 🙂

Will you be there?

Video: ASP.NET MVC Preview 3

Last night I gave an introduction to MVC at the Wollongong .NET User Group. We had a bit of time at the end, so I also covered off Inversion of Control (IoC) and how it can be used with the MVC framework.

The talk assumed a working knowledge of ASP.NET, but required no existing knowledge about ASP.NET MVC or IoC.

You can watch it on Vimeo:

Tip: Watching on the actual Vimeo site instead of this embedded player will give you a bigger and clearer video.

Or download it as a WMV: (64MB, 68min)

Tip: Learn through sharing

Finula sent out an email yesterday asking a group of us to supply some tips for being a successful developer. The short versions will get included in this afternoon’s MSDN Flash newsletter, and we’re each blogging our full response.

My personal advice is to recognize the power of learning through sharing. Coatesy touched on the idea at the end of his own tip.

Attending user groups is one thing, but getting up and contributing your own knowledge is what really drives these groups. You’ll be pleasantly surprised at how much you’ll actually learn about a technology if you step back and prepare a presentation for your peers which explains what that technology is, and how it works.

One of my work mates, Steve Godbold, recently delivered a presentation about LINQ. In prepping for the talk he knew he’d need to explain expression trees, and he guessed he’d get some questions about LINQ to SQL vs LINQ to Entities. Pleasantly shocked about how much more there was to know about LINQ, he’s know turned this prep into a series of blog posts too.

Presenting isn’t for everyone though, but this is where blogging steps in. It might seem a bit egotistical at first to think that people want to read what you have to say, but the reality is people genuinely do! Think about the number of times you’ve ended up reading somebody’s blog post before to help you solve a problem. Posts don’t need to be technical wizardry to warrant publishing either – it’s often the simple little tricks that people find real value in. One of my more popular posts describes how to do a hover effect in CSS. It also opens up your ideas for others to comment on, which might prompt something you’d never thought of before.

Hopefully this will give you a bit of inspiration to get up and really participate in the vibrant technical community around you.

What now? If you haven’t already, subscribe to MSDN Flash, submit your 10 minute demo for the chance to win big prizes, contribute to your local user group, and start a blog.

What’s your tip for being a great developer?

Video: Architectural Considerations for the ASP.NET MVC framework

Update (16th July 2008): There’s a better version of this presentation available at

This talk doesn’t actually assume any prior knowledge of the ASP.NET MVC Framework, so it goes through the whole intro at the start (albeit quickly). I then delve into some IoC concepts, and finally mash it all together. The IoC framework used is Castle Windsor.

This was recorded at the VIC.NET usergroup in Melbourne, Australia on 10th June 2008.

You can grab the Windows Media file directly from: (48MB, 47min)

Or stream it from Google Video:

Mark Pesce to keynote Remix Australia 2008

It was great to see this afternoon’s announcement on the Remix website that Mark Pesce will be taking the top presentation slot.

Mark did the locknote at last year’s Web Directions conference in a Sydney with his “Mob Rules” talk. He discussed some amazing social aspects of the internet and, in a more general sense, the unprecedented communications in poor communities. Over the last decade we’ve gone from more than 50% of the worlds population never having made a phone call, to over half the population now owning a mobile phone. The social impacts of this are quite surprising in ways that people never could have predicted.

I highly recommend watching the Mob Rules talk when you get a chance. You can watch it all online at

He’s an amazing presenter, whos presentation technique reminds me a lot of Al Gore (another speaker I have immense respect for).

I look forward to seeing what he’ll deliver at Remix.

Using cookies in ASP.NET

For a comparison of various ASP.NET state management techniques (including cookies) and their inherit advantages and disadvantages, see my previous post – Managing State in ASP.NET – which bag to use and when. This post covers the purely technical side of dealing with cookies in ASP.NET

I’m glad the ASP.NET team gave us access as raw as they did, but it also means that you need to have an understanding of how cookies work before you use them. As much as it might seem, you can’t just jump in and use them straight away.

First of all, you need to understand how they are stored and communicated. Cookies are stored on the user’s local machine, actually on their hard-drive. Every time the browser performs a request, it sends the relevant cookies up with the request. The server can then send cookies back with the response, and these are saved or updated on the client accordingly.

Now you need to remember that cookies are uploaded with every request, so don’t go storing anything too big in there particularly as most users have uplinks which are much slower than their downlinks. With this in mind, you should generally try and just store an id in the cookie and persist the actually data in a database on the server or something like that.

Finally, you only need to send cookies that have changed back with the response, somewhat like a delta. This introduces some intricacies, like “how do you delete a cookie” which I’ll discuss in a sec.

Reading Cookies

This is the easy part. Because cookies are uploaded with every request, you’ll find them in the Request.Cookies bag. You can access cookies by a string key (Request.Cookies[“mycookie”]) or enumerate them. Cookies can contain either a single string value, or a dictionary of string values all within the one cookie. You can access theses by Request.Cookies[“mycookie”].Value and Request.Cookies[“mycookie”].Values[“mysubitem”] respectively.

Creating Cookies

The Request.Cookies bag is writeable, but don’t let that deceive you. Adding cookies here isn’t going to help you, because this is just the upload side. To create a new cookie, we need to add it to the Response.Cookies bag. This is the bag that is written back to the client with the page, and thus it plays the role of our “diff”.

The HttpCookie constructor exposes very simple name and value properties:

new HttpCookie(“mycookie”,”myvalue”)

To get some real control over your cookies though, take a look at the properties on the HttpCookie before you call Response.Cookies.Add.

  • Domain lets you restrict cookie access to a particular domain.
  • Expires sets the absolute expiry date of the cookie as a point in time. You can’t actually create a cookie which lives indefinitely, so if that’s what you’re trying to achieve just set it to DateTime.UtcNow.AddYears(50).
  • HttpOnly lets you restrict the cookie to server side access only, and thus prevent locally running JavaScript from seeing it.
  • Path lets you restrict cookie access to a particular request path.
  • Secure lets you restrict cookie access to HTTPS requests only.

If a cookie is not accessible to a request, it will just not be uploaded with the request and the server will never know it even existed.

Updating Cookies

Any cookie that exists in Response.Cookies will get sent back to the client. The browser will then save each of those cookies, and override any cookies that have the same key and belong to the same domain, path, etc.

This means that to update the value of a cookie, you actually have to create a whole new cookie in the Response.Cookies collection that will then override the original value.

Updating the value of cookies is rare though, because as suggested early you should only be aiming to save an id in the cookie, and ids don’t generally have to change.

Deleting Cookies

As with updating, this is rare, but sometime you gotta do it.

We know that we only have to send back cookies that we want to update, so how do we delete a cookie? Not specifying it in the response just tells the browser it hasn’t changed.

Well, this is fun. 🙂

Create a new cookie in the Response.Cookies bag with the same key as the one you are trying to delete, then set the expiry date of this cookie to be in the past. When the client browser attempts to save the cookie it will override what was there with an expired cookie, thus effectively deleting the original cookie.

Remember that your user’s time maybe offset from your servers, so play it safe and set the expiry date to at least DateTime.Now.AddHours(-24);

Managing State in ASP.NET – which bag to use and when

There’s been some discussion on the Readify mailing lists lately about all the different types of ASP.NET state mechanisms. There didn’t seem to be a good comparison resource online, so I thought it’d be my turn to write one.

Session State

The most commonly used and understood state bag is the good old Session object. Objects you stored here are persisted on the server, and available between requests made by the same user.

  • Security isn’t too much of an issue, because the objects are never sent down to the client. You do need to think about session hijacking though.
  • Depending on how ASP.NET is configured, the objects could get pushed back to a SQL database or an ASP.NET state server which means they’ll need to be serializable.
  • If you’re using the default in-proc storage mode you need to think carefully about the amount of RAM potentially getting used up here.
  • You might lose the session on every request if the user has cookies disabled, and you haven’t enabled cookie-less session support, however that’s incredibly rare in this day and age.

Usage is as simple as:

Session[“key”] = “yo!”;

Application State

Application state is also very commonly used and understood because it too is a hangover from the ASP days. It is very similar to session state, however it is a single state bag shared by all users across all requests for the life of the application.

  • Security isn’t really an issue at all here because once again, the objects are never sent over the wire to the client. With application state, you also don’t have the risk of session hijacking.
  • Everything in the bag is shared by everyone, so don’t put anything user specific here.
  • Anything you put here will hang around in memory like a bad smell until the application is recycled, or you explicitly remove it so be conscious of what you’re jamming in to memory.

I can’t remember ever seeing a legitimate use of application state in ASP.NET. Generally using Cache is a better solution – as described below, it too is shared across all requests, but it does a very good job of managing its content lifecycle.

I’d love to know why the ASP.NET team included application state, other than to pacify ASP developers during their migration to the platform.

Usage is a simple as:

Application[“key”] = “yo!”;

HttpContext / Request State

Next up we have HttpContext.Current.Items. I haven’t come across a good name for this anywhere, so I generally call it “Request State”. I think that name clearly indicates its longevity – that is, only for the length of the request.

It is designed for passing data between HTTP modules and HTTP handlers. In most applications you wouldn’t use this state bag, but its useful to know that it exists. Also, because it doesn’t get persisted anywhere you don’t need to care about serialization at all.

Usage is as simple as:

HttpContext.Current.Items.Add(“key”, “yo!”);

View State

Ah … the old view state option that sends chills down the spine of any semantic web developer who longs for the days when the web worked like the web instead of winforms hacked into HTML. (Don’t worry – ASP.NET MVC lets us return to those glory days!) But enough with my whining …

View state is used to store information in a page between requests. For example, I might pull some data into my page the first time it renders, but when a user triggers a postback I want to be able to reuse this same data.

While it makes life easier for us young drag-n-drop developers, it is a force to be reckoned with carefully.

  • View state gets stored into the page, and if you save the wrong content into it you’ll rapidly be in for some big pages. I’ve seen ASP.NET pages with 10KB of HTML and 1.2MB of view state. Have a think about how long that page took to load!
  • It’s generally used for controls to be able to remember things between requests, so that they can rebuild themselves after a postback. It’s not very often that I see developers using view state directly, but there are some legitimate reasons for doing so.
  • Each control has its own isolated view state bag. Remember that pages and master pages each inherit from Control, so they have their own isolated bags too. View state is meant to support the internal plumbing of a control, and thus if you find that the bags being isolated is an issue for you then it’s a pretty good indicator that you’ve taken the wrong approach with your architecture.
  • It can be controlled on a very granular level – right down to enabling or disabling it per control. There’s an EnableViewState property on every server control, every page (in the page directive at the top) every master page (also in the directive at the top), and an application wide setting in web.config. These are all on my default, but the more places you can disable it in your app, the better.

A full explanation of ViewState is beyond the scope of this article, but I highly recommend that every ASP.NET developer read TRULY Understanding ViewState by Dave Reed.

If you want a simpler discussion, be sure to take a look at my previous post – Writing Good ASP.NET Server Controls.

Usage is as simple as:

ViewState[“key”] = “yo!”;

Control State

Control state is somewhat similar to view state, except that you can’t turn it off.

The idea here is that some controls need to persist values across requests no matter what (for example, if it’s hard to get the same data a second time ’round).

I’m a bit hesitant about the idea of control state. It was only added in ASP.NET 2.0 and in many ways I wish they hadn’t. Sure, some controls will break completely if you do a postback without view state having being enabled. What if I never expect my page to postback though? Maybe I want to be able to turn it off still. Unfortunately I think this comes from the arrogance that is ASP.NET not trusting the browser to even wipe its own ass … even the most personal of operations must go via a server side event, so you’ll always do a postback – right? Wrong.

If you’re a control developer, please be very very conscious about your usage of control state.

Usage is a bit more complex … you need to override the LoadControlState and SaveControlState methods for your control. MSDN is a good place to find content for this – take a look at their Control State vs. View State Example.


Cache is cool. As a general rule, it’s what you should be using instead of Application.

Just like application, it’s shared between all requests and all users for the entire life of your application.

What’s cool about Cache is that it actually manages the lifecycle of its contents rather than just letting them linger around in memory for ever ‘n ever. It facilitates this in a number of ways:

  • absolute expiry (“forget this entry 20 minutes from now”)
  • sliding expiry (“forget this entry if it’s not used for more than 5 minutes”)
  • dependencies (“forget this entry when file X changes”)

Even cooler yet, you can:

  • Combine all of these great features to have rules like “forget this entry if it’s not used for more than 5 minutes, or if it gets to being more than 20 minutes after we loaded the data, or if the file we loaded it from changes”.
  • Handle an event that tells you when something has been invalidated and thus is about to be removed from the cache. This event it is per cache item, so you subscribe to it when you create the item.
  • Set priorities per item so that it can groom the lower priority items from memory first, as memory is needed.
  • With .NET 2.0, you can point a dependency at SQL so when a particular table is updated the cache automatically gets invalidated. If you’re targeting SQL 2005 it maintains this very intelligently through the SQL Service Broker. For SQL 2000 it does some timestamp polling, which is still pretty efficient but not quite as reactive.

Even with all this functionality, it’s still pathetically simple to use.

Check out the overloads available on Cache.Items.Add();


I don’t really think of profile as state. It’s like calling your database “state” – it might technically be state, but who actually calls it that?! :p

The idea here is that you can store personalisation data against a user’s profile object in ASP.NET. The built in framework does a nice job of remembering profiles for anonymous users as well as authenticated users, as well as funky things like migrating an anonymous user’s state when they signup, etc.

By default you’d run the SQL script they give you create a few tables, then just point it at a SQL database and let the framework handle the magic.

I don’t like doing this because it stores all of the profile content in serialized binary objects making them totally opaque in SQL and non-queryable. I like the idea of being able to query out data like which theme users prefer most. There’s a legitimate business value in being able to do so, as trivial as it may sound. (If you think it sounds trivial, go read Super Crunchers – Why Thinking-by-Numbers Is The New Way To Be Smart by Ian Ayres.)

This problem is relatively easily resolved by making your own provider. You still get all the syntactic and IDE sugar that comes with ASP.NET Profiles, but you get to take control of the storage.


Cookies are how the web handles state, and can often be quite useful to interact with directly from ASP.NET. ASP.NET uses cookies itself to store values like the session ID (used for session state) and authentication tokens. That doesn’t stop us from using the Request.Cookies and Response.Cookies collections ourselves though.

  • Security is definitely an issue because cookies are stored on the client, and thus can be very easily read and tampered with (they are nothing more than text files).
  • Beware the cookies can often be access from JavaScript too, which means that if you’re hosting 3rd party script then it could steal cookie contents directly on the client = major XSS risk. To avoid this, you can flag your cookies as “HTTP only”.
  • They are uploaded to the server with every request, so don’t go sticking anything of substantial size in there. Even on my broadband connection, my uplink is 1/24th the speed of my downlink. Typically you will just store an id or a token in the cookie, and the actual content back on the server.
  • Cookies can live for months or even years on a user’s machine (assuming they don’t explicitly clear them) meaning they’re a great way of persisting things like shopping carts between user visits.

I’m glad the ASP.NET team gave us access as raw as they did, but it also means that you need to have an understanding of how cookies work before you use them. As much as it might seem, you can’t just jump in and use them straight away.

For a rather in-depth look at exactly how cookies work, and how to use them in ASP.NET, look at my post: Using cookies in ASP.NET.

Query Strings

The query string is about as simple as you can get for state management. It lets you pass state from one page, to another, even between websites.

I’m sure you’re all familiar with query strings on the end of URLs like ShowProduct.aspx?productId=829.

Usage is as simple as:

string productId = Request.QueryString[“productId”];

I hope that’s been a useful comparison for you. If you think of any other ways of storing state in ASP.NET that you think I’ve missed, feel free to comment and I’ll add them to the comparison. 🙂

Update 15Apr08: Added cookies and query strings. Hidden form fields still to come.

Remix 2008: Developing great applications using ASP.NET MVC and ASP.NET AJAX

Continuing my recent focus on ASP.NET MVC, I’ll now be presenting it at the upcoming Remix conference.

Microsoft Remix 2008 is being held in Sydney on the 20th May and Melbourne on the 22nd May.

My talk is:

Developing great applications using ASP.NET MVC and ASP.NET AJAX: Learn how to use ASP.NET MVC to take advantage of the model-view-controller (MVC) pattern in your favourite .NET Framework language for writing business logic in a way that is de-coupled from the views of the data. Then add ASP.NET AJAX for a highly interactive front end.

Get all the details from the Remix site and get your ticket soon. ($199 is very cheap for a full copy of Expression Suite!)