ASP rule Guide

Introduction

The success of an "Active Server Page (ASP)" application often depends on the architecture and design. Considering the wide range of ASP technology and the inherent complexity of the current application, this trade-off is very difficult. In this article, I will provide you with some specific guidelines to help you successfully develop ASP-based applications.

I have organized the guidelines into a set of development principles. When evaluating solutions and technologies, you can apply the following principles to help you make decisions. The following principles are my long-term experience gained from successful development models.

Principle 1: adopt standard methods

Creating naming conventions and standardizing directory structures can greatly improve the readability and maintainability of ASP applications. Although there are no formal standards for ASP applications, many developers have established some common methods. Here, I will share some more common methods with you.

Because ASP technology relies on the script engine for work, and the script type is not strict, the naming conventions are also vague. In languages with very strict types, variables are declared according to their actual types. When ASP technology is used, variables are usually declared in ASP code according to the way variables are processed instead of their actual data types. For example, when "Visual Basic (R) Scripting Edition (VBScript)" is used, even though all VBScript variables are Variant, you will declare the success mark as bSuccessb representing a Boolean value ), instead of vSuccessv representing Variant ).

The following table lists common naming conventions.

Variable Prefix:

Example of variable prefix
B or bln Boolean bSuccess
C or cur Currency cAmount
D or dbl Double dblQuantity
Dt or dat Date and Time dtDate
F or flt Float fRatio
L or lng Long lMilliseconds
I or int Integer iCounter
S or str String sName
A or arr Array aUsers ()
O or obj COM Object oPipeline


Variable prefix of the database object:

Example of variable prefix
Cnn Connection cnnPubs
Rst Recordset rstAuthors
Cmd Command cmdEmployee
Protected Field fldLastName

Range and prefix usage:

Prefix description
G _ is created on Global. asa.
M _ is partial to ASP pages or Include files.
No prefix) non-static variables. For the process, the prefix is partial.

An article in Knowledge Base (KB), "Q110264 INFO: Microsoft Consulting Services Naming Conventions for Visual Basic", provides insights on Naming Conventions.

Use the directory structure whenever possible to provide consistent location for your various application components. The actual directory structure of your application is of course determined by yourself. However, images, documents, include files, and components are usually placed in separate directories. The following is an example of a simple ASP application directory structure.

Directory structure example:

\ SimpleAspApp
\ Docs
\ Images
\ Shortdes

A good directory structure allows you to selectively apply NTFS permissions. You can also use the relative path within the ASP application. For example, you can use the following code to reference the include file top. asp in the uplodes directory from the default. asp page in the SimpleAspApp directory:

./Shortdes/top. asp

Note that the extension of my include file is. asp, not. inc. This is done for security considerations, and the use of. asp extension instead of. inc) can also use color encoding in Visual InterDev (R.

For other tips and tips on structured ASP applications, see ASP Conventions ).

Principle 2: designed to run under a service

ASP will run under the service. When designing ASP applications, you will immediately face security environment and thread issues that are not encountered in desktop applications. In a desktop environment, it is usually executed only in a single thread running as an interactive user and has the right to access the current desktop system. In "Internet Information Service (IIS)", simulate multiple client threads in different user environments to call your applications, and your applications are limited to "system" desktops.

What does this mean to you? Learn about the security mode of IIS. We also want to remind you that something can run normally only in Visual Basic IDE, and does not mean it can run securely in ASP technology. Visual Basic IDE does not accurately simulate the runtime environment. Common design errors include: using the. OCX control that requires the user interface in ASP technology, using components that are not secure for the thread, and using components that require special user context. The simplest problem to avoid is to try to access the HKEY_CURRENT_USER (HKCU) registry entry from the application. For example, do not call the GetSetting and SaveSetting functions of Visual Basic, both depend on HKCU ). Similarly, Do Not Display message boxes or other dialogs that require user interaction.

The following is a good entry-level book on ASP security and verification:

"Authentication and Security for Internet Developers" (English)
"Q172925 INFO: Security Issues with Objects in ASP and ISAPI Extensions" (English)

Principle 3: encapsulate business logic

ASP provides the expression service by generating HTML output. In short, it generates a user interface. You need to separate the business logic from the ASP representation script. Even if you do not use COM components to separate the business logic from ASP code, you must at least separate the business logic into functions and include files to improve maintainability, readability, and reusability. When troubleshooting and isolation problems are required, you can also appreciate the benefits of modular design methods.

Calling functions and methods Inside the script can avoid code disorder and add structures to ASP applications. The following example shows how to separate the logic from the ASP code to the method call:

Lt; % Main ()
MyBizMethod ()
...

Sub Main ()
GetData ()
DisplayData ()
End Sub
%>

This principle can be applied when using technologies that contain ASP functions. The following example shows how to use Visual Basic WebClass:

Because WebClass itself references ASP code to generate HTML, you should not place the business logic directly in WebClass. Because this is your presentation layer and does not directly run WebClass under MTS/COM +.
From WebClass, you can call individual business components that can run in MTS/COM +.
You can create your own COM component that references ASP, instead of relying on the WebClass Framework Structure and additional WebClass runtime overhead-you can also use ASP scripts to directly automate business components.

Principle 4: Get resources as soon as possible and release resources as soon as possible

A common problem is the transition from a desktop system to a server. Many developers with a desktop background have never worried about server problems or resource sharing. In traditional desktop applications, connecting to a server is a time-consuming process. To improve the user experience, we usually use the method of obtaining resources as soon as possible and postponing the release of resources. For example, many applications always connect to the database during the entire running time.

This method works normally in traditional desktop applications because the number of users is very clear, it is easy to control, and the backend is closely connected to the front-end. However, this method is no longer feasible for current Web applications because limited server resources will face more and more users. In order for your applications to cope with the increase of users, You need to obtain resources as soon as possible and release resources as soon as possible.

Sharing helps increase the effectiveness of this method. Through sharing, multiple users can share resources with the minimum waiting time and the minimum impact on the server. For example, when processing a database, ODBC Connection Sharing and OLEDB resource sharing can enable you to select a connection from the shared pool to minimize the overhead of connecting to the database.

For more information about sharing ADO, see "Pooling in Microsoft Data Access Components ).

Principle 5: Use a database to maintain complex states

Although HTTP is stateless, ASP developers often use the built-in status persistence mechanism of ASP. For example, if you use an Application Object built in ASP, the resources saved by the developer can be shared by all users of the Application. By using the ASP built-in Session object, developers only save resources for a single user.

Although it sounds like saving information in Session objects of ASP technology is a very convenient way to maintain the state, this method is too costly, it may also be one of the biggest limits on scalability. The scalability of an application is essentially the ability to continue to maintain its performance as the number of users increases. For each user, Session objects consume server resources before the Session times out or is abandoned. Sessions also bind you to a server, which limits your use of Web Cluster functions. Do not use ASP Session objects for status management. If you do not use a Session, you can disable the Session Status of the Web application. For details, see the IIS documentation ). Otherwise, you can use the following statement to disable the Session status for each page:

<% @ ENABLESESSIONSTATE = False %>

For some simple data, you can use QueryString cookies or hidden form fields to maintain the status between ASP requests. We recommend that you use databases for more complex information. Generally, a specific Identifier is generated, sent to each requesting client, and saved as a hidden form field. In subsequent requests, this specific Identifier is used to find the status information related to the user in the database. This method provides higher scalability and more concise and clear code.

For more information about QueryString cookie and hidden form fields, see "Q175167 HOWTO: Persisting Values Without Sessions ).

Principle 6: Use Server. CreateObject to create an object

When creating an asp object, you can select <OBJECT> tag, Server. CreateObject, and CreateObject. The behavior of each technology is slightly different. Although in IIS 4.0, the <OBJECT> flag or CreateObject is better than the Server. createObject has some performance advantages. We generally recommend using Server. createObject, so that ASP applications can recognize your objects. Note that in IIS 5.0, the first two items have no performance advantage over Server. CreateObject.

<OBJECT> the tag creates a component only when the first method is called, saving resources. Server. CreateObject uses the Server Object built in ASP technology to create components. Essentially, it only executes CoCreateInstance, but ASP can recognize this object. At the same time, the traditional OnStartPage and OnEndPage of ASP technology will also be called. Note that it is best to use ObjectContext in IIS 4.0 or later ). If you only use CreateObject, you will use the Scripting engine directly beyond ASP technology.

The following is an exception: when calling through the firewall, you may need to call CreateObject instead of Server. CreateObject. For more information, see "Q193230-PRB: Server. CreateObject Fails when Object is Behind Firewall ).

Principle 7: provide a wide range of troubleshooting information

Make sure that all your ASP applications contain the error handling process. Make sure that you provide useful diagnostic information. I have not encountered any complaints. The error message is too descriptive. Make sure that the error log contains the following information:

User context if you are using a component, you can call GetUserName)
Thread ID in the component, you can call GetCurrentThreadId) <
Time
The complete error information includes the number, source, and description)
Parameter Value

Because it will run in ASP, you may want to write this information to a file or NT Event Log. You can also create application event logs that record critical application events for use in diagnosing application errors.

The following articles provide detailed information about error handling techniques:

"Bulletproofing Your ASP Components" (English), by Charles Alexander
"Fitch & Mather Stocks: Web Application Design" (English)
"Handling and Avoiding Web Page Errors, Part 1: The Basics)
"Handling and Avoiding Web Page Errors, Part 2: Run-Time Errors)
"Handling and Avoiding Web Page Errors, Part 3: An Ounce of Prevention" (English)

Principle 8: test performance, scalability, and reliability

The browser is not an accurate test method. It can only show you the potential use of the application. Set specific performance targets for your applications and use load tools such as Web Application Stress Tool for Stress testing. You need to determine what conditions your environment can accept. The following are general guidelines to help you start the test process:

Test the performance by testing the number of ASP requests per second, and establish a minimum threshold value. Generally, at least 30 pages should be returned per second for simple ASP pages without database access. Call a component or access a database page and return at least 25 pages per second.
Append users to the application continuously until the number of requests per second falls below the preset threshold. This method is used to test scalability.
Remove machines from the Web Cluster and check errors and faults to test reliability.
Match the test environment with the actual running environment, and even the firewall is no exception. It sounds expensive, but I have heard that developers have lost their jobs because they didn't take the firewall into account.

For more information about using the Web Application Stress Tool to Test ASP applications, see "I Can't Stress It Enough -- Load Test Your ASP Application ).

Principle 9: increased isolation

Using the isolation function to protect your application processes can greatly enhance the stability of the server. When talking about Internet applications, whether or not to use the isolation function may have a huge difference: one is that the application crashes, and the other is that the server runs on the machine. Protecting the main IIS process (InetInfo.exe) is usually at a higher level in the priority list. This is especially important when you use components.

Generally, the technology used to protect the main ISS process is to enable Web applications to run in their own memory space. In Internet Services Manager, you can set this option for each Web. Although system resources overhead by grouping processes may have slight impact on performance, the protection of applications is worth the cost of this generation. In IIS 4.0, you can run applications in two ways: in-process (in-process) and out-of-process (OOP. The OOP Application runs in the new Mtx.exe instance. In IIS 5.0, you can also use other isolation options. You can set the isolation level to "low" for Inetinfo.exe, which means that in the process, the application program zookeeper shares a non-shared instance with dllhost.exe or a non-shared instance with a higher isolation level ).

In addition to isolating Web applications in their own memory space, you may also want to isolate untrusted components. Untrusted components are usually components that fail to pass the test time in the actual environment. You can run these components in the Server package so that they will run in the new Dllhost.exe instance.

In general, if you want to take a moderate mean between performance and protection measures, run the Web application in the "high" isolation state and run the components in the library package. This approach minimizes Group expenses and provides the strongest protection between processes.

For more information, see "Server Reliability Through Process Isolation ).

Principle 10: do not abuse the thread sharing Group

In IIS 4.0, for each MTS-managed processor, the default ASP group is 10 threads. In IIS 5.0, the default value is 20. This means that each thread is a potentially valuable resource that can process multiple client requests. You also need to avoid blocking methods, such as making large database calls. If you want to perform this operation, it will prevent ASP applications from returning the response to the client quickly, consider using the queue function. For example, you can use MSMQ in NT 4.0. In Windows 2000, you can use Q. In Windows 2000, you can use the Queued Components Queuing component ).
Do not store the Single-threaded Apartment (STA) component in sessions. A common defect in this method is that it fills up the Visual Basic object in the session range. The user will be locked to a thread, which is contrary to the purpose of the thread sharing group. Potential users will be blocked behind other users, waiting for the thread to create their components to become effective. You should design stateless components that can be created and destroyed based on each page in other ways