Wrox Programmer Forums
Classic ASP Basics For beginner programmers starting with "classic" ASP 3, pre-".NET." NOT for ASP.NET 1.0, 1.1, or 2.0

You are currently viewing the Classic ASP Basics section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
October 15th, 2003, 03:32 PM
dkb (Authorized User)
Dynamic Server-side Caching and Security

Hi there, I wonder if anyone can help me with a general query.

If a web application is displaying information from a database system where the content is secure (selected from restricted views in line with the user's profile), how would caching work?

For example, user x selects the following:

http://abc/test.asp?id=1

The outcome is presented to the screen (because the user has permissions to the data).

User y then accesses the same page, but does not have access to the data. Would they see the result of user x's request from the cache?

I am aware of the ASP.NET VaryByParam method, but have not seen the security question I pose above addressed anywhere.

Hope this is clear.

Thanks

 
October 17th, 2003, 12:40 PM
Imar (Wrox Author)

Well, it will all depend on what you cache and how you cache it.

First of all, it may not be a very secure solution to determine access rights to data based on a simple QueryString value. It would be too easy to fill in another ID and get to the data you're not allowed to see.

That said, VaryByParam would work. This would create a separate cached item for each different QueryString variable (in your case). If you have a lot of different users who request data not too often, this may not be a wise solution. You'll end up with loads of infrequently requested cached data.

If, however, the data is the same for all authorized users, you can choose to cache specific parts. It's pretty easy to cache, say, a dataset. Your coding logic could then go like this:

Check User
If User Not Allowed
    Redirect Away
Else
    If data already exists in cache
      myDataset is DataSet from cache
    Else
      Get data from database
      Save Data in Cache
    End If
End If

This way, you check access rights and send users away if they are not allowed to see it. Again, this will work best when the data to be cached is the same for all users.

You can also use authentication in ASP.NET. This way, an unauthorized user is not allowed to request the page at all.

Regards,

Imar





---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
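
The check-then-cache logic in the reply above, set next to the failure the original question asks about, as an added example that is not part of the thread. It is a Python model rather than ASP.NET code; the user names, the `ALLOWED` set and both handler classes are constructed for illustration.

```python
# Added illustration: a language-neutral model of the question in this thread,
# not ASP.NET code. All names and sample data are constructed.

ALLOWED = {"x"}        # users permitted to see the report (constructed)
db_reads = []          # records every trip to the "database"

def load_report(report_id):
    db_reads.append(report_id)
    return f"confidential report {report_id}"

class UrlKeyedOutputCache:
    """Weak pattern: the cache is looked up by URL before any access check."""
    def __init__(self):
        self.cache = {}

    def handle(self, user, report_id):
        key = f"/test.asp?id={report_id}"
        if key in self.cache:              # a hit is served to whoever asks
            return 200, self.cache[key]
        if user not in ALLOWED:
            return 403, None
        self.cache[key] = load_report(report_id)
        return 200, self.cache[key]

class CheckThenCache:
    """Pattern from the reply: check the user on every request, then use the cache."""
    def __init__(self):
        self.cache = {}

    def handle(self, user, report_id):
        if user not in ALLOWED:            # runs before the cache is consulted
            return 403, None
        if report_id not in self.cache:
            self.cache[report_id] = load_report(report_id)
        return 200, self.cache[report_id]

def demo():
    """Return (status for x, status for y, status for x again, db reads) per pattern."""
    results = {}
    for name, app in (("weak", UrlKeyedOutputCache()), ("safe", CheckThenCache())):
        db_reads.clear()
        first = app.handle("x", 1)         # authorised user warms the cache
        second = app.handle("y", 1)        # unauthorised user, same URL
        third = app.handle("x", 1)         # authorised again: served from cache
        results[name] = (first[0], second[0], third[0], len(db_reads))
    return results
```

Both patterns read the database once, so the access check costs nothing in cache efficiency; only the order of the check and the lookup differs.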
 
October 18th, 2003, 04:22 AM
dkb (Authorized User)

Imar,

Thanks very much for your response, you've really clarified the issues for me.

"First of all, it may not be a very secure solution to determine access rights to data based on a simple QueryString value. It would be too easy to fill in another ID and get to the data you're not allowed to see."

In the application I am working on, the user ID and password are requested at login and are stored in session variables. They are never passed as part of the querystring for general requests. All data is provided in user-specific views from a SQL Server data warehouse.

"If, however, the data is the same for all authorized users, you can choose to cache specific parts. It's pretty easy to cache, say, a dataset."

Yes, the data is the same for all authorized users.


I am really trying to confirm if there is an established approach to the problem I am trying to solve. I'm really looking for the best of all worlds. Dynamic data delivery where appropriate and static where possible. Does IIS even cache the output generated by an ASP script on the server side? I seem to have real problems finding any information about this on the web.

I imagine that to ensure true security I would need to store the output of dynamic requests in a cached table (at the data layer) and then use logic similar to that which you describe. Or is it possible to access the cache in ASP as you describe below for ASP.NET?

Thanks again.

Dean.


 
October 18th, 2003, 12:08 PM
Imar (Wrox Author)

Right, I see now that I misunderstood your question a bit. I thought you were referring to ASP.NET, because you mentioned the VaryByParam.

Caching in ASP is a different story. The Cache object is not available (it was introduced in ASP.NET), so you can't use it. Your caching options are pretty limited.

Storing your results back in the database as a caching mechanism kinda defeats the purpose; after all, you'll need to get it from the database, so you might just as well get the original data. This may be a workable solution though, when you have a really complex query that will run for a while. However, with this solution, you run the risk of getting stale data.

If you are using SQL Server, you'll notice that SQL does some caching of its own. Subsequent queries will perform faster than the first query. So, tuning / optimizing SQL and the way you access the database might help to improve the performance of your site.

How much data are you trying to cache? If you have just a little bit of data that is expensive to create, you can store it in Application state. For larger chunks of data, this is not recommended though.

If you're willing to spend some money, check out Active Cache at http://www.crainiate.com/activecache.asp. I haven't used it myself, but it looks promising.

Cheers,

Imar



---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
 
October 19th, 2003, 05:24 AM
dkb (Authorized User)

Imar,

Thanks again for responding.

The Web application I am working with selects data from a data warehouse and converts it into XML, transforms it with XSLT and delivers it as HTML (in most instances, although other formats are also considered). The performance of the application is good, average page delivery time approx 3 seconds. However, in some instances (where the application demands a great deal of information on the screen) the transformations take an unacceptable amount of time.

In order to solve this problem I wanted to understand where caching could be used to improve performance, so I monitored the application to see where the 'bottle-neck' is. It turned out it was not the database at all (which is performing well), it's the transformation of the XML.

As the application uses data from within a data warehouse and the data is only refreshed once a day anyway, I thought why not perform time-consuming transformations during out of office hours and deliver the results from a 'cache' SQL Server table. Transformation results in this table can then be secured in user views (security was my original question!). Initial tests of this approach are very encouraging.

Before I take this idea any further, I really wanted to make sure that I was not missing any fundamental tools/facilities which ASP or IIS already provide. I don't want to re-invent the wheel; your response suggests that I wouldn't be.

Can you think of any limitations/problems I could encounter with the cache-to-table approach?

Thanks

Dean




 
October 19th, 2003, 04:21 PM
Imar (Wrox Author)

Right. Well, in that case, I think that caching the transformed results in a database is a good idea. If the database is fast, this will indeed improve the performance of your site.

There is no real caching mechanism present in ASP, so you're not reinventing the wheel. Using Application state (for small amounts of data), a database, or a third-party caching component are the most common ways to go, AFAIK.

Regards,

Imar


---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
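
An added sketch (not code from the thread) of the cache-table approach discussed in the posts above, including the stale-data risk raised earlier in the thread. Table, column and user names and the dates are hypothetical, and because SQLite has no per-user views, a join on a permissions table stands in for the user-specific SQL Server views.

```python
import sqlite3

# Added illustration, not code from the thread. All table, column and user
# names are hypothetical; the join on report_access stands in for the
# user-specific SQL Server views mentioned in the post.

def build(conn):
    conn.executescript("""
        CREATE TABLE report_cache (report_id INTEGER PRIMARY KEY,
                                   html TEXT NOT NULL,
                                   built_for_load TEXT NOT NULL);
        CREATE TABLE report_access (user_name TEXT, report_id INTEGER,
                                    PRIMARY KEY (user_name, report_id));
        CREATE TABLE warehouse_load (load_date TEXT NOT NULL);
    """)

def nightly_job(conn, load_date, transformed):
    """Out-of-hours step: store transformed output, stamped with the load it used."""
    conn.execute("DELETE FROM warehouse_load")
    conn.execute("INSERT INTO warehouse_load VALUES (?)", (load_date,))
    conn.executemany(
        "INSERT OR REPLACE INTO report_cache VALUES (?, ?, ?)",
        [(rid, html, load_date) for rid, html in transformed.items()])

def fetch(conn, user, report_id):
    """Return ('hit', html), ('stale', None) or ('denied', None)."""
    row = conn.execute("""
        SELECT c.html,
               c.built_for_load = (SELECT load_date FROM warehouse_load)
        FROM report_cache c
        JOIN report_access a ON a.report_id = c.report_id
        WHERE a.user_name = ? AND c.report_id = ?""",
        (user, report_id)).fetchone()
    if row is None:
        return ("denied", None)      # no permission row, or no such report
    html, fresh = row
    return ("hit", html) if fresh else ("stale", None)

def demo():
    conn = sqlite3.connect(":memory:")
    build(conn)
    conn.execute("INSERT INTO report_access VALUES ('x', 1)")   # constructed data
    nightly_job(conn, "2003-10-19", {1: "<html>report 1</html>"})
    out = [fetch(conn, "x", 1), fetch(conn, "y", 1)]
    # The warehouse reloads, but the transform job has not rerun yet.
    conn.execute("UPDATE warehouse_load SET load_date = '2003-10-20'")
    out.append(fetch(conn, "x", 1))
    return out
```

The permission test lives in the same query that reads the cached HTML, so no code path returns a cached row without it, and a cached row built from an older warehouse load is reported as stale instead of being served.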
 
October 20th, 2003, 08:05 AM
dkb (Authorized User)

Imar,

Thanks very much for your input.



 
October 20th, 2003, 08:24 AM
Imar (Wrox Author)

Hi Dean,

You're welcome. Glad I could help.

Would you mind sending your queries to this forum instead of to me directly? This way, other people can join the discussion and / or benefit from it.

Cheers,

Imar


---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.




