Checklist: What NOT to do in ASP.NET
Damian Edwards gave his version of this talk at NDC 2013 and you can watch the video here if you like, it's very entertaining.
We took the information we gathered from people like Damian, Levi Broderick and others, and Tom FitzMacken put together a whitepaper on the topic. It's not complete, but it covers some of the most common "gotchas" folks run into.
Here are the areas we call out in the whitepaper so far, with highlights below from me.
- Control Adapters - Control adapters were a good idea in .NET 2, but it's best to use solid adaptive CSS and HTML techniques today.
- Style Properties on Controls - Set CSS classes yourself, don't use inline styles.
- Page and Control Callbacks - Page Callbacks pre-date standard AJAX techniques, so today, stick with SignalR, Web API, and JavaScript.
- Browser Capability Detection - Check for features, not for browsers, whenever possible.
- Request Validation - While Request Validation is useful, it's not focused and it doesn't know exactly what your app is doing. Be smart and validate inputs with the full knowledge of what your app is trying to accomplish. Don't trust user input.
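As an added example (not code from the post or the whitepaper), here is what app-specific validation looks like in a Web Forms code-behind: Request Validation stays switched on as a generic safety net, but the decision about what a field may contain is made by rules that know what the field is for. The `displayName` and `age` fields, the `ErrorLabel`/`ResultLabel` controls and the `SaveProfile` method are assumptions for the example.

```csharp
// Added example, not from the post: validate inputs against what the app expects,
// rather than relying on ASP.NET Request Validation to decide what is dangerous.
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

public partial class Profile : Page
{
    // Constructed rule for this app: a display name is 1-40 letters, digits,
    // spaces, hyphens or apostrophes. Anything else is rejected, not "cleaned".
    private static readonly Regex DisplayNameRule =
        new Regex(@"^[\p{L}\p{Nd} '\-]{1,40}$", RegexOptions.Compiled);

    protected void Save_Click(object sender, EventArgs e)
    {
        string displayName = Request.Form["displayName"];
        int age;

        if (displayName == null || !DisplayNameRule.IsMatch(displayName))
        {
            ErrorLabel.Text = "Display name: letters, digits, spaces, hyphens and apostrophes only (max 40).";
            return;
        }

        // Numeric fields get a type check AND a range check that reflects the domain.
        if (!int.TryParse(Request.Form["age"], out age) || age < 13 || age > 120)
        {
            ErrorLabel.Text = "Age must be a whole number between 13 and 120.";
            return;
        }

        SaveProfile(displayName, age); // assumed persistence method

        // Input validation does not replace output encoding: encode when rendering.
        ResultLabel.Text = "Saved " + HttpUtility.HtmlEncode(displayName);
    }
}
```

The allow-list regex describes the shape of a valid value; it does not try to enumerate bad characters, which is the mistake that makes a generic filter like Request Validation both too noisy and too easy to slip past.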
- Cookieless Forms Authentication and Session - Don't pass anything auth related in the query string. Cookieless auth will never be secure. Don't do it.
- EnableViewStateMac - This should never be false. Ever.
- Medium Trust - Medium trust isn't a security boundary you should count on. Put apps in separate app pools.
- <appSettings> - Don't disable security patches with appSettings.
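The three configuration items above (cookieless auth/session, EnableViewStateMac, and appSettings switches) are all things a reviewer can check mechanically. As an added example that is not part of the post or the whitepaper, the following C# program audits a web.config with LINQ to XML and reports each of them. The web.config text is constructed for the demo; treating every `aspnet:UseLegacy*` key set to `true` as a finding is a heuristic of this example, not an official list.

```csharp
// Added example, not from the post: flag risky web.config settings.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public static class WebConfigAudit
{
    // Constructed sample config containing each mistake the checklist warns about.
    private const string SampleConfig = @"<?xml version=""1.0""?>
<configuration>
  <appSettings>
    <add key=""aspnet:UseLegacyEncryption"" value=""true"" />
    <add key=""ApplicationName"" value=""Demo"" />
  </appSettings>
  <system.web>
    <pages enableViewStateMac=""false"" />
    <authentication mode=""Forms"">
      <forms loginUrl=""~/Login.aspx"" cookieless=""UseUri"" />
    </authentication>
    <sessionState cookieless=""AutoDetect"" />
  </system.web>
</configuration>";

    public static List<string> Audit(XDocument config)
    {
        var findings = new List<string>();
        XElement systemWeb = config.Root.Element("system.web");

        // EnableViewStateMac must stay true, otherwise ViewState is not integrity-checked.
        // (The @Page directive of individual .aspx files can override it; check those too.)
        XElement pages = systemWeb?.Element("pages");
        string mac = (string)pages?.Attribute("enableViewStateMac");
        if (string.Equals(mac, "false", StringComparison.OrdinalIgnoreCase))
            findings.Add("system.web/pages: enableViewStateMac=\"false\" disables the ViewState MAC.");

        // Any cookieless mode other than UseCookies can put the auth ticket or session id
        // in the URL, where it leaks through logs, Referer headers and shared links.
        CheckCookieless(findings, systemWeb?.Element("authentication")?.Element("forms"), "authentication/forms");
        CheckCookieless(findings, systemWeb?.Element("sessionState"), "sessionState");

        // Heuristic: aspnet:UseLegacy* switches turn patched behaviour back off.
        // Review every "aspnet:" switch you did not add on purpose.
        XElement appSettings = config.Root.Element("appSettings");
        foreach (XElement add in appSettings?.Elements("add") ?? Enumerable.Empty<XElement>())
        {
            string key = (string)add.Attribute("key") ?? "";
            string value = (string)add.Attribute("value") ?? "";
            if (key.StartsWith("aspnet:UseLegacy", StringComparison.OrdinalIgnoreCase)
                && string.Equals(value, "true", StringComparison.OrdinalIgnoreCase))
                findings.Add("appSettings: " + key + "=true re-enables pre-patch behaviour.");
        }

        return findings;
    }

    private static void CheckCookieless(List<string> findings, XElement element, string path)
    {
        string mode = (string)element?.Attribute("cookieless");
        if (mode != null && !string.Equals(mode, "UseCookies", StringComparison.OrdinalIgnoreCase))
            findings.Add("system.web/" + path + ": cookieless=\"" + mode + "\" allows the identifier in the URL.");
    }

    public static void Main()
    {
        foreach (string finding in Audit(XDocument.Parse(SampleConfig)))
            Console.WriteLine(finding);
    }
}
```

Run against the sample, it reports four findings: the ViewState MAC being off, both cookieless settings, and the legacy encryption switch. Pointing `Audit` at a real file is a matter of swapping `XDocument.Parse` for `XDocument.Load(path)`.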
- UrlPathEncode - This doesn't do what you think it does. Use UrlEncode. This method was very specific, poorly named, and is now totally obsolete.
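As an added illustration (not from the post), the snippet below shows the concrete difference: `UrlPathEncode` only escapes characters that are illegal in a URL path (spaces, non-ASCII), so `&`, `=` and `#` pass through and a user-supplied value can grow extra query-string parameters. `UrlEncode` escapes all of them, so the value remains a single parameter. The `/search` URL and the `q` parameter are assumptions of the example.

```csharp
// Added example, not from the post: UrlPathEncode vs UrlEncode on a query-string value.
using System;
using System.Collections.Specialized;
using System.Web;

public static class UrlEncodingDemo
{
    // Constructed input: looks like a search term but carries an extra parameter.
    public const string UserInput = "shoes size 9&admin=1#top";

    // Wrong: only the path-illegal space is escaped; '&', '=' and '#' survive.
    public static string BuildWithUrlPathEncode(string value)
    {
        return "/search?q=" + HttpUtility.UrlPathEncode(value);
    }

    // Right: every reserved character is escaped, so the whole value stays in "q".
    public static string BuildWithUrlEncode(string value)
    {
        return "/search?q=" + HttpUtility.UrlEncode(value);
    }

    // Parse the query part of a URL the way a receiving page would.
    public static NameValueCollection ParseQuery(string url)
    {
        int q = url.IndexOf('?');
        string query = q < 0 ? "" : url.Substring(q + 1);
        int hash = query.IndexOf('#');            // fragment is not part of the query
        if (hash >= 0) query = query.Substring(0, hash);
        return HttpUtility.ParseQueryString(query);
    }

    public static void Main()
    {
        foreach (string url in new[] { BuildWithUrlPathEncode(UserInput), BuildWithUrlEncode(UserInput) })
        {
            NameValueCollection parsed = ParseQuery(url);
            Console.WriteLine(url);
            Console.WriteLine("  parameters: " + string.Join(", ", parsed.AllKeys));
            Console.WriteLine("  q = " + parsed["q"]);
        }
    }
}
```

With `UrlPathEncode` the receiving side sees two parameters (`q` and an injected `admin`) and a truncated search term; with `UrlEncode` it sees only `q`, and its value round-trips exactly to the original input. In newer code `Uri.EscapeDataString` is the equivalent choice for a single value.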
- PreSendRequestHeaders and PreSendRequestContent - Leave these alone when writing managed modules. These can be used with native modules, but not IHttpModules.
- Asynchronous Page Events with Web Forms - Use Page.RegisterAsyncTask instead.
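As an added example (not the post's code), this is the pattern the item recommends: instead of an `async void Page_Load`, which the page lifecycle cannot await, register the work with `Page.RegisterAsyncTask` so the runtime runs it between PreRender and Render and surfaces its exceptions. The page needs `<%@ Page Async="true" %>` in its directive; the status URL, `HttpClient` call and `StatusLabel` control are assumptions.

```csharp
// Added example, not from the post: async work in a Web Forms page lifecycle.
using System;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web.UI;

public partial class Dashboard : Page   // requires <%@ Page Async="true" %> in the .aspx
{
    // One shared client; creating one per request exhausts sockets.
    private static readonly HttpClient Client = new HttpClient();

    protected void Page_Load(object sender, EventArgs e)
    {
        // NOT "protected async void Page_Load": nothing awaits it, the page renders
        // before the call completes, and any exception is lost or crashes the process.
        RegisterAsyncTask(new PageAsyncTask(LoadStatusAsync));
    }

    private async Task LoadStatusAsync()
    {
        // Hypothetical internal health endpoint.
        string status = await Client.GetStringAsync("https://status.example.internal/api/health");

        // Registered tasks run before Render, so controls can still be updated here;
        // encode anything that came from the network before putting it in the page.
        StatusLabel.Text = Server.HtmlEncode(status);
    }
}
```

`PageAsyncTask` has taken a `Func<Task>` since .NET 4.5, so ordinary `async`/`await` code can be registered without the older Begin/End delegate pair.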
- Fire-and-Forget Work - Avoid using ThreadPool.QueueUserWorkItem as your app pool could disappear at any time. Move this work outside or use WebBackgrounder if you must.
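The problem with `ThreadPool.QueueUserWorkItem` is that the runtime has no idea the work exists, so an app-pool recycle tears it down mid-way. As an added example (not code from the post or from WebBackgrounder), the class below shows the minimum a library like WebBackgrounder does: it registers itself with `HostingEnvironment.RegisterObject` so the runtime calls `Stop` on shutdown, cancels outstanding work through a `CancellationToken`, and gives it a short grace period to finish. The 20-second grace window and the logging placeholder are assumptions.

```csharp
// Added example, not from the post: background work that knows when the host is stopping.
using System;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Hosting;

public sealed class ShutdownAwareWorker : IRegisteredObject
{
    private readonly CancellationTokenSource _shutdown = new CancellationTokenSource();
    private int _inFlight;

    public ShutdownAwareWorker()
    {
        // Tell ASP.NET this object must be told before the AppDomain goes away.
        HostingEnvironment.RegisterObject(this);
    }

    // Queue work that cooperates with shutdown via the supplied token.
    public void Enqueue(Func<CancellationToken, Task> work)
    {
        Interlocked.Increment(ref _inFlight);
        Task.Run(async () =>
        {
            try
            {
                await work(_shutdown.Token);
            }
            catch (Exception ex)
            {
                // Placeholder for your logger. An unhandled exception on a background
                // task has nowhere to go except the process, so it must be caught here.
                Console.Error.WriteLine("background work failed: " + ex);
            }
            finally
            {
                Interlocked.Decrement(ref _inFlight);
            }
        });
    }

    // Called by ASP.NET twice: first with immediate=false (please finish up),
    // then, if still registered after its own timeout, with immediate=true.
    public void Stop(bool immediate)
    {
        _shutdown.Cancel();

        if (!immediate)
        {
            // Assumed grace period: wait briefly for cancelled tasks to observe the token.
            DateTime deadline = DateTime.UtcNow.AddSeconds(20);
            while (Volatile.Read(ref _inFlight) > 0 && DateTime.UtcNow < deadline)
                Thread.Sleep(100);
        }

        HostingEnvironment.UnregisterObject(this);
    }
}
```

Work that must survive a recycle still belongs outside the web process (a queue plus a worker service); this class only makes in-process work fail cleanly instead of silently. On .NET 4.5.2 and later, `HostingEnvironment.QueueBackgroundWorkItem` provides the same registration and cancellation token without writing the class yourself.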
- Request Entity Body - Stay out of Request.Form and Request.InputStream before your handler's execute event. It may not be ready to go.
- Response.Redirect and Response.End - Be conscious of Thread.Aborts that will happen when you redirect.
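As an added example (not from the post), the code-behind below shows the two versions side by side. `Response.Redirect(url)` calls `Response.End`, which aborts the current thread with a `ThreadAbortException`: any `catch (Exception)` around it fires, and code after the redirect never runs, which surprises people who assumed it would. Passing `endResponse: false` and then calling `CompleteRequest` skips the rest of the pipeline without the abort. The login URL and the `LoadOrders` method are assumptions.

```csharp
// Added example, not from the post: redirecting without a ThreadAbortException.
using System;
using System.Threading;
using System.Web.UI;

public partial class Orders : Page
{
    // Version that trips over the abort. Kept here to show what goes wrong.
    protected void Page_Load_WithThreadAbort(object sender, EventArgs e)
    {
        try
        {
            if (!User.Identity.IsAuthenticated)
                Response.Redirect("~/Login.aspx");   // endResponse defaults to true -> Thread.Abort
            LoadOrders();                            // fine: never reached for anonymous users
        }
        catch (ThreadAbortException)
        {
            // The abort lands here on EVERY redirect. Logging it as an error is the
            // usual symptom; swallowing it hides nothing, the runtime re-raises it.
            throw;
        }
    }

    // Recommended version: no abort, control flow stays explicit.
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated)
        {
            Response.Redirect("~/Login.aspx", endResponse: false);
            Context.ApplicationInstance.CompleteRequest(); // end the pipeline, not the thread
            return;                                        // required: execution continues otherwise
        }

        LoadOrders(); // assumed helper that binds the page's data
    }

    private void LoadOrders() { /* assumed */ }
}
```

The `return` after `CompleteRequest` is the part that is easy to forget: with `endResponse: false`, the rest of the method still executes, so without it a page could run its data access for a user it has just decided to bounce.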
- EnableViewState and ViewStateMode - There's no need to hate on ViewState. Turn it off everywhere, then turn it on only for the individual controls that need it.
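The opt-in approach the item describes relies on `ViewStateMode`, not `EnableViewState`: setting `EnableViewState="false"` on the page switches ViewState off for every child with no way back, whereas `ViewStateMode="Disabled"` on the page can be overridden per control. As an added example (not from the post), here it is done in code-behind; the `OrdersGrid` control is an assumption, and the same page-level default can be set once in web.config with `<pages viewStateMode="Disabled" />`.

```csharp
// Added example, not from the post: ViewState off by default, on for one control.
using System;
using System.Web.UI;

public partial class OrdersPage : Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        // Page-level default: no control keeps ViewState unless it opts in.
        // (Leave EnableViewState at its default of true, or the opt-in below is ignored.)
        ViewStateMode = ViewStateMode.Disabled;

        // Only the control that genuinely needs state across postbacks opts in.
        OrdersGrid.ViewStateMode = ViewStateMode.Enabled; // assumed GridView on the page
    }
}
```

Doing this in `Page_Init` matters because ViewState is loaded between Init and Load; settings changed later in the lifecycle apply only to the next postback.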
- SqlMembershipProvider - Consider using ASP.NET User Providers, or better yet, the new ASP.NET Identity system.
- Long Running Requests (>110 seconds) - ASP.NET isn't meant to handle long running requests that are a minute (or two) long. Use WebSockets or SignalR for connected clients, and use asynchronous I/O operations.
I hope this helps someone out!
Sponsor: Big Thanks to Aspose for sponsoring the blog this week! Aspose.Total for .NET has all the APIs you need to create, manipulate and convert Microsoft Office documents and a host of other file formats in your applications. Curious? Start a free trial today.
About Scott
Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.
Translated from: https://www.hanselman.com/blog/checklist-what-not-to-do-in-aspnet