This appendix lists the syntax for each configuration element and describes the attributes and child elements available for that element (where applicable). The names of configuration elements and their attributes are case sensitive and are in what is referred to as camel case. In camel case, the entire first word of a name is lowercase, and the initial letter of each additional word in the name is capitalized. For example, the sessionstate configuration element becomes sessionState. Remember that if you don’t use camel case with both configuration element names and attribute names, you’ll get an error when you try to access a page in the application.
The <trace> element allows you to enable or disable application-wide tracing (see Chapter 14 for more information on this useful feature), as well as set the parameters for the tracing functionality. When tracing is enabled, you can review information about requests received by the Web server with the special URL http://<servername>/<appname>/trace.axd. The <trace> element has the following syntax:
<trac enabled="true|false localOnly="true|false pageOutput="true|false requestLimit="integer traceMode="SortByTime|SortByCategory" />
Table B-1 describes the <trace> element attributes in more detail.
Attribute |
Description |
Options |
---|---|---|
enabled |
Determines whether application-level tracing is enabled for the application. |
true: Turns on application-level tracing. false: Turns off application-level tracing. The default is false. |
localOnly |
Determines whether trace information is viewable by computers other than the local Web server. |
true: Trace output can be viewed only from the local Web server. false: Trace output is viewable from any machine. The default is true. |
pageOutput |
Determines whether trace output is appended to each ASP.NET page in the application or is available only through trace.axd. |
true: Trace output is appended to each page within the scope of the configuration file. false: Trace output is available only by browsing the special trace.axd URL. The default is false. |
requestLimit |
Determines the number of requests that are stored for review through the trace.axd URL. Once this limit has been reached, the current trace must be cleared by browsing trace.axd to collect information on additional requests. |
The default is 10, but the higher this number, the more overhead is involved in tracing. Set this number as small as is feasible. |
traceMode |
Determines the sort order of the requests stored. |
SortByTime: Sorts trace information by the order in which events are processed. SortByCategory: Sorts trace information alphabetically by category. When used with the Trace.Write method, SortByCategory can be useful for grouping Trace.Write statements using the same category argument. The default is SortByTime. |
The <globalization> element controls globalization settings for ASP.NET applications. This includes the encoding used for requests, responses, and files, as well as settings for specifying the culture to be associated with Web requests and local searches. The <globalization> element has the following syntax:
<globalizatio culture="any valid culture string fileEncoding="any valid encoding string requestEncoding="any valid encoding string responseEncoding="any valid encoding string uiCulture="any valid culture string" />
Table B-2 describes the <globalization> element attributes in more detail.
Attribute |
Description |
Options |
---|---|---|
culture |
Determines the culture (such as language defaults) used to process incoming Web requests. |
This attribute must be set to a valid culture string. For a list of valid culture strings, see the Microsoft .NET Framework documentation entry for the System.Globalization.CultureInfo class. |
fileEncoding |
Determines the type of character encoding used for parsing ASP.NET application files (.aspx, .asmx, and .asax). |
This attribute must be set to a valid encoding string. If this attribute is not included in either Machine.config or Web.config, encoding is based on the machine’s Regional Options setting in Control Panel. |
requestEncoding |
Determines the type of character encoding used to process incoming Web requests. |
This attribute must be set to a valid encoding string. If this attribute is not included in either Machine.config or Web.config, encoding is based on the machine’s Regional Options setting in Control Panel. The default is utf-8. |
responseEncoding |
Determines the type of character encoding used to encode outgoing responses. |
This attribute must be set to a valid encoding string. If this attribute is not included in either Machine.config or Web.config, encoding is based on the machine’s Regional Options setting in Control Panel. The default is utf-8. |
uiCulture |
Determines the culture (such as language defaults) used to process searches that are culture- or locale-specific. |
This attribute must be set to a valid culture string. For a list of valid culture strings, see the .NET Framework documentation entry for the System.Globalization.CultureInfo class. |
The <httpRuntime> element controls several aspects of the ASP.NET HTTP runtime engine. The <httpRuntime> element has the following syntax:
<httpRuntim appRequestQueueLimit="number of requests enableKernelOutputCache="true|false enableVersionHeader="string executionTimeout="seconds maxRequestLength="kbytes minLocalRequestFreeThreads="number of threads minFreeThreads="number of threads useFullyQualifiedRedirectUrl="true|false" />
Table B-3 describes the <httpRuntime> element attributes in more detail.
Attribute |
Description |
Options |
---|---|---|
appRequestQueueLimit |
Specifies the number of requests that ASP.NET will queue when no threads are available to process them, before returning a “503– Server Too Busy” error message. |
Increasing this value can result in unacceptably long wait times for users, so use caution and test carefully when making adjustments to this value. The default is 100. |
enableKernelOutputCache |
Specifies whether the http.sys cache is enabled for IIS 6.0 and higher. New for version 1.1. |
Kernel output caching can significantly improve performance. The default is true. |
enableVersionHeader |
Specifies whether the X-AspNet-Version header is output with each request. New for version 1.1. |
The default is true. |
executionTimeout |
Determines amount of time, in seconds, that an ASP.NET request can continue executing before being shut down. |
This attribute, which is similar to classic ASP’s Server.ScriptTimeout property, can be used to prevent hung or long- running requests from consuming more resources than necessary. This attribute should be set somewhere higher than the average time it takes to process requests, but not so high as to allow processor overutilization by errant or inefficient pages. The default is 90 seconds. |
maxRequestLength |
Determines maximum size of incoming file uploads, in kilobytes. |
This attribute is designed to help prevent denial of service attacks mounted by uploading large files to a server. Set it to the smallest size feasible for files you expect your users to upload. The default is 4,096 kbytes. |
minFreeThreads |
Configures the minimum number of threads ASP.NET will keep free for processing new requests. |
The default is 8. |
minLocalRequestFreeThreads |
Configures the minimum FreeThreads number of threads ASP.NET will keep free for processing requests coming from the local machine. Maintaining these free threads can help prevent deadlocks in multithreaded processing. Note that this is incorrectly identified in the current .NET Framework documentation as minFree LocalRequestFreeThreads. |
The default is 4. |
useFullyQualifiedRedirectURL |
Determines whether relative or fully qualified URLs are used for client-side redirects. This attribute allows developers to support certain mobile controls that require fully qualified URLs for client-side redirects. |
true: Client-side redirects are fully qualified. false: Client-side redirects are relative. The default is true. |
With 10 attributes and two child elements, the <compilation> element is one of the more extensive ASP.NET configuration elements and contains settings that determine how ASP.NET compiles code in your Web applications and Web Services. The settings you’ll see most frequently are the debug and defaultLanguage attributes, which are placed in your application’s Web.config file by default when you’re using Microsoft Visual Studio .NET. Other settings, such as the <assemblies> and <namespaces> child elements, are equally important but usually are inherited from the settings in Machine.config, unless overridden by a developer.
The <compilation> element has the following syntax:
<compilatio batch="true|false batchTimeout="seconds debug="true|false defaultLanguage="language explicit="true|false maxBatchSize="number of pages maxBatchGeneratedFileSize="kbytes numRecompilesBeforeAppRestart="number strict="true|false tempdirectory="directory" > <compilers> <compile extension="file extension language="language compilerOptions="compiler options type=".NET type warningLevel="number" /> </compilers> <assemblies> <add assembly="assembly name" /> <remove assembly="assembly name" /> <clear /> </assemblies> </compilation>
Table B-4 describes the <compilation> element attributes in more detail.
Element |
Attribute |
Description |
Options |
---|---|---|---|
<compilation> |
Determines compiler options for the application. Supports the <compilers> and <assemblies> child elements. |
||
Batch |
Determines whether the application supports batch compilation of ASP.NET pages. When batch compilation is enabled, ASP.NET will attempt to compile all ASP.NET pages within the application directory on the first request. This prevents later page requests from having to be compiled on request. |
true: Batch compilation is supported. false: Pages will be compiled one by one as they are requested. The default is true. | |
BatchTimeout |
Determines the amount of time, in seconds, before timeout of batch compilation. If the timeout is exceeded, the compiler will switch to per- request compilation mode. |
This setting will vary depending on the size of an application and the amount of time you are willing to allow for batch compilation. The default is 15 seconds. | |
Debug |
Determines whether debug information is included in compiled assemblies for ASP.NET pages and Web Services. This attribute should always be set to false in a production application because debug assemblies are larger and don’t perform as well as release-type assemblies. |
true: Assemblies are compiled with debug info. false: Assemblies are compiled without debug info. The default is false. | |
DefaultLanguage |
Determines the language(s) to be used during dynamic compilation. |
This attribute is the name of a language, as specified by one of the <compiler> child elements. The default is vb. | |
Explicit |
Determines whether ASP.NET compiles pages written in Microsoft Visual Basic .NET using the Visual Basic Option Explicit compiler option (which forces explicit declaration of variables). Enabling this setting makes it easier to locate and fix common problems, such as misspelled variable names, that otherwise wouldn’t be discovered until runtime. |
true: Enabled. false: Disabled. The default is true. | |
maxBatchSize |
Determines the maximum number of pages for batch compilation. |
The default is 1,000. | |
maxBatchGeneratedFileSize |
Determines the maximum combined size, in KB, of the generated source files in batch compilation. |
The default is 3,000. | |
numRecompiles- BeforeAppRestart |
Determines how many times application resources can be dynamically recompiled before the application is automatically restarted. This setting can be configured at both the application level and the global level through Machine.config. |
The default is 15. | |
strict |
Determines whether ASP.NET compiles pages written in Visual Basic .NET using the Visual Basic Option Strict compiler option (which prevents type conversions that would result in data loss, late binding, and other error-prone coding habits) to your .aspx files before compilation. |
true: Enabled. false: Disabled. It’s a good practice to turn this on, through either Machine.config or Web.config, through the Visual Studio .NET properties dialog box for the project (choose Build under Common Properties), or by adding Option Strict to the page or module you’re working on. This makes it easier to fix common problems, such as overflows or rounding errors, that otherwise wouldn’t be discovered until runtime. The default is false. | |
tempDirectory |
Determines the directory in which the temporary ASP.NET files resulting from dynamic compilation will reside. |
Any valid directory. | |
<compilers> |
Child element containing individual <compiler> child elements. |
||
<compiler> |
Determines options for specific language compilers. One or more of these child elements can be contained within the <compilers> element. |
||
extension |
Determines the file extension used by dynamically compiled code-behind modules for a specific compiler. The extensions for the three most commonly used ASP.NET languages (Visual Basic .NET, Microsoft C#, and Microsoft JScript .NET) are included in Machine.config, so you don’t need to set them yourself unless you want to add additional extensions for one of these languages. |
String representing the file extension (.vb, .cs, and so on). Use semicolons to delimit multiple extensions. This setting should match the language specified in the language attribute. This attribute is required. | |
language |
Determines the list of language names to be handled by a specific compiler. The names for the three most commonly used ASP.NET languages (Visual Basic .NET, C#, and JScript .NET) are included in Machine.config, so you don’t need to set them yourself unless you want to add additional names for one of these languages. |
String representing the language name (vb;visualbasic; vbscript). Use semicolons to delimit multiple names. This setting should match the language specified in the extension attribute. This attribute is required. | |
compilerOptions |
Determines any compiler- specific options to be passed along during compilation. |
Consult the .NET Framework SDK documentation to determine available options. | |
Type |
Determines which .NET class or assembly is used to compile resources using the language specified in the language attribute, or with the extension in the extension attribute. The types for the three most commonly used ASP.NET languages (Visual Basic .NET, C#, and JScript .NET) are included in Machine.config, so you don’t need to set them yourself unless you want to modify the type for one of these languages (not recommended). |
This attribute is a comma-delimited list that can include the class name, assembly name, and version information. The Machine.config file contains good examples of the syntax for this attribute. This attribute is required. | |
warningLevel |
Determines the compiler warning levels, which determine the types of warning messages (and the severity) that are emitted by the compiler. |
The value for this attribute depends on the language compiler being configured. The default for C# is 1. | |
<assemblies> |
Child element containing one or more of the <add/>, <remove/>, or <clear/> child elements. |
The child elements of the <assemblies> element are used to add references to assemblies to be used during compilation. ASP.NET automatically links in the assemblies specified here during dynamic compilation. | |
<clear> |
Specifies that all current or inherited assembly references should be removed. | ||
<add> |
assembly |
Specifies an assembly, by its assembly name, to be referenced during dynamic compilation. |
This setting should be the assembly name, not the DLL name, of the desired assembly. You can also use the wildcard * to add all assemblies from the application’s private assembly cache (by default, in the bin subdirectory). |
<remove> |
assembly |
Specifies an assembly, by its assembly name, to be removed from use during dynamic compilation. |
The assembly name used must match exactly the name of an assembly added by a previous add directive (for example, from a parent Web.config). You cannot use wildcards for this attribute. |
The <pages> element allows you to set the defaults for the page-level attributes that are more commonly associated with the attributes of the @ Page ASP.NET directive. The settings in this element apply to all pages for which specific attributes of the @ Page directive do not appear. If these attributes do appear in an ASP.NET page, their settings will override those in either the Machine.config or Web.config configuration files. As such, the <pages> element provides a handy way of configuring the SessionState, ViewState, and other settings at an application or subfolder level, giving you a great deal of control over your application.
The <pages> element has the following syntax:
<page autoEventWireup="true|false buffer="true|false enableSessionState="true|false|ReadOnly enableViewState="true|false enableViewStateMac="true|false pageBaseType="typename, assembly smartNavigation="true|false userControlBaseType="typename validateRequest="true|false" />
Table B-5 describes the <pages> element attributes in more detail.
Attribute |
Description |
Options |
---|---|---|
autoEventWireup |
Determines whether support for page events (Page_Load and so on) is automatically provided in an application’s ASP.NET pages. |
true: Event support is provided automatically. false: Event support is not provided. Event handlers must be manually wired by developers. The default is true. Pages created in Visual Studio .NET will have autoEventWireup set to false by default. |
Buffer |
Determines whether responses are buffered before being sent to the client. This setting is analogous to the classic ASP Response.Buffer property. |
true: Buffering is enabled. Page output will be buffered until the page is completely processed, or until either the End or Flush method of the HTTPResponse class is called. false: Buffering is not enabled. Buffering is to the client as it is rendered. The default is true. |
PageBaseType |
Provides the type or assembly name of a class from which ASP.NET pages should inherit. In the absence of this attribute, the default is to inherit from the Page class of the System.Web.UI namespace. |
You can use this attribute to provide a class derived from the Page class if you want to provide additional functionality not included in the base Page class. This is a simple yet powerful way to extend ASP.NET applications. |
smartNavigation |
Determines whether the SmartNavigation feature, which uses IFrame elements to minimize page “flash” on postbacks, is enabled by default. |
The default is false. |
userControlBaseType |
Provides the type or assembly name of a class from which ASP.NET User Controls (.ascx files) should inherit. In the absence of this attribute, the default is to inherit from the UserControl class of the System.Web.UI namespace. |
|
enableSessionState |
Determines whether a new session is created by default for the current user by an ASP.NET page. Note that if the user already has a session from a prior page in which this attribute is set to false, this attribute will not affect that session. However, setting the attribute to ReadOnly will prevent the page from modifying values set in previous pages. |
true: If the user does not have a current session when he or she requests a page, a new session will be created. false: If the user does not have a current session, one will not be created. If the user does have a session, it will not be affected, but its values cannot be accessed from pages where this attribute is false. ReadOnly: If the user does not have a current session, one will not be created. If the user does have a session, its values can be read from within a page where this attribute has been set to ReadOnly, but they cannot be modified. The default is true. |
enableViewState |
Determines whether ViewState (the method by which ASP.NET Server Controls store their state between page requests) is enabled. |
true: ViewState is enabled. Server Controls will maintain their values from one request to the next. false: ViewState is not enabled. Server control state will be reset with each request. |
enableViewStateMac |
Determines whether a Machine Authentication Check (MAC) is performed on ViewState data when a Web Form is posted back to the server. The MAC can help identify client-side tampering with the ViewState hidden field. |
true: MAC is enabled for ViewState. false: MAC is not enabled for ViewState. The default is true. |
validateRequest |
Specifies whether request validation is enabled for pages affected by the configuration file. New for version 1.1. |
Since the Request Validation feature can help prevent a variety of script injection attacks, it is recommended that you leave this set to true (the default), unless you are certain that your application properly filters and validates all user input. |
The <customErrors> element allows you to customize how your ASP.NET application responds to error conditions. In this element, you can specify whether the raw error messages generated by ASP.NET should be visible to local or remote clients, or whether to redirect the client to either a custom error page or a page specific to the error that occurred (based on the status code of the error). The <customErrors> element supports one child element, <error>, and has the following syntax:
<customError defaultRedirect="url mode="on|off|RemoteOnly"> <error  redirect="url statusCode="status code"/> </customErrors>
Table B-6 describes the <customErrors> element attributes in more detail.
Element |
Attribute |
Description |
Options |
---|---|---|---|
<customErrors> |
Determines how ASP.NET errors are handled. |
||
defaultRedirect |
Determines the page to which a user is redirected if an error occurs. |
The page to which this URL points can be either an .aspx page, in which you attempt to clean up or recover from the error, or a static HTML page, to inform the user of the error and offer guidance. | |
mode |
Determines whether raw ASP.NET error messages are sent to the client. |
On: Custom errors are enabled. When an error occurs, the client, whether on the local Web server or remote, will be redirected to the custom error page specified by the defaultRedirect attribute (or to a page specified in an <error> child element). Off: Custom errors are not enabled. When an error occurs, the client will see the error page generated by ASP.NET. Note that depending on how your application is designed, this can expose proprietary information to clients, so you should rarely use this setting. RemoteOnly: Custom errors are enabled for remote clients. When an error occurs, remote clients will be redirected to a custom error page, while clients on the local Web server will see the error page generated by ASP.NET. This allows developers to track down errors without allowing clients to see raw error pages. RemoteOnly is the default. | |
<error> |
Determines redirect page for a specific error type, based on the HTTP status code for the error. |
Adding <error> tags provides finer-grained control over error handling. | |
redirect |
Determines the page to which a user is redirected if an error of the type specified in the statusCode attribute occurs. |
||
statusCode |
Determines the HTTP status code (404–Not Found, and so on) that is handled by this <error> child element. |
The <authentication> element controls configuration of authentication in ASP.NET. You can choose from one of three authentication methods, and you can set appropriate parameters for the method you choose or you can choose no authentication at all. The <authentication> element supports two child elements: <forms> and <passport>. Additionally, the <forms> element supports one child element, <credentials>, which in turn supports one child element, <user>, as shown in the following example:
<authentication  mode="Windows|Forms|Passport|None"> <form loginUrl="url name="name path="/ protection="All|None|Encryption|Validation requireSSL="true|false slidingExpiration="true|false timeout="number"> <credentials  passwordFormat="Clear|MD5|SHA1"> <use name="username"  password="password" /> </credentials> </forms> <passpor redirectUrl="url" /> </authentication>
Table B-7 describes the <authentication> element attributes in more detail.
Element |
Attribute |
Description |
Options |
---|---|---|---|
<authentication> |
Determines how ASP.NET authentication is handled. |
||
mode |
Determines the authentication mode to be used. Authentication is discussed in greater detail in Chapter 6. |
Windows: ASP.NET will use Windows authentication by default. Works with IIS’s Basic, Digest, NTLM, or Certificate- based authentication methods. Forms: ASP.NET will use Forms-based authentication, which provides basic support for “roll-your- own” security scenarios, by default. Passport: ASP.NET will use Microsoft Passport as the default authentication method. None: No authentication will be performed by ASP.NET. | |
<forms> |
Determines the parameters associated with Forms-based authentication. |
||
loginUrl |
Determines the URL to which a user is redirected if he doesn’t have a valid authentication cookie. |
This can be any page in your ASP.NET application that allows a user to log in. The default is login.aspx. | |
name |
Determines the name of the cookie used for authenticating a user. |
Default is .ASPXAUTH. | |
path |
Determines the path to set for the authentication cookie. |
Default is /. This is to prevent the possibility of missing cookies because of browser case sensitivity with respect to URL paths and cookies. | |
protection |
Determines the methods used to protect the authentication cookie from being compromised. Your choice of which method to use, or whether to use any at all, will depend on your security needs vs. the amount of resources you’re willing to devote to security. Generally, the higher the level of security, the greater the performance overhead. |
All (default): Both encryption and data validation will be used to protect the cookie. This is the recommended setting. Encryption: The authentication cookie will be encrypted, but will not be validated. This leaves the cookie vulnerable to certain types of attacks. Validation: The authentication cookie’s contents will be validated to ensure that they haven’t been changed between the browser and the server. None: Neither encryption nor validation is used. Not recommended. | |
requireSSL |
Determines whether the authentication cookie will be sent with requests that do not use SSL. New for version 1.1. |
If set to true, the forms authentication cookie will not be sent over a non-SSL connection. The default is false. | |
slidingExpiration |
Determines whether each request in a given session resets the expiration of the authentication cookie. New for version 1.1. |
The default is false. | |
Timeout |
Determines the amount of time, in minutes, until the authentication cookie expires. |
Default is 30. You should set this value to the minimum amount that will allow users to use your site effectively. If you use persistent cookies with forms authentication, they will not time out. | |
<credentials> |
In conjunction with the <user> child element, allows you to define credentials to authenticate against within a configuration file. |
If you use this method to store credentials in a Web.config file within your application scope, and your application is compromised, it might be possible for intruders to gain the passwords stored there, even if they’re encrypted. Remember that no encryption method is perfect. | |
PasswordFormat |
Determines the encryption used for stored passwords. |
Clear: No encryption is used. Not recommended. MD5: Passwords are encrypted using the MD5 hash algorithm. SHA1: Passwords are encrypted using the SHA1 hash algorithm. | |
<user> |
Determines the username and password of a single user. Use one <user> child element for each set of credentials you want to store in the configuration file. |
||
name |
Specifies the username of the user to authenticate against. |
||
password |
Specifies the password of the user to authenticate against. |
This value should be an encrypted version of the password created with the hash algorithm specified by the passwordFormat attribute of the <credentials> tag. | |
<passport> |
Child element used to set the parameters for Microsoft Passport- based authentication. |
||
redirectUrl |
Determines the URL where the user will be redirected if he or she has not been authenticated. |
By default, requests made by ASP.NET applications for resources requiring authentication, such as files secured by NT Access Controls Lists (ACLs), are made in the context of either the IUSR_MACHINENAME or IWAM_MACHINENAME accounts, depending on whether the application is configured to run in-process or out-of-process relative to IIS. The <identity> element allows ASP.NET applications to use impersonation, in which an application takes on the security context of the user making a request, or of a specified account. The <identity> element has the following syntax:
<identit impersonate="true|false userName="username password="password" />
Table B-8 describes the <identity> element attributes in more detail.
Attribute |
Description |
Options |
---|---|---|
impersonate |
Determines whether ASP.NET applications will use impersonation. |
true: Enables impersonation of security accounts by ASP.NET applications. false: Disables impersonation of security accounts by ASP.NET applications. |
userName |
Specifies a user account that the affected ASP.NET application will impersonate. |
Any valid user account. You should ensure that the account that you choose has access to only the desired resources. For example, as a rule, it is not a good idea to have an ASP.NET application impersonate an account in the Administrators group. If omitted, ASP.NET will impersonate the account of the logged on user (as provided by IIS). |
password |
Specifies the password for the account named in the userName attribute. |
The <authorization> element lets you specify which accounts or roles (groups) are authorized to access resources within the scope of the configuration file. The <authorization> element supports two child elements, <allow> and <deny>, both of which have three attributes. The <authorization> element has the following syntax:
<authorization> <allow  users="userlist roles="rolelist verbs="verblist" /> <deny  users="userlist roles="rolelist verbs="verblist" /> </authorization>
Table B-9 describes the <authorization> element attributes in more detail.
Element |
Attribute |
Description |
Options |
---|---|---|---|
<authorization> |
Determines authorization settings for an application or directory. Contains one or more <allow> or <deny> child elements. |
||
<allow> |
Allows access to resources based on user account, group membership, or HTTP request method. |
||
users |
List of users (NT user accounts) granted access to the resource(s). |
This attribute takes a comma-delimited list. Access to anonymous users is allowed using the ? wildcard, and access to everyone is allowed using the * wildcard. | |
roles |
List of roles (NT groups) granted access to the resource(s). |
This attribute takes a comma-delimited list. | |
verbs |
List of HTTP verbs (GET, POST, etc.) granted access to the resource(s). |
This attribute takes a comma-delimited list. Verbs available are GET, HEAD, POST, and DEBUG. | |
<deny> |
Denies access to resources based on user account, group membership, or HTTP request method. |
||
users |
List of users (NT user accounts) denied access to the resource(s). |
This attribute takes a comma-delimited list. Access to anonymous users is denied using the ? wildcard, and access to everyone is denied using the * wildcard. | |
roles |
List of roles (NT groups) denied access to the resource(s). |
This attribute takes a comma-delimited list. | |
verbs |
List of HTTP verbs (GET, POST, etc.) denied access to the resource(s). |
This attribute takes a comma-delimited list. Verbs available are GET, HEAD, POST, and DEBUG. |
The <machineKey> element allows you to specify the keys used for encryption and decryption of cookie data in Forms-based authentication. This element can be used at the machine level through Machine.config, as well as at the site and application levels through Web.config files, but it cannot be used at the subdirectory level. The <machineKey> element has the following syntax:
<machineKe decryptionKey="AutoGenerate|value[,IsolateApps] validation="AutoGenerate|value[,IsolateApps] validationKey="3DES|MD5|SHA1" />
Table B-10 escribes the <machineKey> element attributes in more detail.
Attribute |
Description |
Options |
---|---|---|
decryptionKey |
Determines whether the decryption key to be used is autogenerated or specifies a key value to be used. |
AutoGenerate (default): ASP.NET will generate a random key for decryption. New for version 1.1. In version 1.1, the IsolateApps modifier is added, which ensures that each application will have a unique key generated, based on the application ID. value: This represents a string of characters (minimum 40, maximum 128) to be used as a decryption key. Note that 128 characters is the recommended length. For shorter-length keys, you should ensure that the key is randomly generated. This setting is necessary in Web farms to ensure that all servers are using the same keys, providing transparent user access while still taking advantage of encryption. |
validation |
Determines the type of encryption to be used by ASP.NET. |
3DES: Data is encrypted using Triple-DES (3DES) encryption. MD5: Data is encrypted using the MD5 hash algorithm. SHA1 (default): Data is encrypted using the SHA1 hash algorithm. |
validationKey |
Determines whether the validation key to be used is autogenerated or specifies a key value to be used. |
AutoGenerate (default): ASP.NET will generate a random key for validation. New for version 1.1. In version 1.1, the IsolateApps modifier is added, which ensures that each application will have a unique key generated, based on the application ID. value: This represents a string of characters (minimum 40, maximum 128) to be used as a validation key. Note that 128 characters is the recommended length. For shorter-length keys, it is recommended to ensure that the key is randomly generated. This setting is necessary in Web farms to ensure that all servers are using the same keys, providing transparent user access while still taking advantage of encryption. |
The <securityPolicy> element allows you to specify one of several named security policies, or a custom policy, for code-access security based on the name and policyFile attributes of its <trustLevel> child element. The <trust> element, described in the next section, specifies which of the named policies is implemented for a given site or application. The <securityPolicy> element supports one child element, <trustLevel>, with two attributes, and has the following syntax:
<securityPolicy> <trustLevel  name="value policyFile="value" /> </securityPolicy>
Table B-11 describes the <securityPolicy> element attributes in more detail.
Element |
Attribute |
Description |
Options |
---|---|---|---|
<securityPolicy> |
Determines the available named security policies for sites and/or applications. |
||
<trustLevel> |
Each <trustLevel> child element sets up an available named policy based on its name and policyFile attributes. |
||
name |
Specifies the name to use for the policy. |
The name specified by this attribute is also used by the <trust> element to implement the named policy. | |
policyFile |
Specifies the file name of the file that contains the code-access security settings to be used under the named policy. |
The file name specified by this attribute is relative to the location of the Machine.config file. |
The <trust> element is used to implement one of the named security policies created by the <securityPolicy> element. This element can be used at the machine level through Machine.config, as well as at the site and application levels through Web.config files. However, it can’t be used at the subdirectory level. The <trust> element has the following syntax:
<trus level="Full|High|Low|None|custom name originUrl="url" />
Table B-12 describes the <trust> element attributes in more detail.
Attribute |
Description |
Options |
---|---|---|
level |
Determines the applicable trust level, based on a named security policy. |
Full: Code-access security is based on the Full named policy set up by default in Machine.config. High: Code-access security is based on the High named policy set up by default in Machine.config. Low: Code-access security is based on the Low named policy set up by default in Machine.config. None: Code-access security is based on the None named policy set up by default in Machine.config. custom name: Code-access security is based on a custom named policy set up in either Machine.config or a Web.config file at the site or application level. |
originUrl |
Specifies the origin URL for an application. |
Optional: This attribute can be used to support permissions for Socket and WebRequest requests that allow connectivity to the origin host. |
The <sessionState> element is used to configure the Session State HttpModule, including the type of state management to be used (in-process, out-of-process, or Microsoft SQL Server), the default session timeout, and whether to use cookies for associating requests with user sessions. The <sessionState> element has the following syntax:
<sessionStat stateConnectionString="IP address:port number cookieless="true|false mode="Off|Inproc|StateServer|SQLServer sqlConnectionString="sql connection string timeout="number of minutes" />
Table B-13 describes the <sessionState> element attributes in more detail.
Attribute |
Description |
Options |
---|---|---|
stateConnectionString |
Specifies the server and port number to connect to when the mode attribute is set to StateServer. |
This attribute is required when the mode is set to StateServer. The default is tcpip=127.0.0.1:42424. |
cookieless |
Determines whether user sessions are mapped to requests by using cookies or by adding a user’s SessionID to the URL string for requests by that user. |
true: SessionIDs are added to request URLs, and cookies are not used. false: Cookies are used to map user requests to sessions. The default is false. |
mode |
Determines the type of session state management that applications will use. |
Off: Session state is disabled. Inproc: Session state is stored in- process with the application, as in classic ASP. StateServer: Session state is managed by an out-of-process NT Service, allowing multiple servers in a Web farm to share a single state store. SQLServer: Session state is managed by SQL Server database, allowing multiple servers in a Web farm to share a single state store. This mode has the added advantage of providing persistent state storage in the event of a Web server crash. The default is InProc. |
sqlConnectionString |
Specifies the connection string used to connect to a SQL Server database where state information is stored. |
This attribute is required when the mode is set to SQLServer. |
timeout |
Specifies the amount of time, in minutes, before the user’s session expires. |
Like the classic ASP Session.Timeout property, this attribute uses sliding expiration. Each request by the user resets the amount of time before his session expires. The default is 20 minutes. |
The <httpHandlers> element allows you to assign requests of certain types or for certain resources to specific handler classes. For example, in Machine.config, the handling of ASP.NET pages (requests with the .aspx extension) is assigned to the System.Web.UI.PageHandlerFactory class. The <httpHandlers> element can also be used to prevent HTTP access to certain types of files by assigning them to the System.Web.HttpForbiddenHandler class, as is done by default for configuration files (*.config) and source files (*.vb and *.cs, for example).
The <httpHandlers> element supports three child elements, <add>, <remove>, and <clear>, and has the following syntax:
<httpHandlers> <add  path="path type="type, assembly name validate="true|false verb="verblist" /> <remove  path="path verb="verblist" /> <clear /> </httpHandlers>
Table B-14 describes the <httpHandlers> element attributes in more detail.
Element |
Attribute |
Description |
Options |
---|---|---|---|
<httpHandlers> |
Determines the assignment of requests to httpHandlers for ASP.NET applications. |
||
<add> |
Each <add> child element maps a specific type of request to a given httpHandler. |
||
path |
Specifies the URL path this httpHandler will handle. |
This can be a single URL, as in the case of the default mapping of the trace.axd URL to System.Web.Handlers. TraceHandler, or can use a wildcard to specify that the httpHandler should handle all requests of a given type (such as *.aspx or *.asmx). | |
validate |
Determines whether the ASP.NET runtime should attempt to load the class before the actual request is received, in order to ensure that it exists. |
true: The ASP.NET runtime will attempt to load the class when the associated application is started up. false: The ASP.NET runtime will load the class only when the actual request is received. This can improve start-up time, but will delay the appearance of the error if the class does not exist. This attribute is optional. | |
type |
Specifies the .NET class that should handle the requests specified by the path and verb attributes. |
This is a string containing a comma-separated list with the class name and other information, such as version and public key, that enables ASP.NET to locate the class in either the application’s bin directory or the global assembly cache. | |
verb |
Specifies the HTTP verbs for which the httpHandler will handle requests. |
Comma-separated list of verbs (GET, POST) or a wildcard (such as *, which specifies that all verbs should be handled). | |
<remove> |
Removes an httpHandler mapping, based on the path and verb attributes specified. |
||
path |
Specifies path of the httpHandler to be removed. |
This attribute must exactly match the path attribute of an httpHandler added by a previous <add> child element. | |
verb |
Specifies verb(s) of the httpHandler to be removed. |
This attribute must exactly match the verb attribute of an httpHandler added by a previous <add> child element. | |
<clear> |
Removes all httpHandler mappings, either those configured by the current file or those inherited from parent configuration files. |
HttpModules are classes that implement the IHttpModule interface and are used to provide functionality to ASP.NET applications. For example, by default, the Machine.config file adds HttpModules for output caching, session-state management, authentication, and authorization. The <httpModules> element allows you to add HttpModules to ASP.NET applications.
The <httpModules> element supports three child elements, <add>, <remove>, and <clear>, and has the following syntax:
<httpModules> <add  name="name type="classname.assemblyname" /> <remove  name="name <clear /> </httpModules>
Table B-15 describes the <httpModules> element attributes in more detail.
Element |
Attribute |
Description |
Options |
---|---|---|---|
<httpModules> |
Determines the httpModules available for ASP.NET applications within the scope of the configuration file. |
||
<add> |
Each <add> child element adds a specified httpModule. |
||
name |
Specifies a name that can be used by ASP.NET applications to refer to the module identified by the type attribute. |
||
type |
Specifies the .NET class that implements the desired httpModule. |
This is a string containing a comma-separated list with the class name and other information, such as version and public key, that enables ASP.NET to locate the class in either the application’s bin directory or the global assembly cache. | |
<remove> |
Removes an httpModule, based on the name and type attributes specified. |
||
name |
Specifies the name of the httpModule to remove. |
This attribute must exactly match the name attribute of an httpModule added by a previous <add> child element. | |
<clear> |
Removes all httpModules, either those configured by the current file or those inherited from parent configuration files. |
The <processModel> element configures settings related to how ASP.NET applications run, and it provides access to a number of features geared towards improving the availability of applications. These include automatic restart (which can be configured based on elapsed time or number of requests), allowed memory size, and Web garden, in which applications can be associated with specific processors in a multiprocessor machine. Note that when ASP.NET is running under IIS 6.0 in native mode, the settings in the <processModel> element are ignored in favor of the settings configured by the IIS administrative UI.
The <processModel> element has the following syntax:
<processMode clientConnectedCheck="time in hh:mm:ss format comAuthenticationLevel="Default|None|Connect|Call|Pkt PktIntegrity|PktPrivacy comImpersonationLevel="Default|Anonymous|Identify|Impersonate Delegate cpuMask="number enable="true|false idleTimeout="time logLevel="All|None|Errors maxIoThreads="number maxWorkerThreads="number memoryLimit="percent pingFrequency="hh:mm:ss pingTimeout="hh:mm:ss requestLimit="number requestQueueLimit="Infinite|number responseDeadlockInterval="Infinite|hh:mm:ss responseRestartDeadlockInterval="Infinite|hh:mm:ss restartQueueLimit="Infinite|number serverErrorMessageFile="filename shutdownTimeout="time timeout="time webGarden="true|false username="user name password="password" />
Table B-16 describes the <processModel> element attributes in more detail.
Attribute |
Description |
Options |
---|---|---|
clientConnectedCheck |
Determines the frequency with which ASP.NET checks if the client is still connected while a request is queued. |
This attribute takes a time value in the format hh:mm:ss. The default is 0:00:05. This attribute can be useful for preventing processor resources from being wasted on queued requests for which the client has disconnected. |
comAuthenticationLevel |
Specifies the DCOM authentication level. |
Default: DCOM will determine authentication level based on its normal security negotiation algorithm. None: No authentication. ConnectCall: DCOM authenticates the credentials of the client with each remote procedure call. Pkt: DCOM authenticates that all received data is coming from the expected client. PktIntegrity: Same as Pkt, but also verifies that data has not been modified in transport. PktPrivacy: Same as PktIntegrity, but adds encryption. The default value is Connect. |
comImpersonationLevel |
Specifies the COM authentication level. |
Anonymous: Client is anonymous. Not supported in the current release. Identify: Server can obtain the client’s identity and impersonate the client for ACL checking, but cannot access system objects using the client’s identity. Impersonate: Allows the server to impersonate the client and access system resources using the client’s security context, but this context can only be passed across a single machine boundary. Delegate: Same as Impersonate, but the impersonation token can be passed across multiple machine boundaries. |
cpuMask |
Specifies the processors (on a multiprocessor server) that are allowed to run the ASP.NET application. This attribute works with the webGarden attribute. When webGarden is set to true, cpuMask determines the eligible processors for the application. |
The default is 0xffffffff. |
Enable |
Enables or disables the processModel settings for ASP.NET applications. |
true: processModel settings are enabled. false: processModel settings are disabled. |
idleTimeout |
Determines the amount of time, in minutes, before ASP.NET shuts down an inactive worker process. |
Default is Infinite, in which case the process will not be shut down when idle. |
logLevel |
Specifies the types of process events that will be written to the event log. |
All: All process events are logged. Errors: Only unexpected shutdowns, memory limit shutdowns, and deadlock shutdowns are logged. None: No events are logged. The default is Errors. |
maxIoThreads |
Specifies the maximum number of IO threads per CPU. |
Any value from 5 to 100 is valid. The default is 25. |
maxWorkerThreads |
Specifies the maximum number of worker threads per CPU. |
Any value from 5 to 100 is valid. The default is 25. |
memoryLimit |
Determines the maximum allowable memory size for an ASP.NET application. |
This attribute takes a number representing the percentage of the total system memory that the application’s worker processes can consume. If this value is exceeded, ASP.NET will launch a new process, reassign existing requests to it, and then shut down the old process. |
pingFrequency |
Determines how often the ASP.NET ISAPI extension pings the worker process to see if it is running. If the process does not respond in the interval specified by pingTimeout, the worker process will be restarted. |
The format of this value is hh:mm:ss. The default is 30 seconds. |
pingTimeout |
Determines the time interval after which an unresponsive worker process is restarted. |
The format of this value is hh:mm:ss. The default is 5 seconds. |
responseDeadlock- |
Determines the time interval Interval after which the process will be restarted when there are queued requests, and no responses have been generated for this interval. |
The format of this value is hh:mm:ss. The default is 3 minutes. |
responseRestartDeadlockInterval |
Determines the time interval that must elapse before a second restart to cure a deadlock (as specified by responseDeadlockInterval) can occur. |
The format of this value is hh:mm:ss. The default is 9 minutes. |
requestLimit |
Determines the number of requests an application can fulfill before ASP.NET launches a new worker process and shuts down the old one. |
Default is Infinite, in which case the process will not be shut down, regardless of the number of requests. This setting can be used to restart the application after a given number of requests, and it can help deal with problems such as memory leaks in legacy COM components used by an application or blocked processes. |
requestQueueLimit |
Determines the number of requests that can be queued before ASP.NET returns the “503–Server Too Busy” status error. |
Default is 5,000. |
restartQueueLimit |
Specifies the number of requests that are kept in the queue while the process is restarting. |
Default is 10. |
serverErrorMessageFile |
Provides custom message for Server Unavailable error condition. |
Path and file name to the desired file. If omitted, the default Server Unavailable message is used. |
shutdownTimeout |
Determines the amount of time that an ASP.NET worker process is given to shut itself down. |
This attribute takes a time value in the format hh:mm:ss. If the time specified by this attribute is exceeded, ASP.NET will force the shutdown of the worker process. The default is 0:00:05. |
timeout |
Determines the amount of time, in minutes, before ASP.NET launches a new worker process and shuts down the old one. |
This setting can be used to restart the application after a given period of time, and it can help deal with problems such as memory leaks in legacy COM components used by an application or blocked processes. |
webGarden |
Determines whether Web gardening is enabled. |
true: Web gardening is enabled. false: Web gardening is disabled. |
password |
Specifies a password for the user account specified in the username attribute. |
Default is autogenerate, which can be used with either the SYSTEM or MACHINE special accounts. |
username |
Determines the identity under which ASP.NET worker processes are run. |
Default is MACHINE, which runs worker processes as an unprivileged ASP.NET service account called ASPNET. This provides a higher level of security than the beta releases of ASP.NET (which used the more privileged SYSTEM account), but can make certain techniques, such as using trusted connections with SQL Server, more difficult because the ASPNET account is not trusted. You can also use another special account, SYSTEM, to run the ASP.NET worker processes, but for security reasons, this is not recommended. |
The <webControls> element allows you to specify the location of script files used by client-side implementations of ASP.NET Server Controls, such as the validation controls. The <webControls> element has the following syntax:
<webControl clientScriptsLocation="path" />
Table B-17 describes the <webControls> element attribute in more detail.
Attribute |
Description |
Options |
---|---|---|
clientScriptsLocation |
Determines where ASP.NET will look for client-side scripts for use with ASP.NET Server Controls. |
This attribute is relative to the root Web of the Web server. |
The <clientTarget> element allows you to set up aliases to be used by the ClientTarget property of the Page class. The <clientTarget> element supports one child element, <add>, and has the following syntax:
<clientTarget> <add  alias="aliasname userAgent="true|false" /> <clear /> <remov alias="aliasname" /> </clientTarget>
Table B-18 describes the <clientTarget> element attributes in more detail.
Element |
Attribute |
Description |
---|---|---|
<clientTarget> |
Creates aliases for specific browser user agents that can then be specified from the Page.ClientTarget property. | |
<add> |
Maps a specific user agent string to an alias name. | |
alias |
Specifies the name of the alias. | |
userAgent |
Specifies the browser user agent that the alias looks for. | |
<clear> |
Removes all aliases added (or inherited) by the current Web.config file. | |
<remove> |
alias |
Removes the specified alias added (or inherited) by the current Web.config file. |
The <browserCaps> element contains settings used by ASP.NET to provide the functionality of the browser capabilities component (accessible via the Request.Browser property). It provides filtering processes that allow the browser capabilities component to populate its properties with information on the capabilities of a user’s browser, based on the information contained in the user agent string passed by the browser. The <browserCaps> element supports three child elements, <result>, <use>, and <filter>. The <filter> element supports one child element, <case>. The <browserCaps> element has the following syntax:
<browserCaps> <result type="System.Web.HttpBrowserCapabilities" /> <use var="HTTP_USER_AGENT" /> list of default property value <filter> <cas match="string1|string2|stringN"> property=valu </case> </filter> </browserCaps>
Table B-19 describes the <browserCaps> element attributes in more detail.
Element |
Attribute |
Description |
Options |
---|---|---|---|
<browserCaps> |
Allows filtering and mapping of strings within the browser user agent string to properties of the browser capabilities component. |
||
<result> |
Specifies the result type of the configuration element. |
||
type |
.NET class used as the result type. |
The default is System.Web.HttpBrowserCapabilities. | |
<use> |
Determines the server variables used while evaluating <filter> and <case> elements. |
||
var |
Server variable used in evaluating <filter> and <case> elements. |
The default is HTTP_USER_AGENT. | |
<filter> |
The <filter> contains one or more <case> child elements to search for specific strings within the user agent string. |
||
<case> |
Each <case> child element searches for a specific string or strings within the user agent string. |
||
match |
Specifies the string or strings (separated by | characters) to look for in the code. |
If a specified string is found, the property assignment enclosed by the <case></case> tags is executed. |