ASP.NET pages now automatically validate all input sent with the request (including any Form, QueryString and Cookies collection contents) against a hard-coded list of undocumented but potentially dangerous string values, and raise an exception if any potentially dangerous content is detected. Input validation can be disabled using a Page directive:
<%@Page Language="VB" ValidateRequest="false" %>
or in machine.config / web.config:
<pages validateRequest="false" ... />
The System.Web.HttpRequest class gains a new method named ValidateInput that checks if the values submitted to the page are potentially dangerous. It is used when automatic input validation is disabled for a page, and raises an exception if any potentially dangerous content is detected.
The System.Web.UI.Page class gains a new property named ViewStateUserKey to which a value that is unique to the current user can be assigned. It is encoded into the viewstate of the page, and when the page is submitted, the viewstate will only be valid if this value is present.
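
The ValidateInput and ViewStateUserKey items above, combined in one code-behind class for a page declared with ValidateRequest="false". This is an added example, not code from the original page; the class name CommentPage, the controls CommentBox and OutputLabel, the "Pinned" session entry and the choice of Session.SessionID as the per-user value are assumptions.

```vb
Imports System
Imports System.Web
Imports System.Web.UI
Imports System.Web.UI.WebControls

' Hypothetical code-behind; the .aspx file is assumed to carry
' <%@Page Language="VB" ValidateRequest="false" Inherits="CommentPage" %>
Public Class CommentPage
    Inherits Page

    ' Assumed controls declared in the page markup.
    Protected WithEvents CommentBox As TextBox
    Protected WithEvents OutputLabel As Label

    Private Sub Page_Init(ByVal sender As Object, ByVal e As EventArgs) Handles MyBase.Init
        ' Storing a value keeps the session ID stable across requests,
        ' so the key is the same when the page is posted back.
        Session("Pinned") = True
        ' ViewStateUserKey must be assigned during Init, before the
        ' viewstate is loaded; assigning it later raises an exception.
        ViewStateUserKey = Session.SessionID
    End Sub

    Private Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles MyBase.Load
        If Not IsPostBack Then Return

        Try
            ' Automatic validation is off for this page, so ask for it here.
            ' ValidateInput only flags the collections; the check itself runs
            ' when Form, QueryString or Cookies is next read.
            Request.ValidateInput()
            Dim comment As String = Request.Form(CommentBox.UniqueID)

            ' The built-in list is hard-coded and undocumented, so the value
            ' is still HTML-encoded before it is written to the page.
            OutputLabel.Text = Server.HtmlEncode(comment)
        Catch ex As HttpRequestValidationException
            ' Handle the rejection here instead of showing the default error page.
            Response.StatusCode = 400
            OutputLabel.Text = "The submitted input was rejected."
        End Try
    End Sub
End Class
```
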
The ListControl, DropDownList, CheckBoxList, RadioButtonList and ListBox classes from the System.Web.UI.WebControls namespace gain a new property named SelectedValue that returns the Value property for the first selected ListItem object in the list. It can also be used to select an item in these controls by assigning the required String value to the property.
The System.Web.HttpContext.RewritePath method gains a new overload that accepts three String parameters: the new path, any extra path information, and the query string to be passed to the requested resource.
The System.Web.HttpBrowserCapabilities class gains a new method named GetClrVersions that returns an array of Version instances indicating the .NET Framework versions installed on the client.
The System.Web.HttpResponse class gains a new property named RedirectLocation that sets or returns the location that the client will be redirected to (the value of the Location HTTP header).
The System.Web.HttpRuntime class gains a new method named UnloadAppDomain that forces the current ASP.NET application to be unloaded and restarted when the next request is received.
The System.Web.HttpUtility class gains a new method named UrlPathEncode that encodes only the path section of a URL string, producing a URL in a format that is suitable for use within hyperlinks and other HTML elements within the page.
The System.Web.Mail.MailMessage class gains a new property named Fields that is a reference to a Dictionary object that contains additional information on the contents of the message that is not available from the existing properties.
The System.Web.Caching.HttpCachePolicy class gains a new method named SetAllowInBrowserHistory which, when called with True, instructs the client to cache the response in its History folder or document cache. This means that the Back and Forward commands in the browser will not request a new version of the page each time.
The System.Web.Caching.HttpCacheability enumeration gains two new values. ServerAndNoCache specifies that the content is cached at the origin server, but all other caching systems are explicitly denied the ability to cache the response. ServerAndPrivate indicates that the response is cached at the server and at the client, but nowhere else (proxy servers and other shared caching systems are not allowed to cache the response).
The System.Web.Security.FormsAuthentication class gains two new read-only properties that return information about the configuration of Forms authentication. The RequireSSL property returns a Boolean value indicating if the cookie must only be sent over a secure SSL-encrypted channel. The SlidingExpiration property returns a Boolean value indicating if the timeout is reset with each page request (True), or is treated as a fixed value from the initial login (False). Two new attributes are added to the <forms> element in machine.config and web.config that specify if SSL is required and if sliding expiration is enabled:
<authentication mode="Forms">
<forms requireSSL="true|false" slidingExpiration="true|false" ... />
</authentication>
The default <machineKey> element within the <system.web> section of the machine.config and web.config files now applies a modifier named IsolateApps to the validation and decryption keys:
<machineKey validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
validation="SHA1"/>
The IsolateApps modifier causes these keys to include details of the ASP.NET application that is using Forms authentication and creating the cookie, so different applications that use Forms authentication will each generate different keys for securing their cookies and encoding viewstate in the pages.