Application Security Testing: An Integral Part of DevOps
by Jayram Tallamraju
This article gives the details of how to share single Application/Session state across different ASP.NET web application projects developed. This is required for web applications developed separately for the sake of modularity and require integration into a single website at a later stage.
It is better to develop each module independent of other. If there is information that needs to be shared across modules, it can be achieved through database and/or Session/Application variables, depending on the requirements. With Visual Studio, each new ASP.NET web application project creates a new virtual directory. This means creating separate Session/Application state for each module/application. Drawback of this approach is there is no way to share same Session/Application across these different modules developed for same website.
Well, it is not a drawback if each module is truly a web application by itself and not part of single website or does not share any thing in common. But what happens when it comes to simple things like login? Mostly applications developed for single website are required to support Single Sign on (SSO) or Share/check some Session/Application variables.
Most of the cases, each module is created as web application, just to allow multiple teams to develop different functionality in parallel, and when it comes to deployment, each module is expected to be part of one single application. Sharing single login session across different modules without much programming effort is the goal of this article.
To allow isolated development of each module and integrate all the modules into single web site, you can do the following:
Develop modules independently:
Create each module as new ASP.NET web application (Using Visual Studio). It is possible that each module might be developed in different location or by different team. Having independent standalone projects make testing of each module easy.
At this point in development phase, each module will have its own virtual directory and it is fine. Focus at this point is developing and testing the functionality of module itself. But things will change at the time of integration and deployment.
Integrating different ASP.NET web applications:
When it is time to Integrate different modules into single application:
- Using Administrative Tools
->Internet Services Manager: Delete all virtual directories previously created for each module by Visual Studio .net.
- Create new ASP.NET Web application (Ex: MasterWeb) project.
- Open explorer and copy each module project directory, below MasterWeb project directory.
- In each module project directory, open "<ModuleProjectName>.csproj.webinfo" file
- Modify URLPath value in .csproj.webinfo file to:
<Web URLPath = http://localhost/MasterWeb/<ModuleProjectName>/<ModuleProjectName>.csproj" />
Why? Since there is no virtual directory created for each module, module project file should have right URL so that Visual Studio can open and compile the project.
Web.Configfile and remove all sections except
<appSettings>section (You can move required sections to parent directory
Web.Configin Parent directory of this project will have the common settings required for all modules. Any module specific settings can be overridden in
Web.Configfile in module project directory (Ex:
<appSettings>/connectionStringvalue in may be different for each module).
- Make sure that each module .csproj.webinfo file has changes in Step 5.
- Make sure that
Web.Configfile in parent directory (MasterWeb) has all the correct settings required for all modules.
- Make sure that each module has
Web.Configfile with module specific settings in
<appSettings>section. If module does not require module specific data, it can share common configuration from parent application (MasterWeb).
- Delete any
Global.asax* files from each module.
- Rebuild all modules and make sure that all module project output assembly files are stored under
<MasterWeb>/bindirectory (Ref: Step 2).
Run the main MasterWeb application and from
http://MachineName/MasterWeb and access each module by
http://MachineName/MasterWeb/Module1/ module specific directories.
NOTE: All above changes should allow having single Session/Application across different modules. This will allow development of each module separately and integrating them at a later stage. Once deployed, this approach takes less memory as same Session/Application state is used across all modules. Solution described takes: "SAME BUT DIFFERENT" approach during development phase and "DIFFERENT BUT SAME" approach during integration/deployment phase.
Debugging the website:
Open MasterWeb application project in Visual Studio and add all the module projects from sub-directories (Add->Existing Projects). Save this into single solution on Visual Studio. You can compile/debug individual projects or all of them as you prefer.
It assumed in this article that, most of the .NET/ASP.NET development is done using Microsoft Visual Studio.NET (IDE) and readers are familiar with Visual Studio.NET/ASP.NET.
Placeholders in the document:
"<", ">" brackets in the document represent that actual name should be replaced in place of the string enclosed with "<>". Example: "<MachineName>" should be replaced with actual machine name like "localhost" etc.