Additional security when calling JSON serialized services
A security feature of ASP.NET web services that are JSON serialized through the ASP.NET AJAX extensions is that they must be requested in a specific way. This is an important deterrent against your services being used in XSS attacks. Scott Guthrie has a great post providing detailed information on the particulars. It boils down to two things:
- The request must be an HTTP POST request
- The request’s content-type must be: “application/json; charset=utf-8”
When you register and call a web service through ASP.NET AJAX’s ScriptManager, you may safely enjoy blissful ignorance of these requirements. The framework transparently handles everything for you.
However, if you want to use a third party AJAX framework to request the JSON serialized output, you may run into trouble due to these security features.
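A request that meets both requirements without ScriptManager, as an added example that is not from the original post: the function names and the sample requests are hypothetical, and the browser fetch API is assumed. checkRequest reports which of the two requirements a given request description fails, which is useful when a library's defaults (a GET, or a form-encoded POST) are the cause of a rejected call.

```javascript
// Added example; function names and sample requests are hypothetical.
const REQUIRED_METHOD = "POST";
const REQUIRED_CONTENT_TYPE = "application/json; charset=utf-8";

// Compare values ignoring case and whitespace.
const normalize = (v) => String(v || "").replace(/\s+/g, "").toLowerCase();

// Build fetch() options that satisfy both requirements.
function buildScriptServiceRequest(params) {
  return {
    method: REQUIRED_METHOD,
    headers: { "Content-Type": REQUIRED_CONTENT_TYPE },
    // Parameters travel as a JSON body; send "{}" when there are none.
    body: JSON.stringify(params || {}),
  };
}

// Return the list of requirements a request description fails.
function checkRequest(req) {
  const problems = [];
  if (normalize(req.method || "GET") !== normalize(REQUIRED_METHOD)) {
    problems.push("method must be POST");
  }
  const headers = req.headers || {};
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "content-type");
  if (normalize(key && headers[key]) !== normalize(REQUIRED_CONTENT_TYPE)) {
    problems.push("content-type must be " + REQUIRED_CONTENT_TYPE);
  }
  return problems;
}

// Send the call only if it meets both requirements; parse the JSON reply.
async function callScriptService(url, params) {
  const req = buildScriptServiceRequest(params);
  const problems = checkRequest(req);
  if (problems.length > 0) throw new Error(problems.join("; "));
  const res = await fetch(url, req);
  if (!res.ok) throw new Error("service returned HTTP " + res.status);
  return res.json();
}

// Constructed samples: a form-encoded POST and a plain GET.
const SAMPLE_FORM_POST = {
  method: "POST",
  headers: { "content-type": "application/x-www-form-urlencoded" },
};
const SAMPLE_GET = { method: "GET", headers: {} };
```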
Volatile Fields
Software built on the .NET framework is subject to many optimisations. Some optimisation is performed when compiling your program or library in Visual Studio or using the command-line compiler. Other optimisations are applied when executing the compiled intermediate language (IL) code. These vary according to the type of processor used to run the program. In many situations these optimisations lead to faster code or smaller programs without any noticeable side effects.
One optimisation that can have side effects relates to publicly visible fields in classes or structures. When you request the value of such a field the program normally performs a non-volatile read. This type of read can be optimised to improve the performance of the program. For example, the processor may choose to read the value from memory earlier than expected, and potentially in a different order than specified, in preparation for its later use. This may move the value to the processor's cache memory, where it can be accessed more quickly than from the main memory, or to its registers for yet faster performance. In single-threaded code these changes are unnoticeable.
When you are creating a multithreaded application or one that uses parallel programming code, non-volatile reads can present a problem. To illustrate this, consider the following program:
What is XAML?
- It is a declarative markup language.
- It simplifies creating a UI for a .NET Framework application.
- You can create visible UI elements in XAML, and then separate the UI definition from the run-time logic by using code-behind files, which are joined to the markup through partial class definitions. XAML represents the instantiation of objects in a special set of backing types defined in assemblies.
- It enables a workflow where separate parties can work on the UI and the logic of an application using different tools, for example Expression Blend and Visual Studio.
- It supports visual designers for creating user-friendly UIs.
- XAML is not dependent on WPF, and WPF is not dependent on XAML; WPF was designed to be XAML-friendly.
Basic WPF interview questions
- Strong .NET 2.0 Background & willing to learn!
- Explain dependency properties?
- What's a style?
- What's a template?
- Binding
- Differences between base classes: Visual, UIElement, FrameworkElement, Control
- Visual vs Logical tree?
- Property Change Notification (INotifyPropertyChanged and ObservableCollection)
- ResourceDictionary - Added by a7an
- UserControls - Added by a7an
- difference between bubble and tunnel routing strategies - added by Carlo
- Why did Microsoft introduce yet another markup language?
- XAML
C# interview questions and answers
- What debugging tools come with the .NET SDK? CorDBG – command-line debugger, and DbgCLR – graphic debugger. Visual Studio .NET uses the DbgCLR. To use CorDbg, you must compile the original C# file using the /debug switch.
- What does the This window show in the debugger? It points to the object that’s pointed to by this reference. Object’s instance data is shown.
- What does assert() do? In debug compilation, assert takes in a Boolean condition as a parameter, and shows the error dialog if the condition is false. The program proceeds without any interruption if the condition is true.
- What’s the difference between the Debug class and Trace class? Documentation looks the same. Use Debug class for debug builds, use Trace class for both debug and release builds.
- Why are there five tracing levels in System.Diagnostics.TraceSwitcher? The tracing dumps can be quite verbose, and for some applications that are constantly running you run the risk of overloading the machine and the hard drive there. Five levels range from None to Verbose, allowing you to fine-tune the tracing activities.
- Where is the output of TextWriterTraceListener redirected? To the Console or a text file depending on the parameter passed to the constructor.
- How do you debug an ASP.NET Web application? Attach the aspnet_wp.exe process to the DbgClr debugger.
- What are three test cases you should go through in unit testing? Positive test cases (correct data, correct output), negative test cases (broken or missing data, proper handling), exception test cases (exceptions are thrown and caught properly).
- Can you change the value of a variable while debugging a C# application? Yes, if you are debugging via Visual Studio.NET, just go to the Immediate window.
- Explain the three services model (three-tier application). Presentation (UI), business (logic and underlying code) and data (from storage or other sources).
C# interview questions
1 Describe the difference between a Thread and a Process?
2 What is a Windows Service and how does its lifecycle differ from a "standard" EXE?
3 What is the maximum amount of memory any single process on Windows can address? Is this different than the maximum virtual memory for the system? How would this affect a system design?
4 What is the difference between an EXE and a DLL?
5 What is strong-typing versus weak-typing? Which is preferred? Why?
6 Corillian's product is a "Component Container." Name at least 3 component containers that ship now with the Windows Server Family.
7 What is a PID? How is it useful when troubleshooting a system?
8 How many processes can listen on a single TCP/IP port?
9 What is the GAC? What problem does it solve?
10 What is serialization in .NET? What are the ways to control serialization?
11 Does C# support multiple inheritance?
12 What’s the implicit name of the parameter that gets passed into the class’ set method?
13 What’s the top .NET class that everything is derived from?
14 How’s method overriding different from overloading?
15 What is CLR?
16 What is CTS?
17 What is CLS?
18 What is strong name?
19 What is Application Domain?
20 Describe the difference between Interface-oriented, Object-oriented and Aspect-oriented programming.
General Questions
1. Does C# support multiple-inheritance?
No. But you can use Interfaces.
2. Where is a protected class-level variable available?
It is available to any sub-class derived from base class.
3. Are private class-level variables inherited?
Yes, but they are not accessible.
4. Describe the accessibility modifier “protected internal”.
It is available to classes that are within the same assembly and derived from the specified base class.
6. Which class is at the top of .NET class hierarchy?
System.Object.
7. What does the term immutable mean?
The data value may not be changed.
Note: The variable value may be changed, but the original immutable data value was discarded and a new data value was created in memory.
8. What’s the difference between System.String and System.Text.StringBuilder classes?
System.String is immutable.
System.Text.StringBuilder was designed with the purpose of having a mutable string where a variety of operations can be performed.
9. What’s the advantage of using System.Text.StringBuilder over System.String?
StringBuilder is more efficient in cases where there is a large amount of string manipulation. Strings are immutable, so each time a string is changed, a new instance in memory is created.
10. Can you store multiple data types in System.Array?
No.
11. What’s the difference between the System.Array.CopyTo() and System.Array.Clone()?
The Clone() method returns a new array (a shallow copy) object containing all the elements in the original array. The CopyTo() method copies the elements into another existing array. Both perform a shallow copy. A shallow copy means the contents (each array element) contains references to the same object as the elements in the original array. A deep copy (which neither of these methods performs) would create a new instance of each element's object, resulting in a different, yet identical object.
12. How can you sort the elements of the array in descending order?
By calling Sort() and then Reverse() methods.
13. What’s the .NET collection class that allows an element to be accessed using a unique key?
HashTable.
14. What class is underneath the SortedList class?
A sorted HashTable.
15. Will the finally block get executed if an exception has not occurred?
Yes.
16. What’s the C# syntax to catch any possible exception?
A catch block that catches the exception of type System.Exception. You can also omit the parameter data type in this case and just write catch {}.
17. Can multiple catch blocks be executed for a single try statement?
No. Once the proper catch block is processed, control is transferred to the finally block.
18. Explain the three services model commonly known as a three-tier application?
Presentation (UI), Business (logic and underlying code) and Data (from storage or other sources).
What is viewstate in ASP.NET?
The postback question is the heart of any interview on ASP.NET. When a postback happens (i.e. when a form is submitted to a server), the variable values that are set in the code-behind page are erased from the memory of the client system. This concept would be different from what happens in Windows-based applications, where the variable values persist in memory until they are freed from the memory either by the garbage collector, or by specific codes like dispose or finalize.
In web applications, variable values simply get erased. But it is very simple to persist these values. They may be persisted using the Viewstate object. Before the postback is invoked, the variable's value is saved in a viewstate object. In the receiving page, the viewstate's value may be retrieved back. See example code below...
// Save the value in the ViewState object before the PostBack
ViewState["SomeVar"] = txtFirstName.Text;
// Retrieve the value from the ViewState object after the PostBack
string strFirstName = ViewState["SomeVar"].ToString();