Alik Levin's

Clarity, Technology, and Solving Problems | 

August, 2007

  • Alik Levin's

    Improve ASP.NET Performance By Disabling ViewState And Setting Session As ReadOnly


    During recent engagement we tried to improve performance of some web page. Original response time was 0.74 seconds. Our objective was to get 0.4 seconds.

    The page was simple Html Frameset that was loading two dynamic ASPX pages. Using technique described in Performance Testing For The Masses we identified that it takes 0.4  seconds for one page and 0.2 seconds for another to run on the server (we used time-taken property of the IIS log).

    Reviewing the code revealed that there is usage of server controls and both pages read from the Session object.

    The assumption was that since no user input is done we can disable ViewState saving on CPU to build the ViewState.

    The other assumption was that since the Session is accessed for read only then we can set it as read only saving on locking and preventing race conditions.

    This is how each page's header looked after the change:

    <%@ Page EnableViewState=”false” EnableSessionState=”ReadOnly” ...%>

    Simple change for ASP.NET mark up, no rebuild required.

    After running load test for this new version of ASPX page response time was 0.35 seconds.

    Another metric was ASP.NET\ Request Execution Time performance counter that dropped from 0.7 seconds to 0.3 seconds.


    Source of performance wisdom is here Improving .NET Application Performance and Scalability


  • Alik Levin's

    Web Services Over SSL - Is It Really That Slow Like They Say?


    My answer is "no".

    I am working on solution where there is no Windows Active Directory Domain so we cannot utilize our beloved Kerberos and Windows Integrated Authentication saving big on configuration and management while taking advantage of increased security it offers.

    Other technique that we thought that could give us a lots of benefits in terms of strong authentication, transport level protection, and interoperability was using Client Certificates.

    Here is the scenario.

    ASP.NET web page calls on ASP.NET Web Service on separate machine. Think of scenario where Internet facing ASP.NET web site calls on Web Service deployed in internal zone:


    The other scenario would be so called B2B scenario where intranet facing ASP.NET web site calls on Web Service over the Internet:



    Another scenario would be calling Java Web Service.

    Not that friendly for Windows Integrated Authentication.

    The question we asked ourselves was - will it be fast enough? The following post by my colleague Eddie - Fast and Secured: Performance Impact of SSL gave us a lots of hope. But it discussed SSL between Web Browser and the Web Server. Web Browser (IE) has nice feature of caching SSL state so what depicted below happens less thus improving performance (think of OLEDB Connection pooling and you got the idea):


    Well, our beloved Internet Explorer does a great job, what about .Net?

    After some research we happily discovered the following:


    The Framework caches SSL sessions as they are created and attempts to reuse a cached session for a new request, if possible. When attempting to reuse an SSL session, the Framework uses the first element of ClientCertificates (if there is one), or tries to reuse an anonymous sessions if ClientCertificates is empty.

    That was encouraging and I decided I need to see it my eyes, so I set sample code and deployed to my lab domain. I also have used diagnostics technique described in Use Sysinternals DebugView To Diagnose The Application. When I fired up DebugView this is what I saw:



    Each pair of records reflects on single Web page access telling me how many milliseconds was spent on each action to complete during the page processing.

    Notice first two records - one for Web Service proxy creating and adding certificate to it:

                //START STOPWATCH

                Stopwatch stopwatch = new Stopwatch();


                //GET HOLD ON CERT

                X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);


                X509Certificate2Collection certs = store.Certificates.Find(X509FindType.FindBySubjectName, "w3w1", true);

                X509Certificate2 cert = certs[0];

                //CREATE WEB SERVICE PROXY

                Service1 proxy = new Service1();


                Debug.WriteLine("Web Service Proxy Created: " + stopwatch.ElapsedMilliseconds.ToString());


    and the second one is actual Web Service call:

                // CALL ON WEB SERVICE

                string result = proxy.HelloWorld(cert.Subject);

                Debug.WriteLine("Web Service Call Completed: " + stopwatch.ElapsedMilliseconds.ToString());


    Notice that all subsequent calls are pretty fast. It should prove that SSL session caching is in place also with .Net as promised. Cool.



    While these numbers have been taken on lab environment for super simple scenario it can serve as talking point when considering applying SSL to protect your sensitive data to its way to downstream servers. Also client certificate authentication should be considered as a strongest authentication available today when Kerberos is not available.

  • Alik Levin's

    Use Performance Counters Templates To Streamline Performance Analysis


    I create perf counters sets up front. That way I could start collecting and measuring proper metrics right away each time I am assigned to do detailed performance analysis.

    Measuring .NET Application Performance lists important perf counters. What I really love about it is that the guide holds the list of performance counters to collect, explanation for each why collecting it, and the thresholds.

    Here are the steps I take creating performance counters templates:

    • Open perfmon MMC (start-> run -> perfmon -> Enter)
    • Expand "Performance Logs and Alerts" node
    • Right click on "Counter Logs" node and click "New Log Settings", provide some name for the new log and hit Enter.
    • Add counters to measure - right from Measuring .NET Application Performance.

    This is how it may look:

    imageNext would be saving the performance sets I created as depicted. It is done easy by right clicking each and saving it as html page. The resulting html page displays ActiveX with the performance counters in the set.

    To restore the performance counters-set to measure it  on another computer right click on "Counter Logs" and chose "New Log Settings From..." and point to your html file.

    One pitfall though. If the performance counters settings were created for specific computer then it will fail when recreating it on another. To fix it open html setting file in Notepad, remove \\MyComputer and save the file. For example:


    <PARAM NAME="Counter00005.Path" VALUE="\\MyComputer\System\Context Switches/sec"/>


    <PARAM NAME="Counter00005.Path" VALUE="\System\Context Switches/sec"/>

    That means that performance counters are valid for current computer.



Page 1 of 2 (6 items) 12