
New information has been added to this article since publication.
Refer to the Editor's Update below.

Web Q&A
Refreshing Web Pages, Spyware, Group Policy, and More
Edited by Nancy Michell


Q Is there a simple way to refresh a Web page at certain time intervals in ASP.NET?

A You can use the Meta tag to keep the page refreshing. The following tag refreshes the page every 20 seconds:
<META HTTP-EQUIV="Refresh" CONTENT="20">
A programmatic way that is a little more complicated is shown in the following code snippet:
string script = "<script language=JavaScript>\n" +
                "  window.setInterval('postme()',5000);\n" + 
                "  function postme()\n" +
                "  {\n" + 
                "    document.forms[0].submit();\n" +
                "  }\n" + 
                "</script>\n";
RegisterStartupScript("myBlock",script);
An advantage of injecting script from server-side code is that you can use custom logic to set the interval or decide to enable or disable the refresh. Keep in mind, though, that simple is better; you shouldn't do this with scripting unless you have no choice. If you do decide to use scripting but don't need to be able to modify the refresh interval or disable it, you could use the script itself declaratively in the page rather than registering it from the ASP.NET code.

Q What's a good way to prevent spyware or adware from being installed when using Microsoft® Internet Explorer? Are there any upcoming changes to Internet Explorer that would help?

A Windows® XP Service Pack 2 will make it more difficult for you to inadvertently install software. See Changes to Functionality in Microsoft Windows XP Service Pack 2 for details. With Service Pack 2, Internet Explorer provides better user controls and user interfaces to help prevent malicious applications from getting onto your machine. There is also an add-on manager included in Service Pack 2, although the best first line of defense would be to prevent installation in the first place. If you have something really vicious that renames itself and re-registers itself every day, even the add-on manager won't help.
You might want to take a look at Security at home: Fight spyware for more information on spyware. A variety of tools are available from other companies to detect and remove unwanted software from your computer. The aforementioned document recommends Spybot Search & Destroy and Ad-Aware.
There is also a default setting change in Windows XP Service Pack 2 called local machine zone lockdown. Some of the most important aspects of Internet Explorer security are the security zone settings. The current default settings for the My Computer zone (local machine zone) are now regarded as inadequate to protect the local machine. The previous assumption that your local machine is secure has been reviewed and there are new defaults for Windows XP Service Pack 2. This will mitigate one of the main attack vectors for Internet Explorer. See Knowledge Base article 833633 "How to strengthen the security settings for the Local Machine zone in Internet Explorer" for more information.

Q I need to set a Web site as a trusted site for all users in the domain. Is there a way to do this through a group policy object (GPO) or a logon script that edits the registry?

A Yes, you can use a GPO to do this. While you're editing the GPO, expand "Windows Settings" under "User Configuration." Expand "Internet Explorer Maintenance" and select "Security." On the right pane, double-click "Security Zones and Content Ratings." In the "Security Zones and Privacy" group box, select the "Import the current security zones and privacy settings" radio button, and press the "Modify Settings" button. Use the control panel to configure your security zones and privacy settings. Keep in mind that this will not add to the user's current security settings. It will modify their settings to match what you set in the GPO.

Q What does the "Days to keep pages in history" setting in Internet Explorer mean? My understanding is that when you first navigate to a URL, the clock starts ticking and when the "Days to keep pages in history" value is reached, that URL is cleared from the history.

A "Days to keep pages in history" is the number of days something will still show up in the history explorer bar after you have visited the site. If you visit the site again, it actually resets this value. However, there are a few quirks. If you change your clock, the setting may lose accuracy. If you clear your history, the URLs will disappear. The cleanup history code is run when you launch Internet Explorer and the History Manager is instantiated, so if you do not launch Internet Explorer for a long time, items in history may live longer than the number of days that you have set in the "Days to keep pages in history" setting.

Q Is there a limit on the number of Internet Explorer windows that can be open at one time? If I open about 30, Internet Explorer starts to behave strangely.

A You may be low on desktop heap memory, a setting that you can double on most desktops that allows you to open more Internet Explorer sessions, as shown here:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]

Q In ADO.NET, I'm getting an error that says that the timeout period elapsed prior to obtaining a connection from the pool. Can I modify this in the .aspx page or do I need to change something on the SQL side?

A This occurs when the internal connection pool maintained by ADO.NET (on a per-connection-string basis) is full and no connections are being released from it. As an immediate measure, you can modify the SQL Connection string to append the following property to the existing connection string:
Max Pool Size=200
The default is 100, and changing it to 200 will give you relief while you attempt to isolate the issue.
Also, as indicated in Knowledge Base article 310369 ("PRB: No Method in DataReader Closes Its Underlying Connection"), you should make sure to use CommandBehavior.CloseConnection in ExecuteReader method calls when appropriate. The aforementioned document explains that the DataReader object doesn't have a property to get its underlying connection, so unless you have a reference to the connection or have set the CloseConnection behavior, you will not be able to close the underlying connection.
The ADO.NET programming model encourages aggressive opening and closing of connections, so you really shouldn't try to cache the connections in an attempt to amortize connection startup costs; this is done automatically and transparently by the ADO.NET connection pool.
Also be aware that in C#, you should try to use the "using" statement to manage the SqlConnection you are opening so that the Dispose method automatically gets called to close the connection when it goes out of scope.

Q I am creating Microsoft Excel reports and saving them in a particular folder through ASP.NET. But after each report is created, an Excel instance gets stacked up in memory, which I can see in Task Manager. I have the following code in my finally block:
finally
{          
  if (oExcel != null)
  {
    oExcel.Quit();
    System.Runtime.InteropServices.Marshal.ReleaseComObject(oExcel);
    oExcel = null;
    GC.Collect();
  }
} 
I also tried calling ReleaseComObject in a loop until the count was zero, but that didn't work. What can I do to solve this memory leak problem?

A Make sure that you create explicit objects for each level of the Excel hierarchy—Application, Workbook, Worksheet—and that you then close/quit and destroy each of them in reverse order, before calling the .NET ReleaseComObject. You should also read Chris Brumme's thoughts on the ReleaseComObject API.

Q I have ASP and ASP.NET pages creating cookies. Here's what I've been doing: first I create a cookie called "Test" with the value "123" in ASP. Then, I create a cookie called "Test" with the value "456" in ASP.NET. Now the ASP.NET page shows two cookies named "Test" with the two different appropriate values. However, the ASP page shows "Test" with the value "123" only. When I use JavaScript to show the cookies, both of them appear on the ASP page.
I am using Request.Cookies in ASP on the server side and document.cookie in JavaScript. Why don't I see both cookies in ASP on the server side?

A When two cookies with the same name and same path are sent to the server, ASP returns the first cookie with the same name that it has added to the cookies collection. If two cookies with the same name are sent by the client browser, Request.Cookies returns the one with the deeper path structure. For example, if two cookies had the same name but one had a path attribute of /Www/ and the other of /Www/Home/, the client browser would send both cookies to the /Www/Home/ directory, but Request.Cookies would only return the second cookie.
Add the following line to your ASP code and it will show that both cookies are being sent to the server:
Response.Write Request.ServerVariables("HTTP_COOKIE") & "<BR>"
If you want to get both cookies from ASP, you can just parse the cookie collection yourself by accessing the HTTP_COOKIE ServerVariable. You can see an explanation of the cookies collection in the MSDN Library at Request.Cookies Collection.
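The parsing suggested above, as an added example that is not part of the original column: it splits a raw Cookie request header (the string ASP exposes as HTTP_COOKIE) and keeps every value for a repeated name, so a collection that returns only one "Test" cannot hide the other. The function names and the sample header are constructed for illustration.

```javascript
// Parse a raw Cookie request header into Map(name -> [values in the order sent]).
// Unlike a name-keyed collection, repeated names are preserved, not collapsed.
function parseCookieHeader(header) {
  const byName = new Map();
  if (typeof header !== "string") return byName;
  for (const part of header.split(";")) {
    const pair = part.trim();
    if (pair === "") continue;
    // Split on the first "=" only, so values that contain "=" stay intact.
    const eq = pair.indexOf("=");
    const name = eq === -1 ? pair : pair.slice(0, eq).trim();
    let value = eq === -1 ? "" : pair.slice(eq + 1).trim();
    // Strip one pair of surrounding double quotes if present.
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    if (!byName.has(name)) byName.set(name, []);
    byName.get(name).push(value);
  }
  return byName;
}

// Return only the names that arrived more than once, with all their values.
// Useful as a server-side check before trusting a single lookup by name.
function duplicateCookieNames(header) {
  const dups = {};
  for (const [name, values] of parseCookieHeader(header)) {
    if (values.length > 1) dups[name] = values;
  }
  return dups;
}

// Constructed sample: the two "Test" cookies from the question plus an
// unrelated cookie, as they might appear in one request header.
const SAMPLE_HTTP_COOKIE = "Test=456; OtherCookie=abc; Test=123";

if (typeof require !== "undefined" && require.main === module) {
  console.log(duplicateCookieNames(SAMPLE_HTTP_COOKIE));
}
```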

Q Is there a tool to measure how long a Web or SOAP request takes without adding any code?

A If you have access to the box hosting the Web service, IIS logs are one of the best places to start. You will need the Time Taken property (and you will probably want to enable others to get additional info; most of the log properties, including this one, are not usually turned on by default). Then you can pull the data into Excel to utilize its filtering and sorting capabilities (see Performance and Reliability Monitoring and Publishing Dynamic Data with the Internet Information Server).
If you turn on the Time Taken property for the IIS logs of your Web server, IIS will record the time taken (duration) for your Web resource. It will reflect the time it took from when your Web server receives the request to when the acknowledgment of the last byte came from the client. This will include any time taken calling a downstream Web service because that is included in the execution time of your Web page. But it would not specifically give you the duration of the downstream Web service call separate from the duration of the rest of your Web page. This is all dependent on the fact that the SOAP traffic is over HTTP, of course.
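As an alternative to pulling the log into Excel, the following added example (not from the original column) reads a W3C extended log, locates the time-taken column from the #Fields directive, and summarizes request duration per URL. The log lines, the function names and the 1000 ms threshold are constructed; time-taken is assumed to be in milliseconds.

```javascript
// Constructed sample log; real IIS logs carry more fields.
const SAMPLE_LOG = [
  "#Software: Microsoft Internet Information Services 6.0",
  "#Version: 1.0",
  "#Fields: date time cs-method cs-uri-stem sc-status time-taken",
  "2004-06-01 10:00:01 POST /svc/Orders.asmx 200 120",
  "2004-06-01 10:00:02 POST /svc/Orders.asmx 200 4800",
  "2004-06-01 10:00:03 GET /default.aspx 200 35",
  "2004-06-01 10:00:04 POST /svc/Orders.asmx 500 9100",
  "2004-06-01 10:00:05 GET /default.aspx 200 45",
].join("\n");

// Turn log text into row objects keyed by field name. A #Fields line may
// appear again later in the file, so the column layout is updated each time.
function parseW3cLog(text) {
  let fields = null;
  const rows = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "") continue;
    if (line.startsWith("#")) {
      if (line.startsWith("#Fields:")) fields = line.slice(8).trim().split(/\s+/);
      continue;
    }
    if (!fields) continue;                     // data before any #Fields line
    const cols = line.split(/\s+/);
    if (cols.length !== fields.length) continue; // skip truncated or malformed rows
    const row = {};
    fields.forEach((f, i) => { row[f] = cols[i]; });
    rows.push(row);
  }
  return rows;
}

// Per-URL count, average, maximum and number of requests at or above slowMs.
function timeTakenByUri(text, slowMs) {
  const stats = {};
  for (const row of parseW3cLog(text)) {
    if (!("time-taken" in row)) {
      throw new Error("time-taken is not in #Fields; enable it in the IIS logging properties");
    }
    const ms = Number(row["time-taken"]);
    if (!Number.isFinite(ms)) continue;        // "-" means no value was logged
    const uri = row["cs-uri-stem"] || "-";
    const s = stats[uri] || (stats[uri] = { count: 0, totalMs: 0, maxMs: 0, slow: 0 });
    s.count += 1;
    s.totalMs += ms;
    s.maxMs = Math.max(s.maxMs, ms);
    if (ms >= slowMs) s.slow += 1;
  }
  for (const uri of Object.keys(stats)) {
    stats[uri].avgMs = stats[uri].totalMs / stats[uri].count;
  }
  return stats;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(timeTakenByUri(SAMPLE_LOG, 1000));
}
```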

Q We are considering hosting a Windows Forms control in an Internet Explorer Web browser for an intranet Web application. In order to avoid the issue of passing managed events from the Windows Forms control back to unmanaged JScript® code (we may not be able to ask all of our users to make the security changes necessary to allow this), I am thinking of having the JScript code poll the Windows Forms control (maybe four times per second) inquiring, basically, whether any events have fired that the JScript code needs to know about. In rough form, the JScript would look something like this:
window.setInterval(checkWinformEvents, 250);
var bCheckingEvents;
function checkWinformEvents() {
      if(!bCheckingEvents) {
            bCheckingEvents = true;
            var sEvents = objWinform.AnyEventsToReport();
            bCheckingEvents = false;
            if (sEvents) handleWinformEvents(sEvents) ;
      }
}
The managed method, AnyEventsToReport, would then return something like "Double-click on line 14 of List view," and so on. Is it a good idea to check Windows Forms events from JScript?

A Having the JScript code poll the Windows Forms control seems a little weird, but it would give you a workaround for the security restrictions put in place by Internet Explorer. There are a few problems with the code snippet, but nothing that is insurmountable. For instance, where exactly do you make the second call to setInterval? No loop is evident.
The bottom line is that this program is really not robust in the face of exceptions. Plus, there's some uninitialized data in there and you treat a string as a bool, which is a bad idea. Also, why are you doing a re-entrancy check on a method which is not recursive?
You should probably write it like this instead:
window.setInterval(checkWinformEvents, 250) ;
function checkWinformEvents() 
{
    try
    {
        handleWinformEvents(winform.AnyEventsToReport());
    }
    finally
    {
      window.setInterval(checkWinformEvents, 250) ;
    }
}
[ Editor's Update - 12/6/2004: setInterval evaluates an expression each time a specified number of milliseconds has elapsed and until the timer is removed with the clearInterval method. As such, it does not need to be called again every time the checkWinformEvents function is invoked.]
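To make the Editor's Update concrete, here is an added example (not code from the column or its contributors) that runs the polling callback against a fake scheduler and counts timers when setInterval is called once versus again on every poll. makeFakeWindow, makePoller, simulate and the stub control are hypothetical names; only AnyEventsToReport comes from the question.

```javascript
// Fake scheduler standing in for window.setInterval (hypothetical helper, so
// the example runs outside a browser). All timers share one period, so one
// tick() fires every timer that existed when the tick began.
function makeFakeWindow() {
  const timers = [];
  return {
    timers,
    setInterval(fn) { timers.push(fn); return timers.length; },
    tick() { for (const fn of timers.slice()) fn(); },
  };
}

// Register the polling callback. With rearm=true the callback also calls
// setInterval again on every poll, which is what the update says is unneeded.
function makePoller(win, objWinform, handle, rearm) {
  const stats = { polls: 0, errors: 0 };
  function checkWinformEvents() {
    stats.polls += 1;
    try {
      const sEvents = objWinform.AnyEventsToReport();
      // Explicit string test instead of treating the string as a boolean.
      if (typeof sEvents === "string" && sEvents !== "") handle(sEvents);
    } catch (err) {
      stats.errors += 1; // a failed poll must not stop the next one
    } finally {
      if (rearm) win.setInterval(checkWinformEvents, 250);
    }
  }
  win.setInterval(checkWinformEvents, 250); // the only registration needed
  return stats;
}

// Run `ticks` intervals of 250 ms against a constructed stub control.
function simulate(rearm, ticks) {
  const win = makeFakeWindow();
  const queue = ["Double-click on line 14 of List view"]; // constructed event
  const handled = [];
  let calls = 0;
  const stubControl = {
    AnyEventsToReport() {
      calls += 1;
      if (calls === 2) throw new Error("control busy"); // constructed failure
      return queue.shift() || "";
    },
  };
  const stats = makePoller(win, stubControl, (e) => handled.push(e), rearm);
  for (let i = 0; i < ticks; i++) win.tick();
  return { timers: win.timers.length, polls: stats.polls, errors: stats.errors, handled };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("single registration, 2 s:", simulate(false, 8));
  console.log("re-registered each poll, 2 s:", simulate(true, 8));
}
```

With one registration the timer count stays at one; re-registering on each poll doubles the number of live timers every interval, so the control is polled ever more often until the page stops responding.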

Got a question? Send questions and comments to webqa@microsoft.com.

Thanks to the following Microsoft developers for their technical expertise: Vineet Batta, Pritam Bhat, Todd Carter, Jim Cheshire, Ben Christenbury, George Chung, Andrew Cussons, Jeff Davis, Allen Dorfman, Ravi Gopinath, Anand Hegde, Mandar Inamdar, Douglas Laudenschlager, Eric Lippert, Dave Massy, Bill Safcik, Johnathan Seal, Krish Shenoy, Jai Singh, John Slyman, Rob Smith, Tommy Unger, Hang Vong, Joe Wilson, and Clement Yip.

