I have a site in ASP.NET 2.0. I plan to move to 4.0. Is there any thing in particular I need to take care of or I just select the 4.0 framework and recompile and VS 2010 will update the web.config to reflect the changes?
A:
Just use the conversion wizard when prompted and you should be good. Note: if you are using source control with others, the version number in the project file will change (vs2008 = "9" and vs2010 = "10").
Also, if you experience any JavaScript issues, make sure you choose the correct setting for identifying the IDs in 4.0:
http://weblogs.asp.net/asptest/archive/2009/01/06/asp-net-4-0-clientid-overview.aspx
IrishChieftain
2010-09-25 03:42:56
Any inherent advantage moving to .NET 4.0 if I am not using new features?
Karl Iot
2010-09-25 04:25:31
Yes, since the migration is painless, it's always good to "future proof" yourself. You can check if there are any specific features you want to avail of here: http://www.asp.net/learn/whitepapers/aspnet4
IrishChieftain
2010-09-25 04:38:55
A:
one thing you need to do upgrading or not is the workaround to the padding oracle vulnerability.
Even more important when you move to anything above 3.5 sp1.
Overall it should just work.
eglasius
2010-09-25 03:53:04
Any inherent advantage moving to .NET 4.0 if I am not using new features?
Karl Iot
2010-09-25 04:24:43
Honestly I haven't thought about it that way / don't recall at the moment. By now I'm so used at using 3.5+ features that I haven't payed attention to any info on same existing features improvements (specially 2.0 features).
eglasius
2010-09-25 15:36:48
The padding oracle vulnerability is no different in .NET4 versus .NET2, the only difference is that the newer version provides the ability to further protect from timing attacks which could conceivably exploit the flaw: http://www.troyhunt.com/2010/09/why-sleep-is-good-for-your-apps-padding.html
Troy Hunt
2010-09-26 01:16:39
@Troy that's misleading. Sure the padding oracle vulnerability is there in both, But what you can gain with it is a Complete different story: http://eglasius.blogspot.com/2010/09/aspnet-padding-oracle-how-it-relates-to.html. Unfortunately I don't have a ms link at the moment, but they also mentioned the part of the issue that allowed to serve files like the web.config issue occurs in 3.5 sp1 and above.
eglasius
2010-09-26 01:23:52
to be clear, I agree with what you said in the article about earlier versions still being exposed, but the level of vulnerability Is different because of the separate issue that exposes the web.config. I sent a comment to your very nice article.
eglasius
2010-09-26 01:48:31
I actually think we're both correct; the ability to apply the padding oracle attack POET style (i.e. decoding / encoding the ciphertext) is equal in both frameworks. If successful, there is more to exploit in the newer versions (which is a very important distinction) but conversely, the newer versions offer the ability to add the additional defence layer by means of random sleep. Anyway, that's probably getting a bit semantic and I think we're starting to hijack Karl's thread!
Troy Hunt
2010-09-26 04:16:26
A:
There are some few thinks that you must take care of.
Read all the changes and have it near you on tests: http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes
The validation mode has change: http://stackoverflow.com/questions/3132368/can-i-deploy-net-4-0-web-application-on-iis6/3132724#3132724
The default.aspx has change when you try to get the url : http://stackoverflow.com/questions/2821514/default-aspx-with-iis-6-0-and-net-4
Aristos
2010-09-26 06:54:21