Geeks With Blogs
Chris Breisch   .NET Data Practices
Search this Blog!

Scott Guthrie has a nice summation on a why you don’t want to run with debug=”true” on production servers, and a simple way system admin’s can make sure no one does.

One of the things you want to avoid when deploying an ASP.NET application into production is to accidentally (or deliberately) leave the <compilation debug=”true”/> switch on within the application’s web.config file.


Doing so causes a number of non-optimal things to happen including:


1) The compilation of ASP.NET pages takes longer (since some batch optimizations are disabled)

2) Code can execute slower (since some additional debug paths are enabled)

3) Much more memory is used within the application at runtime

4) Scripts and images downloaded from the WebResources.axd handler are not cached

Posted on Friday, April 14, 2006 11:24 AM .NET Development | Back to top

Comments on this post: ASP.NET and debug="true"

# re: ASP.NET and debug="true"
Requesting Gravatar...
I have an even better reason to not deploy debug code. When you compile in debug mode, the PDB file includes references to the enviroment on which it was compiled. You will note that when an exception gets thrown in code that has debug mode on, it shows you the code that contains the error, as well as the path to the file. This path is always the location where the code was compiled, NOT the location where the code was running from.

This has two problems 1) you reveal your dev landscape naming to anyone who sees the error, which could create some security problems

2) More importantly, when an exception is thrown, the CLR tries to retrieve the code "live" from the location containted in the PDB. If you deploy debug code to production, it tries to retrieve the code from your dev server when the exception is thrown. It tries to log in to the dev server. The problem is that it logs into the dev server, using your production credentials (of the aspnet user) Assuming your password is not the same in prod and dev, it fails this authentication. If it gets a few errors in a row (3 on my server) the dev account gets locked out!

Obviously this is only an issue if your prod server has network level connectivity to your dev server.
Left by Jason Coyne on Apr 17, 2006 8:18 AM

Your comment:
 (will show your gravatar)

Copyright © Chris J. Breisch | Powered by: