Stream rendering failing for PDF/ Excel/ Docs after MS11-100 patch from Aspx pages

by jask2002 24. January 2012 06:17

 

A few users started complaining that they could not use the download/export functionality from the ASPX pages. They were getting the following error:

 

 

Checking back on the server, the only thing that had changed was that the security patch for MS11-100 had been installed recently.

A couple of questions started running in the back of my mind:

  • Why only a few users? What is so special about those users' environments?
  • If this problem is caused by the MS11-100 patch, shouldn't it affect all users?

 

Further probing led me to believe that this issue happens only for users on IE 8. Users on IE 9 do not have this problem.

Interestingly, it works for them when they check the following option in IE 8:

 

 

Time to collect Fiddler traces for the working and non-working scenarios

 

Working scenario without Patch

 HTTP/1.1 200 OK

Date: Mon, 23 Jan 2012 19:10:09 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 2.0.50727

Content-Length: 420

Content-Disposition: attachment; filename=Test.xls

Cache-Control: private

Content-Type: application/octet-stream

Set-Cookie: .ASPXAUTH=5CC683A343EC1320267711C79539716234312D65D6C3B260DDE314AB6318689; path=/; HttpOnly

 

Non Working scenario after Patch

HTTP/1.1 200 OK

Date: Mon, 23 Jan 2012 19:02:09 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 2.0.50727

Content-Length: 420

Content-Disposition: attachment; filename=Test.xls

Cache-Control: private, no-cache="Set-Cookie"

Content-Type: application/octet-stream

Set-Cookie: ASPXAuth=75DB64291EAB7FE8EEFDC291A205522349681BB08556285BBD1ACD93CA69368; path=/; HttpOnly

 

Did you spot the difference? If not, look again at the bolded text:

Cache-Control: private, no-cache="Set-Cookie"

 

What is no-cache="Set-Cookie"?

It seems it was introduced in MS11-100 to address the Forms Authentication vulnerability.


Going by an old blog post by Eric Lawrence (yes, the creator of Fiddler):

http://blogs.msdn.com/b/ieinternals/archive/2009/10/02/internet-explorer-cannot-download-over-https-when-no-cache.aspx

 

If the header values are in this order (Cache-Control: no-store, no-cache), you won't hit the issue.


Bingo! Two ways to fix it

1)      If your application is hosted on IIS 7.x, you have the option to create a URL Rewrite rule that removes the Cache-Control response header and adds Cache-Control: no-store, no-cache instead

 

2)      The other option is to modify the headers in the streaming code

 

I preferred the latter approach: modify my code to call ClearHeaders and then AddHeader("Cache-Control", "no-store, no-cache")

 

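// Drop the headers already queued for this response, including the
// patched Cache-Control: private, no-cache="Set-Cookie"
Response.ClearHeaders();
// no-store first, then no-cache: the order that avoids the IE 8 failure
Response.AddHeader("Cache-Control", "no-store, no-cache");
Response.ContentType = "application/octet-stream";
Response.AddHeader("Content-Length", mem_stream.Length.ToString());
Response.AddHeader("Content-Disposition", "attachment; filename=test.xls");
// mem_stream is the MemoryStream holding the generated file
Response.BinaryWrite(mem_stream.ToArray());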
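
To find other download endpoints with the same problem, the check below diffs two captured header blocks and flags the failing pattern. It is an added example in Python, not code from the original post. The function names, the shortened sample traces and the rule "attachment with no-cache not preceded by no-store" are assumptions drawn from the observations in this post.

```python
import re

VOLATILE = {"date", "set-cookie"}  # values differ on every request

# Constructed sample: the working trace from this page with the cookie value
# replaced by a placeholder; FAILING differs only in the patched Cache-Control.
WORKING = """HTTP/1.1 200 OK
Date: Mon, 23 Jan 2012 19:10:09 GMT
Content-Length: 420
Content-Disposition: attachment; filename=Test.xls
Cache-Control: private
Content-Type: application/octet-stream
Set-Cookie: .ASPXAUTH=PLACEHOLDER; path=/; HttpOnly"""
FAILING = WORKING.replace("Cache-Control: private",
                          'Cache-Control: private, no-cache="Set-Cookie"')

def parse_headers(raw):
    """Return {lower-case name: value} from a raw response header block."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def cache_directives(value):
    """Split Cache-Control into {directive: argument or None}, in order.
    A comma inside a quoted argument (no-cache="A, B") does not split."""
    out = {}
    for m in re.finditer(r'([\w-]+)(?:=("[^"]*"|[^,\s]*))?', value):
        out[m.group(1).lower()] = m.group(2).strip('"') if m.group(2) else None
    return out

def diff_headers(a, b):
    """Headers that differ between two responses, ignoring volatile ones."""
    ha, hb = parse_headers(a), parse_headers(b)
    return {k: (ha.get(k), hb.get(k))
            for k in sorted(set(ha) | set(hb))
            if k not in VOLATILE and ha.get(k) != hb.get(k)}

def is_affected(raw):
    """Assumed rule from this post: an attachment response is affected when
    Cache-Control carries no-cache that is not preceded by no-store."""
    h = parse_headers(raw)
    names = list(cache_directives(h.get("cache-control", "")))
    attachment = h.get("content-disposition", "").lower().startswith("attachment")
    if not attachment or "no-cache" not in names:
        return False
    return "no-store" not in names[:names.index("no-cache")]
```

Because no-store forbids a cache from storing any part of the response, the replacement header still keeps the Set-Cookie header out of caches, which is what the patched directive was protecting.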

 


Hope this helps!

 



IE 8 | MS11-100

Comments (6) -

GC
GC United States
1/24/2012 12:58:53 PM #

We had this issue:

social.msdn.microsoft.com/.../0a5bc981-c247-4c09-b018-a47b120cba50

The fix of changing cache-control to "no-store, no-cache" does not work for us.


Pawan
Pawan United States
1/24/2012 9:30:32 PM #

Good one Jas


Dan
Dan Canada
3/15/2012 7:00:32 AM #

I just wanted to say thanks for this fix.  Works perfectly for my app, which started experiencing this exact issue after MS11-100 was installed

Dan


jask2002
jask2002
3/19/2012 5:23:52 AM #

@Dan,

I'm glad to see this post has helped you!

Thanks
JAs


SimpleScripts
SimpleScripts United States
7/8/2012 1:32:56 AM #

Appreciate it for this post, I am a big fan of this website would like to keep updated.


Teodoro Francia
Teodoro Francia United States
11/14/2014 10:07:46 PM #

Many thanks for this particular web site. Sorry for the offtopic inquiry, but would anybody advocate blogEngine more than Wordpress? cause I am thinking about implementing that.


Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.