A few users started complaining that they were not able to use the download/export functionality on the ASPX pages. They were getting the following error

Checking back on the server, the only thing that had changed was that the security patch for MS11-100 had been installed recently.
A couple of questions started running in the back of my mind:
- Why only a few users? What is so special about those users' environment?
- If this problem is caused by the MS11-100 patch, shouldn't it affect all users?
Further probing led me to believe that this issue happens only to users on IE 8. Users on IE 9 do not have this problem.
And interestingly, it works for them when they check the following option in IE 8

Time to collect Fiddler traces for the working and non-working scenarios.
Working scenario, without the patch:
HTTP/1.1 200 OK
Date: Mon, 23 Jan 2012 19:10:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Length: 420
Content-Disposition: attachment; filename=Test.xls
Cache-Control: private
Content-Type: application/octet-stream
Set-Cookie: .ASPXAUTH=5CC683A343EC1320267711C79539716234312D65D6C3B260DDE314AB6318689; path=/; HttpOnly
Non-working scenario, after the patch:
HTTP/1.1 200 OK
Date: Mon, 23 Jan 2012 19:02:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Length: 420
Content-Disposition: attachment; filename=Test.xls
Cache-Control: private, no-cache="Set-Cookie"
Content-Type: application/octet-stream
Set-Cookie: ASPXAuth=75DB64291EAB7FE8EEFDC291A205522349681BB08556285BBD1ACD93CA69368; path=/; HttpOnly
Did your eyes spot the difference? If not, look again at the bolded text:
Cache-Control: private, no-cache="Set-Cookie"
What is no-cache="Set-Cookie"?
It seems it was introduced in MS11-100 to address the Forms Auth vulnerability.
Going by an old blog post by Eric Lawrence (yes, the creator of Fiddler):
http://blogs.msdn.com/b/ieinternals/archive/2009/10/02/internet-explorer-cannot-download-over-https-when-no-cache.aspx
If the header values are in this order (Cache-Control: no-store, no-cache), you won't hit the issue.
Bingo! There are two ways to fix it:
1) If your application is hosted on IIS 7.x, you have the option of creating a URL Rewrite rule that removes the Cache-Control response header and adds Cache-Control: no-store, no-cache instead.
2) The other option is to modify the headers in the streaming code.
I preferred the latter approach: modify my code to call ClearHeaders and then AddHeader("Cache-Control", "no-store, no-cache").
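// mem_stream is the MemoryStream that holds the generated file
Response.ClearHeaders();  // clear the headers set so far
Response.AddHeader("Cache-Control", "no-store, no-cache");  // no-store first, then no-cache
Response.ContentType = "application/octet-stream";
Response.AddHeader("Content-Length", mem_stream.Length.ToString());
Response.AddHeader("Content-Disposition", "attachment; filename=test.xls");
Response.BinaryWrite(mem_stream.ToArray());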
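To check captured responses for this condition before and after a patch or a fix, here is an added example (not code from the original post) that diffs two response heads and flags an attachment whose Cache-Control carries no-cache without no-store ahead of it. The sample captures are constructed from the Fiddler traces above with a placeholder cookie value; the function names and the flagging rule are assumptions that encode this post's observation, not IE's actual logic.

```python
import re

# Constructed sample: the working capture from this post, cookie value replaced.
BEFORE_PATCH = """HTTP/1.1 200 OK
Content-Disposition: attachment; filename=Test.xls
Cache-Control: private
Content-Type: application/octet-stream
Set-Cookie: .ASPXAUTH=PLACEHOLDER; path=/; HttpOnly
"""
# Constructed sample: same response with the post-patch Cache-Control value.
AFTER_PATCH = BEFORE_PATCH.replace("private", 'private, no-cache="Set-Cookie"')

def parse_headers(raw):
    """Return {lower-cased header name: [values]} for a raw response head."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def cache_directives(headers):
    """Ordered (name, argument) pairs; a quoted argument may contain commas."""
    joined = ",".join(headers.get("cache-control", []))
    pairs = re.findall(r'([A-Za-z-]+)(?:\s*=\s*("[^"]*"|[^,\s]+))?', joined)
    return [(name.lower(), arg.strip('"') or None) for name, arg in pairs]

def breaks_ie8_download(headers):
    """Assumed rule from this post: attachment + no-cache with no no-store before it."""
    disposition = " ".join(headers.get("content-disposition", [])).lower()
    names = [name for name, _ in cache_directives(headers)]
    if not disposition.startswith("attachment") or "no-cache" not in names:
        return False
    return "no-store" not in names[:names.index("no-cache")]

def header_diff(before, after):
    """Headers whose values differ between two parsed captures."""
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)}

if __name__ == "__main__":
    before, after = parse_headers(BEFORE_PATCH), parse_headers(AFTER_PATCH)
    for name, (old, new) in header_diff(before, after).items():
        print(f"{name}: {old} -> {new}")
    print("flagged before patch:", breaks_ie8_download(before))
    print("flagged after patch:", breaks_ie8_download(after))
```
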
Hope this helps!