Stream rendering failing for PDF/ Excel/ Docs after MS11-100 patch from Aspx pages

by jask2002 24. January 2012 06:17

 

A few users started complaining that they could not use the download/export functionality from the ASPX pages. They were getting the following error:

 

 

Checking back on the server, the only thing that had changed was that the security patch for MS11-100 had been installed recently.

A couple of questions started running in the back of my mind:

  • Why only a few users? What is so special about those users' environment?
  • If this problem is caused by the MS11-100 patch, shouldn't it affect all users?

 

Further probing led me to believe that the issue affects only users running IE 8. Users running IE 9 do not have this problem.

Interestingly, it works for the IE 8 users when they check the following option in IE 8:

 

 

Time to collect Fiddler traces for the working and non-working scenarios.

 

Working scenario, without the patch:

HTTP/1.1 200 OK
Date: Mon, 23 Jan 2012 19:10:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Length: 420
Content-Disposition: attachment; filename=Test.xls
Cache-Control: private
Content-Type: application/octet-stream
Set-Cookie: .ASPXAUTH=5CC683A343EC1320267711C79539716234312D65D6C3B260DDE314AB6318689; path=/; HttpOnly

 

Non-working scenario, after the patch:

HTTP/1.1 200 OK
Date: Mon, 23 Jan 2012 19:02:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Length: 420
Content-Disposition: attachment; filename=Test.xls
Cache-Control: private, no-cache="Set-Cookie"
Content-Type: application/octet-stream
Set-Cookie: ASPXAuth=75DB64291EAB7FE8EEFDC291A205522349681BB08556285BBD1ACD93CA69368; path=/; HttpOnly

 

Did you spot the difference? If not, look again at the Cache-Control header:

Cache-Control: private, no-cache="Set-Cookie"

 

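What is no-cache="Set-Cookie"?

It seems it was introduced in MS11-100 to address the Forms Authentication vulnerability. The field-name form of no-cache is defined in RFC 2616, section 14.9.1: a cache may store the response, but must not reuse the listed header (here Set-Cookie) without revalidating with the server.


Going by an old blog post by Eric Lawrence (yes, the creator of Fiddler):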

http://blogs.msdn.com/b/ieinternals/archive/2009/10/02/internet-explorer-cannot-download-over-https-when-no-cache.aspx

 

If the header values are in this order (Cache-Control: no-store, no-cache), you won't hit the issue.


Bingo! There are two ways to fix it:

1)      If your application is hosted on IIS 7.x, you have the option to create a rule using URL Rewrite that removes the Cache-Control response header and adds Cache-Control: no-store, no-cache instead.

 

2)      The other option is to modify the headers in the streaming code.

 

I preferred the latter approach: I modified my code to call ClearHeaders and then AddHeader("Cache-Control", "no-store, no-cache").

 

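// Clear the headers set so far for this response
Response.ClearHeaders();
// no-store must come before no-cache
Response.AddHeader("Cache-Control", "no-store, no-cache");
Response.ContentType = "application/octet-stream";
Response.AddHeader("Content-Length", mem_stream.Length.ToString());
Response.AddHeader("Content-Disposition", "attachment; filename=test.xls");
// mem_stream is the MemoryStream holding the generated file
Response.BinaryWrite(mem_stream.ToArray());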
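
An added example (not code from the original post): a Python check that can be run over captured response headers to flag download responses matching the failing pattern, and to confirm that the replacement header still covers Set-Cookie. The sample headers are constructed from the traces above with cookie values replaced by a placeholder; the finding names are hypothetical, and the ordering rule is the one this post states, not a verified model of IE 8.

```python
import re

# Constructed samples: the two traces above reduced to the relevant headers
# (cookie value replaced by a placeholder), plus the header set by the code fix.
COMMON = ("HTTP/1.1 200 OK\n"
          "Content-Disposition: attachment; filename=Test.xls\n"
          "Set-Cookie: .ASPXAUTH=<placeholder>; path=/; HttpOnly\n")
BEFORE_PATCH = COMMON + "Cache-Control: private\n"
AFTER_PATCH = COMMON + 'Cache-Control: private, no-cache="Set-Cookie"\n'
AFTER_FIX = COMMON + "Cache-Control: no-store, no-cache\n"

# directive = token [ "=" ( quoted-string | token ) ]; commas inside quotes stay put
_DIRECTIVE = re.compile(r'([A-Za-z0-9-]+)(?:\s*=\s*("[^"]*"|[^\s,]+))?')

def parse_headers(raw):
    """Map lowercased header name -> list of values (status line skipped)."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def parse_cache_control(value):
    """Ordered (directive, argument) pairs, e.g. ('no-cache', 'Set-Cookie')."""
    return [(m.group(1).lower(), (m.group(2) or "").strip('"'))
            for m in _DIRECTIVE.finditer(value)]

def audit(raw):
    """Return findings for one response; an empty list means both checks pass."""
    h = parse_headers(raw)
    directives = [d for v in h.get("cache-control", []) for d in parse_cache_control(v)]
    names = [n for n, _ in directives]
    findings = []
    download = any(v.lower().startswith("attachment")
                   for v in h.get("content-disposition", []))
    # Rule as stated in the post: no-cache is fine only when no-store precedes it.
    if download and "no-cache" in names and "no-store" not in names[:names.index("no-cache")]:
        findings.append("ie8-download-risk")
    # Set-Cookie is covered by no-store, a bare no-cache, or no-cache="Set-Cookie".
    covered = "no-store" in names or any(
        n == "no-cache" and (not a or "set-cookie" in [f.strip().lower() for f in a.split(",")])
        for n, a in directives)
    if "set-cookie" in h and not covered:
        findings.append("set-cookie-lacks-no-cache")
    return findings

if __name__ == "__main__":
    for label, raw in [("before patch", BEFORE_PATCH), ("after patch", AFTER_PATCH),
                       ("after fix", AFTER_FIX)]:
        print(label, audit(raw))
```
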

 


Hope this helps!

 



IE 8 | MS11-100

Comments (5) -

GC
GC United States
1/24/2012 12:58:53 PM #

We had this issue:

social.msdn.microsoft.com/.../0a5bc981-c247-4c09-b018-a47b120cba50

The fix of changing cache-control to "no-store, no-cache" does not work for us.


Pawan
Pawan United States
1/24/2012 9:30:32 PM #

Good one Jas


Dan
Dan Canada
3/15/2012 7:00:32 AM #

I just wanted to say thanks for this fix.  Works perfectly for my app which started experiencing this exact issue after MS11-100 was installed

Dan


jask2002
jask2002
3/19/2012 5:23:52 AM #

@Dan,

I'm glad to see this post has helped you!

Thanks
JAs


SimpleScripts
SimpleScripts United States
7/8/2012 1:32:56 AM #

Appreciate it for this post, I am a big fan of this website would like to keep updated.


About me

Hi there,

My name is Jas and I'm currently working with Microsoft IIS/ASP.Net Escalation services.

 


Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.