Stream rendering failing for PDF/ Excel/ Docs after MS11-100 patch from Aspx pages

by jask2002 24. January 2012 06:17


A few users started complaining that they were not able to use the download/export functionality from the Aspx pages. They were getting the following error:



Checking back on the server, the only thing that had changed was that the security patch for MS11-100 had been installed recently.

A couple of questions started running in the back of my mind:

  • Why only a few users? What is so special about those users' environments?
  • If this problem is caused by the MS11-100 patch, shouldn't it affect all users?


Further probing led me to believe that this issue happens only to users who are using IE 8. Users who are using IE 9 do not have this problem.

Interestingly, it works for the IE 8 users when they check the following option in IE 8:



Time to collect Fiddler traces for Working and Non-Working scenario


Working scenario without Patch

    HTTP/1.1 200 OK
    Date: Mon, 23 Jan 2012 19:10:09 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Content-Length: 420
    Content-Disposition: attachment; filename=Test.xls
    Cache-Control: private
    Content-Type: application/octet-stream
    Set-Cookie: .ASPXAUTH=5CC683A343EC1320267711C79539716234312D65D6C3B260DDE314AB6318689; path=/; HttpOnly


Non Working scenario after Patch

    HTTP/1.1 200 OK
    Date: Mon, 23 Jan 2012 19:02:09 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Content-Length: 420
    Content-Disposition: attachment; filename=Test.xls
    Cache-Control: private, no-cache="Set-Cookie"
    Content-Type: application/octet-stream
    Set-Cookie: ASPXAuth=75DB64291EAB7FE8EEFDC291A205522349681BB08556285BBD1ACD93CA69368; path=/; HttpOnly


Did you spot the difference? If not, look again at this line:

Cache-Control: private, no-cache="Set-Cookie"
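
The same comparison can be done mechanically. This is an added example, not code from the original post: it diffs the two response header sets from the traces above, ignores headers that change on every request, and lists the Cache-Control directives that appear only after the patch. The trace text is abridged and the cookie values are replaced with a placeholder; the function names are illustrative.

```python
import re

# Abridged from the two Fiddler traces above; cookie values replaced with a placeholder.
WORKING = """HTTP/1.1 200 OK
Date: Mon, 23 Jan 2012 19:10:09 GMT
Content-Length: 420
Content-Disposition: attachment; filename=Test.xls
Cache-Control: private
Content-Type: application/octet-stream
Set-Cookie: .ASPXAUTH=<ticket>; path=/; HttpOnly
"""
BROKEN = """HTTP/1.1 200 OK
Date: Mon, 23 Jan 2012 19:02:09 GMT
Content-Length: 420
Content-Disposition: attachment; filename=Test.xls
Cache-Control: private, no-cache="Set-Cookie"
Content-Type: application/octet-stream
Set-Cookie: ASPXAuth=<ticket>; path=/; HttpOnly
"""
VOLATILE = {"date", "set-cookie"}  # differ on every request, so not part of the diff

def parse_headers(raw):
    """Map lower-cased header name -> list of values, skipping the status line."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def cache_directives(headers):
    """Split Cache-Control into directives; commas inside quotes do not split."""
    joined = ",".join(headers.get("cache-control", []))
    parts = re.findall(r'(?:[^,"]|"[^"]*")+', joined)
    return [p.strip().lower() for p in parts if p.strip()]

def diff_headers(a, b):
    """Return {name: (values_in_a, values_in_b)} for non-volatile headers that differ."""
    ha, hb = parse_headers(a), parse_headers(b)
    return {n: (ha.get(n), hb.get(n)) for n in sorted(set(ha) | set(hb))
            if n not in VOLATILE and ha.get(n) != hb.get(n)}

def added_directives(a, b):
    """Cache-Control directives present in b but not in a."""
    before = cache_directives(parse_headers(a))
    return [d for d in cache_directives(parse_headers(b)) if d not in before]

if __name__ == "__main__":
    print(diff_headers(WORKING, BROKEN))
    print(added_directives(WORKING, BROKEN))
```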


What is no-cache="Set-Cookie"?

It seems it was introduced in MS11-100 to address the Forms Auth vulnerability.

Going by an old blog post by Eric Lawrence (yes, the creator of Fiddler):


If the header values are in this order (Cache-Control: no-store, no-cache), you won't hit the issue.

Bingo! There are two ways to fix it:

 1)      If your application is hosted on IIS 7.x, you have the option to create a rule using URL Rewrite that removes the Cache-Control response header and adds Cache-Control: no-store, no-cache instead.


2)      The other option is to modify the headers in the streaming code.


I preferred the latter approach and modified my code to call ClearHeaders and then AddHeader("Cache-Control", "no-store, no-cache"):


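// Clear the headers set so far, then emit Cache-Control with no-store before no-cache
Response.ClearHeaders();
Response.AddHeader("Cache-Control", "no-store, no-cache");
Response.ContentType = "application/octet-stream";
Response.AddHeader("Content-Length", stream.Length.ToString());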


Hope this helps!



IE 8 | MS11-100

Comments (6) -

GC United States
1/24/2012 12:58:53 PM #

We had this issue:

The fix of changing cache-control to "no-store, no-cache" does not work for us.


Pawan United States
1/24/2012 9:30:32 PM #

Good one Jas


Dan Canada
3/15/2012 7:00:32 AM #

I just wanted to say thanks for this fix.  Works perfectly for my app which started experiencing this exact issue after MS11-100 was installed



3/19/2012 5:23:52 AM #


I'm glad to see this post has helped you!



SimpleScripts United States
7/8/2012 1:32:56 AM #

Appreciate it for this post, I am a big fan of this website would like to keep updated.


Teodoro Francia United States
11/14/2014 10:07:46 PM #

Many thanks for this particular web site. Sorry for the off-topic inquiry, but would anybody advocate blogEngine more than Wordpress? Cause I am thinking about implementing that.



The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.