Session Resets when uploading a file using a flash plugin - asp.net

My session is getting reset after I upload a file using a flash plugin. I put some logging into the Session_Start function and I see it's called every time I upload a file using the flash plugin. I'm not sure what would be causing this. This is working locally for me in my dev environment with the same server and settings.
I'm using
IIS 7 with Windows Server 2008 R2.
My app:
ASP.NET MVC .NET 4.0 (legacy app)
I upload other files on the site without the flash plugin and those work. This functionality worked before. But for some reason now it stopped working.
Any ideas on what could be causing this to occur?

First, note Microsoft's end of support for Windows Server 2008 and Windows Server 2008 R2.
The default server configuration does not allow you to upload files with Flash Uploader.
You could try the settings below:
1) Disabling Request Validation:
ASP.NET automatically validates a request or rejects it if there are dangerous fields. However, HTML5/Flash Uploader sends files data in text fields (instead of binary ones) due to Adobe Flash Player limitations. IIS may treat this behavior as potentially dangerous and, thus, you can get the following error during uploading:
A potentially dangerous Request.Form value was detected from the client
Use the code below to disable request validation on the page which processes the upload request:
<%@ Page Language="C#" ValidateRequest="false" %>
2) Assign permission:
The folder where you are going to save files should have modified permissions.
Assign the iis_iusrs and iusr or application pool identity full permission to the upload folder.
3) Configuring Maximum POST Request Length:
Usually, the limitation for maximum POST request length is specified to reduce the risk of DoS attacks. If the request size exceeds a specific value, it is considered malicious and the upload would be broken.
If you are going to upload files larger than the default limitation, increase the latter.
Go to C:\Windows\System32\inetsrv\config\applicationHost.config and change
<section name="requestFiltering" overrideModeDefault="Deny" />
To
<section name="requestFiltering" overrideModeDefault="Allow" />
Add the code below to your application's web.config file:
<system.webServer>
  <security>
    <requestFiltering>
      <requestLimits maxAllowedContentLength="2147482624" /> <!-- in bytes -->
    </requestFiltering>
  </security>
</system.webServer>
<system.web>
  <httpRuntime maxRequestLength="2097151" /> <!-- in kilobytes -->
</system.web>
4) Configuring Control to Support Medium Trust Level:
.NET Trust Level in IIS specifies the level of code access security for ASP.NET applications. By default, HTML5/Flash Uploader works under the full trust level. However, if you create a website with the medium trust level on your server, you should configure HTML5/Flash Uploader to support this level as well. To perform this, just set the MediumTrustCompatibility property to true as the snippet below shows:
<aur:ImageUploaderFlash ID="ImageUploaderFlash1" runat="server"
MediumTrustCompatibility="true">
</aur:ImageUploaderFlash>
Setting the MediumTrustCompatibility property to true requires an application's pool to be routed to a single worker process. To perform this, run IIS Manager, choose the application pool under which your website works, click Advanced Settings in the Actions panel, and set Maximum Worker Processes to 1.
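An offline check for the settings in steps 1 and 3 above, as an added example that is not part of the original answer: it reads a web.config, computes the upload limit that actually applies (IIS counts bytes, ASP.NET counts kilobytes, and a request must pass both), and reports whether request validation is switched off site-wide or only for one path. The sample file, the `Upload.aspx` path, the `<pages validateRequest>` entries and the 100 MB review threshold are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the limits from the answer above. The site-wide
# validateRequest="false" and the Upload.aspx <location> are assumptions
# added here so both scopes are exercised.
SAMPLE = """<configuration>
  <system.web>
    <httpRuntime maxRequestLength="2097151" requestValidationMode="2.0" />
    <pages validateRequest="false" />
  </system.web>
  <system.webServer><security><requestFiltering>
    <requestLimits maxAllowedContentLength="2147482624" />
  </requestFiltering></security></system.webServer>
  <location path="Upload.aspx">
    <system.web><pages validateRequest="false" /></system.web>
  </location>
</configuration>"""

IIS_DEFAULT_BYTES = 30000000   # requestLimits default when the attribute is absent
ASPNET_DEFAULT_KB = 4096       # httpRuntime default when the attribute is absent


def _attr(node, path, name, default):
    el = node.find(path)
    return el.get(name, default) if el is not None else default


def audit_upload_config(xml_text, review_above=100 * 1024 * 1024):
    """Return the effective site-wide body limit and what deserves review."""
    root = ET.fromstring(xml_text)
    iis_bytes = int(_attr(root, "system.webServer/security/requestFiltering/requestLimits",
                          "maxAllowedContentLength", IIS_DEFAULT_BYTES))
    aspnet_bytes = 1024 * int(_attr(root, "system.web/httpRuntime",
                                    "maxRequestLength", ASPNET_DEFAULT_KB))
    findings = []
    # A request must pass both layers, so the smaller value is the real limit.
    effective = min(iis_bytes, aspnet_bytes)
    if iis_bytes != aspnet_bytes:
        findings.append("limits disagree: IIS %d bytes, ASP.NET %d bytes" % (iis_bytes, aspnet_bytes))
    if effective > review_above:
        findings.append("site-wide body limit is %d bytes; scope it with <location>" % effective)
    if _attr(root, "system.web/pages", "validateRequest", "true").lower() == "false":
        findings.append("request validation is disabled for the whole site")
    # <location> blocks confine a relaxed setting to one path.
    scoped = [loc.get("path") for loc in root.findall("location")
              if _attr(loc, "system.web/pages", "validateRequest", "true").lower() == "false"]
    return {"effective_bytes": effective, "findings": findings, "scoped_paths": scoped}


if __name__ == "__main__":
    report = audit_upload_config(SAMPLE)
    print(report["effective_bytes"], report["scoped_paths"])
    for finding in report["findings"]:
        print("-", finding)
```

Raising only one of the two limits leaves the other layer rejecting the upload, which the "limits disagree" finding makes visible.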

Related

UNC path in web.config

I created a set of ASP pages which receive HTTP requests. Some of these requests pull data from a database, and few of them open text files to get info. My path to these text files are pretty straight-forward on my web server, and I refer to these in my web.config as below in the appSettings node.
<add key="MasterPath" value="C:\inetpub\wwwroot\VecoXtra\" />
However, my client (who is going to use this) has set up my scripts on their server but wants to use a UNC path to these files, and the process stops when changing it to:
<add key="MasterPath" value="\\10.10.6.2\euro$\INETPUB\VeXtra\StaticFiles\" />
I read somewhere to double up the slashes, but to no avail, as I think there are some permissions issues here. I tried identity in my config and adding my windows administrator login to the application pool but nothing allows me to access these files.
I changed the Application Pool AND the setting to load profile to true and it kicked into gear.. thanks for letting me talk it through :)

IIS and Static content?

According to Ultra-Fast ASP.NET: Chapter 3 - Caching:
Files that the browser retrieves from the server should be stored in
the browser’s cache as long as possible to help minimize server
round-trips.
But how does IIS know what a static content actually is and is not?
Is it just images, CSS, JS and not ASPX, ashx...?
Where can I see in IIS what is already considered to be static and what is not ?
What about the scenario where a page has been declared with <%@ OutputCache header (without location)? Are the images, CSS and JS source files inside of it also being output cached with the same properties?
As a best practice, I should set one year into the future as the maximum expiration time. I should use that as the default for all static content on the site
So I did this :
But later, after pressing OK, I can't find any summary menu which shows me: to whom I already put a response header (in this case: the css folder).
Currently, in order to see that css folder has been applied with response headers - I have to go to the css folder again --> Http Response Header-->Set Common Headers --> and then I see it. It isn't written in the web.config.
But if I do it for a file (Login.aspx for example): I do see it in web.config:
<configuration>
  <location path="Login.aspx">
    <system.webServer>
      <staticContent>
        <clientCache cacheControlMode="UseExpires" cacheControlMaxAge="1.00:00:00" httpExpires="Fri, 15 Feb 2013 00:00:00 GMT" />
      </staticContent>
    </system.webServer>
  </location>
</configuration>
I understand your situation. Sometimes it's confusing how IIS handles a file. It's also different for IIS 6 vs IIS 7 and different for Classic App Pools and Integrated mode app pools. My experience is mostly with Integrated App Pools on IIS 7.5, so that's the environment I can comment on most accurately.
First Question
But how does IIS knows what is actually a static content and what is
not?
Is it just images , css , js and not ASPX , ashx...?
Where can I see in the IIS what is already considered to be static and
what not ?
You can inspect the list of file handlers in IIS by navigating to your website and then click 'Handler Mappings'. By default these are inherited from the .Net base web.config which is in a different location depending on your .Net framework version.
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web.config
If a file being requested isn't already explicitly mapped to another handler it falls to a catch-all handler (*) as the last option (System.Web.DefaultHttpHandler) which determines if it is a static file or a directory browsing request. So static files are simply files not bound to another handler already. For example you'll see that *.aspx is already mapped to System.Web.UI.PageHandlerFactory prior to this default handler. So it's going to be processed by that handler and not be considered a static file. If you removed that mapping you could technically serve *.aspx as a static file if you really wanted to (just for proof of how it works).
But you can also explicitly list a file type as a static file by adding an entry in your web.config's httpHandlers section mapping the file extensions to System.Web.StaticFileHandler in IIS. For example:
<configuration>
  <system.webServer>
    <handlers>
      <add name="StaticHandler" verb="*" path="*.zip" type="System.Web.StaticFileHandler" preCondition="integratedMode" />
    </handlers>
  </system.webServer>
</configuration>
This example is using the <system.webServer> config section, so it's for an App Pool running in Integrated Mode.
Second Question
What about the scenario where a page has been declared with <%@
OutputCache header(without location) . does the images,css,js src
files inside of it , are also being output cached with the same
properties?
No. Because the page is being served as a separate request (maybe even by a separate handler) it can have totally different cache headers/hints. The host page and the resources it may use are not related from a caching perspective.
In fact you may even want to have a shorter cache period for *.html and a longer cache period for *.jpg or *.png? Something to consider.
Third Question
As a best practice , I should set one year into the future as the
maximum expiration time.I should use that as the default for all
static content on the site
Hmm... I might not go as far as one year. How about one month? I would set a global policy like this:
<configuration>
  <system.webServer>
    <staticContent>
      <!-- Set expire headers to 30 days for static content-->
      <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="30.00:00:00" />
    </staticContent>
  </system.webServer>
</configuration>
This is the same as the sample you showed above, but is not inside a <location> element, instead it is right in the root <configuration> element so it is the default policy. Again this is for an App Pool running in Integrated Mode. Sometimes you also need to turn on:
<configuration>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      <!-- stuff -->
    </modules>
  </system.webServer>
</configuration>
This just makes sure that static files are processed through the managed static file handler which respects the above configuration elements.
Edit to Address Comments
The documentation for the configuration dialog you posted above is located here: Configure the HTTP Expires Response Header (IIS 7)
Apparently these settings are saved in C:\Windows\System32\inetsrv\config\applicationHost.config
I do not have IIS7 and personally develop on IIS 7.5 now. So please post a comment if you can verify this location is accurate!
Static content is content that IIS reads and sends to the browser without any processing. There you can set up IIS to include some Cache-Control header to cache it on the client's browser.
You can do that either by setting up IIS directly, or by commands in web.config as you say. The commands that you add to web.config that concern IIS do not have to do with ASP.NET itself, but with IIS, and IIS saves its configuration in a different file, so when you change the cache control headers directly in IIS you do not see them in web.config.
Now for static content like images, CSS, JavaScript, and other similar files they say that you can follow the "never expire" policy by setting a 10-year expiry.
The issue here is that you then cannot change the content of the static file: if, for example, you cache a JavaScript file for 10 years and you make a small change to it, then you need either to change the file name or to add some parameter at the end of it.
Now the <%@ OutputCache on a control refers to the server cache and not to the client; what it actually does is cache the rendered control on the server, so the next time you ask for it, it does not lose time rendering it again but reads it from the cache. It is still sent to the browser.
And you can also read this answer for some more: What are difference between IIS (Dynamic and Static) cache,OutPutCache and browser cache

Servicing HTTP PUT from .ashx handler in ASP.NET without tweaking file permissions

I've got an .ASHX handler I want to use to process an HTTP PUT to allow me to upload files to the web server--the .ASHX file actually uploaded data and sticks the file elsewhere, so it never actually touches the disk here.
I've set the web.config to allow it to handle HTTP PUT, but IIS won't pass the request to my code unless I set the ACLs on the .ASHX files themselves to be writable--Which is kinda silly, since we're not actually going to write to those files.
If I set the ACLs, it works fine, but I'd like to be able to process the file without having to set the ACLs at all (I'm sure there's an appropriate way to make IIS just pass the HTTP PUT to the .ASHX file without checking the permissions on the file itself).
This is on Win2008 R2 (actually, it's on Azure's 2008 R2, but should be the same), using .NET 4.0
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.
There are several roadblocks to getting PUT (and DELETE) working with ASP.NET. Since you mention Win2008 R2 (IIS 7.5) I would check to see if the errors you are seeing mention the WebDAV module or handler.
WebDAV is enabled by default as of IIS 7.5. It will interfere with HTTP PUT and DELETE verbs on ASP.NET handlers and modules. If you're implementing a RESTful service you likely don't even utilize this functionality. Disable it via your web.config.
<system.webServer>
  <modules>
    <remove name="WebDAVModule" />
  </modules>
  <handlers>
    <remove name="WebDAV" />
  </handlers>
</system.webServer>
Some other solutions are mentioned in this forum post entitled HTTP Error 405 With ASP.Net MVC and HTTP PUT on IIS 7.5.

ASPX page within a .aspx page with iframe throws 500.23 error

I'm trying to embed a ChartModule.aspx page within a Default.aspx page using an iframe.
The ChartModule has a button event which updates a chart. The ChartModule has its own ChartsModule.cs.
I'm getting this error:
HTTP Error 500.23 - Internal Server Error An ASP.NET setting has been
detected that does not apply in Integrated managed pipeline mode.Most
likely causes:
•This application defines configuration in the system.web/httpHandlers
section. Things you can try: •Migrate the configuration to the
system.webServer/handlers section. You can do so manually or by using
AppCmd from the command line. For example, from the IIS Express
install directory, run appcmd migrate config "Default Web Site/".
Using AppCmd to migrate your application will enable it to work in
Integrated mode. It will continue to work in Classic mode and on
previous versions of IIS. •If you are certain that it is OK to ignore
this error, it can be disabled by setting
system.webServer/validation#validateIntegratedModeConfiguration to
false. •Alternatively, switch the application to a Classic mode
application pool. For example, from the IIS Express install directory,
run appcmd set app "Default Web Site/"
/applicationPool:"Clr4ClassicAppPool". Only do this if you are unable
to migrate your application.
Detailed Error Information: Module ConfigurationValidationModule
Notification BeginRequest Handler
PageHandlerFactory-Integrated-4.0 Error Code 0x80070032 Requested
URL http://localhost:4161/Default.aspx Physical Path
C:\Documents and
Settings\singhm\Desktop\Temp\Trial2\Trial2\Default.aspx Logon Method
Not yet determined Logon User Not yet determined Request Tracing
Directory
Why is this?
While this may not answer your question directly, here is a thought:
If you have the option, consider turning ChartModule.aspx into a UserControl (ascx), which acts just like another "page" (same lifecycle, its own codebehind file, etc) but integrates more cleanly into an existing aspx page. The above link should be a good introduction to creating and using UserControls.
The error message contains a clue to the solution:
setting system.webServer/validation#validateIntegratedModeConfiguration to false
So make sure the following is present in your web.config:
<validation validateIntegratedModeConfiguration="false"/>
For example:
<configuration>
  <!-- your existing settings -->
  <system.webServer>
    <!-- Add this to here.... -->
    <validation validateIntegratedModeConfiguration="false"/>
  </system.webServer>
</configuration>
IIS 7 and ASP.NET are quite helpful these days with regard to error messages and hints contained therein so you should take the time to read them.
I would really recommend using a usercontrol page instead of iframes in ASP.NET. This way you can bind that usercontrol by doing
public override void DataBind()
In that you can pass anything into that usercontrol page like refresh data, load certain data, etc.
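A check worth running before relying on `validateIntegratedModeConfiguration="false"`, as an added example that is not part of the original answers: in Integrated mode IIS reads handlers and modules only from `system.webServer`, so an entry left only under `system.web` stops running without any error once validation is suppressed. The script lists such entries; the sample config and every `Example.*` type name in it are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one legacy handler already mirrored for Integrated mode,
# one legacy handler and one legacy module that are not. All names hypothetical.
SAMPLE = """<configuration>
  <system.web>
    <httpHandlers>
      <add verb="GET" path="Chart.axd" type="Example.ChartHandler, Example" />
      <add verb="*" path="*.report" type="Example.ReportHandler, Example" />
    </httpHandlers>
    <httpModules>
      <add name="AuthCheck" type="Example.AuthCheckModule, Example" />
    </httpModules>
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <handlers>
      <add name="Chart" verb="GET" path="Chart.axd"
           type="Example.ChartHandler, Example" preCondition="integratedMode" />
    </handlers>
  </system.webServer>
</configuration>"""

# Legacy section -> the section Integrated mode actually reads.
SECTION_PAIRS = (("system.web/httpHandlers", "system.webServer/handlers"),
                 ("system.web/httpModules", "system.webServer/modules"))


def _types(root, path):
    """Class names (assembly part dropped) registered under a config section."""
    return {a.get("type", "").split(",")[0].strip() for a in root.findall(path + "/add")}


def unmigrated_entries(xml_text):
    """Report legacy entries with no counterpart in system.webServer."""
    root = ET.fromstring(xml_text)
    validation = root.find("system.webServer/validation")
    suppressed = (validation is not None and
                  validation.get("validateIntegratedModeConfiguration", "true").lower() == "false")
    missing = {}
    for legacy, integrated in SECTION_PAIRS:
        gap = sorted(_types(root, legacy) - _types(root, integrated))
        if gap:
            missing[legacy] = gap
    return {"validation_suppressed": suppressed, "missing": missing}


if __name__ == "__main__":
    report = unmigrated_entries(SAMPLE)
    print("validation suppressed:", report["validation_suppressed"])
    for section, types in report["missing"].items():
        print(section, "->", ", ".join(types))
```

A module that enforces authentication or logging is the entry to look for first in the output.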

How do you set handler mapping to a directory in IIS 6.0?

I have IIS 7.0 on my development machine and IIS 6.0 on my server. On my development machine I was able to set a handler map on a directory within my site called /ViewHtml/ and I mapped it to asp.net. In my global.asax I check the request sent to asp.net for /ViewHtml/ and I serve the appropriate html file (html version of a Doc, Power Point, or Excel file) located outside this app's virtual directory. I am doing it this way because all files are permission protected, we didn't want to put these files in our database due to scalability, and I need to hide the path to these files on the server. This all works in IIS 7.0 exactly how I would like it to. Although I have not been able to get my IIS 6.0 server configured to map all requests to that directory to asp.net.
Any ideas? Thanks Guys?
I set up a web application using the same configuration you're using and I'm also getting the 404. I don't know why it works in IIS 7, but here's what I had to do to fix it.
Create a class that implements the System.Web.IHttpHandler class. Move the code from Application_BeginRequest to your implementation of IHttpHandler.ProcessRequest.
Now you just have to register your HTTP handler with ASP.NET. To do so add an entry in your Web.config at /configuration/system.web/httpHandlers.
Web.config Example:
...
<httpHandlers>
  <clear />
  <add verb="*" path="*" type="namespace.classname, assemblyname" />
</httpHandlers>
...
That entry is telling ASP.NET to handle HTTP requests with any extension and any HTTP method by running the code in your HTTP handler. Note that I'm also clearing all the previously defined handlers (defined in the machine's web.config).
Note that you will still need the Application Mapping configured in IIS.
If I understand the problem correctly, it sounds like you need to add a "Wildcard Application Mapping" for your virtual directory. In other words, you want to forward all requests to any file extension to ASP.NET's ISAPI extension.
To do so, open the properties of your virtual directory. On the Virtual Directory tab (Home Directory tab if it's a web site), click the Configuration... button. Click the Insert... button next to the bottom list box in the dialog that shows up. In this dialog, choose "%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" as the executable and make sure to un-check "Verify that file exists" checkbox, since the files to be requested don't live in your virtual directory.
I hope this helps!
I think your problem is all about access policy. You have to make sure that the access policy is Read and not None, because with None you have no permission to even read files from your website.
