Can't stop firing ASP.NET Module for static content - asp.net

I have a module in an ASP.NET MVC application. The module is working fine, but it's firing for every type of file including static content even though I have:
<modules runAllManagedModulesForAllRequests="false">
<add name="MyModule" ... / >
</modules>
The module hooks AcquireRequestState and PostRequestHandlerExecute events and both show static content firing (.htm, .css, .png etc.).
I was under the impression that runAllManagedModulesForAllRequests="false" should keep modules from firing on non-ASP.NET content.
To clarify:
I can set preCondition="managedHandler" like this:
<add name="MyModule" type="MyApp.MyModule" preCondition="managedHandler" />
and get my module to fire only managed requests.
However, I'm trying to understand why the IIS pipeline in general is firing managed module hits for every request. I think this used to work just fine in older versions where unless runAllManagedModulesForAllRequests="true" it wasn't firing unmanaged content into ASP.NET modules.
Running on IIS8 on Windows 8 64 bit mode, with integrated pipeline mode.
Update:
After some more research it turns out that the following is true:
if runAllManagedModulesForAllRequests="true" all modules - regardless of their preCondition attribute setting fire on all requests. This also true for Application_XXXX events implement on the HttpApplication
runAllManagedModulesForAllRequests="false" has no effect of keeping unmanaged requests from hitting modules, unless preCondition="managedHandler" is set
runAllManagedModulesForAllRequests="false" does affect Application_XXXX events, causing those events to only fire on managed requests then. IOW, Application_XXXX behaves as if the 'module' implementation had a preCondition="managedHandler"
For more detailed information on this I posted a blog entry:
http://www.west-wind.com/weblog/posts/2012/Oct/25/Caveats-with-the-runAllManagedModulesForAllRequests-in-IIS-78

In IIS7 Microsoft introduced a new way of developing modules and handlers by using managed (.NET) code, not just native code. Problem is switching a request between managed and native code is very expensive, so Microsoft introduced the preCondition="managedHandler". It flags the module as only available for managed content requests (.aspx, .asmx, ...) so IIS avoids firing it for static content.
Now, you can have a situation where you want to modify an static content request, such as minifying JavaScript on the fly. You can write the module using C# and compile it as a managed module, but you want it to be fired for static content, so you simply do not mark it as managedHandler.
Finally, runAllManagedModulesForAllRequests="true" is used to override preCondition="managedHandler" so all of them get fired.
There is more info available at:
http://www.iis.net/learn/get-started/introduction-to-iis/iis-modules-overview#Precondition

Related

<modules runAllManagedModulesForAllRequests="true" /> Meaning

I wanted to know what is the meaning of
<modules runAllManagedModulesForAllRequests="true" />
I am using IIS 7.5 and I have a simple web application. Do I need to write this in my web.config file.
I have also written few http handler for jquery ajax call.
I am using form authentication and asp.net 4.0.
How can I determine which module I have to run and which is not to be?
Modules Preconditions:
The IIS core engine uses preconditions to determine when to enable a particular module. Performance reasons, for example, might determine that you only want to execute managed modules for requests that also go to a managed handler. The precondition in the following example (precondition="managedHandler") only enables the forms authentication module for requests that are also handled by a managed handler, such as requests to .aspx or .asmx files:
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />
If you remove the attribute precondition="managedHandler", Forms Authentication also applies to content that is not served by managed handlers, such as .html, .jpg, .doc, but also for classic ASP (.asp) or PHP (.php) extensions. See "How to Take Advantage of IIS Integrated Pipeline" for an example of enabling ASP.NET modules to run for all content.
You can also use a shortcut to enable all managed (ASP.NET) modules to run for all requests in your application, regardless of the "managedHandler" precondition.
To enable all managed modules to run for all requests without configuring each module entry to remove the "managedHandler" precondition, use the runAllManagedModulesForAllRequests property in the <modules> section:
<modules runAllManagedModulesForAllRequests="true" />
When you use this property, the "managedHandler" precondition has no effect and all managed modules run for all requests.
Copied from IIS Modules Overview: Preconditions

Static files causing new sessions to be created

Why does a request for a .gif image cause the session_start event to fire in my asp.net application?
In my local IIS I tried setting up a module mapping for *.gif pointing to StaticFileModule thinking that would prevent IIS from routing the request through asp.net, but for some reason my session start event is still firing when just requesting this single image.
Can anyone advise what needs to be set in IIS to prevent this from happening?
Thanks
I think you may also have to disable Session State for those folders:
https://serverfault.com/questions/77852/is-it-possible-to-set-a-folder-as-cookieless-in-iis7
Do you have a modules section within your web.config which has runAllManagedModulesForAllRequests set to true? This causes all requests (including .gif, .jpg, etc) to go through asp.net, not just managed ones.
Anything like this:
<modules runAllManagedModulesForAllRequests="true">
...
</modules>
Or alternatively, have you defined any custom <httpHandlers> within your web.config?
It sounds like your CRM might be causing the asp.net runtime to handle the request (is it a seperate .NET app? and if so, what about it's web.config?)

Executing a managed module for a rewritten URL in IIS7 Integrated Mode

In my ASP.NET app, I have two HTTP modules. One of them is used for rewriting URLs, the other is used for app-specific stuff (custom authentication .. etc). The URL-Rewriting module is executed for all requests, while the other module is only executed for managed file extensions, like .aspx
Here's how the modules are defined in web.config (note that preCondition is blank for UrlRewriteModule. This cause it to get executed for all requests):
<system.webServer>
<modules>
<add name="UrlRewriteModule" type="MySite.UrlRewriteModule" preCondition="" />
<add name="SiteModule" type="MySite.SiteModule" preCondition="managedHandler" />
</modules>
</system.webServer>
In UrlRewriteModule I use RewritePath() to rewrite some URLs (directory-like) into files with query strings. For example, from "/p/5/some-thoughts-about-the-future/" to "/post.aspx?id=5"
Now, I was under the impression that when a URL gets rewritten, IIS7 executes the managed module (SiteModule in this case) if the new URL is for a managed extension (like .aspx). But, this doesn't seem to be the case. I noticed that SiteModule doesn't get executed for any rewritten URLs.
Am I missing something (or doing something wrong) or is this the normal behavior in IIS7?
I came across Server.TransferRequest() which actually solves the problem (behind the scence, it involves creating a new child request). But, this can also cause a lot of overhead esp. under server load, and I generally prefer to avoid it.
So, is there a way to get SiteModule to execute whenever a URL gets rewritten without using Server.TransferRequest()?
Thanks!

Basic authentication in asp.net avoided if runAllManagedModulesForAllRequests="True"

We have one module which does internal redirection to real aspx pages. He is also in charge for directly serving cached/compressed HTML/txt/cs/js output to client.
Here is how web.config looks like for modules section:
<modules runAllManagedModulesForAllRequests="True">
<remove name="RequestInterceptor" />
<add type="Lib.Request.RequestInterceptor" name="RequestInterceptor" />
<remove name="Session" />
<add type="System.Web.SessionState.SessionStateModule" name="Session" />
</modules>
Basic authentication is turned on on IIS7. When first visitor comes to site login popup shows and he is correctly authenticated, and then pages which he visits get cached.
When next visitor comes authentication pop up doesn't show up, unless he visits a page which was not visited by previous visitor (page that is not cached). Once the cache has expired, authentication works again until the page content gets cached, and so on.
Is there a way to force authentication for every visitor? Maybe we need to add basic authentication module to module section of web.config (how to do that)?
Thanks in advance.
Cheers
While searching for an answer to a related question I came across this post:
Don't use runAllManagedModulesForAllRequests="true" when getting your MVC routing to work
It seems to be common advice to make your modules section of your
web.config say . In
fact this is quite a drastic thing to do to solve the routing problem
and has global effects that could CAUSE ERRORS. ... This highly
recommended fix can cause other problems. These problems come in the
form of making all your registered HTTP modules run on every request,
not just managed requests (e.g. .aspx). This means modules will run on
ever .jpg .gif .css .html .pdf etc.
And, while I'm not using MVC in my WCF REST Service, it did fix my (other) problem and this advice against inappropriate or overuse of runAllManagedModulesForAllRequests may be warranted.
Because httpmodule intercepts each request, server is not able to map appropriate handler for static files, dynamic files, and among others secuirty authentication.

UrlRewriting.Net Module + IIS7 Equals Page.User == null?

I've used the UrlRewriting.Net module for a couple years now without any problems in Windows XP and Windows 2003. I just recently upgraded my home PC to Windows 7 and started developing a new website.
The plan was to use .html extensions and rewrite them to their .aspx counterparts using the UrlRewriting.Net module. Everything works flawlessly in VWD 2008, but when I try running it through IIS7 it is a different story.
When I try to access a page via the .html rewrite I can no longer access Page.User; it keeps returning null. If I hit the page using it's .aspx extension, Page.User is correctly populated. I should also mention that I have a LoginView controller in my Master Page and it suffers from the same symptoms: When accessing via .html extension it shows the AnonyousTemplate; When using .aspx extension it properly shows the LoggedInTemplate. I'm guessing the two are related.
[Note: I've also tried extensionless URLs and they exhibit the same problem]
The only way I've gotten it to work is to switch the application pool to Classic, which then requires me to add an ASP.Net ddl handler for the .html extension [otherwise it is handled by the StaticFileHandler and comes up as a 404 error]. However, I'd like my web app to run properly for people without having to fiddle around with IIS.
So I am left with several questions:
Does anyone have ideas as to why Page.User always equals null for .html => .aspx rewritten pages?
Why does it work in VWD 2008, but not IIS7?
What changed from IIS6 => IIS7 that could have caused this?
Any other thoughts on workarounds?
[Note: I just tried a .aspx => .aspx rewrite and it did not exhibit the problem. Not really what I want, but thought I should mention it.]
Just had a breakthrough with the UrlRewriting.Net module. This makes it work in Integrated Mode in IIS7:
<modules runAllManagedModulesForAllRequests="true">
After figuring it out I did a search on "runAllManagedModulesForAllRequests" and the first thing that popped up was Scott Guthrie's blog which actually talks about using it for this purpose.
Another approach that seems to work is to remove the Session module and readd it leaving the "Invoke only for requests to ASP.NET applications or managed handlers" checkbox unchecked. It looks like this in the web.config file:
<system.webServer>
<modules>
<remove name="Session" />
<add name="SessionManualAdd" type="System.Web.SessionState.SessionStateModule, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</modules>
</system.webServer>
It seems the problem is that the Session module doesn't execute for say '*.htm' files when HttpContext.RewritePath is used, but removing and readding the module in this fashion causes the Session handler to be executed for the request.
This solution was suggested on the thread below. Unfortunately Microsoft chose not to explain the reasoning behind this behavior fully:
http://connect.microsoft.com/VisualStudio/feedback/details/357248/context-rewritepath-disables-session-module-in-iis7
Microsoft included a fix for this issue (at least for extensionless urls) in Service Pack 1 for Win7 and Windows Server 2008 R2:
http://www.microsoft.com/download/en/details.aspx?id=5842
Also available as a hotfix: http://support.microsoft.com/kb/980368
After this patch is applied, ASP.NET 4 applications can handle requests for extensionless URLs. Therefore, managed HttpModules that run prior to handler execution will run. In some cases, the HttpModules can return errors for extensionless URLs. For example, an HttpModule that was written to expect only .aspx requests may now return errors when it tries to access the HttpContext.Session property.
After applying SP1 or the hotfix, no web.config changes are needed to make the session and forms auth work for extensionless URLs rewritten to asp.net pages/handlers/etc.
I don't know if this fixes anything for rewrites to static file extensions like .htm. My guess is, probably not. I would try to avoid setting runAllManagedModulesForAllRequests="true" in production environments, because it adds unnecessary overhead on static file requests.

Resources