We run a link redirection service which can handle links thrown at it in various formats. One of these formats is to append the destination URL to the end of the link, for example
http://url.fwd/abcd/http://www.mydomain.com/page.aspx
This was working on a Windows Server 2003 / IIS6 box for the last two years, but now we're trying to move to a Windows Server 2008 / IIS7 setup and its not working anymore.
I've read about the problem with colons in the URL but it doesn't affect pages not ending in '.aspx'. For instance,
http://url.fwd/abcd/http://www.mydomain.com/page.php
would redirect fine.
http://url.fwd/abcd/http//www.mydomain.com/page.aspx
also works fine (note the lack of a second colon). Despite being the wrong URL, it does get handled by our URL forwarding system, which uses a custom 404 page. On the old system, we had a similar problem, so a method was written in Global.asax > Application_Error specifically to handle the '.aspx' case, and it worked fine.
On our new server, the Application_Error never gets thrown in Global.asax. Instead, I get a System.NotSupportedException - "The given path's format is not supported". This System.NotSupportedException is the exact case we handle in the Global.asax page, so it's definitely not being fired.
I've changed the registry keys indicated in several forum posts,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET VerificationCompatibility=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP|Parameters AllowRestrictedChars=1
I've tried changing the Handler Mappings settings for .aspx.
I've tried setting the App pool to use classic mode instead of integrated, but this causes a completely different error where static content such as images and CSS do not display at all. I've checked that static content is enabled in the windows features, and it is.
Under classic mode, the '.aspx' request throws two Bad Request errors with absolutely no information whatsoever. The code of the error page I get is literally
Bad Request<html><body>Bad Request</body></html>
UPDATE: I've changed the static file Handler Mapping to the form found in this page
http://improve.dk/blog/2006/12/11/making-url-rewriting-on-iis7-work-like-iis6
However, as the author rightly points out, this is a hack and not the correct way of doing things under IIS7. It also only fixes the static file problem in classic mode. '.aspx' pages still throw an error under classic mode.
Any thoughts or input would be greatly appreciated at this point.
IIS 7 Solution
The easy solution in IIS 7 is to add a setting in your web.config file to tell IIS to process all requests through your Global.asax events. Just add or change this section in your web.config to enable requests:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
In my case, I was publish my site in production and I miss copy to server App_global.asax.compiled file. For this reason was not fire the Events inside Global.asax.
Hope anyelse help this tips, I lost 8 hours seeking.
Related
Im using N2Cms and am looking in to some issues i have with it. It has a navigation panel on the left hand side that loads via ajax as you expand the tree.
The code that gets the childeren of the node calls an ashx file with some parameters. One parameter is for a path and contains slashes in it. For this reason it has been encoded.
.../cms/Content/Navigation/LoadTree.ashx?target=preview&selected=%252fhome%252fhelp-and-advice%252f
I have had no issues with this on my development server (running iis 7.5) but when deployed to our test server (iis7) the navigation fails to work.
Investigating this has shown that the above url gives a 500 error.
If i decode the url to
.../cms/Content/Navigation/LoadTree.ashx?target=preview&selected=/home/help-and-advice/
it works with no problems.
Unfortunately i cannot change the code that generates this as its a part of the n2cms source code and i am assuming it has been encoded for a good reason.
Does anyone know anything i can do either in my web.config to allow encoded parameters or something i can change on the iis server?
EDIT:
So this link seems to suggest that its doing this on purpose as a security mesure.
http://msdn.microsoft.com/en-us/library/ee656542.aspx
The suggested solution is to upgrade to .net 4.0 and add the following to the web.config
<configuration>
<uri>
<schemeSettings>
<add name="http" genericUriParserOptions="DontUnescapePathDotsAndSlashes"/>
</schemeSettings>
</uri>
</configuration>
Unfortunately this seems to have no effect.
Any Ideas why this doesnt work?
This could be the URLScan utility. URL Scan blocks URL's based on the rules in it's config file. It also has it's own log file, so you can tell for sure by looking at the URLScan log.
Do a google search for URLSCan default location.
It seems your url goes through 2 html encode.
Is there some url rewriting module active on your IIS7 server ?
OK, im getting somewhere with this.
When trying to find the error in the IIS logs and failing, then looking through many posts about failed tracing request and still not getting any errors in iis, i figured that the request was just not getting to IIS.
Looking back at the server error, there was a clue there too.
500 Internal Server Error. The request was rejected by the HTTP filter.
It is the firewall!!
We have disabled the HTTP Filter and now it works :)
I now need to investigate what this HTTP Filter was supposed to be protecting us against and are we secure now we have switched it off.
I think I may have found a problem with ASP.NET MVC and it's event pipeline. In particular, I am finding that Session_Start is being called multiple times, each containing a new SessionID.
Here's the step-by-step process:
Open VS2010
File | New Project
ASP.NET MVC 3 Web Application, accept default name, click OK
Select Internet Application (although I don't think it matters really), click OK
When finished creating, edit the Global.asax.cs file
Add the following method (yes it's empty):
protected void Session_Start()
{
}
Set a breakpoint in the method
Debug
Notice that the breakpoint is caught twice before displaying the page. If you watch "Session.SessionID" when the breakpoints are caught, you will see that the session id is new each time.
Once you get to the home page, click on the "Home" or "About" tab link.
Session_Start will be fired again, this time with a new SessionID.
Continue execution, and any subsequent actions will no longer fire Session_Start.
I tried the same thing on a standard ASP.NET Web Application (not MVC), and Session_Start only fired once.
I'm pretty sure I'm not doing something wrong here, as I am using the default project templates, and the only code that is being modified is the Global.asax.cs file, to add the Session_Start method.
I am using IIS Express, but I've repeated the above steps using the "Cassini" web server (Visual Studio Development Server), with the same result.
Any advice?
UPDATE
I decided to use Fiddler to inspect the HTTP traffic during my debug session. It seems that:
The first Session_Start is fired when I am requesting the "/" URL. This seems reasonable. The SessionID generated at that time is then written in the response to the browser. Again, seems reasonable.
Fiddler then shows requests/responses for the *.js and *.css files. All successes. None of those fire off Session_Start. Good so far.
Then Fiddler shows that a request has been made for "/favicon.ico". At this time, Session_Start fires, and generates a new SessionID... I continue.
On Fiddler, it shows that the "/favicon.ico" file was not found (404). The webpage is displayed. I click on the "Home" link.
The URL "/" is requested and response is OK in Fiddler. But then, another "/favicon.ico" file is requested, and again Session_Start fires with a new SessionID... I continue.
All subsequent requests have responses, and the browser stops asking for "/favicon.ico".
I made note of each of the three SessionID's generated, and it seems the one that the browser holds on to is the first one. So when we get to step 6 above, and everything seems to work, it's actually using the very first SessionID that was generated.
So... I decided to host a "favicon.ico" file. I placed the ico file in the root of the project, and started my debug session again. This time, Session_Start only fires once. "/favicon.ico" was served successfully (200).
So... I guess it is working the way it should in a sense... But why do calls to "/favicon.ico" fire off the Session_Start event???? Shouldn't I have the choice to NOT host a favicon?
ASIDE: I tried all the above in an ASP.NET (not mvc) project, and it did not have the same problem, even though there was no favicon.ico file hosted by a default "ASP.NET Web Application" project.
I kinda had this problem for a while, and finally I realised that it was because there was some http/https shenanigans going on... looks like it destroys and recreates your session if you flip the ssl around like that and you have
<sessionState mode="InProc" sqlCommandTimeout="3600" timeout="120" cookieless="false" />
<httpCookies httpOnlyCookies="true" requireSSL="true" />
Possibly a trap for new players or people who are really tired and not paying attention! :)
Just FYI in case this helps anyone...
I think I've come to a point where I have a couple of solutions (albeit both seem 'hacky' to me), so I think I'll accept these and move on.
Got a comment from #Tz_ above that mentioned I should ignore the route for the favicon file. That's essentially what I'll be doing. (kudos #Tz_!)
Came across the following post, (among others). It describes a problem that when the browser requests a "/favicon.ico" file from an ASP.NET MVC site, the MVC stack is mistakingly trying to look for and instantiate a controller. I'm wasn't sure if that was true or not for my situation, but the answer suggested adding the following route entry:
routes.IgnoreRoute("favicon.ico");
I gave it a shot (added the above), and that fixed it!
So, I still don't know why "/favicon.ico" request has a mistaken identity in MVC, but I know how to fix it in my situation. Either:
Host a favicon,
or add an ignore route entry.
Again, both seem like hacks to me, as I think this is something controller factories should be capable of handling gracefully. IMHO
Reason you are getting Session_Start firing each time is because you have <httpCookies requireSSL="true" /> in <system.web> in your Web.Config remove this and you are good to go.
I can't reproduce this problem. I've tested on ASP.NET MVC 3/Tool Update, Win08/R2/SP1 and Win7/SP1 using IIS 7.5, Cassini and IIS Express. I see the 404 favicon request in Fiddler, but the break point is not hit for favicon. I tested with IE9, the current FF and Chrome. Each time I hit the site with a new browser, Session_Start() is called and I see the new session ID. I work for Microsoft so I'd like to know how to reproduce this problem.
This happened to me when I had some <img> in my pages with a wrong "src" attribute. Putting a valid path in "src" solved my problem.
I posted a query for 301-redirect using ASP.NET 3.5 here:
Redirecting default.aspx to root virtual directory
Based on the replies I got there, I realized there might be a bug in ASP.NET's Request.RawUrl method which is unable to return the actual raw url (without /default.aspx) when being used in a sub-directory, i.e. the /default.aspx page is inside a subdirectory.
Can someone please shed some light on this possible bug?
Thanks,
Asif
i found a good explanation here
http://codeasp.net/blogs/vivek_iit/microsoft-net/873/301-redirect-from-default-aspx-to-site-root
Thanks
If you suspect this is a bug, then the place to go is Microsoft Connect, where you can report and discuss the bug directly with Microsoft.
Edit: I was able to reproduce the look per your comments.
I was unable to reproduce the infinite loop, however. I injected code into the Global.asax Application_BeginRequest handler of a web application and got the expected behavior of a single redirect.
There are other, and IMO much better, options for handling global redirect rules. On IIS7, I use the URL Rewrite module to configure rewrite rules in IIS. You can read more about it and download it here: http://www.iis.net/download/urlrewrite. The appeal of a solution such as this is that you can customize and update your rewrite rules without recompiling the application.
Edit: I was able to retrieve the raw URL without the default.aspx (after the redirect) by using instead:
Request.ServerVariables["CACHE_URL"]
It's worth a shot.
Have you looked at the IIS settings for your virtual directory? If there is a default document set to default.aspx then this will explain the infinite loop that you are experiencing. You are telling the website to redirect to the virtual directory without the "default.aspx" and IIS is detecting this on the next request and putting it back in ad infinitum.
Right click your virtual directory, select Properties and then the Documents tab. If default.aspx is in the list then that is what you will get. The Url of the request will be passed to the ASP.NET worker process as /folder/default.aspx rather than /folder/
This is not a bug. If IIS didn't do this, you would get a page not found error.
Sounds to me like you need to investigate URL rewriting: http://msdn.microsoft.com/en-us/library/ms972974.aspx
Platform: IIS 6, ASP.Net 2.0 (.Net 3.5), Server 2003.
I'm building an application that accepts files from a user, processes them, and returns a result. The file is uploaded using HTTP POST to an ASP.Net web form. The application is expecting some large files (hundreds of MB).
I'm using SWFUpload to accomplish the upload with a nice progress bar, but that's not contributing to the issue, because when I bypass it using a standard HTML form pointing at my upload accepter page, I get the exact same error. When using the progress bar, the upload continues to 100%, then fails. With a standard form, the behavior appears to be the same.
I'm having a problem right now uploading a file that's about 150MB. I've changed every settings I can find, but still no luck.
Here's a summary of what I've changed so far:
In Web.config:
Added this inside system.web:
<httpRuntime executionTimeout="3600" maxRequestLength="1536000"/>
In machine.config:
Inside system.web, changed:
<processModel autoConfig="true" />
to:
<processModel autoConfig="true" responseDeadlockInterval="00:30:00" responseRestartDeadlockInterval="00:30:00" />
and in MetaBase.xml:
Changed:
AspMaxRequestEntityAllowed="204800"
to:
AspMaxRequestEntityAllowed="200000000"
When the upload fails, I get a 404 error from IIS. My web form does not begin processing, or at least, it doesn't make it to the Page_Load event. I threw an exception at the beginning of that handler, and it doesn't execute at all on large files.
Everything works fine with smaller files (I've tested up to about 5.5MB). I'm not exactly sure what file size is the limit, but I know that my limit needs to be higher than 150MB, since this is not the largest file that the client will need to upload.
Can anyone help?
Urlscan was active on all websites, and has it's own request entity length limit. I wasn't aware that Urlscan was running on our server because it was a global ISAPI filter, not running on my individual website.
Note: to locate global ISAPI filters, right click on the Web Sites folder in IIS Admin and click Properties, then on the ISAPI Filters tab.
(A note for googlers):
For IIS7 add below to web.config (I added above <system.serviceModel>):
<system.webServer>
<security>
<requestFiltering><requestLimits maxAllowedContentLength="262144000" /></requestFiltering> <!-- maxAllowedContentLength is in bytes. Defaults to 30,000,000 -->
</security>
</system.webServer>
When we ran into this issue we had to increase the buffer size limit according to this KB article:
http://support.microsoft.com/kb/944886/en-us
I know this mentions ASP, but I believe it worked for ASP.NET as well.
Edit: Here is a link that might be more relevant to your issue and provide other options:
http://weblogs.asp.net/jgalloway/archive/2008/01/08/large-file-uploads-in-asp-net.aspx
404 and missing Page_Load: IIS can only process the request once the complete POST is on the server. Therefore, if the POST fails (due to its size), it cannot fire the page's events.
You might try NeatUpload http://www.brettle.com/neatupload.
From the Manual: "By default, NeatUpload does not directly limit the size of uploads."
You can also try Velodoc XP Edition which has several advantages over NeatUpload including the fact that it uses ASP.NET Ajax extensions. See also the Velodoc web site for more information.
You say:
But 1536000 is only 1.5MB?
Why when I access an aspx (e.g., http://www.example.com/foo.aspx - not the real site) through IE6 would I get a 404 Error (i.e., "The page cannot be found") in IIS6
I've got scripts enabled for the website and I've tried with executables enabled as well.
Here is the full error:
The page cannot be found
The page you are looking for might have been removed, had its name changed, or
is temporarily unavailable.
------------------------------------------------------------------------------
Please try the following:
Make sure that the Web site address displayed in the address bar of your
browser is spelled and formatted correctly.
If you reached this page by clicking a link, contact the Web site
administrator to alert them that the link is incorrectly formatted.
Click the Back button to try another link.
HTTP Error 404 - File or directory not found.
Internet Information Services (IIS)
------------------------------------------------------------------------------
Technical Information (for support personnel)
Go to Microsoft Product Support Services and perform a title search for the
words HTTP and 404.
Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for
topics titled Web Site Setup, Common Administrative Tasks, and About Custom
Error Messages.
I can get to Default.htm in the same directory, so I know the path is right. I've opened it up to everyone (temporarily) so I know the permissions are right.
It could be a lot of things. I had this issue today because .NET had not been re-initialized after installing IIS (aspnet_regiis -i -enable or equivalent).
Check that the anonymous user under which the site runs has read access to the file foo.aspx.
IIS6 and later uses a 404 response, thereby not letting an attacker know whether such a file even exists.
I just happened to find another culprit for this issue. My foo.aspx page referenced a particular master page that had a <%# Register %> directive to a user control that did not exist. Removing the reference to the non-existent user control caused my foo.aspx to load instead of 404.
I found a solution here.
The real catch was using this:
Response.TrySkipIisCustomErrors = true;
The site is pointing to a different directory where the page is not.
It could be permissions, however I would think you would get an access error instead.
I'm assuming you are running IIS.
Check that www.example.com is going to the site that you think it is.
If you are hosting multiple sites on the same IP using host headers you may want to double check the name you are using is going to the site you think it is.
Ray and Joe probably have it. In order to serve any file type, IIS has to have a mapping for it. Aspx files require that they be mapped to the AspNet ISAPI dll, which the .Net installation normally takes care of. If you install IIS after .Net (and I'm sure there are other situations), you have to initiate this yourself by running aspnet_regiis.
ALTERNATE SOLUTION (same error perhaps different cause).
I had installed Visual Studio 2008 Pro without SQL Express it, and it caused this same error. Reinstallation of VS2008 with sql express included seemed to have corrected the problem, or perhaps the install took other actions. I did try to register ASP.net numerous times prior but no luck however it is definitely the most probable cause Just posting my experience for those pulling their hair as I was..
Thanks
If you register the .NET 4 version of IIS, you may find it's grabbed the registration of the aspx extension. If ASP.NET v4 is prohibited then 404 will be returned
I had this issue where some customers were reporting the 404.0 and some didn't have the problem at all(same page). I was able to navigate to any of the pages with no problems from my machine. Some customers would refresh and it would go away. I am using .Net 4.5.2 and IIS 7.5.
Looking at the IIS log file I would see:
sc-status sc-substatus sc-win32-status
404 0 2
sc-status.sc-substatus: 404.0 - Not Found
sc-win32-status: 2 - ERROR_FILE_NOT_FOUND
https://msdn.microsoft.com/en-us/library/windows/desktop/ms681382(v=vs.85).aspx
https://en.wikipedia.org/wiki/HTTP_404
I found the problem was I had deployed a new version of the website in which the old version of the website had RouteConfig.cs/FriendlyUrlSetting setup by creating a project using the web forms template. The new version was created using an empty template. So obvious to me now.. no URL routing. Customers had a cache issue with certain pages on their machine(no .aspx extension) and having them clear browser data ultimately fixed the problem.
I got this issue when I tried using a different drive to host my apps. I ended up moving them to the wwwroot folder because it was working there and I did not have to time figure out why it is not working on the E:\ drive.
I had bin\roslyn compiler missing. Adding that all worked fine.
Check for double quote errors. I started getting a 404 on a single page because I accidentally had this:
<asp:TemplateField HeaderText="ImageURL"">
instead of this:
<asp:TemplateField HeaderText="ImageURL">
For an aspx page, error 404 can be quite misleading! I have seen all the answers and they presuppose assuming various issues with the file, page, path, etc. but the simplest issues is the fact that if there is an error in your asp page (i.e bad format, improper usage of control, etc. asp will think the page does not exist and will post a 404 when in all actuality, it is easy to ascertain if there is a bad format by simply clicking on design mode. If the page does not render no need to do anything else but look at what is causing the render error, fix and viola'! Your page shows since it was never missing or can't be found, but it simple did not know how to display! Too often people go looking for the wrong solutions and waste so much time! Hope this helps somone. :-)