0

The Issue: We have a .aspx aka WebForms page that enables users to download the displayed report as an MS-Excel download. This page is served as part of a web-application as well as inside a browser frame (ieframe) in a Desktop app.

  1. The download works fine over HTTP on all browsers as well as inside the browser frame
  2. When we switch to HTTPS (in the production environment) the download refuses to work

This SO Question details the problem and the cause in detail.

As the solution involved stripping off Cache-control: no-cache and Pragma: no-cache, I wrote an Http module to achieve this.

The Proposed Solution:

The HttpModule is basically doing this using the PreSendRequestHeaders event:

private void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            if (null == _httpApplication)
            {
                return;
            }

            if (_httpApplication.Context != null)
            {
                var response = _httpApplication.Response;
                if (_httpApplication.Request.Url.AbsoluteUri.ToLowerInvariant().Contains("mypage.aspx"))
                {
                    HeadersToCloak.ForEach(header => response.Headers.Remove(header));
                    response.Headers.Add("Cache-Control", "private, max-age=15");
                }
            }
        }

The bone-of-contention: During code-review, I've been told that this would not be a good solution as my custom module would run for all requests and would thus have performance implications. The web.config for the application has runAllManagedModulesForAllRequests="true" under system.webServer node and this is required for other functionality required by the application.

What I have tried:

  1. Tried placing the code to remove and add header on the ASPX page itself inside several events (one-by-one) including RenderComplete but when I examine the response in Fiddler, the troublesome headers are still there (not replaced with intended headers)
  2. I've looked up the preCondition tag as explained HERE but since we run under integrated pipeline mode and have runAllManagedModulesForAllRequests="true", the preCondition would be meaningless

Questions requiring help:

Q1) Given that the module will run for all requests including static files and that I'm doing actual work only if the requested URI is for the page in question, how much of a performance impact does running this module have?

Q2) How can I otherwise remove and set headers only for one page?

Q3) Given the constraints, is it possible to only run this module for managed requests only or for my page only (don't think the latter is possible)?

Community
  • 1
  • 1
Sudhanshu Mishra
  • 6,523
  • 2
  • 59
  • 76

1 Answers1

0

The solution agreed upon is as follows:

1) Move the set of pages for which the functionality to strip-headers is required into their own separate folder under the root application

2) Place a web.config in this folder with the following settings under system.webServer:

  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      <remove name="HeaderStripModule" />
      <add name="HeaderStripModule" type="Com.Reports.HeaderStripModule" />
    </modules>
  </system.webServer>

In the root web.config, placed this setting:

  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      <remove name="HeaderStripModule" />          
    </modules>
  </system.webServer>

After these changes, I verfied through fiddler and found that the module (expectedly) only runs for the pages within the folder (which is set as an application under IIS).

Sudhanshu Mishra
  • 6,523
  • 2
  • 59
  • 76
  • Turns out, this configuration requires your folder to be an application in IIS and that comes with additional issues when trying to load assemblies. A better solution is documented in this SO answer:http://stackoverflow.com/questions/2378586/asp-net-httpmodule-in-directory-level-web-config [See my Comment on the accepted answer] – Sudhanshu Mishra Jan 22 '14 at 10:28