5

History:
Due to security considerations, our organization wants to disable caching by adding HTTP Headers to IIS.

Expires: -1
Pragma: no-cache
Cache Control: No-cache, No-store

Adding these headers cause MIME "application/vnd.ms-excel" response types to fail over SSL in IE6. Microsoft ackowledges this is as a bug (http://support.microsoft.com/kb/323308) and their solution also works. However, this solution has to pushed as a patch throughout the entire organization and that faces resistance from higher management.

Problem:
Meanwhile, we are trying to find alternatives by overriding IIS set HTTP headers for pages that have MIME type "application/vnd.ms-excel" using HTTPModules on PreSendRequestHeaders() function 

//this is just a sample code
public void Init(HttpApplication context)
        {
            context.PreSendRequestHeaders += new EventHandler(context_PreSendRequestHeaders);

        }
protected void context_PreSendRequestHeaders(object sender, EventArgs e) 
        {
            HttpApplication application = (HttpApplication)sender;
            if(application.Response.ContentType == "application/vnd.ms-excel; name=DataExport.xls")
            {
                application.Response.ClearHeaders();
                application.Response.ContentType = "application/vnd.ms-excel; name=DataExport.xls";
                application.Response.AddHeader("Content-Transfer", "Encoding: base64");
                application.Response.AddHeader("Content-Disposition", "attachment;filename=DataExport.xls");
                application.Response.AddHeader("cache-control","private");
            }
        }

Even after clearing headers using ClearHeaders(), IIS still appends Cache Headers before sending the response.

Questions:
Is this approach of using ClearHeaders() in PreSendRequestHeaders() function wrong? Are they any alternatives to override cache headers(Expires,Pragma,cache-control) using libraries available in ASP.NET 1.1?

Misc:
We are using
Browser : IE6 SP 3
Server : IIS 6
Platform : .NET 1.1

Antony Thomas
  • 3,576
  • 2
  • 34
  • 40

2 Answers2

2

This becomes easier with IIS 7.5+ using using the URL Rewrite extention and adding an outbound rule to strip off the "no-store" value in the Cache-Control header, and the Pragma header. This rule set would do the trick:

<outboundRules>
    <rule name="Always Remove Pragma Header">
        <match serverVariable="RESPONSE_Pragma" pattern="(.*)" />
        <action type="Rewrite" value="" />
    </rule>
    <rule name="Remove No-Store for Attachments">
        <conditions>
            <add input="{RESPONSE_Content-Disposition}" pattern="attachment" />
        </conditions>
        <match serverVariable="RESPONSE_Cache-Control" pattern="no-store" />
        <action type="Rewrite" value="max-age=0" />
    </rule>
</outboundRules>
Geoffrey McGrath
  • 1,663
  • 1
  • 14
  • 35
1

Please see:

Cache-control: no-store, must-revalidate not sent to client browser in IIS7 + ASP.NET MVC

You must use the following sequence of calls inside your PreSendRequestHeaders handler to correctly set the no-cache headers, otherwise the Cache-Control header gets overwritten later:

Response.Cache.SetCacheability(HttpCacheability.NoCache); Response.Cache.AppendCacheExtension("no-store, must-revalidate"); Response.AppendHeader("Pragma", "no-cache"); Response.AppendHeader("Expires", "0");

Community
  • 1
  • 1
Ashar
  • 176
  • 1
  • 7