Adding multiple Set-Cookie Headers in ASP.NET Web

I faced a problem.
When you add multiple Set-Cookie headers to the response
headers.Add("Set-Cookie", "a=b;Path=/;");
headers.Add("Set-Cookie", "c=d;Path=/;");
they are actually combined and only one header is sent, with comma-separated cookies:
Set-Cookie: a=b;Path=/;,c=d;Path=/;
According to RFC2109 it is a valid syntax.
But it is not according to RFC6265, which deprecates RFC2109.
Moreover, the latest browsers do not support this comma-separated syntax either. Tested on IE9, Firefox 13 and Google Chrome 20.
All of these browsers took first cookie only.
Please see the sample project below:
https://github.com/mnaoumov/cookie-bug/
I want to find some workaround.
I expect to have two different Set-Cookie headers.
I tried to write a MessageInspector to rewrite HTTP headers, but I could not find how to access those headers.
Any ideas?
P.S. Used technology: Web API

According to the answer on CodePlex (http://aspnetwebstack.codeplex.com/workitem/288) this is a known issue related to WCF self-hosting and should be fixed by moving to IIS hosting.
This is a WCF 4 issue which is marked as "won't fix".
Found another question with the same outcome: WCF 4.0 Cookie Only First is Recorded by Browser.

You can use the HttpContext.Current.Response.SetCookie approach:
using System.Web;
// Each HttpCookie added to Response.Cookies is written out as its own Set-Cookie header.
HttpCookie foo = new HttpCookie("foo", "true");
HttpContext.Current.Response.Cookies.Add(foo);
HttpCookie bar = new HttpCookie("bar", "true");
HttpContext.Current.Response.Cookies.Add(bar);
This will add multiple Set-Cookie headers to the response.
Edit: also, you should add
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true"/>
in your web.config.
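Why the folded header loses the second cookie, as an added example that is not part of the question or the answers above: a Python model of the RFC 6265 section 5.2 set-cookie-string algorithm that a browser applies to each Set-Cookie header, plus a check a server-side test can run over captured response headers. The header lists at the bottom are constructed to mirror the WCF self-host output described in the question.

```python
# Added example, not code from the original question or answers: models how a
# user agent parses one Set-Cookie header (RFC 6265 section 5.2) and shows why
# "a=b;Path=/;,c=d;Path=/;" yields a single cookie. Header lists are constructed.

KNOWN_ATTRS = {"expires", "max-age", "domain", "path", "secure", "httponly"}

def parse_set_cookie(value):
    """Return (name, value, attrs) for one Set-Cookie header, or None if ignored."""
    name_value, _, rest = value.partition(";")
    if "=" not in name_value:
        return None                      # RFC 6265 5.2: no '=' -> ignore whole string
    name, _, val = name_value.partition("=")
    name, val = name.strip(), val.strip()
    if not name:
        return None                      # empty cookie-name -> ignore
    attrs = {}
    for av in rest.split(";"):
        attr_name, _, attr_value = av.strip().partition("=")
        attr_name = attr_name.strip().lower()
        # Unknown attributes are silently dropped: ",c=d" is unknown, so the
        # second cookie of a comma-folded header never reaches the cookie store.
        if attr_name in KNOWN_ATTRS:
            attrs[attr_name] = attr_value.strip()
    return name, val, attrs

def stored_cookies(headers):
    """Cookies a user agent keeps from a list of (header-name, header-value) pairs."""
    jar = {}
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            parsed = parse_set_cookie(hvalue)
            if parsed:
                jar[parsed[0]] = parsed[1]
    return jar

def folded_set_cookie(headers):
    """Check: a comma anywhere except inside an Expires date means cookies were folded."""
    bad = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        for piece in hvalue.split(";"):
            if "," in piece and not piece.strip().lower().startswith("expires="):
                bad.append(hvalue)
                break
    return bad

# Constructed responses: the folded WCF self-host output vs. one header per cookie.
FOLDED = [("Set-Cookie", "a=b;Path=/;,c=d;Path=/;")]
SEPARATE = [("Set-Cookie", "a=b;Path=/;"), ("Set-Cookie", "c=d;Path=/;")]

if __name__ == "__main__":
    print(stored_cookies(FOLDED), stored_cookies(SEPARATE), folded_set_cookie(FOLDED))
```

The Expires exclusion in the check matters because a valid Expires date ("Wed, 21 Oct 2015 07:28:00 GMT") legitimately contains a comma.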

Related

How to remove X-Powered-By: ARR/3.0 from IIS Web Farm?

I am asked to remove all powered-by response headers from an IIS/ARR hosted website. As always I followed the instructions from this article. I applied the required registry configuration; this is the only option that worked for me before. The other options do not seem to be a solution for me because the second option is deprecated and the third option does not completely remove the header. I used this solution (using the registry key) successfully in the past on other IIS-based websites, but now it is not working in this case. Any idea about how I can debug the problem, or another potential solution, is highly appreciated.
You can find two "X-Powered-By" headers if you use ARR.
One is X-Powered-By: ASP.NET. To disable this, remove it from the Response Headers module on both the ARR server and the back-end server, at server level and website level.
The second is X-Powered-By: ARR/3.0. To disable this, open the arr_schema.xml file on the ARR server:
C:\Windows\System32\inetsrv\Config\Schema\arr_schema.xml
Find the attribute arrResponseHeader and change its defaultValue to false.
Save the file and restart the server; all "X-Powered-By" headers disappear.
This is the test result:

Modify Response Header with Chrome - nosniff

I am trying to add the attribute X-Content-Type-Options: nosniff to my HTTP response.
But I can't add this attribute, only modify it if it already exists (www.google.de for example).
I used Chrome and tried several plugins like HeadersModify, ModHeader or Requestly: Redirect Url, Modify Headers.
Sven
Most probably, you are seeing a Chrome developer tools bug/limitation:
any modification of response headers is not visible in Chrome developer tools.
In Requestly, you can set up a header rule like this:
In Requestly, you can also apply this rule to selected requests. I have left the field empty, which applies the rule to all requests. Please modify it according to your use case.
Feel free to reach out to requestly.extension#gmail.com for any issues.

Why is the Server header not getting removed from the response on a 500 error?

I recently scanned my application for vulnerabilities and got minor fixes, but for one of them I tried hard and still am not able to fix it. For some operations my site throws a 500 error, and when I check the headers of that error, it has a Server header naming IIS 7.5. I have already used a URL rewrite rule, the registry fix and the URLScan thing, but nothing seems to be working. How to fix that?
If you mean the Server HTTP header, which will probably be set to something along the lines of Microsoft-IIS/7.5, then the easiest way is to overwrite it with a blank or custom value in IIS. You can remove it completely by creating your own HTTP module. The following link discusses the manifold methods you can try:
http://www.dionach.com/blog/easily-remove-unwanted-http-headers-in-iis-70-to-85

Vary header when content is not gzipped on IIS 7 as origin for CDN

I'm trying to set up my IIS server as an origin server for a CDN. I have solved some issues already, for example that IIS doesn't give gzipped content to proxies (if they send the Via header) and also the frequentHitThreshold problem.
My CDN supplier pointed out that another problem with IIS is that it doesn't return a "Vary" header if the client doesn't request the content gzipped. According to them the problem is that if, for some reason, the first client that requests the content doesn't want it gzipped, the CDN then doesn't request a new version of the file, since the Vary header doesn't indicate that it should return two different files depending on "Accept-Encoding".
My only solution so far is to add "Vary: Accept-Encoding" as a custom header, but since IIS automatically adds this Vary header when gzipped content is requested, I end up with multiple values like "Vary: Accept-Encoding, Accept-Encoding".
Does anyone have a solution to this? Or can anyone confirm that it's a real issue?
This is a real issue. The IIS gzip module overwrites existing Vary headers. Please vote on this MS Connect issue. Related article here.
This issue is now addressed by an official patch to IIS. To download it and for further info, visit http://support.microsoft.com/kb/2877816
Erez Benari, IIS PM

What do I need to do to make Excel access a Web Query via HTTPS?

I'm trying to implement a page that allows Excel users to use the data it provides via the Web Query feature provided by Excel.
It's all working out pretty nicely, as long as I use HTTP (even BASIC user authentication works).
As soon as I switch that over to HTTPS, Excel won't download the data anymore (it's even a fully official SSL certificate, so it's not a problem with a self-signed one).
This Microsoft knowledge base article pretty much describes the problem.
Now the part that makes me wonder is this:
This issue occurs when Excel cannot initiate a connection because of the settings on the secure Web server.
This seems to imply that there is some way to get this working, but there's not even a hint at the direction I need to look at.
Should the "because of the settings on the secure Web server" be taken at face value, or is it just a Microsoft way of saying "this won't work unless you buy the right software from us"?
It seems I've found the problem:
MS Excel seems to be unable to use the data on the page if the HTTP headers of the page specify that it should not be cached and it is transferred via HTTPS (the same headers sent via HTTP seem to get ignored).
So by not sending these headers, Excel was suddenly able to access the data:
Pragma: no-cache
Cache-Control: no-cache
Joachim's answer solved the problem for me. The server-side web framework (PHP5 / Expression Engine 1.6.7) was sending a Pragma: no-cache on every request (even though my web-query results page set Pragma: public, I guess the framework overrode it). Once I removed it, everything started working.
IE and Office behavior for Pragma: no-cache is similar to that described in MS KB Article: Internet Explorer is unable to open Office documents from an SSL Web site
See also this caching tutorial's warning: Pragma no-cache Deprecated. With this in mind I set Expression Engine's Output and Debugging > Generate HTTP Page Headers? option to No. (Other frameworks have similar config options.) But some of the other automatically sent headers were needed for successfully caching the rest of the site, so I opted for commenting out the Pragma: no-cache lines in the framework source code.
If you do not have the option of modifying the HTTP headers sent by your web server / framework, the only MS-Office-client-side-only option will be to use VBA macros to automate an Internet Explorer component to get around Office's caching behavior. See Different Ways of Using Web Queries in Microsoft Office Excel 2003 as a starting point.