ASP.NET web application returns different content to users from different clients.

 

This is an ASP.NET web site. The problem is that some users see the correct page in IE, while others see the same pages in an incorrect format.

By comparing the traces for both good and bad clients, we found that the problem is related to the length of the user agent. The user agent is information included in the HTTP request header sent to the server. A server application can use it to learn a lot of valuable information, such as which browser the client uses, the version of the browser, the CLR versions installed on the client computer, and customized information. The content of the user agent is stored in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\

For security reasons, ASP.NET limits the length of the user agent to 256 characters. For example, malicious users may conduct a DoS attack by sending requests with a huge user agent. However, as more and more information is added to the user agent, this limit is not hard to reach. When that happens, the user agent may be truncated by ASP.NET, resulting in wrong information. For example, the server application may get the wrong CLR version for the client machine. A customer's application may have problems as well if it depends on customized information in the user agent.

A Known Issue:

There is a known problem in the .NET Framework related to the user agent. When a service pack for the .NET Framework is installed, the new CLR version information is created without removing the old one. For example, 3.5.21022 is .NET 3.5, but 3.5.30729 is .NET 3.5 SP1, so we can safely remove 3.5.21022. Below is a sample for your reference.

Original one:

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729

Equivalent, but with the duplicated .NET CLR versions removed:

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729

For more information about the .NET versions installed on your computer, please refer to the following article:

How to determine which versions of the .NET Framework are installed and whether service packs have been applied

https://msdn.microsoft.com/en-us/kb/kb00318785.aspx

Client Side Solutions:

On the client side, the solution is to remove the duplicated .NET CLR entries from the user agent.

Server Side Solutions:

ASP.NET released a fix that extends the user agent length limit from 256 to 512 characters.

FIX: You may not successfully browse an ASP.NET Web site if the User-Agent string contains more than 256 characters

https://support.microsoft.com/kb/962204
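
The cleanup from the known issue above and the 256 and 512 character limits can be checked against User-Agent strings taken from server logs. The following is an added example, not code from the original post or from ASP.NET; it generalizes the post's single case by assuming the highest build within a major.minor CLR version supersedes the older ones, and the function names and the ExampleAddon tokens are made up for illustration.

```python
import re

LIMIT, LIMIT_AFTER_FIX = 256, 512  # lengths stated in the article
CLR_TOKEN = re.compile(r"^\.NET CLR (\d+(?:\.\d+)+)$")

def clr_version(token):
    """Return the version as an int tuple for a '.NET CLR x.y.z' token, else None."""
    m = CLR_TOKEN.match(token)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def split_ua(ua):
    """Split 'prefix (tok; tok)suffix'; tolerates a missing ')' from truncation."""
    start = ua.find("(")
    if start < 0:
        return ua, [], ""
    end = ua.rfind(")")
    body, suffix = (ua[start + 1:end], ua[end:]) if end > start else (ua[start + 1:], "")
    return ua[:start + 1], [t.strip() for t in body.split(";") if t.strip()], suffix

def dedupe_clr_tokens(ua):
    """Keep only the newest '.NET CLR' token per major.minor, preserving order."""
    prefix, tokens, suffix = split_ua(ua)
    if not tokens:
        return ua
    newest = {}  # (major, minor) -> highest full version seen (assumed to supersede)
    for tok in tokens:
        ver = clr_version(tok)
        if ver and ver > newest.get(ver[:2], ()):
            newest[ver[:2]] = ver
    kept = []
    for tok in tokens:
        ver = clr_version(tok)
        if ver and newest.get(ver[:2]) != ver:
            continue  # superseded build, or an exact repeat already emitted
        if ver:
            del newest[ver[:2]]
        kept.append(tok)
    return prefix + "; ".join(kept) + suffix

def report(ua):
    """Summarize whether a User-Agent exceeds either limit, before and after cleanup."""
    cleaned = dedupe_clr_tokens(ua)
    return {"length": len(ua), "over_256": len(ua) > LIMIT,
            "over_512": len(ua) > LIMIT_AFTER_FIX,
            "cleaned": cleaned, "cleaned_over_256": len(cleaned) > LIMIT}

# Sample from the article, verbatim (it has no closing parenthesis).
PAGE_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; "
           ".NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; "
           ".NET CLR 3.0.4506.2152; .NET CLR 3.5.30729")
# Constructed: the article's sample plus five made-up add-on tokens.
LONG_UA = PAGE_UA + "; " + "; ".join(f"ExampleAddon {i}.0" for i in range(5)) + ")"
```
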

See you next time.

Zhao Wei