Http.sys
When an HTTP request is first received by Windows Server 2003, the initial handling is actually performed by the kernel-mode HTTP driver: http.sys. The kernel-mode driver has several Registry switches that control the amount of information allowed in a request URL. By default the combined size of the request URL and associated headers (any query string information on the URL, and individual headers sent along with the request, such as cookie headers) must not exceed 16KB.
Furthermore, no individual header may exceed 16KB. So, for example, a user agent could not attempt to send a cookie that is larger than 16KB (although for other reasons, a 16KB cookie would be rejected by ASP.NET anyway). Under normal circumstances the restrictions on headers and on the total combined size of the request URL and headers are not a problem for ASP.NET applications. However, if your application depends on placing large amounts of information in the URL (perhaps for HTTP-based .asmx Web Services), then the length limit enforced by http.sys may come into play.
Any application that depends on excessively long request URLs or request headers should, if at all possible, have its logic changed to transmit the information through other mechanisms. For a Web Service, this means using Simple Object Access Protocol (SOAP) headers to encapsulate additional request data. For a website, information needs to be sent using a POST verb, rather than a GET verb.
The kernel-mode driver restricts the number of path segments in a URL and the maximum length for any individual path segment. Examine the following URL:
http://yoursite/application1/subdirectory2/resource.aspx
The values application1, subdirectory2, and resource.aspx represent individual path segments. By default, http.sys disallows URLs that have more than 255 path segments and URLs where the length of any single path segment exceeds 260 characters. These constraints are actually pretty generous, because in practice developers normally do not need a large number of path segments, even for applications with a fair amount of directory nesting. The requested page in the previous example, resource.aspx, is considered a path segment and is subject to the same length restrictions as any portion of the URL. However, if there were query string variables after resource.aspx, the length of the query string variables would apply only against the overall 16KB size restriction on the combined size of URL plus headers. As a result, you can have query string variables with values that are greater than 260 characters in length.
One reason for these size limits is that a number of attacks against web servers involve encoding the URL with different character representations. For example, an attacker may attempt to bypass directory traversal restrictions by encoding periods like this:
http://yoursite/somevirtualdirectory/%2E%2E/%2E%2E/%2E%2E/boot.ini
As you can see, encoding characters bloats the size of the URL, so it is reasonable to assume that excessively long URLs are likely due to attack attempts.
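The default limits described above, applied as a pre-flight check on a request. This is an added example, not code from the original text; check_request and the constant names are hypothetical, and the byte counts only approximate the driver's own accounting.

```python
from urllib.parse import urlsplit, unquote

# Defaults as stated in the text above.
MAX_REQUEST_BYTES = 16 * 1024   # request URL plus all headers combined
MAX_HEADER_BYTES = 16 * 1024    # any single header
MAX_SEGMENTS = 255              # path segments per URL
MAX_SEGMENT_CHARS = 260         # characters in one path segment

def check_request(url, headers):
    """Return the reasons a request would exceed the stated defaults.

    Assumption: sizes are the encoded length of path-plus-query and of
    each "Name: value" header line; the driver may count differently.
    """
    problems = []
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) > MAX_SEGMENTS:
        problems.append(f"{len(segments)} path segments (limit {MAX_SEGMENTS})")
    for seg in segments:
        # Measured as sent, so each %2E costs three characters.
        if len(seg) > MAX_SEGMENT_CHARS:
            problems.append(f"segment of {len(seg)} chars (limit {MAX_SEGMENT_CHARS})")
        # Encoded dot-dot segments are worth flagging even when short.
        if "%" in seg and unquote(seg) == "..":
            problems.append(f"encoded parent-directory segment {seg!r}")
    # The query string counts only toward the combined total.
    target = parts.path + ("?" + parts.query if parts.query else "")
    total = len(target.encode("utf-8"))
    for name, value in headers.items():
        size = len(f"{name}: {value}".encode("utf-8"))
        if size > MAX_HEADER_BYTES:
            problems.append(f"header {name} is {size} bytes (limit {MAX_HEADER_BYTES})")
        total += size
    if total > MAX_REQUEST_BYTES:
        problems.append(f"URL plus headers is {total} bytes (limit {MAX_REQUEST_BYTES})")
    return problems

if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("http://yoursite/application1/resource.aspx?q=" + "v" * 300, {}),
        ("http://yoursite/" + "1234567890" * 27 + "/foo.htm", {}),
        ("http://yoursite/somevirtualdirectory/%2E%2E/%2E%2E/%2E%2E/boot.ini", {}),
        ("http://yoursite/resource.aspx", {"Cookie": "c=" + "x" * 17000}),
    ]
    for url, hdrs in samples:
        print(url[:60], "->", check_request(url, hdrs) or "within defaults")
```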
To give you a concrete example of http.sys blocking a URL, consider a request of the following form:
http://localhost/123456789012345678901234567890etc.../foo.htm
Initial Phases of a Web Request