Datasheet

The character length and byte size restrictions enforced by http.sys can be modified by adding DWORD
values underneath the following Registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
The specific Registry settings that govern the behavior just discussed are listed in the following table.
Also, a server reboot is required after you change any of the following settings.
| Registry Setting Value Name | Description |
|---|---|
| MaxFieldLength | By default, an individual header can be up to 16KB in size. Change this setting to limit the size of any individual HTTP header. A request URL, including query string information, is also restricted in size by this setting. The allowed range of values is 64–65534 bytes. |
| MaxRequestBytes | By default, the combined size of the request URL, including query string, plus its associated HTTP headers cannot exceed 16KB. The allowed range of values is 256–16777216 bytes. |
| UrlSegmentMaxCount | By default, no more than 255 path segments are allowed in a URL. The allowed range of values is 0–16383 segments. |
| UrlSegmentMaxLength | By default, an individual path segment cannot be longer than 260 characters. The slashes that delimit each path segment are not included when computing a path segment’s character length. The allowed range of values is 0–32766 characters. |
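The following is an added example, not code from the book or from http.sys: a simplified Python model of the four limits that reports which setting a request would exceed, useful for reasoning about a proposed change before editing the Registry. The function names, the byte-counting rule for headers, and the handling of a value of 0 are assumptions of this sketch.

```python
# Simplified model of the four http.sys limits (added example, not http.sys code).
# name: (default, min, max), from the table above; 16KB is taken as 16384 bytes.
LIMITS = {
    "MaxFieldLength": (16384, 64, 65534),
    "MaxRequestBytes": (16384, 256, 16777216),
    "UrlSegmentMaxCount": (255, 0, 16383),
    "UrlSegmentMaxLength": (260, 0, 32766),
}


def effective_limits(overrides):
    """Merge registry-style DWORD overrides with defaults; reject bad names/ranges."""
    unknown = set(overrides) - set(LIMITS)
    if unknown:
        raise ValueError(f"unknown value name(s): {sorted(unknown)}")
    limits = {}
    for name, (default, low, high) in LIMITS.items():
        value = overrides.get(name, default)
        if not low <= value <= high:
            raise ValueError(f"{name}={value} is outside {low}-{high}")
        limits[name] = value
    return limits


def violations(url, headers, overrides=None):
    """Return the names of the limits a request exceeds; [] means it passes."""
    lim = effective_limits(overrides or {})
    hit = []
    # Path segments are the pieces between slashes; the slashes are not counted.
    segments = [s for s in url.split("?", 1)[0].split("/") if s]
    # Assumption: 0 is treated as "not enforced"; the table does not define it.
    if lim["UrlSegmentMaxCount"] and len(segments) > lim["UrlSegmentMaxCount"]:
        hit.append("UrlSegmentMaxCount")
    longest = max((len(s) for s in segments), default=0)
    if lim["UrlSegmentMaxLength"] and longest > lim["UrlSegmentMaxLength"]:
        hit.append("UrlSegmentMaxLength")
    # MaxFieldLength covers the URL (with query string) and each header.
    # Assumption: a header is measured as the bytes of "Name: value".
    fields = [url.encode()] + [f"{k}: {v}".encode() for k, v in headers.items()]
    if max(len(f) for f in fields) > lim["MaxFieldLength"]:
        hit.append("MaxFieldLength")
    if sum(len(f) for f in fields) > lim["MaxRequestBytes"]:
        hit.append("MaxRequestBytes")
    return hit


if __name__ == "__main__":
    # Constructed sample request: one 300-character path segment.
    print(violations("/app/" + "a" * 300, {"Host": "example.test"}))
```

Note that two headers can each stay under MaxFieldLength and still trip MaxRequestBytes together, which is why the two settings are usually reviewed as a pair.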
In earlier versions of IIS, the URLScan security tool (available by searching microsoft.com/technet) provides similar protections for restricting URLs. Most of the security functionality of URLScan was incorporated into http.sys and IIS6. There are a few small features that are only available with URLScan though, the most interesting one being URLScan’s ability to remove the server identification header that IIS sends back in HTTP responses.
aspnet_filter.dll
After http.sys is satisfied that the request is potentially valid, it passes the request to the appropriate worker process. In IIS6 multiple application pools can be running simultaneously, with each application essentially acting as a self-contained world running inside of an executable (w3wp.exe). Within each worker process, IIS carries out a number of processing steps based on the ISAPI extensibility mechanism. Even though ASP.NET is a managed code execution environment, it still depends on the ISAPI mechanism for some initial processing.
When ASP.NET is installed on a web server, it registers an ISAPI filter with IIS. This filter (aspnet_filter.dll) is responsible for two primary tasks:
❑ Managing cookieless tickets by converting them into HTTP headers
❑ Preventing access over the Web to protected ASP.NET directories
Initial Phases of a Web Request