Vulnerability in EPiServer.Forms

Try our conversational search powered by Generative AI!

Magnus Rahl
Nov 18, 2010
(1 votes)

Today’s gotcha: Beware of Response.End()

For various reasons related to a SSO scenario I have a custom handler which the client calls when loading a page. The handler was basically three lines of code. This post is about the third line. Which is no longer in there.

Page loading time: 115 seconds

So the client hits my handler and receives a redirect script after which it nicely requests the page redirected to. Then it yawns for almost two minutes before the page loads. Subsequent requests are nice and quick. What is going on?

The application and page lifecycle

Something every ASP.NET developer should know is the Page lifecycle. But it is also useful to know something about the Application lifecycle.

I could quickly determine that the delay didn’t occur in the Page handler because not even Page_PreInit got hit until just before the request returned. Digging into the application events i started making handlers for nearly every one in my Global.asax.cs file. A lot of breakpoints later it was clear where the application stopped.

Session state locks

The application passed Application_PostMapRequestHandler but was then delayed before entering Application_AcquireRequestState. Then it dawned on me: The session state was locked! ASP.NET locks the session state, basically blocking parallell requests in the same session to prevent race conditions between a client’s requests. A request was apparently not releasing this lock.

The culprit

For some reason I had put a call to the HttpResponse.End() method in my custom handler. I never did it before, I just wanted this handler to return its short script line as quickly as possible. Somewhere I had probably seen the use of Response.End() and just threw it in there. Big mistake. Apparently this prevents the application from releasing the lock on the session state.

Nov 18, 2010


Please login to comment.
Latest blogs
Join the Work Smarter Webinar: Working with the Power of Configured Commerce (B2B) Customer Segmentation December 7th

Join this webinar and learn about customer segmentation – how to best utilize it, how to use personalization to differentiate segmentation and how...

Karen McDougall | Dec 1, 2023

Getting Started with Optimizely SaaS Core and Next.js Integration: Creating Content Pages

The blog post discusses the creation of additional page types with Next.js and Optimizely SaaS Core. It provides a step-by-step guide on how to...

Francisco Quintanilla | Dec 1, 2023 | Syndicated blog

Stop Managing Humans in Your CMS

Too many times, a content management system becomes a people management system. Meaning, an organization uses the CMS to manage all the information...

Deane Barker | Nov 30, 2023

A day in the life of an Optimizely Developer - Optimizely CMS 12: The advantages and considerations when exploring an upgrade

GRAHAM CARR - LEAD .NET DEVELOPER, 28 Nov 2023 In 2022, Optimizely released CMS 12 as part of its ongoing evolution of the platform to help provide...

Graham Carr | Nov 28, 2023