Server cannot set status after HTTP headers have been sent IIS7.5
I had the same issue with setting StatusCode
and then Response.End
in HandleUnauthorizedRequest
method of AuthorizeAttribute
var ctx = filterContext.HttpContext;
ctx.Response.StatusCode = (int)HttpStatusCode.Forbidden;
ctx.Response.End();
If you are using .NET 4.5+, add this line before Response.StatusCode
filterContext.HttpContext.Response.SuppressFormsAuthenticationRedirect = true;
If you are using .NET 4.0, try SuppressFormsAuthenticationRedirectModule.
I'll broadly agree with Vagrant on the cause:
- your action was executing, writing markup to response stream
- the stream was unbuffered forcing the response headers to get written before the markup writing could begin.
- Your view encountered a runtime error
- Exception handler kicks in trying to set the status code to something else non-200
- Fails because the headers have already been sent.
Where I disagree with Vagrant is the "cause no errors in binding" remedy - you could still encounter runtime errors in View binding e.g. null reference exceptions.
A better solution for this is to ensure that Response.BufferOutput = true;
before any bytes are sent to the Response stream. e.g. in your controller action or On_Begin_Request in application. This enables server transfers, cookies/headers to be set etc. right the way up to naturally ending response, or calling end/flush.
Of course also check that buffer isn't being flushed/set to false further down in the stack too.
MSDN Reference: HttpResponse.BufferOutput
The HTTP server doesn't send the response header back to the client until you either specify an error or else you start sending data. If you start sending data back to the client, then the server has to send the response head (which contains the status code) first. Once the header has been sent, you can no longer put a status code in the header, obviously.
Here's the usual problem. You start up the page, and send some initial tags (i.e. <head>
). The server then sends those tags to the client, after first sending the HTTP response header with an assumed SUCCESS status. Now you start working on the meat of the page and discover a problem. You can not send an error at this point because the response header, which would contain the error status, has already been sent.
The solution is this: Before you generate any content at all, check if there are going to be any errors. Only then, when you have assured that there will be no problems, can you then start sending content, like the tag.
In your case, it seems like you have a login page that processes a POST request from a form. You probably throw out some initial HTML, then check if the username and password are valid. Instead, you should authenticate the user/password first, before you generate any HTML at all.
Just to add to the responses above. I had this same issue when i first started using ASP.Net MVC and i was doing a Response.Redirect during a controller action:
Response.Redirect("/blah", true);
Instead of returning a Response.Redirect
action i should have been returning a RedirectAction
:
return Redirect("/blah");