If your web site allows users to upload files (such as images or documents), there’s a good chance that one of your users is eventually going to try uploading a file larger than four megabytes. When they do, ASP.NET throws an error.
Key Technologies and Concepts |
Uploading Files to a Web Server |
The text of the error message you get can vary depending upon what version of IIS and the .NET Framework you are running. For example, I got "The connection to the server was reset while the page was loading" when I exceeded the request limit while running in Visual Studio against the ASP.NET Development Server or IIS 5.0. Outside of Visual Studio, you might also see something like "The page cannot be displayed. Cannot find server or DNS error." If you are really lucky, you’ll see a message that actually makes sense and says that the request exceeds the maximum request length (I don’t have the exact text for that one).
Setting the Maximum Request Length
The problem is that the file your user is trying to upload becomes part of the HTTP request to the server, and the resulting length of that request exceeds the maximum your site is configured to allow. By default, the maximum request length is four megabytes.
Why have a maximum at all? Well, two reasons, actually: to prevent one type of Denial of Service attack, and to conserve server memory.
Allowing very large file uploads makes it easier for a hacker to post multiple massive uploads, bogging down your web server in the process, which is a form of Denial of Service.
The other issue is one of server memory. When you upload a file to the Web server through the FileUpload control, the entire file must be loaded into memory before it is handed over to the application. Partly for this reason, Microsoft recommends that you keep the maximum request length down at 10 to 20 MB. If you allow too large a file, you can actually cause the ASP.NET worker process to recycle, which kills the request with a memory error. You can get around the recycle problem to some degree by tweaking the memoryLimit attribute of the processModel element in machine.config, but regardless of the tweaking you do to the ASP.NET configuration, the absolute maximum file size you can upload is something less than 1 GB.
Okay, so how do you increase the maximum allowed request length?
The key is to set the maxRequestLength property of the httpRuntime element in the system.web configuration section. The value is expressed in KB, so the example below shows a setting of ten megabytes:
<configuration> <system.web> <httpRuntime maxRequestLength="10240"/> </system.web> </configuration>
Configuring the Machine, Site, or Page
Like many ASP.NET configuration settings, you can set maxRequestLength in the machine.config, Web.config, or even at the page level using a location element.
I would recommend that you avoid setting maxRequestLength in the machine.config for a couple of reasons. For one thing, overriding the default configuration for all of the sites on the server is rarely necessary or advisable. For another, if you do exceed the request length based on a machine.config override, ASP.NET cannot redirect the error to a custom error page.
In most cases, you should set maxRequestLength at the site or page level. To set it at the site level, just insert the httpRuntime element into your site’s Web.config at the appropriate location as shown above.
To set maxRequestLength at the page level, use a location element as shown below:
<configuration> <location path="UploadPage.aspx"> <system.web> <httpRuntime maxRequestLength="10240"/> </system.web> </location> </configuration>
Performance Considerations
When you increase the max request length for your Web application, you reduce its scalability. How much that affects you depends upon the server resources available to your application and the number of concurrent users you have. Just keep in mind that larger requests mean you use more server memory per session and those larger files will consume more disk space. If you plan to be the next MySpace or Facebook, you’ll need some serious server power.
As an example, I had to override the max request length for one application that allowed users to upload photos. With today’s inexpensive and high-resolution digital cameras, users upload some pretty big files. There was no way to avoid the memory hit, since the whole file has to be uploaded before the application can access it, but I was able to save a lot of disk space by [link]resizing the photos on-the-fly[/link] before storing them on the server.
Conclusion
If your application needs to support large file uploads, you can override the default maximum request length for a specific page or the entire site using the maxRequestLength configuration property. Try to keep it below 20MB (a value of "20480") to avoid potential server memory problems.