Large file uploads in ASP.NET

Large file uploads in ASP.NET

Uploading files via the FileUpload control gets tricky with big files. The default maximum filesize is 4MB – this is done to prevent denial of service attacks in which an attacker submitted one or more huge files which overwhelmed server resources. If a user uploads a file larger than 4MB, they’ll get an error message: “Maximum request length exceeded.”

Increasing the Maximum Upload Size

The 4MB default is set in machine.config, but you can override it in you web.config. For instance, to expand the upload limit to 20MB, you’d do this:

<system.web>
<httpRuntime executionTimeout="240" maxRequestLength="20480" />
</system.web>

Since the maximum request size limit is there to protect your site, it’s best to expand the file-size limit for specific directories rather than your entire application. That’s possible since the web.config allows for cascading overrides. You can add a web.config file to your folder which just contains the above, or you can use the tag in your main web.config to achieve the same effect:

<location path="Upload">
<system.web>
<httpRuntime executionTimeout="110" maxRequestLength="20000" />
</system.web>
</location>

What Happens When I Upload A File That’s Too Big?

While expanding the upload restriction is a start, it’s not a full solution for large file uploads. Milan explains one of the biggest problems with large file uploads in

The Dark Side Of File Uploads:

It gets really interesting if someone uploads a file that is too large. Regardless of what your maxRequestLength setting mandates, IIS has to guzzle it, and then ASP.NET checks its size against your size limit. At this point it throws an exception.

As Milan explains,

you can trap the exception, but it’s trickier than you’d expect. He talks about overriding Page.OnError and checking for HTTP error code 400 when the error is HttpException, which as he says is less than ideal.

At Least Give Me A Warning

If we’ve got a set limit on file upload sizes, we should at least tell our users what it is. Since this is a configurable value which we may change later, the best is to make our file size warning read directly from web.config setting. The best way to do this is to pull back the httpRuntime section as a HttpRuntimeSection object, which isn’t too hard given:

System.Configuration.Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
HttpRuntimeSection section = config.GetSection("system.web/httpRuntime") as HttpRuntimeSection;
double maxFileSize = Math.Round(section.MaxRequestLength / 1024.0, 1);
FileSizeLimit.Text = string.Format("Make sure your file is under {0:0.#} MB.", maxFileSize);