Anyone who has experience with ASP.NET knows, the FileUpload control is often a savior and can also be an enemy other times. One of the biggest problems with the FileUpload control is getting it to handle large files which are bigger than the default 4MB.
A recent article from Jon Galloway, a Microsoft ASP.NET MVP, gave a nice overview how developers can take advantage of the FileUpload control to allow uploads of virtually any size.
Allow Larger File Uploads
Jon points out uploading large files via the FileUpload control can be tricky. Developers should understand the default maximum file size of 4MB is done not randomly but intentionally to prevent denial of service attacks:
...in which an attacker submitted one or more huge files which overwhelmed server resources. If a user uploads a file larger than 4MB, they'll get an error message: "Maximum request length exceeded."
Increasing the maximum upload file size is not a difficult task but developers need to know the best approach to overriding the default. The default 4MB limit is set in the machine.config file, but can be overriden in the web applications web.config.
For instance, to expand the upload limit to 20MB, you'd do this:
<system.web>
<httpRuntime executionTimeout="240" maxRequestLength="20480" />
</system.web>
There is always drawbacks or things to look out for when overriding the default setting on many items in the machine.config file. The purpose of having a maximum request size limit, is protecting the weib site. It is best practice to override specific directories in the application, not the entire application. Achieving this is simple with the flexibility of the web.config:
That's possible since the web.config allows for cascading overrides. You can add a web.config file to your folder which just contains the above, or you can use the <location> tag in your main web.config to achieve the same effect:
<location path="Upload">
<system.web>
<httpRuntime executionTimeout="110" maxRequestLength="20000" />
</system.web>
</location>
Changing the maximum file upload size is the starting point for is not a complete solution for allowing large file uploads. An article titled The Dark Side of File Uploads reveals some of the more intricate details of reliably getting large files uploaded with IIS.
It gets really interesting if someone uploads a file that is too large. Regardless of what your
maxRequestLengthsetting mandates, IIS has to guzzle it, and then ASP.NET checks its size against your size limit. At this point it throws an exception.
The article explains:
You can trap the exception, but it's trickier than you'd expect. He talks about overriding Page.OnError and checking for HTTP error code 400 when the error is HttpException, which as he says is less than ideal.
Warning Your Users
One sure way to anger users is by misleading them and having the web application perform an action but not let them know what is going on. The value of the file size upload is stored in the web.config, so putting the warning in the web.config too is a good idea.
The best way to do this is to pull back the httpRuntime section as a HttpRuntimeSection object, which isn't too hard given:
System.Configuration.Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
HttpRuntimeSection section = config.GetSection("system.web/httpRuntime") as HttpRuntimeSection;
double maxFileSize = Math.Round(section.MaxRequestLength / 1024.0, 1);
FileSizeLimit.Text = string.Format("Make sure your file is under {0:0.#} MB.", maxFileSize);
The solution is straight forward and implemented in a few lines of code.
Finding a Better Solution
There are commercial options available which are implemented as an HttpHandler to give users feedback via a progress bar and give developers better control over managing file sizes and possible errors.
Here's a summary from a cursory search:
- FileUploader.NET (MediaChase, $310 and up)
- RadUpload (Telerik, $249)
- NeatUpload (Free, LGPL license)
The article suggests the best solution overall is using a Rich Internet Application (RIA), such as those created with ASP.NET and Silverlight.
In most cases, though, I'd recommend replacing the FileUpload component with a Silverlight or Flash based file upload control. In addition to a better upload experience, these controls generally look better than the the generic button displayed for the <input type="file"> element which is rendered by the FileUpload control. The input / file element doesn't allow for CSS formatting, although smart CSS hackers always seem to find a way around these things.
Although there does not appear to be any commercial upload components utilizing Silverlight, a sample is available showing how to upload multiple files with Silverlight.
There are many ways to solve a problem as trivial as uploading a file, the real challenge is weighing the pros and cons of each approach and the amount of time or money willing to be put into the project. Plan carefully and determine the best approach that matches the need of your project.