MS11-100 Puts the Breaks On Page Output Caching

UPDATE: The SharePoint Foundation 2010 April 2012 has a fix for this issue. Check out for more information.

Back in December Microsoft released a patch they called MS11-100 which addressed a vulnerability in the .Net Framework. In addition to correcting the original issue it introduced a regression which breaks SharePoint’s Page Output Caching. As mentioned in my previous post while SharePoint puts all the constructs in place for Page Output Caching its really ASP.Net which actually stores and manages the Page Output Cache on SharePoint’s behalf. As ASP.Net decides what to cache for SharePoint it looks at the HttpResponse’s Cookies collection and if any new cookies are being set/sent back to the client the page content will not be cached. As a result the next request for the same page which matches the varyby parameters set to SharePoint will result in a cache miss and the page processing again will occur.

After installing MS11-100 you may notice your cache hit rate drop to zero. If you dig a little deeper and run a Fiddler trace you may notice something odd – your SharePoint site will send back the WSS_KeepSessionAuthenticated cookie for each aspx page request even though the client already has the cookie. As you will note in the image below the same cookie is being sent from the client in the Request headers and again sent back in the Response Headers. Whenever the ASP.Net Output Caching modules sees cookies being set it will not cache the page for SharePoint.


After removing MS11-100 you may notice the cookies are no longer sent in the response and your Page Output Caching starts to work again and your Cache Hit ratio starts to climb again.

The obvious fix here is to remove MS11-100 and while that may work for some organizations its likely not going to make your security folks very happy. Another alternative is to use the bit of code below (deploying code found off the Internet is likely not to make your security folks happy either) and compile this into an assembly and add a reference into your “modules” like so:

<add name="FixSPModule" type="SharePointTrends.Fix.SpCookieFixModule, SharePointTrends.Fix" preCondition="integratedMode"/>


The module is really trivial – it basically detects if the WSS Keep Session Authenticated cookie is present in the response and in the request and removes it out of the response. This is why it is important to pay attention to the order in which you add this module into your modules list; ensure you add this entry at the bottom of all other modules, especially below the SharePoint Module.


using System;
using System.Globalization;
using System.Web;

namespace SharePointTreands.Fix
    public class SpCookieFixModule : IHttpModule
        private const string CookieWssKeepSessionAuthenticated = "WSS_KeepSessionAuthenticated";

        public void Init(HttpApplication context)
            context.PostAuthenticateRequest += PostAuthenticateRequestHandler;

        private static void PostAuthenticateRequestHandler(object sender, EventArgs e)
            var context = HttpContext.Current;

            if (context == null)

            var reqCookie = context.Request.Cookies[CookieWssKeepSessionAuthenticated];
            var respCookie = context.Response.Cookies[CookieWssKeepSessionAuthenticated];

            if (respCookie != null && reqCookie != null
                && String.Compare(reqCookie.Value, respCookie.Value, true, CultureInfo.InvariantCulture) == 0)
                //we have already sent this cookie to the client

        public void Dispose()


This regression is being reported to Microsoft today and the module provided here has been tested and confirmed to correct the issue when MS11-100 is installed.

Post to Twitter Post to Facebook Post to LinkedIn Post to Delicious Post to Digg

3 thoughts on “MS11-100 Puts the Breaks On Page Output Caching”

  1. Thank you for posting this information. This post is great. I really enjoy to read and follow this blog. Thank you very much

Comments are closed.