Scott Forsyth's Blog

Postings on IIS, ASP.NET, SQL Server, Webfarms and general system admin.

Viewing all Server Variables for a Site

I often do development, testing or troubleshooting where I want to see all server variables available to a site.  For example, when using a reverse proxy for load balancing, SERVER_ADDR, HTTP_HOST and other variables can change.

Whenever I run into that situation, I write out a simple script that displays all server variables.  I thought I would share it here.

Create a file on your server called serversvariables.aspx, test.aspx or whatever you want to call it.  Place the following in it:

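<%
' Read from Request.ServerVariables directly: Request(var) also searches the
' query string, form and cookies, so a same-named parameter could replace the value.
For Each var As String In Request.ServerVariables
    ' HTML-encode the output; values such as HTTP_USER_AGENT come from the client.
    Response.Write(Server.HtmlEncode(var & " " & Request.ServerVariables(var)) & "<br>")
Next
%>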

Or if you prefer C#, use the following:

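<%@ Page Language="C#" %>
<%
// Request.ServerVariables[var] rather than Request[var], which also searches
// the query string, form and cookies for the same name.
foreach (string var in Request.ServerVariables)
{
    // HTML-encode the output; values such as HTTP_USER_AGENT come from the client.
    Response.Write(Server.HtmlEncode(var + " " + Request.ServerVariables[var]) + "<br>");
}
%>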

Then simply call the page from a web browser and it will list all server variables. 

The top two variables are worth noting.  They are ALL_HTTP and ALL_RAW, which contain all server variables and so repeat what the specific server variables show.  Since they contain everything, they can clutter up the page.  You can wrap the Response.Write line in an ‘if’ condition to exclude ALL_HTTP and ALL_RAW if you want, but for a quick testing page I don’t bother, and it gives me every server variable.

The output will look something like this:

{ALL_HTTP and ALL_RAW have been removed from this example.}
APPL_MD_PATH: /LM/W3SVC/2/ROOT
APPL_PHYSICAL_PATH: C:\domains\example.com\
AUTH_TYPE: Forms
AUTH_USER: Scott
AUTH_PASSWORD:
LOGON_USER: Scott
REMOTE_USER: Scott
CERT_COOKIE:
CERT_FLAGS:
CERT_ISSUER:
CERT_KEYSIZE:
CERT_SECRETKEYSIZE:
CERT_SERIALNUMBER:
CERT_SERVER_ISSUER:
CERT_SERVER_SUBJECT:
CERT_SUBJECT:
CONTENT_LENGTH: 0
CONTENT_TYPE:
GATEWAY_INTERFACE: CGI/1.1
HTTPS: off
HTTPS_KEYSIZE:
HTTPS_SECRETKEYSIZE:
HTTPS_SERVER_ISSUER:
HTTPS_SERVER_SUBJECT:
INSTANCE_ID: 2
INSTANCE_META_PATH: /LM/W3SVC/2
LOCAL_ADDR: 206.72.119.72
PATH_INFO: /ServerVariables.aspx
PATH_TRANSLATED: C:\domains\example.com\ServerVariables.aspx
QUERY_STRING:
REMOTE_ADDR: 192.168.168.29
REMOTE_HOST: 192.168.168.29
REMOTE_PORT: 60137
REQUEST_METHOD: GET
SCRIPT_NAME: /ServerVariables.aspx
SERVER_NAME: www.example.com
SERVER_PORT: 80
SERVER_PORT_SECURE: 0
SERVER_PROTOCOL: HTTP/1.1
SERVER_SOFTWARE: Microsoft-IIS/7.5
URL: /ServerVariables.aspx
HTTP_CACHE_CONTROL: max-age=0
HTTP_CONNECTION: Keep-Alive
HTTP_ACCEPT: application/xml,application/xhtml+xml,text/html;q=0.9...
HTTP_ACCEPT_CHARSET: ISO-8859-1,utf-8;q=0.7,*;q=0.3
HTTP_ACCEPT_ENCODING: gzip,deflate,sdch
HTTP_ACCEPT_LANGUAGE: en-US,en;q=0.8
HTTP_COOKIE: {removed}
HTTP_HOST: www.example.com
HTTP_MAX_FORWARDS: 10
HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) ...
HTTP_X_ORIGINAL_HOST: www.example.com
HTTP_X_ORIGINAL_SERVER_PORT: 80
HTTP_X_ORIGINAL_URL: /ServerVariables.aspx
HTTP_X_FORWARDED_FOR: 192.168.168.29:60137
HTTP_X_ARR_LOG_ID: 3dc509e5-5da8-4b6b-91ee-f084c308e2ce
HTTP_X_SITE_INSTANCE: 01
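
The 'if' condition mentioned above, combined with the redaction the sample output applies by hand to HTTP_COOKIE, can be built into the page. This is an added example, not the author's script; the helper names (Skip, Redact, Listed, Line) and the choice of which variables to redact are assumptions.

```csharp
<%@ Page Language="C#" %>
<script runat="server">
    // Aggregates that repeat every header; skipped to keep the page readable.
    static readonly string[] Skip = { "ALL_HTTP", "ALL_RAW" };

    // Values that are credentials or session tokens: report presence, not content.
    static readonly string[] Redact = { "AUTH_PASSWORD", "HTTP_COOKIE", "HTTP_AUTHORIZATION" };

    static bool Listed(string[] names, string name)
    {
        return Array.IndexOf(names, name.ToUpperInvariant()) >= 0;
    }

    string Line(string name)
    {
        // ServerVariables only: Request[name] would let a query string or
        // form field with the same name replace the value.
        string value = Request.ServerVariables[name] ?? "";
        if (value.Length > 0 && Listed(Redact, name))
            value = "{removed, " + value.Length + " chars}";
        // Encode name and value; headers such as HTTP_USER_AGENT are client-controlled.
        return Server.HtmlEncode(name + ": " + value) + "<br>";
    }
</script>
<%
foreach (string name in Request.ServerVariables)
{
    if (!Listed(Skip, name))
        Response.Write(Line(name));
}
%>
```

Skipping ALL_HTTP and ALL_RAW matters for the redaction as well as for clutter, because both repeat the cookie and authorization headers in full.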

Hope you find this useful. Happy coding / troubleshooting!

Posted: Mar 09 2010, 08:59 AM by OWScott | with 18 comment(s)

Comments

OWScott said:

Thanks Elijah.  Great link with further details for troubleshooting in ASP.NET.

# March 9, 2010 4:21 PM

kamleshrao said:

Hi,

I have already used this in Classic ASP.

This is good for troubleshooting, but considering the security risk on websites, keeping such a file in a production environment would raise a high level of risk.

Would advise everyone to use this script wisely.

Thanks,

Kamlesh

# March 10, 2010 1:27 AM

OWScott said:

Hey Kamlesh.  Yes, this is not meant for end users to see.  Usually there isn't "very" incriminating information in the server variables, but things like the site path give a potential attacker more information.  This should be placed in a password protected folder to ensure limited access.

# March 10, 2010 9:43 AM
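
One way to limit access to the page without moving it into a separate folder, given that the sample output shows the site using Forms authentication. This is an added example and not part of the original post or comments; the role name Admins is hypothetical, and the path is the file name from the sample output.

```xml
<!-- Added example for the site's web.config. Without an entry like this the
     page inherits the site default, which normally allows every visitor. -->
<configuration>
  <location path="ServerVariables.aspx">
    <system.web>
      <authorization>
        <!-- Rules are evaluated top down: members of the (hypothetical)
             Admins role are allowed, everyone else, including anonymous
             users, is denied. -->
        <allow roles="Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Removing the file once troubleshooting is finished avoids the exposure altogether.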

GreenSands said:

This is very useful, but I want to get INSTANCE_META_PATH for a precompiled site and that won't allow simply placing an aspx file on the server. I don't want to have to re-deploy everything. Is there any way to get IIS to give this directly?

# March 11, 2010 10:27 PM

OWScott said:

GreenSands, sure.  This is a bit dated but IIS7 shows the instance ID similar to IIS6: weblogs.asp.net/.../how-to-find-the-siteid-in-iis5-and-iis6.aspx.

INSTANCE_META_PATH will be /LM/W3SVC/{site id}

Also, you can add a page to a precompiled site if you want to temporarily view the server variables.  It won't fight with the precompiled site.

# March 12, 2010 1:19 AM

Edevre said:

This is very useful, but I want to get INSTANCE_META_PATH for a precompiled site and that won't allow simply placing an aspx file on the server. I don't want to have to re-deploy everything. Is there any way to get IIS to give this directly?

# April 18, 2010 1:30 PM

OWScott said:

Edevre, I don't know of a way to do this.  IIS is the engine that static or dynamic code runs off.  It doesn't have a direct feedback mechanism.  You would need to use an HTTP handler or code of some sort to get that back.

# April 18, 2010 8:13 PM

Wynn Smith said:

How do you view Server Variables in a JavaScript loop?  I'm having trouble interlacing my ASP with JavaScript.

# May 30, 2011 7:21 PM

OWScott said:

Hi Wynn.  The server variables don't change so you can statically assign them to the HTML itself.  If you want them as a variable in the JavaScript logic then you can write them in a hidden field in the html and then call them from JavaScript.  They won't change on each iteration of the loop since they are static so whatever it is the first time, it will remain.

# May 31, 2011 10:04 AM

A said:

I see the REMOTE_USER field in my case as empty on IIS7.5. This value has been set by my application through an authorization header.

Any idea why this field is blank?

# March 1, 2012 3:26 AM

OWScott said:

@A The REMOTE_USER is only there if you have an authenticated user.  If you're using anonymous access then that value is blank and is whatever the anonymous user is for your site.

# March 2, 2012 12:20 PM

Billy said:

I have an old ASP application that accepts attachments for Office 97, but not for Office 2003 upwards (docx, xlsx, etc.). Is there a way to add these extensions to the allowable system variables for uploading in the application?

Cheers

# October 12, 2012 1:19 AM

OWScott said:

@Billy, the way to do that is by setting the mime types.  Search the internet for mime types of Office in IIS. This appears to be a good list: www.bram.us/.../office-2007-mime-types-for-iis

# October 12, 2012 10:13 AM

Brett said:

If you don't want your server variable value to be replaced by query string or form post variables of the same name you need to use Response.Write(var + " " + Request.ServerVariables[var] + "<br>");

# November 15, 2012 9:42 AM

OWScott said:

Thanks Brett for pointing that out.  If you do have form or query string variables with the same name as the server variables then you can be more specific to ensure that you're calling just the server variables.

# November 17, 2012 10:53 PM

Suchita said:

I have used the same in Classic ASP

# May 21, 2013 6:24 AM

AndyB said:

Good stuff, I'm a bit late to the party, but I cannot get the custom server variables to be returned. My Http_X_fubar variable is not returned by this file. Thanks for anything on 2008 R2 that would stop this from happening. The same rule works on win7 machine.

# June 25, 2013 3:27 PM

OWScott said:

Hi AndyB,

That script should get everything that is available at the page level in ASP.NET (or classic ASP). However, it won't get some rare variables which are available in ARR or at another level of the pipeline but that aren't also at the page level.

Also, if you add HTTP_X_fubar to the outgoing request then it won't show up yet on the incoming request. My guess is that it's something like that that is preventing it from being seen. It's probably an order of operations in terms of when it's available.

# July 19, 2013 5:34 PM