I am new to Webmatrix 3, having coded in Webforms for almost 10 years. I chose Webmatrix for my next project because the learning curve to MVC4 is too steep for me to be productive quickly and the Webmatix code can be more easily converted to MVC in the
future.
I used the template StarterSite to begin and I have been modifing it and adding pages. Yesterday when I left the office my website was running just fine in debug mode. this morning the only change I made was to as a CSS style. I then ran the site in debug
mode and got this cryptic message.
A potentially dangerous Request.Cookies value was detected from the client (ssnInfo="imgBanner=<img src='/images/hd...").
Huh? Where did that come from? I ran a search through all the files in the website looking for the string
ssnInfo="imgBanner=<img src='/images/hd or even parts of that string and the search came up empty. Since I did not recognize that code as somthing I did, I presume it was part of the template. If so, then why can I not find any parts of that string in
the search?
Here is the stack trace:
[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Cookies value was detected from the client (ssnInfo="imgBanner=<img src='/images/hd...").]
System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +9664173
System.Web.HttpRequest.ValidateCookieCollection(HttpCookieCollection cc) +132
System.Web.HttpRequest.get_Cookies() +59
System.Web.Security.FormsAuthenticationModule.ExtractTicketFromCookie(HttpContext context, String name, Boolean& cookielessTicket) +1786
System.Web.Security.FormsAuthenticationModule.OnAuthenticate(FormsAuthenticationEventArgs e) +107
System.Web.Security.FormsAuthenticationModule.OnEnter(Object source, EventArgs eventArgs) +80
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +136
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +69
It looks to be related to the FormsAuthentication module which was part of the template I used...not something I wrote. Can anyone tell me what could be going on?
Particularly why the site ran fine yesterday, but today with only a CSS style added (which I subsequently removed), it's giving me this error.
Here is an update, but by no means a solution. Because I needed to get back into developing the site I did some research on Request Validation in .NET 4.0.
I added the folowing two entries into the web.config...
By doing so I reverted the request validation to v2.0 and then turned it off. The error no longer prevents me from running the website and therefore I can continue to develop.
But this does not explain why suddenly with virtually no changes to the website I started receiving the error this morning. I would still like to know where this error is originating from and how I can fix it without turning Request Validation off entirely.
You could specifically disable Request Validation for a specific area / page of your applicationPage directive :
<%@ Page ... ValidateRequest="false" %>
Typically the ValidateRequest="false" within your Page directive should be working. I might suggest making the following change within your web.config file to see if that makes a difference :
<!-- Put this within the <system.web> element --> <httpRuntimerequestValidationMode="2.0"/>
which you could combine with the Pages directive if you wanted to apply it at a large scale :
Ocassionally a patch, for security reasons, will alter the machine.config for a computer. That means that certain default may be altered to increase security, or certain additional items could be validated. I don't store HTML in cookies so I had not run
into this before, but it may be that MS switched it so that cookie items also validate such as form fields do during postback to ensure that an attack has not happened. It would be very simple for an attacking agent to inject HTML into a cookie that would
then redirect a user to another site when the cookie contents are displayed so that would be my quess why something may have changed.
Don't forget to mark useful responses as Answer if they helped you towards a solution.
Presumably you are running the site under localhost? If so, have a look at the cookies you have under the localhost domain and see if any have that HTML as part of a value. If it has, delete it.
You could specifically disable Request Validation for a specific area / page of your applicationPage directive :
<%@ Page ... ValidateRequest="false" %>
Well I think I found the source for the error and this is REALLY bizarre. I thought that parts of the error message looked vaguely familiar even if I knew that the code string displayed by the error message was NOT a part of this Webmatrix website.
I have source code from 8 years of developing with ASP.NET Webforms on my development machine. Many of those applications are still in production at our customers sites. Well yesterday I had to fix a problem in a web app that I developed a couple of years
ago. So I opened Visual Studio 2008 which I had used to develop that app. I ran the app in debug mode to see if my fixes worked. Note that I had both VS2008 and Webmatrix both open at the same time.
Well wouldn't you know it, in the old project (NOT AT ALL connected to my Webmatrix website) there were indeed cookies that referenced
imgBanner. For some strange reason apparently my Webmatrix site is reading the cookies from that very old app. There is no code in the Webmatrix site (that I created) that calls for opening and reading of cookies.
Maybe this would only happen because I am running both if these sites in debug mode on localhost. Could it be that there is some
Built-in Security Code supplied by Microsoft in the Webmatrix template that is causing the website to open and inspect all site cookies as a precaution even if I did not create any code like that myself? Because I am testing both sites on
localhost the app is assuming that these cookies are part of my Webmatrix project?
Wow! That's pretty wild. I am going to try to delete all cookies and see what happens.
Well I cleared the cache in Firefox and Chrome and IE. The site now runs on IE and Chrome but still refuses to run on Firefox. It appears I am getting closer. But this is indeed strange behavior.
I had found the cookies from an old VS project that referenced the imgBanner and was writing my reply to post while you were posting your reply. You are dead on!
Now if I can just get the project to run again in FireFox all would be well.
Thanks a bunch!
P.S. The only way I know to deal with cookies is though the individual browser interfaces. Can I get to LocalHost domain and clear it though IIS Manger?
There is no code in the Webmatrix site (that I created) that calls for opening and reading of cookies.
You said that you are using the built-in Forms Authentication. That reads cookies.
As soon as you touch (programmtically speaking) an item in a Request collection that is protected by request validation, the exception is generated if
any item in that collection contains what looks like HTML as a value.
jkotuby
Maybe this would only happen because I am running both if these sites in debug mode on localhost.
When debugging and testing using localhost, you end up generating a fair number of cookies on that domain over time. Even though they may have been intended for different applications, they are all under the same domain. So any request generated for localhost
will include all of the cookies. That's why I suggested looking there.
Firefox probably needs a good clearout of its cache.
Member
11 Points
49 Posts
A potentially dangerous Request.Cookies value was detected from the client
Aug 21, 2013 10:45 AM|jkotuby|LINK
I am new to Webmatrix 3, having coded in Webforms for almost 10 years. I chose Webmatrix for my next project because the learning curve to MVC4 is too steep for me to be productive quickly and the Webmatix code can be more easily converted to MVC in the future.
I used the template StarterSite to begin and I have been modifing it and adding pages. Yesterday when I left the office my website was running just fine in debug mode. this morning the only change I made was to as a CSS style. I then ran the site in debug mode and got this cryptic message.
A potentially dangerous Request.Cookies value was detected from the client (ssnInfo="imgBanner=<img src='/images/hd...").
Huh? Where did that come from? I ran a search through all the files in the website looking for the string ssnInfo="imgBanner=<img src='/images/hd or even parts of that string and the search came up empty. Since I did not recognize that code as somthing I did, I presume it was part of the template. If so, then why can I not find any parts of that string in the search?
Here is the stack trace:
It looks to be related to the FormsAuthentication module which was part of the template I used...not something I wrote. Can anyone tell me what could be going on?
Particularly why the site ran fine yesterday, but today with only a CSS style added (which I subsequently removed), it's giving me this error.
Thanks for any help
Member
11 Points
49 Posts
Re: A potentially dangerous Request.Cookies value was detected from the client
Aug 21, 2013 12:54 PM|jkotuby|LINK
Here is an update, but by no means a solution. Because I needed to get back into developing the site I did some research on Request Validation in .NET 4.0.
I added the folowing two entries into the web.config...
By doing so I reverted the request validation to v2.0 and then turned it off. The error no longer prevents me from running the website and therefore I can continue to develop.
But this does not explain why suddenly with virtually no changes to the website I started receiving the error this morning. I would still like to know where this error is originating from and how I can fix it without turning Request Validation off entirely.
Again, thanks for any replies.
All-Star
114593 Points
18503 Posts
MVP
Re: A potentially dangerous Request.Cookies value was detected from the client
Aug 21, 2013 01:10 PM|Rion Williams|LINK
You could specifically disable Request Validation for a specific area / page of your applicationPage directive :
Typically the ValidateRequest="false" within your Page directive should be working. I might suggest making the following change within your web.config file to see if that makes a difference :
which you could combine with the Pages directive if you wanted to apply it at a large scale :
All-Star
26071 Points
5892 Posts
Re: A potentially dangerous Request.Cookies value was detected from the client
Aug 21, 2013 01:24 PM|markfitzme|LINK
Ocassionally a patch, for security reasons, will alter the machine.config for a computer. That means that certain default may be altered to increase security, or certain additional items could be validated. I don't store HTML in cookies so I had not run into this before, but it may be that MS switched it so that cookie items also validate such as form fields do during postback to ensure that an attack has not happened. It would be very simple for an attacking agent to inject HTML into a cookie that would then redirect a user to another site when the cookie contents are displayed so that would be my quess why something may have changed.
All-Star
193993 Points
28025 Posts
Moderator
Re: A potentially dangerous Request.Cookies value was detected from the client
Aug 21, 2013 02:13 PM|Mikesdotnetting|LINK
Presumably you are running the site under localhost? If so, have a look at the cookies you have under the localhost domain and see if any have that HTML as part of a value. If it has, delete it.
All-Star
193993 Points
28025 Posts
Moderator
Re: A potentially dangerous Request.Cookies value was detected from the client
Aug 21, 2013 02:16 PM|Mikesdotnetting|LINK
That won't work in ASP.NET Web Pages :o)
All-Star
114593 Points
18503 Posts
MVP
Re: A potentially dangerous Request.Cookies value was detected from the client
Aug 21, 2013 02:19 PM|Rion Williams|LINK
Doh!
I didn't notice this was specifically for Web Pages / WebMatrix. I'll leave this one to you then Mike ;)
Member
11 Points
49 Posts
Re: A potentially dangerous Request.Cookies value was detected from the client
Aug 21, 2013 03:00 PM|jkotuby|LINK
Thank you markfitzme and Rion for your replies,
Well I think I found the source for the error and this is REALLY bizarre. I thought that parts of the error message looked vaguely familiar even if I knew that the code string displayed by the error message was NOT a part of this Webmatrix website.
I have source code from 8 years of developing with ASP.NET Webforms on my development machine. Many of those applications are still in production at our customers sites. Well yesterday I had to fix a problem in a web app that I developed a couple of years ago. So I opened Visual Studio 2008 which I had used to develop that app. I ran the app in debug mode to see if my fixes worked. Note that I had both VS2008 and Webmatrix both open at the same time.
Well wouldn't you know it, in the old project (NOT AT ALL connected to my Webmatrix website) there were indeed cookies that referenced imgBanner. For some strange reason apparently my Webmatrix site is reading the cookies from that very old app. There is no code in the Webmatrix site (that I created) that calls for opening and reading of cookies.
Maybe this would only happen because I am running both if these sites in debug mode on localhost. Could it be that there is some Built-in Security Code supplied by Microsoft in the Webmatrix template that is causing the website to open and inspect all site cookies as a precaution even if I did not create any code like that myself? Because I am testing both sites on localhost the app is assuming that these cookies are part of my Webmatrix project?
Wow! That's pretty wild. I am going to try to delete all cookies and see what happens.
Well I cleared the cache in Firefox and Chrome and IE. The site now runs on IE and Chrome but still refuses to run on Firefox. It appears I am getting closer. But this is indeed strange behavior.
Member
11 Points
49 Posts
Re: A potentially dangerous Request.Cookies value was detected from the client
Aug 21, 2013 03:06 PM|jkotuby|LINK
Mike you are a star indeed!
I had found the cookies from an old VS project that referenced the imgBanner and was writing my reply to post while you were posting your reply. You are dead on!
Now if I can just get the project to run again in FireFox all would be well.
Thanks a bunch!
P.S. The only way I know to deal with cookies is though the individual browser interfaces. Can I get to LocalHost domain and clear it though IIS Manger?
All-Star
193993 Points
28025 Posts
Moderator
Re: A potentially dangerous Request.Cookies value was detected from the client
Aug 21, 2013 03:09 PM|Mikesdotnetting|LINK
You said that you are using the built-in Forms Authentication. That reads cookies.
As soon as you touch (programmtically speaking) an item in a Request collection that is protected by request validation, the exception is generated if any item in that collection contains what looks like HTML as a value.
When debugging and testing using localhost, you end up generating a fair number of cookies on that domain over time. Even though they may have been intended for different applications, they are all under the same domain. So any request generated for localhost will include all of the cookies. That's why I suggested looking there.
Firefox probably needs a good clearout of its cache.
All-Star
193993 Points
28025 Posts
Moderator
Re: A potentially dangerous Request.Cookies value was detected from the client
Aug 21, 2013 03:11 PM|Mikesdotnetting|LINK
No. They belong to the browser not the web server. You have to continue doing what you currently do.