130

I have an MVC3 site in C#. I have a particular view being fed query parameters from a JavaScript function; the function redirects to the site via

window.location.href = "../ActionName?" + query_string;

query_string being the dynamic query parameters string built by the JavaScript function.

The reason for this weirdness is that sometimes the same function passes the URL to an ASP.NET webform due to it having to use the reportviewer control; the alternate action is to save some parameters, and in this case it passes to the view. (Can elaborate more if that does not make sense.)

The whole thing works fine until I introduce [Authorize] to the action method. Breaks if it is in place, works fine without, and [Authorize] works fine on all the other methods.

The whole URL in this case is 966 chars long. After research it seems that the maxQueryStringLength value is 2048 by default but can be overridden to any value of type integer, so just for grins I added the

<security>
  <requestFiltering>
    <requestLimits maxQueryString="2048"></requestLimits>
  </requestFiltering>
</security>

key to the web config file under the key.

No joy there, so I got ridiculous and made it 4096, still no joy.

Now with the whole URL being 966 chars long, the authorize attribute cannot seriously be adding another 1082-3130 chars, so how can I determine what the error actually is, or why the setting is not taking effect?

VS2010 Pro SP1

nempoBu4
Sabre

4 Answers

236

In the root web.config for your project, under the system.web node:

<system.web>
    <httpRuntime maxUrlLength="10999" maxQueryStringLength="2097151" />
...

In addition, I had to add this under the system.webServer node or I got a security error for my long query strings:

<system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxUrl="10999" maxQueryString="2097151" />
      </requestFiltering>
    </security>
...
theJerm
  • 2
    Does opening this up create any serious security flaws? What negatives are there to setting maxurl and maxquery to 2097151? – Brian Sep 10 '12 at 20:50
  • 1
    Brian, that's a fine question - I can't see any security flaws unless somehow putting something longer on the query string besides a browser limit can be harmful. Do browser max length query strings take precedence over this value is another question I don't have the answer to. Thanks for asking though, maybe someone on here can shed more light on this. – theJerm Sep 21 '12 at 17:20
  • I guess there is a potential DOS vulnerability but that depends on how you actually handle the request. I ran into this while trying to add 100 users in one request. Not something I want to happen anyway. – Martin Nov 20 '12 at 10:16
  • 4
    This resolved my issue immediately, as I was having the same issue on an MVC 4 project. Adding both of the above resolved my error. Thank you so much!! – Ed DeGagne Dec 18 '12 at 19:53
  • @EdDeGagne No problem - I had your same problem quite a few months ago and pulled my hair out trying to solve it - glad it is working for you. – theJerm Dec 20 '12 at 22:04
  • not working. see this http://stackoverflow.com/questions/31624710/mvc-website-bad-request-invalid-url-http-error-400-the-request-url-is-inval – Jitendra Pancholi Jul 25 '15 at 10:00
  • 10
    Mind that `maxQueryString` is the length in *bytes* as uint with a max value of 4294967295 and `maxQueryStringLength` is the length in *characters* as int but with a range of 0-2097151. – marsze Aug 13 '18 at 10:28
  • Does this work only for web api or website as well? – Avi Kenjale Mar 11 '19 at 20:31
  • 1
    I'm having a similar issue but only locally on my IIS Express... Please advise how do I tackle it? – singhswat Jun 21 '19 at 10:40
71

When an unauthorized request comes in, the entire request is URL encoded, and added as a query string to the request to the authorization form, so I can see where this may result in a problem given your situation.

According to MSDN, the correct element to modify to reset maxQueryStringLength in web.config is the <httpRuntime> element inside the <system.web> element, see httpRuntime Element (ASP.NET Settings Schema). Try modifying that element.

Eat at Joes
counsellorben
  • 1
    Alas, putting it in the correct place seems to be the trick. Interestingly enough, IntelliSense guides me to the same key in the location I originally posted it in as well. – Sabre Nov 16 '11 at 22:36
  • 8
    Also good to know is the max value for this param is 2097151 -- at first I tried to use the Int32.MaxValue, but the exception that was thrown at runtime pointed me to use a value between 0 and 2097151. – TimDog Jan 04 '12 at 21:26
  • not working see this. http://stackoverflow.com/questions/31624710/mvc-website-bad-request-invalid-url-http-error-400-the-request-url-is-inval – Jitendra Pancholi Jul 25 '15 at 10:00
  • 1
    I believe that although you can set the max value for this param to 2097151, there are other params that affect the maximum query length accepted. I had a query string much shorter than this max that was not accepted - it was 3,393 characters long. Another query which was 3,200 characters long worked fine. – markthewizard1234 Nov 03 '15 at 09:45
  • @markthewizard1234: Agreed: I have increased mine from 2048 to 4096. This *has* had some effect, as the original error message with 404.something for the overlong query string doesn't appear anymore. But now, another error message with code 400 is returned, *also* indicating an overlong query string. – O. R. Mapper Apr 16 '20 at 12:53
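
The growth described in the answer above can be measured. This is an added example, not code from the thread: it assumes the login redirect carries the rejected request as a `ReturnUrl` query parameter and approximates the URL encoding; `urlEncode`, `checkRedirect` and the sample URL are hypothetical names and constructed data.

```javascript
// Added example, not from the original thread. Encoding rules approximate
// ASP.NET's HttpUtility.UrlEncode (assumption); the sample URL is constructed.
const SAFE = /[A-Za-z0-9\-_.!*()]/;
const encoder = new TextEncoder();

// Percent-encode each UTF-8 byte of every character outside the safe set.
function urlEncode(text) {
  let out = "";
  for (const ch of text) {
    if (SAFE.test(ch)) out += ch;
    else if (ch === " ") out += "+";
    else for (const b of encoder.encode(ch)) out += "%" + b.toString(16).padStart(2, "0");
  }
  return out;
}

// Query string of the redirect to the login page for a rejected request.
function loginRedirectQuery(pathAndQuery) {
  return "ReturnUrl=" + urlEncode(pathAndQuery);
}

// Check the original query string and the redirect's query string against
// httpRuntime maxQueryStringLength (characters) and requestLimits
// maxQueryString (bytes), the two settings discussed on this page.
function checkRedirect(pathAndQuery, maxChars = 2048, maxBytes = 2048) {
  const original = pathAndQuery.slice(pathAndQuery.indexOf("?") + 1);
  const redirect = loginRedirectQuery(pathAndQuery);
  const over = (q) => q.length > maxChars || encoder.encode(q).length > maxBytes;
  return {
    originalQueryLength: original.length,
    redirectQueryLength: redirect.length,
    originalRejected: over(original),
    redirectRejected: over(redirect),
  };
}

// Constructed request: values are already percent-encoded, so every "%"
// is encoded again as "%25" when the URL is nested inside ReturnUrl.
const SAMPLE = "/Home/ActionName?" + "k=%2F%2F&".repeat(120);
console.log(checkRedirect(SAMPLE));
```

The constructed request passes both limits on its own, while the redirect built from it does not, which is why a limit sized for the application's own URLs needs headroom for the nested, re-encoded copy rather than the maximum value.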
6

I have this error using datatables.net.

I fixed it by changing the default ajax GET to POST in the properties of the DataTable():

"ajax": {
        "url": "../ControllerName/MethodJson",
        "type": "POST"
    },
Ruben Bartelink
elblogdelbeto
  • I was using datatables as well, and after unsuccessfully trying suggestions above, this trick did it. – AidaM Oct 13 '16 at 01:08
5

For anyone else that may encounter this problem and it is not solved by either of the options above, this is what worked for me.

1. Click on the website in IIS
2. Double Click on Authentication under IIS
3. Enable Anonymous Authentication

I had disabled this because we were using our own Auth, but that led to this same problem and the accepted answer did not help in any way.

dball