Developer forum


A potentially dangerous Request.Cookies value was detected from the client (Dynamicweb.SessionVisitor="...rDynamics=")

Mikkel Høst

We have a problem with the "Dynamicweb.SessionVisitor" cookie. The problem is related to IE 10 and 11.

We have a subdomain on our client's DW website. This subdomain is an external system running a standalone .NET application. For some odd reason IE 10 or 11 will resend the cookies from the main domain to the subdomain. The application on the subdomain runs with "<httpRuntime requestValidationMode="4.0" />" and cannot be changed to 2.0.

This throws an error because the cookie contains an XML element and this is not allowed. "=<dynamics />")."

We need to figure out a solution and I hope someone can help.

1. Can we change the invalid cookie value?

2. Could we somehow delete the cookies or force the browser not to send them to the subdomain?

Any ideas?

 


Replies

 
Imar Spaanjaars Dynamicweb Employee

You could write a .NET handler or some other code that runs early in the pipeline and remove the offending cookies or change their value. Would that work?

Imar

 
Mikkel Høst

Hi Imar.

We could do that. But I don't want to lose the stats or whatever this cookie gives us. But you actually gave me an idea. I could write a redirect handler that removes the cookies and then use this as a middle man when linking. Then we only have a problem when people are going straight to the site. The application on the subdomain can't remove the cookie because it doesn't belong to the subdomain.

Thanks mate.

 

 
Imar Spaanjaars Dynamicweb Employee

My idea was to add the handler to the sub domain. Apparently, that domain receives the cookies so you should be able to remove them from the Request.Cookies collection, no?

Imar

 
Mikkel Høst

I don't think you can when you use requestValidationMode=4.0 

https://msdn.microsoft.com/en-us/library/system.web.configuration.httpruntimesection.requestvalidationmode(v=vs.110).aspx

This guarantees that the request validation is triggered before data such as cookies and URLs are accessed during the request. 

But the documentation is not really clear about it and I can't seem to find where in the page life cycle the requestValidationMode is triggered. But I will create a test and see if I can get access to the cookies somewhere before the application fails.

 
Imar Spaanjaars Dynamicweb Employee
This post has been marked as an answer

It runs before BeginRequest: http://weblog.west-wind.com/posts/2010/Aug/19/RequestValidation-Changes-in-ASPNET-40

It also seems that 4.5 (if you can use that) allows a more flexible solution: http://weblogs.asp.net/sreejukg/new-request-validation-features-in-asp-net-4-5 Not sure if this'll help you though.

Imar

Votes for this answer: 1
 
Mikkel Høst

Hi Imar.

I did a test.

4.5 is the way to go. It only fails when you request the malformed cookie, e.g. "HttpContext.Current.Request.Cookies["Cookie"].Value;". And there should be no difference in the security from 4.0 - so I can't see any reason not to change it on their side.

Thank you for the help. 
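
The on-access validation described in the last post, as an added sketch that is not part of the thread or of Dynamicweb's code: a module for the subdomain application that records whether the parent-domain cookie arrived and whether it passes validation, without failing the request. It assumes the subdomain application can run with requestValidationMode="4.5"; the module name is hypothetical.

```csharp
// Added example, not from the thread. Assumed web.config on the subdomain app:
//   <httpRuntime targetFramework="4.5" requestValidationMode="4.5" />
using System;
using System.Diagnostics;
using System.Web;

// Hypothetical module name; register it under <system.webServer>/<modules>.
public sealed class SessionVisitorCookieProbe : IHttpModule
{
    private const string CookieName = "Dynamicweb.SessionVisitor";

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = ((HttpApplication)sender).Context.Request;

        // Unvalidated view (.NET 4.5): never triggers request validation,
        // so anything read through it is untrusted input.
        HttpCookie raw = request.Unvalidated.Cookies[CookieName];
        if (raw == null)
        {
            return; // the parent-domain cookie was not sent
        }

        try
        {
            // Validated view: in 4.5 mode the check runs here, on access,
            // and only for the cookie that is actually read.
            string value = request.Cookies[CookieName].Value;
            Trace.TraceInformation("{0} passed validation", CookieName);
        }
        catch (HttpRequestValidationException)
        {
            // Log the fact, not the raw value, and let the request continue:
            // the application itself never reads this cookie.
            Trace.TraceWarning("{0} from {1} failed request validation",
                CookieName, request.Url.Host);
        }
    }

    public void Dispose() { }
}
```

Values read through Request.Unvalidated bypass request validation, so they need output encoding before being written anywhere.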

 

 

 
