Dangerous Request.Cookies

Manon Wekking

Hi, 

On several websites our customers get a Dangerous Request.Cookies error in the backend. This is gone when you empty your cookies, of course. But it scares our customers. Is there a way to prevent this error?

Hope to hear from you. 

BR, 

Manon


Replies

 
Morten Bengtson Dynamicweb Employee

Hi Manon,

Are you using a custom web.config file? Then try to use the one provided by us (recommended) OR make sure validation is configured like this in web.config...

<configuration>
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" />
  </system.web>
</configuration>
 
Hans Kloppenborg

Hello Morten,

I was sent to this post from an issue in our Jira, but it seems that the recommended web.config lines you give in your comment are not how we get them when we install the admin using NuGet, although the settings you do mention are in there (besides a lot more):

  <system.web>
    <httpHandlers>
      <add path="*.less" verb="GET" type="dotless.Core.LessCssHttpHandler, dotless.Core" />
    </httpHandlers>
    <machineKey validation="HMACSHA512" />
    <authentication mode="Windows" />
    <compilation targetFramework="4.6">
      <expressionBuilders>
        <add expressionPrefix="GS" type="Dynamicweb.Controls.Design.GlobalSettingsExpressionBuilder, Dynamicweb.Controls" />
      </expressionBuilders>
    </compilation>
    <sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20" />
    <httpRuntime executionTimeout="600" maxRequestLength="512000" useFullyQualifiedRedirectUrl="false" minFreeThreads="8" minLocalRequestFreeThreads="4" appRequestQueueLimit="100" enableVersionHeader="false" requestValidationMode="2.0" requestPathInvalidCharacters="&lt;,&gt;,*,%,:,\,?" maxUrlLength="2000" relaxedUrlToFileSystemMapping="true" />
    <globalization requestEncoding="utf-8" responseEncoding="utf-8" fileEncoding="utf-8" />
    <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" validateRequest="false" />
    <xhtmlConformance mode="Transitional" />
    <customErrors mode="Off" />
  </system.web>

Can you take another look to see if there can be another solution? It has happened to me also, and I fix it then by clearing the cookies for the domain. It looks like some cookie gets set with illegal content.

Greets Hans

 

 
Hans Kloppenborg

Hi Morten,

Any progress with this issue?

Greets Hans

 
Nicolai Pedersen

Hi Hans

Nope - except making sure those 2 attributes are set in your web.config. As I see it, the transform DW webconfig adds that information as it should.

BR Nicolai

 
Sander

We have these 2 lines in the web.config:

  <system.web>
    <httpRuntime targetFramework="4.6.1" executionTimeout="600" maxRequestLength="512000" useFullyQualifiedRedirectUrl="false" minFreeThreads="8" minLocalRequestFreeThreads="4" appRequestQueueLimit="100" enableVersionHeader="false" requestValidationMode="2.0" requestPathInvalidCharacters="&lt;,&gt;,*,%,:,\,?" maxUrlLength="2000" relaxedUrlToFileSystemMapping="true" />
    ...
    <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" validateRequest="false" />
  </system.web>

The problem however still remains:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Cookies value was detected from the client (Login="<wop>").]
   System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +9932588
   System.Web.HttpRequest.<ValidateCookieCollection>b__281_0(String key, String value) +16
   System.Web.HttpCookieCollection.EnsureKeyValidated(String key, String value) +9831771
   System.Web.HttpCookieCollection.Get(Int32 index) +173
   System.Web.HttpValueCollection.Add(HttpCookieCollection c) +9864299
   System.Web.HttpRequest.FillInParamsCollection() +69
   System.Web.HttpRequest.GetParams() +81
   System.Web.HttpRequest.get_Params() +31
   System.Web.HttpRequestWrapper.get_Params() +14
   Dynamicweb.Management.Dashboards.DashboardController.Index(String areaName, String path) +31
   lambda_method(Closure , ControllerBase , Object[] ) +147
   System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +14
   System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +157
   System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +27
   System.Web.Mvc.Async.AsyncControllerActionInvoker.<BeginInvokeSynchronousActionMethod>b__39(IAsyncResult asyncResult, ActionInvocation innerInvokeState) +22
   System.Web.Mvc.Async.WrappedAsyncResult`2.CallEndDelegate(IAsyncResult asyncResult) +29
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +32
   System.Web.Mvc.Async.AsyncInvocationWithFilters.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3d() +50
   System.Web.Mvc.Async.<>c__DisplayClass46.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3f() +228
   System.Web.Mvc.Async.<>c__DisplayClass33.<BeginInvokeActionMethodWithFilters>b__32(IAsyncResult asyncResult) +10
   System.Web.Mvc.Async.WrappedAsyncResult`1.CallEndDelegate(IAsyncResult asyncResult) +10
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +34
   System.Web.Mvc.Async.<>c__DisplayClass2b.<BeginInvokeAction>b__1c() +26
   System.Web.Mvc.Async.<>c__DisplayClass21.<BeginInvokeAction>b__1e(IAsyncResult asyncResult) +100
   System.Web.Mvc.Async.WrappedAsyncResult`1.CallEndDelegate(IAsyncResult asyncResult) +10
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +27
   System.Web.Mvc.Controller.<BeginExecuteCore>b__1d(IAsyncResult asyncResult, ExecuteCoreState innerState) +13
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +29
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +36
   System.Web.Mvc.Controller.<BeginExecute>b__15(IAsyncResult asyncResult, Controller controller) +12
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +22
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +26
   System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
   System.Web.Mvc.MvcHandler.<BeginProcessRequest>b__5(IAsyncResult asyncResult, ProcessRequestState innerState) +21
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +29
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +28
   System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9873789
   System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +48
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +159

I've tested this by simply changing the content of a cookie to a random html-like tag (<wop>).

Note that this only happens at the dashboard; maybe somewhere where Dynamicweb is loading the dashboard widgets?

 
Nicolai Pedersen

And what happens if you change your web.config to use

    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" />
 
Sander

No difference.

 
Nicolai Pedersen

Search the entire folder structure for web.config files and see if there are any - seen that from time to time in custom solutions.

If any are found, delete them.

This must somehow be a solution-specific problem since we do not have that in other solutions. Do you have a link we can get?

 
Martin Bakken Rickmann

Hi,

We are also seeing this issue. Version is 9.5. Our web.config looks like this: 

<httpRuntime executionTimeout="600" maxRequestLength="512000" useFullyQualifiedRedirectUrl="false" minFreeThreads="8" minLocalRequestFreeThreads="4" appRequestQueueLimit="100" enableVersionHeader="false" requestValidationMode="2.0" requestPathInvalidCharacters="&lt;,&gt;,*,%,:,\,?" maxUrlLength="2000" relaxedUrlToFileSystemMapping="true"/>

<pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" validateRequest="false"/>

 

Best regards,

Martin

 
Nicolai Pedersen

Did you search your subfolders for web.configs?
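
The subfolder search suggested in the replies above, as an added example that is not part of the original thread and not Dynamicweb code: a Python script that walks a site folder and reports every web.config whose requestValidationMode or validateRequest differs from the values quoted in the thread. The Files/Custom folder and the sample files are constructed for the demonstration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# element -> (attribute, value) that the replies say web.config must carry
EXPECTED = {"httpRuntime": ("requestValidationMode", "2.0"),
            "pages": ("validateRequest", "false")}
SAMPLE = ('<configuration><system.web><httpRuntime requestValidationMode="%s" />'
          '<pages validateRequest="%s" /></system.web></configuration>')

def read_settings(path):
    """Return the validation attributes set under any <system.web> element."""
    found = {}
    for sw in ET.parse(path).iter():
        if sw.tag.rsplit("}", 1)[-1] == "system.web":  # tolerate an xmlns
            for el in sw:
                name = el.tag.rsplit("}", 1)[-1]
                if name in EXPECTED and EXPECTED[name][0] in el.attrib:
                    found[name] = el.attrib[EXPECTED[name][0]]
    return found

def audit(site_root):
    """Return sorted (relative path, issues) for each web.config under site_root."""
    report = []
    for folder, _dirs, files in os.walk(site_root):
        for fname in (f for f in files if f.lower() == "web.config"):
            path = os.path.join(folder, fname)
            rel = os.path.relpath(path, site_root).replace(os.sep, "/")
            found = read_settings(path)
            issues = []
            for name, (attr, want) in EXPECTED.items():
                got = found.get(name)
                inherits = got is None and "/" in rel  # silent nested file inherits
                if not inherits and (got is None or got.lower() != want):
                    issues.append("%s %s=%r, expected %r" % (name, attr, got, want))
            report.append((rel, issues))
    return sorted(report)

def build_sample(root):
    """Write constructed files: a correct root web.config and a nested override."""
    nested = os.path.join(root, "Files", "Custom")  # hypothetical subfolder
    os.makedirs(nested)
    for folder, values in ((root, ("2.0", "false")), (nested, ("4.5", "true"))):
        with open(os.path.join(folder, "web.config"), "w") as fh:
            fh.write(SAMPLE % values)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(*audit(root), sep="\n")
```

Point `audit()` at the site's root folder; any entry with a path below the root is a nested web.config of the kind the reply asks about, and a non-empty issue list shows which of the two attributes it overrides.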

 
