Thursday, November 02, 2006

.NET : A Potentially Dangerous Request.Cookie (HttpRequestValidationException)

Had an interesting problem today.  While working on an ASP.NET web service that worked fine the other day, I suddenly started getting this error, immediately upon hitting my code, about "A potentially dangerous Request.Cookie".  Just this past week I installed our main product on my laptop and hit it via localhost, therefore dropping a cookie.  In other words, a cookie that we're dropping is considered "potentially dangerous" by .NET.  It's annoying, since I can't really ignore it (you can't try/catch it, because all attempts to access the Request object throw it), and I can't go and change the product at the drop of a hat, either.  I know that it's not a malicious cookie.

Turns out there's a simple solution.  To your @Page directive, add ValidateRequest="false".


The more I think about this, it's an interesting error.  If my .NET code can only read cookies from my own domain, does that imply that it thinks I'm sending malicious cookies to myself?  Or that somebody is actually going into their own cookie file and modifying the cookie before sending it back?  Not really sure what this is protecting against, since it runs on the server, not the client.  That implies that the client is trying to be malicious toward the server, rather than the other way around.  That's a new one on me.



1 comment:

Pradeep Kumar said...

Be aware that if you set @Page ValidateRequest="false", you are opening your page to attacks.
If you decide to do so anyway, you should validate all inputs yourself.
That's a whole new Pandora's box of troubles in itself.
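
Added example (not code from the original post or from the comment): one way to handle the cookie yourself on a page that sets ValidateRequest="false", by bounding the raw value when it is read and HTML-encoding it wherever it is written back out. The cookie name ProductSession, the 4096-character limit, the CookieInput helper and the page class name are assumptions made for illustration.

```csharp
// Code-behind for a page declared with: <%@ Page ValidateRequest="false" ... %>
// With built-in request validation off, every check below is the page's own job.
using System;
using System.Web;

public static class CookieInput   // hypothetical helper, not part of ASP.NET
{
    private const int MaxLength = 4096;   // assumed upper bound for this cookie

    // Returns the raw cookie value, or null if it is missing, oversized,
    // or contains control characters (CR, LF, NUL and similar).
    public static string ReadBounded(HttpRequest request, string name)
    {
        HttpCookie cookie = request.Cookies[name];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        string value = cookie.Value;
        if (value.Length > MaxLength) return null;
        foreach (char c in value)
        {
            if (char.IsControl(c)) return null;
        }
        return value;
    }

    // Encode at the point of output so any markup in the value renders as text.
    public static string ForHtml(string value)
    {
        return HttpUtility.HtmlEncode(value ?? string.Empty);
    }
}

public partial class CookieEchoPage : System.Web.UI.Page   // assumed page name
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // "ProductSession" is an assumed cookie name.
        string session = CookieInput.ReadBounded(Request, "ProductSession");
        if (session == null)
        {
            Response.StatusCode = 400;   // refuse rather than guess at a repair
            Response.End();
            return;
        }
        // Never write the raw value into the page; always encode it first.
        Response.Write("Session: " + CookieInput.ForHtml(session));
    }
}
```

If the cookie has a known format (a GUID, a signed token), checking for exactly that format in ReadBounded is stricter than the structural checks shown here.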