A potentially dangerous Request.Cookies value was detected from the client

  • Question

  • User-687931224 posted

    I am new to Webmatrix 3, having coded in Webforms for almost 10 years. I chose Webmatrix for my next project because the learning curve to MVC4 is too steep for me to be productive quickly and the Webmatrix code can be more easily converted to MVC in the future.

    I used the template StarterSite to begin and I have been modifying it and adding pages. Yesterday when I left the office my website was running just fine in debug mode. This morning the only change I made was to add a CSS style. I then ran the site in debug mode and got this cryptic message.

    A potentially dangerous Request.Cookies value was detected from the client (ssnInfo="imgBanner=<img src='/images/hd...").

    Huh? Where did that come from? I ran a search through all the files in the website looking for the string ssnInfo="imgBanner=<img src='/images/hd or even parts of that string and the search came up empty. Since I did not recognize that code as something I did, I presume it was part of the template. If so, then why can I not find any parts of that string in the search?

    Here is the stack trace:

    [HttpRequestValidationException (0x80004005): A potentially dangerous Request.Cookies value was detected from the client (ssnInfo="imgBanner=<img src='/images/hd...").]
       System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +9664173
       System.Web.HttpRequest.ValidateCookieCollection(HttpCookieCollection cc) +132
       System.Web.HttpRequest.get_Cookies() +59
       System.Web.Security.FormsAuthenticationModule.ExtractTicketFromCookie(HttpContext context, String name, Boolean& cookielessTicket) +1786
       System.Web.Security.FormsAuthenticationModule.OnAuthenticate(FormsAuthenticationEventArgs e) +107
       System.Web.Security.FormsAuthenticationModule.OnEnter(Object source, EventArgs eventArgs) +80
       System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +136
       System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +69


    It looks to be related to the FormsAuthentication module which was part of the template I used...not something I wrote. Can anyone tell me what could be going on?

    Particularly why the site ran fine yesterday, but today with only a CSS style added (which I subsequently removed), it's giving me this error.

    Thanks for any help

    Wednesday, August 21, 2013 10:45 AM

All replies

  • User-687931224 posted

    Here is an update, but by no means a solution. Because I needed to get back into developing the site I did some research on Request Validation in .NET 4.0.

    I added the following two entries into the web.config...

        <httpRuntime executionTimeout="300" requestValidationMode="2.0" />
        <pages validateRequest="false" ></pages>
    

    By doing so I reverted the request validation to v2.0 and then turned it off. The error no longer prevents me from running the website and therefore I can continue to develop.

    But this does not explain why suddenly with virtually no changes to the website I started receiving the error this morning. I would still like to know where this error is originating from and how I can fix it without turning Request Validation off entirely.

    Again, thanks for any replies.

    Wednesday, August 21, 2013 12:54 PM
  • User281315223 posted

    You could specifically disable Request Validation for a specific area / page of your application. Page directive:

    <%@ Page ... ValidateRequest="false" %>

    Typically the ValidateRequest="false" within your Page directive should be working. I might suggest making the following change within your web.config file to see if that makes a difference : 

    <!-- Put this within the <system.web> element --> 
    <httpRuntime requestValidationMode="2.0"/>

    which you could combine with the Pages directive if you wanted to apply it at a large scale : 

    <configuration>
      <system.web>
        <httpRuntime requestValidationMode="2.0" />
        <pages validateRequest="false" />
      </system.web>
    </configuration>

    Wednesday, August 21, 2013 1:10 PM
  • User465171450 posted

    Occasionally a patch, for security reasons, will alter the machine.config for a computer. That means that certain defaults may be altered to increase security, or certain additional items could be validated. I don't store HTML in cookies so I had not run into this before, but it may be that MS switched it so that cookie items also validate such as form fields do during postback to ensure that an attack has not happened. It would be very simple for an attacking agent to inject HTML into a cookie that would then redirect a user to another site when the cookie contents are displayed so that would be my guess why something may have changed.

    Wednesday, August 21, 2013 1:24 PM
  • User-821857111 posted

    Presumably you are running the site under localhost? If so, have a look at the cookies you have under the localhost domain and see if any have that HTML as part of a value. If it has, delete it.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, August 21, 2013 2:13 PM
  • User-821857111 posted

    You could specifically disable Request Validation for a specific area / page of your application. Page directive:
    <%@ Page ... ValidateRequest="false" %>

    That won't work in ASP.NET Web Pages :o)

    Wednesday, August 21, 2013 2:16 PM
  • User281315223 posted

    Doh!

    I didn't notice this was specifically for Web Pages / WebMatrix. I'll leave this one to you then Mike ;)

    Wednesday, August 21, 2013 2:19 PM
  • User-687931224 posted

    Thank you markfitzme and Rion for your replies,

    Well I think I found the source for the error and this is REALLY bizarre. I thought that parts of the error message looked vaguely familiar even if I knew that the code string displayed by the error message was NOT a part of this Webmatrix website.

    I have source code from 8 years of developing with ASP.NET Webforms on my development machine. Many of those applications are still in production at our customers' sites. Well yesterday I had to fix a problem in a web app that I developed a couple of years ago. So I opened Visual Studio 2008 which I had used to develop that app. I ran the app in debug mode to see if my fixes worked. Note that I had both VS2008 and Webmatrix open at the same time.

    Well wouldn't you know it, in the old project (NOT AT ALL connected to my Webmatrix website) there were indeed cookies that referenced imgBanner. For some strange reason apparently my Webmatrix site is reading the cookies from that very old app. There is no code in the Webmatrix site (that I created) that calls for opening and reading of cookies.

    Maybe this would only happen because I am running both of these sites in debug mode on localhost. Could it be that there is some Built-in Security Code supplied by Microsoft in the Webmatrix template that is causing the website to open and inspect all site cookies as a precaution even if I did not create any code like that myself? Because I am testing both sites on localhost the app is assuming that these cookies are part of my Webmatrix project?

    Wow! That's pretty wild. I am going to try to delete all cookies and see what happens.

    Well I cleared the cache in Firefox and Chrome and IE. The site now runs on IE and Chrome but still refuses to run on Firefox. It appears I am getting closer. But this is indeed strange behavior.

    Wednesday, August 21, 2013 3:00 PM
  • User-687931224 posted

    Mike you are a star indeed!

    I had found the cookies from an old VS project that referenced the imgBanner and was writing my reply to post while you were posting your reply. You are dead on!

    Now if I can just get the project to run again in Firefox all would be well.

    Thanks a bunch!

    P.S. The only way I know to deal with cookies is through the individual browser interfaces. Can I get to LocalHost domain and clear it through IIS Manager?

    Wednesday, August 21, 2013 3:06 PM
  • User-821857111 posted

    There is no code in the Webmatrix site (that I created) that calls for opening and reading of cookies.

    You said that you are using the built-in Forms Authentication. That reads cookies.

    As soon as you touch (programmatically speaking) an item in a Request collection that is protected by request validation, the exception is generated if any item in that collection contains what looks like HTML as a value.

    Maybe this would only happen because I am running both of these sites in debug mode on localhost.

    When debugging and testing using localhost, you end up generating a fair number of cookies on that domain over time. Even though they may have been intended for different applications, they are all under the same domain. So any request generated for localhost will include all of the cookies. That's why I suggested looking there.

    Firefox probably needs a good clearout of its cache.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, August 21, 2013 3:09 PM
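
Added example, not part of the thread: a small model of why a cookie set by one localhost site reaches another, and which cookie would trip request validation. The ports, the cookie jar contents and the image path are constructed, and `looksDangerous` is an approximation of the ASP.NET check, not the framework's own code.

```javascript
// Added example (not from the thread). Ports, cookie values and the image
// path below are constructed for illustration.

// Approximation of the request-validation test applied to each value:
// "<" followed by a letter, "!", "/" or "?", or the sequence "&#".
function looksDangerous(value) {
  return /<[A-Za-z!\/?]|&#/.test(value);
}

// Browsers match cookies on host and path, not on port (RFC 6265), so the
// port of the site that originally set the cookie plays no part here.
// Path matching is simplified to a prefix test.
function cookiesSentTo(jar, requestUrl) {
  const { hostname, pathname } = new URL(requestUrl);
  return jar.filter(c => c.host === hostname && pathname.startsWith(c.path));
}

// Cookies in this request that would make reading Request.Cookies throw,
// labelled with the site that set them so the stale one can be deleted.
function offendingCookies(jar, requestUrl) {
  return cookiesSentTo(jar, requestUrl)
    .filter(c => looksDangerous(c.value))
    .map(c => `${c.name} (set by ${c.setBy})`);
}

// Constructed browser cookie jar: an old app and the new site, both on localhost.
const jar = [
  { setBy: "http://localhost:1234", host: "localhost", path: "/",
    name: "ssnInfo", value: "imgBanner=<img src='/images/placeholder.png'>" },
  { setBy: "http://localhost:5678", host: "localhost", path: "/",
    name: ".ASPXAUTH", value: "0123ABCD" },
  { setBy: "http://example.test:5678", host: "example.test", path: "/",
    name: "note", value: "<b>hi</b>" },
];

// Request to the new site on port 5678 still carries the old app's cookie.
console.log(offendingCookies(jar, "http://localhost:5678/Default.cshtml"));
```
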
  • User-821857111 posted

    The only way I know to deal with cookies is through the individual browser interfaces. Can I get to LocalHost domain and clear it through IIS Manager?

    No. They belong to the browser not the web server. You have to continue doing what you currently do.

    Wednesday, August 21, 2013 3:11 PM