123
votes

enter image description here
I have a MVC3 site in C#, I have a particular view being fed query parameters from a JavaScript function, the function redirects to the site via

window.location.href = "../ActionName?" + query_string;

query_string being the dynamic query parameters string built by the JavaScript function.

The reason for this weirdness is that sometimes the same function passes the URL to an ASP.Net webform due to it having to use the reportviewer control, the alternate action is to save some parameters in this case it passes to the view. (Can elaborate more if that does not make sense)

The whole thing works fine until I introduce [Authorize] to the action method. Breaks if it is in place, works fine without, and [Authorize] works fine on all the other methods.

The whole URL in this case is 966 chars long, after research it seems that the maxQueryStringLength value is 2048 by default but can overridden to any value of type integer, so just for grins I added the

<security>
  <requestFiltering>
    <requestLimits maxQueryString="2048"></requestLimits>
  </requestFiltering>
</security>

key to the web config file under the key.

No joy there, so I got ridiculous and made it 4096, still no joy.

Now with the whole URL being 966 chars long, the authorize attribute cannot seriously be adding another 1082-3130 chars, so how can I determine what the error actually is, or why the setting is not taking effect.

VS2010 Pro SP1

4
Please add the detailed error message you are receiving.counsellorben

4 Answers

71
votes

When an unauthorized request comes in, the entire request is URL encoded, and added as a query string to the request to the authorization form, so I can see where this may result in a problem given your situation.

According to MSDN, the correct element to modify to reset maxQueryStringLength in web.config is the <httpRuntime> element inside the <system.web> element, see httpRuntime Element (ASP.NET Settings Schema). Try modifying that element.

220
votes

In the root web.config for your project, under the system.web node:

<system.web>
    <httpRuntime maxUrlLength="10999" maxQueryStringLength="2097151" />
...

In addition, I had to add this under the system.webServer node or I got a security error for my long query strings:

<system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxUrl="10999" maxQueryString="2097151" />
      </requestFiltering>
    </security>
...
5
votes

For anyone else that may encounter this problem and it is not solved by either of the options above, this is what worked for me.

1. Click on the website in IIS
2. Double Click on Authentication under IIS
3. Enable Anonymous Authentication

I had disabled this because we were using our own Auth, but that lead to this same problem and the accepted answer did not help in any way.

4
votes

i have this error using datatables.net

i fixed changing the default ajax Get to POST in te properties of the DataTable()

"ajax": {
        "url": "../ControllerName/MethodJson",
        "type": "POST"
    },