 

Reasons not to increase maxQueryStringLength?

Every now and then I get myself into a position where I need to send quite large Ajax GET requests from my JavaScript client to my ASP.NET MVC application (running IIS 7). If the URL is longer than 2048 characters you get an exception by default. The easy workaround for this has been to increase the maxQueryStringLength using web.config.

My question is if there are any good reasons why you should NOT go down this path, and if it is in fact considered a hack? I have read something about different browsers limiting the number of characters in the address field, but if you're only using Ajax, that may not be a problem worth considering?

I know that you should in many cases consider using POST instead when you want to pass large amounts of data in the request, but sometimes that is not an option, for instance when your URL is returning a file for the user to download.

One specific example of where I have had to increase the maxQueryStringLength is: The user requests some locations in a map that are restricted by a polygon. If you want to send this polygon in the URL you will easily exceed the max URL length.

Knut Marius asked Aug 12 '13 09:08


3 Answers

Among other things it is a security measure...

Another point is that not all clients (i.e. browsers) support lengths above 2048.

For a very detailed explanation see https://stackoverflow.com/a/417184/847363

IF you are in an intranet situation AND have control over clients (browsers + versions) and server THEN it might be OK... for an application "in the wild" I would strongly recommend using POST instead.

Yahia answered Nov 15 '22 13:11


maxQueryStringLength is (probably) being used as safeguard against DDoS/buffer exhaustion attacks.

juhan_h answered Nov 15 '22 13:11


I don't see how this would immediately compromise on security in a big way. Why should 2047 be safe and 2049 be unsafe? IIS and ASP.NET are of course programmed to not overrun their memory buffers because that would be a security problem. Managed code is also immune to buffer overruns.

As most applications don't need such large URLs, 2048 is a wise default in my opinion.

You can probably increase the limit without consequences.

usr answered Nov 15 '22 12:11
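
The web.config workaround mentioned in the question, shown with a bounded limit rather than an arbitrarily large one. This is an added example, not part of the original thread: the 4096 value is a constructed sample, and the block assumes ASP.NET 4 or later on IIS 7, where the query string limit is enforced separately by ASP.NET and by IIS request filtering.

```xml
<!-- web.config: added example; 4096 is a constructed sample value.
     Size it to the largest query string the application legitimately needs. -->
<configuration>
  <system.web>
    <!-- ASP.NET layer. maxQueryStringLength defaults to 2048 characters;
         a longer query string raises an exception inside the application. -->
    <httpRuntime maxQueryStringLength="4096" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- IIS layer. maxQueryString defaults to 2048 bytes; a longer
             query string is rejected with HTTP 404.15 before ASP.NET runs.
             Raising only one of the two layers leaves the other at 2048. -->
        <requestLimits maxQueryString="4096" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Requests rejected by the IIS layer appear in the IIS log with status 404 and substatus 15, which gives a simple signal for spotting clients that send oversized query strings.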