I have an ASP.NET Web Site running in Visual Studio dev-fabric (Azure project) and am using ACS and WIF. My authentication process isn't working because after I log in I get this:
A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").
The documentation states that I need to add
<pages validateRequest="false" />
and
<httpRuntime requestValidationMode="2.0" />
And I did - but I'm still getting the error. I've also added validateRequest="false" at the page level. But nada - still getting the same error.
These steps seem to have fixed the issue for other posters - is it something to do with running in dev-fabric perhaps?
You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.
As you know, ValidateRequest is a security feature which has been available since .NET Framework 2.0 in WebForms. This feature prevents users from entering HTML content in input fields to keep the application away from different kinds of XSS injection attacks.
I hadn't realised, but I'd accidentally added these settings within a location tag created by WIF:
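<location path="FederationMetadata">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
    <!-- wrong! settings placed here only apply to the FederationMetadata path -->
  </system.web>
</location>
<system.web>
  <!-- right! site-wide settings go in the top-level system.web -->
  <httpRuntime requestValidationMode="2.0" />
  <pages validateRequest="false" />
</system.web>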