Reasons for the failure of the authentication mechanism in the ASP. net4.0 framework and Solutions

ASP. NET Request verification feature provides us with ApplicationsProgramTo avoid cross-site scripting attacks. However, in some cases, for example, we need to use online text editors such as ckeditor to allow users to input HTML text in ASP. under the framework of NET 2.0. set validaterequest = "false" in config ". Or in MVC, we can disable it by setting [validaterequest (false)] on the Controller or action. However, in ASP. net 4.0 framework, you will find that even if you do this, you will still be prompted for such an exception "a potentially dangerous request. form value was detected from the client ". What's going on?

Originally ASP. the lifecycle of the net4.0 application has changed in the previous ASP. in the. NET version, request verification is enabled by default, but it is only valid for page requests (requests. and is only verified when the page is requested. However, in ASP. in. Net 4.0, the request verification function is advanced to ihttphandler. before the beginrequest method is requested, this means that all access to ASP. all HTTP requests of the. NET Request channel will be verified for the validity of the request content, including some custom httphandler and WebService requests, you can even use the custom HTTP module to customize the request processing program.

The early result of request verification processing is that we set validaterequest = false in the page or controller, which will invalidate and will not prevent the program from verifying the request input. After this is done, the validators cannot obtain whether the requested page has disabled the authentication request because httphandler has not yet been instantiated. In addition, ASP. net4.0 does not provide me with a place to disable this authentication function. However, for compatibility considerations, Asp. net allows us. configure ASP in config. NET 2.0 request verification behavior: