Reasons for the failure of the authentication mechanism in the asp. net4.0 framework and Solutions

Source: Internet
Author: User

The ASP. NET Request verification feature ensures application security and prevents cross-site scripting attacks on websites. However, in some cases, for example, we need to use online text editors such as Ckeditor to allow users to input HTML text in ASP. under the framework of NET 2.0. set validateRequest = "false" in config ". Or in MVC, we can disable it by setting [ValidateRequest (false)] on the Controller or Action. However, in ASP. NET 4.0 framework, you will find that even if you do this, you will still be prompted for such an exception "A potentially dangerous Request. form value was detected from the client ". What's going on?

Originally asp. the lifecycle of the net4.0 application has changed in the previous ASP. in the. NET version, request verification is enabled by default, but it is only valid for page requests (requests. and is only verified when the page is requested. However, in ASP. in. NET 4.0, the request verification function is advanced to IHttpHandler. before the BeginRequest method is requested, this means that all access to ASP. all HTTP requests of the. NET Request channel will be verified for the validity of the request content, including some custom HttpHandler and WebService requests, you can even use the custom Http Module to customize the request processing program.

The early result of request verification processing is that we set ValidateRequest = false in the page or Controller, which will invalidate and will not prevent the program from verifying the request input. After this is done, the validators cannot obtain whether the requested page has disabled the authentication request because HttpHandler has not yet been instantiated. In addition, ASP. NET4.0 does not provide me with a place to disable this authentication function. However, for compatibility considerations, ASP. NET allows us. configure ASP in config. NET 2.0 request verification behavior:

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.