Wednesday, April 04, 2012

ThrowIfMaxHttpCollectionKeysExceeded exception being thrown by an Asp.Net website

One of our Asp.Net websites started throwing an “ThrowIfMaxHttpCollectionKeysExceeded” exception with message that looked like this:

“Operation is not valid due to the current state of the object”

It turns out that in late december (2011), Microsoft put out a patch for a DOS vulnerability. This patch limits many different collections to a value of 1000. (One of them being the number of keys allowed in the HttpCollection).

To fix it, you need to up the limit to a number that’s reasonable for your application, using the following configuration setting:

    <add key="aspnet:MaxHttpCollectionKeys" value="1000" />


Microsoft Security Bulletin MS 11-100:

An ASP.Net request that has lots of form keys… fails with an exception:

No comments: