Wednesday, April 04, 2012

ThrowIfMaxHttpCollectionKeysExceeded exception being thrown by an Asp.Net website

One of our Asp.Net websites started throwing an “ThrowIfMaxHttpCollectionKeysExceeded” exception with message that looked like this:

“Operation is not valid due to the current state of the object”

It turns out that in late december (2011), Microsoft put out a patch for a DOS vulnerability. This patch limits many different collections to a value of 1000. (One of them being the number of keys allowed in the HttpCollection).

To fix it, you need to up the limit to a number that’s reasonable for your application, using the following configuration setting:

<configuration>
  <appSettings>
    <add key="aspnet:MaxHttpCollectionKeys" value="1000" />
  </appSettings>
</configuration>

Notes:

Microsoft Security Bulletin MS 11-100: http://technet.microsoft.com/en-us/security/bulletin/ms11-100

An ASP.Net request that has lots of form keys… fails with an exception: http://support.microsoft.com/kb/2661403

No comments: