
This is the default of BlogEngine 2.7:

<?xml version="1.0"?>
<configuration>
    <system.web>
        <httpRuntime 
            enableVersionHeader="false" 
            useFullyQualifiedRedirectUrl="true" 
            maxRequestLength="16384" 
            executionTimeout="3600" 
            requestLengthDiskThreshold="16384" 
            requestValidationMode="2.0"/>
        <pages 
            enableSessionState="false" 
            enableViewStateMac="true" 
            enableEventValidation="true" 
            controlRenderingCompatibilityVersion="3.5" 
            clientIDMode="AutoID">
            ...
        </pages>
    </system.web>
</configuration>

And I have used these settings for quite a while. But my application pool keeps crashing after about a week.

I have enabled ELMAH logging:

<elmah>
    <errorLog type="Elmah.XmlFileErrorLog, Elmah" logPath="~/elmahErrors" />
</elmah>

This enabled me to have a better look at what was causing the crashes, because the ELMAH page is of course unavailable when BE crashes. The log had several errors; the two most common ones were:

  • A potentially dangerous Request.Path value was detected from the client
  • Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

I have now added:

validateRequest="true"

to my pages section in the web.config and have added:

requestPathInvalidCharacters=""

to the httpRuntime section. My error log now stays empty, and the BlogEngine application returns a nice 404 when trying some query string injection and/or XSS attacks.

So this fixes all the thrown exceptions and keeps my application pool from automatically shutting down. I found this on StackOverflow http://stackoverflow.com/a/6026291/169714 but turning off validateRequest seems like a bad idea.
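
As an added example (not part of the original post or of BlogEngine), here is a small Python audit of the settings discussed above, run against a constructed web.config that has the post's two additions applied. The defaults in the table are those of ASP.NET 4; the function name and report format are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's web.config with its two additions applied.
SAMPLE = """<configuration>
  <system.web>
    <httpRuntime enableVersionHeader="false" requestValidationMode="2.0"
                 requestPathInvalidCharacters="" />
    <pages enableViewStateMac="true" enableEventValidation="true"
           validateRequest="true" />
  </system.web>
</configuration>"""

# (element, attribute, ASP.NET 4 default, value worth a second look, reason)
CHECKS = [
    ("httpRuntime", "requestPathInvalidCharacters", "<,>,*,%,&,:,\\,?", "",
     "no character is rejected in the URL path"),
    ("httpRuntime", "requestValidationMode", "4.0", "2.0",
     "request validation runs for pages only and obeys validateRequest"),
    ("pages", "validateRequest", "true", "false",
     "form, query string and cookie values are not screened"),
    ("pages", "enableViewStateMac", "true", "false",
     "ViewState is accepted without an integrity check"),
]

def audit_web_config(xml_text):
    """Return {setting: (effective_value, note)}; note is None when nothing stands out."""
    web = ET.fromstring(xml_text).find("system.web")
    report = {}
    for element, attr, default, flagged, reason in CHECKS:
        node = web.find(element) if web is not None else None
        # A missing element or attribute means the framework default applies.
        value = default if node is None else node.get(attr, default)
        hit = value.strip().lower() == flagged
        report[f"{element}/@{attr}"] = (value, reason if hit else None)
    # The ViewState MAC error quoted in the post points at <machineKey>.
    key = web.find("machineKey") if web is not None else None
    pinned = key is not None and not key.get(
        "validationKey", "AutoGenerate").startswith("AutoGenerate")
    report["machineKey"] = ("explicit" if pinned else "auto-generated",
                            None if pinned else "keys are not pinned in web.config")
    return report

if __name__ == "__main__":
    for setting, (value, note) in audit_web_config(SAMPLE).items():
        print(f"{setting:45} {value!r:22} {note or 'ok'}")
```

With requestPathInvalidCharacters empty, ASP.NET no longer rejects any character in the path, so output encoding in the application is what stands between such a URL and the rendered page.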


Good luck with BlogEngine!
