This is de default of BlogEngine 2.7:
<?xml version="1.0"?> <configuration> <system.web> <httpRuntime enableVersionHeader="false" useFullyQualifiedRedirectUrl="true" maxRequestLength="16384" executionTimeout="3600" requestLengthDiskThreshold="16384" requestValidationMode="2.0"/> <pages enableSessionState="false" enableViewStateMac="true" enableEventValidation="true" controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID"> ... </pages> </system.web> </configuration>
And I have used these settings for quite a while. But my application pool keeps crashing after about a week.
I have enabled elmah logging
<elmah> <errorLog type="Elmah.XmlFileErrorLog, Elmah" logPath="~/elmahErrors" /> </elmah>
This enabled me to have a better look at what was causing the crashes. Because the elmah page is of course unavailable when BE crashes. The log had several error’s the two most common ones where:
- A potentially dangerous Request.Path value was detected from the client
- Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
to my pages section in the web.config and have added:
to the httpRuntime section and my error logging feature stays empty and the BlogEngine application returns a nice 404 when trying some querystring injection and/or XSS attacks.
So this will fix all the thrown exceptions and keeps my application pool from automatically shutting down. I have found this on StackOverflow http://stackoverflow.com/a/6026291/169714 but turning off the validateRequest seems like a bad idea.
Good luck with BlogEngine!