This is the default of BlogEngine 2.7:
<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime enableVersionHeader="false" useFullyQualifiedRedirectUrl="true" maxRequestLength="16384" executionTimeout="3600" requestLengthDiskThreshold="16384" requestValidationMode="2.0"/>
    <pages enableSessionState="false" enableViewStateMac="true" enableEventValidation="true" controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID">
      ...
    </pages>
  </system.web>
</configuration>
And I have used these settings for quite a while. But my application pool keeps crashing after about a week.
I have enabled elmah logging:
<elmah>
  <errorLog type="Elmah.XmlFileErrorLog, Elmah" logPath="~/elmahErrors" />
</elmah>
This enabled me to have a better look at what was causing the crashes, because the elmah page is of course unavailable when BE crashes. The log had several errors; the two most common ones were:
- A potentially dangerous Request.Path value was detected from the client
- Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
validateRequest="true"
to my pages section in the web.config and have added:
requestPathInvalidCharacters=""
to the httpRuntime section and my error logging feature stays empty and the BlogEngine application returns a nice 404 when trying some querystring injection and/or XSS attacks.
So this will fix all the thrown exceptions and keep my application pool from automatically shutting down. I have found this on StackOverflow, http://stackoverflow.com/a/6026291/169714, but turning off the validateRequest seems like a bad idea.
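An added example, not part of the original post: a small Python audit that reads a web.config and reports which of the request-validation settings discussed above are weaker than the ASP.NET 4 defaults. The sample config is constructed from the post's default plus its two changes, and the function names `audit` and `is_false` are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# ASP.NET 4 default for httpRuntime/@requestPathInvalidCharacters.
DEFAULT_PATH_CHARS = set("<,>,*,%,&,:,\\,?".split(","))

# Constructed sample: the post's default config with its two changes applied.
SAMPLE = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime enableVersionHeader="false" requestValidationMode="2.0"
                 requestPathInvalidCharacters=""/>
    <pages enableSessionState="false" enableViewStateMac="true"
           enableEventValidation="true" validateRequest="true"/>
  </system.web>
</configuration>"""

def is_false(elem, attr):
    """True when the attribute is explicitly set to false on the element."""
    return elem is not None and elem.get(attr, "").strip().lower() == "false"

def audit(xml_text):
    """Return {setting: finding} for settings weaker than the defaults."""
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return {}
    runtime, pages = web.find("httpRuntime"), web.find("pages")
    findings = {}
    if runtime is not None:
        chars = runtime.get("requestPathInvalidCharacters")
        if chars is not None:
            # Characters from the default list that the config no longer rejects.
            allowed = DEFAULT_PATH_CHARS - {c for c in chars.split(",") if c}
            if allowed:
                findings["requestPathInvalidCharacters"] = (
                    "no longer rejected in URL paths: " + " ".join(sorted(allowed)))
        if runtime.get("requestValidationMode") == "2.0":
            # 2.0 mode validates page requests only and honors validateRequest.
            findings["requestValidationMode"] = "only page requests are validated"
    for attr in ("validateRequest", "enableViewStateMac", "enableEventValidation"):
        if is_false(pages, attr):
            findings[attr] = "disabled"
    return findings

if __name__ == "__main__":
    for setting, finding in audit(SAMPLE).items():
        print(f"{setting}: {finding}")
```

With the empty `requestPathInvalidCharacters` value, the audit reports that none of the eight default characters is rejected in URL paths any more, which is why the Request.Path exception stops appearing in the log. Listing only the characters the site does not need in its URLs keeps part of that check in place.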
Good luck with BlogEngine!