ASP.NET 2.0 maximum URL length?

[Guest]

Using IIS7, Vista x64, ASP.NET 2.0.

I am getting HTTP 400 "Bad Request" for the following URL:
/HTTPVPNWebPortal/62ccc22e-069b-441e-b9f0-83b45e7f4f1e/UdVpnSGFuZGxlcnMvQ292ZXJBcnQuYXNoeD9DJTNhJTVjRG9jdW1lbnRzK2FuZCtTZXR0aW5ncyU1Y011c2hyb29tJTVjTXkrRG9jdW1lbnRzJTVjTXkrTXVzaWMlNWNGcmVuY2glNWNBbWVpbGUlNWNZYW5uK1RpZXJzZW4rLStMYStOb3llZS5tcDM=/SecureTunnel.axd

Here's what makes difference:
- URL length: As soon as I make this URL two chars shorter - HTTP 400 error
goes away. Note that length of the first URL segment - the application name
(HTTPVPNWebPortal) - is irrelevant. App name's length makes no different -
only the rest of the URL does. Also splitting URL into more segments by
adding '/' to it makes no difference either.
- Changing resource extension from .AXD to .HTM makes 400 go away, so looks
like it's an ASP.NET thing. Changing the extension to .ASPX brings error back.

My question is this: is it possible to configure ASP.NET to allow longer
URLs for .ASPX and .AXD resources?

Thank you,

 

[Juan T. Llibre]

re:
!> I am getting HTTP 400 "Bad Request" for the following URL:

Hi, Vlad.

What you're running into is the default 260 character URL limit.

/HTTPVPNWebPortal/62ccc22e-069b-441e-b9f0-83b45e7f4f1e/UdVpnSGFuZGxlcnMvQ292ZXJBcnQuYXNoe
D9DJTNhJTVjRG9jdW1lbnRzK2FuZCtTZXR0aW5ncyU1Y011c2hyb29tJTVjTXkrRG9jdW1lbnRzJTVjTXkrTXV
zaWMlNWNGcmVuY2glNWNBbWVpbGUlNWNZYW5uK1RpZXJzZW4rLStMYStOb3llZS5tcDM=/SecureTunnel.axd

....is exactly 261 characters long.

The way to change that limit depends on which version of IIS you use.

See the section titled "IIS HTTP GET and POST Limits" in this IIS Insider article:
http://www.microsoft.com/technet/community/columns/insider/iisi1205.mspx
....for instructions on how to change that limit in IIS 4.0, 5.0 and 6.0.

 

[Guest]

Juan,

According to the article you linked to MaxUrl value of 260 is limited by
URLScan - an add-on tool I have not installed. Besides, I can make the URL
longer than 260 and not get HTTP 400 as long as I make URL end with .HTML,
not ASPX/AXD, which leads me to the conclusion it is ASP.NET, and not IIS
setting that affects the behavior. Are there ASP.NET settings limiting the
length of the URL?

 

[Juan T. Llibre]

re:
!> According to the article you linked to MaxUrl value of 260 is limited by
!> URLScan - an add-on tool I have not installed.

Install URLScan, then.
It's a recommended install for IIS 4.0 and 5.0, anyway.

Download URLScan 2.5 from :
http://www.microsoft.com/downloads/...37-dd7e-4613-9928-7f94ef1c902a&displaylang=en

MaxUrl specifies the maximum length of the request URL, not including the query string.

If you include the query string, that limit is 2,083 or 2,048 characters, if you're using IE.

The max length including the request Url *and*
the query string, is a browser feature, not a server feature.

re:
!> which leads me to the conclusion it is ASP.NET, and not IIS
!> setting that affects the behavior

It's not an ASP.NET setting. It's an IIS setting.

Btw, many users are wary of gobbledygook URLs like the one you're attempting to implement.

Do you *absolutely* need purposely obfuscated, very long, URLs ?
Hackers make use of long URLs to induce buffer overruns in unpatched clients.

 

[Guest]

I still need an answer to the question:
which setting is limiting URL length to 260 right now, with no URLScan
explicitly installed on my IIS7/Vista system?

Also, if it's IIS setting, why is it applied only to AXD and ASPX URLs, but
not to HTML? I would appreciate the explanation of the difference.

Regarding obfuscated URLs, the application acts as an intermediary and has
to pass through URLs as long as target system demands - the URL length
requirement is not up to this system's spec.

 

[Juan T. Llibre]

For some reason, it didn't register with me that you are using IIS 7.0.
I thought you were using IIS 5 and that's why I suggested URLScan.

Sorry for the confusion.

For IIS 7.0, the MaxUrl property in URLScan was incorporated into its configuration.

See :
http://msdn.microsoft.com/library/d...html/2464898f-f4aa-4955-919e-ed7492ad2b78.asp

re:
!> Also, if it's IIS setting, why is it applied only to AXD and ASPX URLs, but
!> not to HTML? I would appreciate the explanation of the difference.

Maybe the request type ?

ASP.NET uses POST. The default for HTML is GET, unless you're POSTing data.

Run this script. It will tell you what IIS 7.0's current default settings are.

Tinker with the settings until you have the length you want.

' Connect to the WMI WebAdministration namespace.
Set objWMIService = GetObject("winmgmts:root\WebAdministration")

' Get the RequestFilteringSection.
Set oRequestFilteringSection = objWMIService.Get( _
"RequestFilteringSection.Path='MACHINE/WEBROOT/APPHOST',Location=''")

' Set a variable to the RequestFilteringSection.RequestLimits property,
' which contains an array of RequestLimitsElement objects.
Set oRequestLimitsElement = oRequestFilteringSection.RequestLimits

' Display the path and list the non-array RequestLimitsElement properties.
WScript.Echo "[Request Limits]"
WScript.Echo "Path: " & oRequestFilteringSection.Path
WScript.Echo "maxAllowedContentLength: " & _
oRequestLimitsElement.maxAllowedContentLength
WScript.Echo "maxUrl: " & oRequestLimitsElement.maxUrl
WScript.Echo "maxQueryString: " & oRequestLimitsElement.maxQueryString
WScript.Echo

' List the contents of the RequestLimitsElement.HeaderLimits.HeaderLimits
' property, which contains an array of HeaderLimitsElement instances.
WScript.Echo vbtab & "[Header Limits]"
For Each oHeaderLimit In oRequestLimitsElement.HeaderLimits.HeaderLimits
WScript.Echo vbtab & "Header: " & oHeaderLimit.Header
WScript.Echo vbtab & "Header size limit: " & oHeaderLimit.sizeLimit
WScript.Echo
Next

For your IIS 7.0 questions, the IIS 7.0 Forums would be a good place to post them.

http://forums.iis.net/default.aspx?GroupID=41

All the IIS 7.0 MVPs hang out there.

 

[Guest]

Juan,
thank you for the script. It reported maxUrl set to 4096, not 260.

Regarding difference between the behavior of the HTML URL and ASPX URL, both
were GET requests. I used Fiddler to check whether tweaking headers would
change the outcome, and found that with headers or no headers the result is
the same: HTTP 400 for ASP.NET requests and no "bad request" for HTML
requests. URL and URL only, not type of request or headers, determines
whether I get HTTP 400.

I think these two factors prove conclusively that this is not an IIS
settings limiting the lenght of the URL but some ASP.NET setting, just like I
stated in my initial post. Any ideas?

 

[Juan T. Llibre]

re:

Any ideas?

Fresh out of ideas. Have you posted the question to the IIS 7.0 forums ?

http://forums.iis.net/default.aspx?GroupID=41

All the IIS 7.0 MVPs hang out there.

 

[Juan T. Llibre]

re:
!>> thank you for the script. It reported maxUrl set to 4096, not 260.

There's something odd in this.

The msdn documentation has two pages with the same setting for maxUrl.

http://msdn2.microsoft.com/en-us/library/ms691401.aspx
....says that the default for maxUrl is 260 bytes.

http://msdn.microsoft.com/library/d...html/ad0f126f-9538-318d-dee0-c77a72fba0c5.asp
also says that the default for maxUrl is 260 bytes.

However, the Technet IIS 7.0 SDK docs say that it's 16K:
http://msdn.microsoft.com/library/e...html/2464898f-f4aa-4955-919e-ed7492ad2b78.asp

Now, the script tells us that your setting is 4K, so something's fishy.

One more thing:

The ms691401 page says that the info in it is specific to the .NET Framework 3.0,
however, http://msdn2.microsoft.com/en-us/library/ms691401(vs.90).aspx
( which is Orcas-specific, i.e. .Net Framework 3.5 ) has the same info as ms691401.

All in all, your best bet is to raise the issue in the IIS 7.0 Forums.

http://forums.iis.net/default.aspx?GroupID=41

All IIS MVPs and some of the guys in the IIS 7.0 Development Team patrol that newsgroup.
Hopefully, one of them will have an answer, or can file a bug report.

re:

Any ideas?

Fresh out of ideas. Have you posted the question to the IIS 7.0 forums ?

http://forums.iis.net/default.aspx?GroupID=41

All the IIS 7.0 MVPs hang out there.

 

[Guest]

Juan, thanks for the info. I noticed that Teched IIS7 article is for the Beta
of IIS7 so it may be obsolete. I don't know how to reconcile supposed maxUrl
default of 260 with my 4K.

I posted the question to IIS7 forum at
https://forums.iis.net/thread/1689747.aspx.

Thank you,
Vlad.

 

[Guest]

For those interested,

"The .Net Framework has a restriction of MAX_PATH (260) characters on
physical path
and so asp.net has a similar restriction on urls - there is no way to get
around this restriction.
--------------------------------------------------------------------------------
Anil Ruia
Software Design Engineer
IIS Core Server"

http://forums.iis.net/ShowThread.aspx?PostID=1689855&PermaPostID=1689855#1689855

 

[Juan T. Llibre]

Well, you didn't get your problem solved, but at least you know know why.

;-)