Yesterday a few of us at the office had to track down a frustrating
bug/feature that prevented ASP.NET 1.1 Framework web application from running on
Internet Information Server 7 (IIS7) and Windows Server 2008 (Windows 2008).
Situation:
We host several client sites on our public hosting server. We migrated the
1.1 Framework Applications to Windows 2008 / IIS7 running the pool pipeline in
‘classic mode’. One site appeared to work fine, except that a button on a
particular page did now work. It appeared as if the asp:button, which is
generated in the HTML as a Submit button, did not post back to the server. The
button did work on the Windows Server 2003 / IIS6 environment.
Problem:
We finally determined, after several hours, that the problem was due to:
- non-standard coding practices of using a ‘get’ action type in a ASP.NET
form
- a very large dropdownlist (more than 2000 records)
- 2.0 Framework security in IIS7 adding a hidden form element called
“__EVENTVALIDATION”.
The combination of these factors together caused an extremely large URL to be
created during the ‘get’ request. Large URL’s use to cause buffer overflow
issues, so the IIS7 team wisely has added a security feature to reject large URL
requests. II7 security rejected our request with a 403 (or possibly a 404) Http
error code.
Solutions:
1. You can set your @Page directive to disable event
validation for that page - EnableEventValidation = “false”
<%@ Page Language=”vb” AutoEventWireup=”false”
Codebehind=”yourpage.aspx.vb” Inherits=”namespace.yourpage”
EnableViewState=”false” EnableEventValidation=”false”
%>
2. You can set your web.config to disable event validation
for that page
<location path="yourpage.aspx">
<system> </system></location>
<pages enableeventvalidation="false"></pages>
Note: these solutions are not compatible with II6 and
Windows Server 2003!! I do not know of a solution that would be forward and
backwards compatible.
A little more about Event Validation from MSDN:
The EnableEventValidation attribute
indicates whether event validation should be performed. The default value is
true. A
Web application can optionally disable event validation to revert to .NET
Framework version 1.0 behavior.
Event validation reduces the risk of unauthorized postback requests and
callbacks. It instructs ASP.NET to validate only those events that can be raised
in the control during a postback request or callback. With this model, a control
registers its events during rendering and then validates the events during the
post-back or callback handling. All event-driven controls in ASP.NET use this
feature by default.
When event validation is enabled a hidden input field is appended on to the
bottom of your HTML form like the following:
<input type=”hidden” name=”__EVENTVALIDATION” id=”__EVENTVALIDATION”
value=”/wEWigsCgoLO0gICm7n0HQLngYvWCQLogc…”/>
Depending on the size of the content within your controls this may be several
hundred or several thousand characters long.