  1. When users log out using CAS SSO, ASP.NET MVC triggers a HttpRequestValidationException
<p>We're using the <a href="https://wiki.jasig.org/display/CASC/.Net+Cas+Client" rel="nofollow">Jasig .NET CAS Client</a> to interface with our organization's CAS SSO server.</p>
<p>However, we've noticed that in ASP.NET MVC 3 (and I would assume this affects ASP.NET WebForms as well) applications, when users log out, we see the following error in our error log:</p>
<pre><code>System.Web.HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (logoutRequest="&lt;samlp:LogoutRequest...").
   at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
   at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection)
   at System.Web.HttpRequest.get_Form()
   at System.Web.HttpRequest.FillInParamsCollection()
   at System.Web.HttpRequest.GetParams()
   at DotNetCasClient.Utils.RequestEvaluator.GetRequestIsCasSingleSignOut() in C:\Projects\Jasig\CAS\dotnet-client\trunk\DotNetCasClient\Utils\RequestEvaluator.cs:line 292
   at DotNetCasClient.CasAuthenticationModule.OnBeginRequest(Object sender, EventArgs e) in C:\Projects\Jasig\CAS\dotnet-client\trunk\DotNetCasClient\CasAuthenticationModule.cs:line 93
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously)
</code></pre>
<p>I don't believe this is an error message users are receiving -- it seems to only be seen by the server. As far as the users are concerned, log out is successful.</p>
<p>Is there any way I can get ASP.NET MVC to stop trying to validate these types of requests? I know I can disable request validation completely, but that's out of the question. <a href="http://www.experts-exchange.com/Programming/Languages/.NET/Q_26769212.html" rel="nofollow">The site with a hyphen</a> has a good question on this, but not really an acceptable answer:</p>
<blockquote>
<p>add the following setting to the web.config:</p>
<p><code>&lt;httpRuntime requestValidationMode="2.0" /&gt;</code></p>
<p>After setting this value, you can disable request validation by setting validateRequest="false"</p>
</blockquote>
<p>So, <em>is there any way to disable ASP.NET validation for this request without turning it off completely?</em></p>
<p><strong>Edit:</strong> This is also tricky to debug because this request is coming from the CAS server, NOT from the user's browser. I think this is the CAS server attempting to notify all running applications that the user has signed out (<em>single sign out</em>). So we're only receiving this error in production, not when testing locally.</p>
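<p>One way to scope the exemption to the single sign-out POST described above, as an added example that is not part of the original post or of the Jasig client: a custom <code>System.Web.Util.RequestValidator</code> (the ASP.NET 4 extension point) that skips validation only for a <code>logoutRequest</code> form field that parses as a SAML <code>LogoutRequest</code>, and defers to the built-in validator for everything else. The class name, namespace, length cap, and the assumption that the CAS server binds <code>samlp:</code> to the standard SAML 2.0 protocol namespace are hypothetical.</p>

```csharp
using System.IO;
using System.Web;
using System.Web.Util;
using System.Xml;

namespace Example.Web // hypothetical namespace and assembly name
{
    // Register in web.config (validation stays enabled for every other input):
    //   <httpRuntime requestValidationType="Example.Web.CasLogoutRequestValidator, Example.Web" />
    public class CasLogoutRequestValidator : RequestValidator
    {
        // Assumption: the CAS server uses the standard SAML 2.0 protocol namespace.
        private const string SamlProtocolNs = "urn:oasis:names:tc:SAML:2.0:protocol";
        private const int MaxLength = 8192; // assumed upper bound for a logout message

        protected override bool IsValidRequestString(HttpContext context, string value,
            RequestValidationSource requestValidationSource, string collectionKey,
            out int validationFailureIndex)
        {
            // Exempt only: POSTed form field "logoutRequest" holding a SAML LogoutRequest.
            if (context != null
                && requestValidationSource == RequestValidationSource.Form
                && collectionKey == "logoutRequest"
                && context.Request.HttpMethod == "POST"
                && IsSamlLogoutRequest(value))
            {
                validationFailureIndex = -1;
                return true;
            }
            // Everything else goes through the built-in checks unchanged.
            return base.IsValidRequestString(context, value, requestValidationSource,
                collectionKey, out validationFailureIndex);
        }

        private static bool IsSamlLogoutRequest(string value)
        {
            if (string.IsNullOrEmpty(value) || value.Length > MaxLength) return false;
            // No DTDs and no external resolution while inspecting untrusted XML.
            var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
            try
            {
                using (var reader = XmlReader.Create(new StringReader(value), settings))
                {
                    reader.MoveToContent(); // advance to the root element
                    return reader.NodeType == XmlNodeType.Element
                        && reader.LocalName == "LogoutRequest"
                        && reader.NamespaceURI == SamlProtocolNs;
                }
            }
            catch (XmlException) { return false; } // not XML: fall back to normal validation
        }
    }
}
```

<p>The exempted value is still untrusted input: this only stops the validator from rejecting it, so whatever consumes <code>logoutRequest</code> must continue to parse it defensively and must never echo it into a response.</p>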
 
