Maximum request length exceeded, IIS 8.5 [duplicate] - web-config

I am getting the error Maximum request length exceeded when I am trying to upload a video in my site.
How do I fix this?

If you are using IIS for hosting your application, then the default upload file size is 4MB. To increase it, please use this below section in your web.config -
<configuration>
<system.web>
<httpRuntime maxRequestLength="1048576" />
</system.web>
</configuration>
For IIS7 and above, you also need to add the lines below:
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="1073741824" />
</requestFiltering>
</security>
</system.webServer>
Note:
maxRequestLength is measured in kilobytes
maxAllowedContentLength is measured in bytes
which is why the values differ in this config example. (Both are equivalent to 1 GB.)

I don't think it's been mentioned here, but to get this working, I had to supply both of these values in the web.config:
In system.web
<httpRuntime maxRequestLength="1048576" executionTimeout="3600" />
And in system.webServer
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="1073741824" />
</requestFiltering>
</security>
IMPORTANT : Both of these values must match. In this case, my max upload is 1024 megabytes.
maxRequestLength has 1048576 KILOBYTES, and maxAllowedContentLength has 1073741824 BYTES.
I know it's obvious, but it's easy to overlook.

It may be worth noting that you may want to limit this change to the URL you expect to be used for the upload rather then your entire site.
<location path="Documents/Upload">
<system.web>
<!-- 50MB in kilobytes, default is 4096 or 4MB-->
<httpRuntime maxRequestLength="51200" />
</system.web>
<system.webServer>
<security>
<requestFiltering>
<!-- 50MB in bytes, default is 30000000 or approx. 28.6102 Mb-->
<requestLimits maxAllowedContentLength="52428800" />
</requestFiltering>
</security>
</system.webServer>
</location>

And just in case someone's looking for a way to handle this exception and show a meaningful explanation to the user (something like "You're uploading a file that is too big"):
//Global.asax
private void Application_Error(object sender, EventArgs e)
{
var ex = Server.GetLastError();
var httpException = ex as HttpException ?? ex.InnerException as HttpException;
if(httpException == null) return;
if (((System.Web.HttpException)httpException.InnerException).WebEventCode == System.Web.Management.WebEventCodes.RuntimeErrorPostTooLarge)
{
//handle the error
Response.Write("Too big a file, dude"); //for example
}
}
(ASP.NET 4 or later required)

The maximum request size is, by default, 4MB (4096 KB)
This is explained here.
The above article also explains how to fix this issue :)

If you can't update configuration files but control the code that handles file uploads use HttpContext.Current.Request.GetBufferlessInputStream(true).
The true value for disableMaxRequestLength parameter tells the framework to ignore configured request limits.
For detailed description visit https://msdn.microsoft.com/en-us/library/hh195568(v=vs.110).aspx

There's an element in web.config to configure the max size of the uploaded file:
<httpRuntime
maxRequestLength="1048576"
/>

To summarize all the answers in a single place:
<system.web>
<httpRuntime targetFramework="4.5.2" maxRequestLength="1048576"/>
</system.web>
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="1073741824" />
</requestFiltering>
</security>
</system.webServer>
Rules:
maxRequestLength (expressed in kb) value must match
maxAllowedContentLength (expressed in bytes).
most of the time your system.web section may already contains an "httpRuntime". set your targetFramework to the version of your .net used.
Notes:
default value for maxRequestLength is 4096 (4mb). max value is 2,147,483,647
default value for maxAllowedContentLength is 30,000,000 (around 30mb). max value is 4,294,967,295
more info MSDN

maxRequestLength (length in KB) Here as ex. I took 1024 (1MB) maxAllowedContentLength (length in Bytes) should be same as your maxRequestLength (1048576 bytes = 1MB).
<system.web>
<httpRuntime maxRequestLength="1024" executionTimeout="3600" />
</system.web>
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="1048576"/>
</requestFiltering>
</security>
</system.webServer>

It bothered me for days too.
I modified the Web.config file but it didn't work.
It turned out that there are two Web.config file in my project,
and I should modified the one in the ROOT directory, not the others.
Hope this would be helpful.

If you have a request going to an application in the site, make sure you set maxRequestLength in the root web.config. The maxRequestLength in the applications's web.config appears to be ignored.

I was tripped up by the fact that our web.config file has multiple system.web sections: it worked when I added < httpRuntime maxRequestLength="1048576" /> to the system.web section that at the configuration level.

I had to edit the C:\Windows\System32\inetsrv\config\applicationHost.config file and add <requestLimits maxAllowedContentLength="1073741824" /> to the end of the...
<configuration>
<system.webServer>
<security>
<requestFiltering>
section.
As per This Microsoft Support Article

I was dealing with same error and after spending time solved it by adding below lines in web.config file
<system.web>
<httpRuntime targetFramework="4.7.1" maxRequestLength="1048576"/>
</system.web>
and
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="1073741824" />
</requestFiltering>
</security>
</system.webServer>

I can add to config web uncompiled
<system.web>
<httpRuntime maxRequestLength="1024" executionTimeout="3600" />
<compilation debug="true"/>
</system.web>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="1048576"/>
</requestFiltering>
</security>

Related

how passing parameter ?id=x inside location path web.config

I'm trying to redirect from web.config using this structure:
<location path="name-page.asp?id=1">
<system.webServer>
<httpRedirect enabled="true" destination="new-page.asp" httpResponseStatus="Permanent" />
</system.webServer>
</location>
But I get an error in name-page.asp?Id=1 because you can't use the "?" parameter, at least i think. How can I get around?

MaxReceivedMessageSize property not registering

I am receiving the following error when running my site:
System.ServiceModel.QuotaExceededException: The maximum message size quota for incoming messages (50000000) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element.
So I increased this property in my client and server web.config files.
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding maxReceivedMessageSize="250000000"></binding>
</basicHttpBinding>
</bindings>
</system.serviceModel>
As you see I increased it to "250000000". However, when running I still get the exact same message saying that the message size is only "50000000". Is there something else I am missing to change the size of the maxReceivedMessageSize property?
You are not targeting the correct binding. You should be mentioning it by name.
Example of this:
<basicHttpBinding>
<binding name="Binding1" maxReceivedMessageSize = "1000000">
<security mode="None" />
</binding>
</basicHttpBinding>
Details here.

How to configure SymbolSource Server Basic

I have SymbolSource Server Basic installed and running, following the instructions in Xavier Decosters blog entry.
I have set up Visual Studio as recommended by SymbolSource
The problem is that the Symbol Server returns 404's for all the url's that Visual Studio asks for.
Visual Studio accesses the following urls when trying to load the pdb:
http.../WinDbg/pdb/MightyLittleGeodesy.pdb/82A03D09EC754F5893C3806CDA329EC92/MightyLittleGeodesy.pdb
http.../WinDbg/pdb/MightyLittleGeodesy.pdb/82A03D09EC754F5893C3806CDA329EC92/MightyLittleGeodesy.pd_
http.../WinDbg/pdb/MightyLittleGeodesy.pdb/82A03D09EC754F5893C3806CDA329EC92/file.ptr
The SymbolServer website has the following:
\...\Data\MightyLittleGeodesy\1.0.0.0\Binaries\MightyLittleGeodesy\82A03D09EC754F5893C3806CDA329EC92\MightyLittleGeodesy.pdb
I have tried a large number of url variations in a browser, and I cannot get the Symbol server to return anything other than a 404 for any of them.
Does anyone know what to do here?
Thanks - Cedd
For any errors refer http://localhost/%your_app%/elmah.axd
If you faced with 404.* errors then you should check the following conditions:
Add write permissions onto 'Data' directory of application for IIS_IUSRS group
Create separate AppPool for application and enable 32bit option
Add MIME types for both .pdb (application/octet-stream) and .cs (text/plain) file types
Edit web.config and add the following lines:
<location path="Data">
<system.webServer>
<handlers>
<clear />
<add name="Deny" verb="*" path="*.config" type="System.Web.HttpForbiddenHandler" />
<add name="Allow" verb="GET,HEAD" path="*" type="System.Web.StaticFileHandler" />
</handlers>
<security>
<requestFiltering>
<fileExtensions allowUnlisted="true">
<clear />
<add fileExtension=".cs" allowed="true" />
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>
<location path="WinDbg/pdbsrc">
<system.webServer>
<handlers>
<clear />
<add name="Deny" verb="*" path="*.config" type="System.Web.HttpForbiddenHandler" />
<add name="Allow" verb="GET,HEAD" path="*" type="System.Web.StaticFileHandler" />
</handlers>
<security>
<requestFiltering>
<fileExtensions allowUnlisted="true">
<clear />
<add fileExtension=".cs" allowed="true" />
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>
My version of SymbolSource is 1.3.3

Web config transform on microsoft.identityModel - 'http://schemas.microsoft.com/XML-Document-Transform' attribute is not declared

I have got a Web.Release.config that is successfully transforming a connection string.
When I add a microsoft.identityModel section I get a warning saying
The 'http://schemas.microsoft.com/XML-Document-Transform' attribute is
not declared
And the transform doesnt work on that section.
What am I missing to get the transform to work?
Complete Web.Release.config here
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<connectionStrings>
<add name="MYNAME"
connectionString="metadata=res://*/Models.MYCOMPANY-Sales-Demo.csdl|res://*/Models.MYCOMPANY-Sales-Demo.ssdl|res://*/Models.MYCOMPANY-Sales-Demo.msl;provider=System.Data.SqlClient;provider connection string="data source=.;initial catalog=MYCOMPANYDemo;UID=MYCOMPANYDBUser;Password=********;multipleactiveresultsets=True;App=EntityFramework""
xdt:Transform="SetAttributes" xdt:Locator="Match(name)" />
</connectionStrings>
<system.web>
<compilation xdt:Transform="RemoveAttributes(debug)" />
</system.web>
<microsoft.identityModel>
<service>
<audienceUris>
<add value="http://MYCOMPANY-sales-demo.cloudapp.net/" xdt:Transform="Replace"/>
</audienceUris>
<federatedAuthentication>
<wsFederation realm="http://MYCOMPANY-sales-demo.cloudapp.net/" xdt:Transform="SetAttributes(realm)" />
</federatedAuthentication>
</service>
</microsoft.identityModel>
</configuration>
I've run into this also but have gotten it to work. What I did was a "RemoveAll" and an "Insert" instead of a replace/match:
<audienceUris>
<add xdt:Transform="RemoveAll" />
<add value="http://example.com/" xdt:Transform="Insert" />
</audienceUris>
When I do it that way I get the desired transform and output config file.
This appears to be working now with Visual Studio 2012 (v4.5.50709). I still get the 'attribute is not declared' warning in the editor, but the xdt:Transform="Replace" directive is working for me.

How can I set the Secure flag on an ASP.NET Session Cookie?

How can I set the Secure flag on an ASP.NET Session Cookie, so that it will only be transmitted over HTTPS and never over plain HTTP?
In the <system.web> element, add the following element:
<httpCookies requireSSL="true" />
However, if you have a <forms> element in your system.web\authentication block, then this will override the setting in httpCookies, setting it back to the default false.
In that case, you need to add the requireSSL="true" attribute to the forms element as well.
So you will end up with:
<system.web>
<authentication mode="Forms">
<forms requireSSL="true">
<!-- forms content -->
</forms>
</authentication>
</system.web>
See here and here for MSDN documentation of these elements.
There are two ways, one httpCookies element in web.config allows you to turn on requireSSL which only transmit all cookies including session in SSL only and also inside forms authentication, but if you turn on SSL on httpcookies you must also turn it on inside forms configuration too.
Edit for clarity:
Put this in <system.web>
<httpCookies requireSSL="true" />
Things get messy quickly if you are talking about checked-in code in an enterprise environment. We've found that the best approach is to have the web.Release.config contain the following:
<system.web>
<compilation xdt:Transform="RemoveAttributes(debug)" />
<authentication>
<forms xdt:Transform="Replace" timeout="20" requireSSL="true" />
</authentication>
</system.web>
That way, developers are not affected (running in Debug), and only servers that get Release builds are requiring cookies to be SSL.
Building upon #Mark D's answer I would use web.config transforms to set all the various cookies to Secure. This includes setting anonymousIdentification cookieRequireSSL and httpCookies requireSSL.
To that end you'd setup your web.Release.config as:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.web>
<httpCookies xdt:Transform="SetAttributes(httpOnlyCookies)" httpOnlyCookies="true" />
<httpCookies xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
<anonymousIdentification xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" />
</system.web>
</configuration>
If you're using Roles and Forms Authentication with the ASP.NET Membership Provider (I know, it's ancient) you'll also want to set the roleManager cookieRequireSSL and the forms requireSSL attributes as secure too. If so, your web.release.config might look like this (included above plus new tags for membership API):
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.web>
<httpCookies xdt:Transform="SetAttributes(httpOnlyCookies)" httpOnlyCookies="true" />
<httpCookies xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
<anonymousIdentification xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" />
<roleManager xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" />
<authentication>
<forms xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
</authentication>
</system.web>
</configuration>
Background on web.config transforms here: http://go.microsoft.com/fwlink/?LinkId=125889
Obviously this goes beyond the original question of the OP but if you don't set them all to secure you can expect that a security scanning tool will notice and you'll see red flags appear on the report. Ask me how I know. :)
secure - This attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, then there is the potential that the cookie can be sent in clear text.