Core: Url length

Created on 25 Jan 2018 · 9 Comments · Source: dotnet/core

Is there a way to set a maxUrlLength configuration value in Asp.Net Core? I see how this is done in web.config in earlier versions of the framework.

I am trying to incorporate URL encryption, due to which the URL is exceeding 260 characters, and in that case it gives a bad request for URL lengths greater than 260.

Help on this will be much appreciated.

All 9 comments

@DamianEdwards @muratg

If you are thinking about encrypting URL parameters, don’t. This is a bad security approach and you shouldn’t do it.

@rajurh I agree with @h3smith, there are probably better ways to do what you want. That being said, I think the answer somewhat depends on your setup. Kestrel/HttpSysServer? Behind IIS/nginx or as an edge server? Azure?

cc @halter73 @Tratcher

@halter73 If you don't want me to encrypt the URL, what do you suggest? I don't want the URL to be tampered with, e.g. xyz.com?requestid=121. If it's plain, anyone can change the IDs in the browser.

What are your thoughts on the above scenario, if you think the above approach is not good?

@rajurh And what's the problem with people changing the ID in the browser?

  • If you're trying to hide a resource (from folks putting its ID in a URL in the browser), the right way to do it is through proper access control mechanisms.
  • If you're trying to hide it from man-in-the-middle attacks, just use HTTPS.

People guessing URL parameters should be mitigated by 1) ensuring that the user can access the resource defined in the URL parameter and 2) never using primary keys as identifiers you send to the world; use GUIDs / random values.

:+1: about it being a bad idea to encrypt URL parameters. Others have already suggested alternatives for that.

If there is some other reason you want to increase Kestrel's allowed URL length, you can do so via KestrelServerLimits.MaxRequestLineSize.

As the MaxRequestLineSize doc comments point out, Kestrel already allows URLs approaching 8KB, so I doubt you're actually running into that limit. You're probably running into a limit enforced by either a proxy (e.g. IIS, nginx) or the client/browser.
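Added example, not part of the original thread and not code from any commenter or from the ASP.NET Core project: a minimal `Program.cs` (.NET 6+) that applies the advice in the comments above. The request ID stays in plain text in the URL, the server checks that the signed-in caller owns the resource, public IDs are GUIDs, and `KestrelServerLimits.MaxRequestLineSize` is set explicitly. The routes, the in-memory sample data and the password-less `/demo-login` endpoint are hypothetical stand-ins, and the default web project template with implicit usings is assumed.

```csharp
// Program.cs of an ASP.NET Core (.NET 6+) web project. Added example; all names are hypothetical.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);

// Raise Kestrel's request-line limit only if really needed; the default is 8192 bytes.
builder.WebHost.ConfigureKestrel(o => o.Limits.MaxRequestLineSize = 16 * 1024);

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie();
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Constructed sample data: public ids are random GUIDs, not database primary keys.
var requests = new Dictionary<Guid, (string Owner, string Body)>
{
    [Guid.NewGuid()] = ("alice", "Alice's request"),
    [Guid.NewGuid()] = ("bob", "Bob's request"),
};

// Demo stand-in for a real login flow: issues the auth cookie without checking a password.
app.MapGet("/demo-login/{name}", async (string name, HttpContext ctx) =>
{
    var identity = new ClaimsIdentity(
        new[] { new Claim(ClaimTypes.NameIdentifier, name) },
        CookieAuthenticationDefaults.AuthenticationScheme);
    await ctx.SignInAsync(new ClaimsPrincipal(identity));
    // Return the caller's own request ids so the endpoint below can be tried out.
    return Results.Ok(requests.Where(r => r.Value.Owner == name).Select(r => r.Key));
});

// The id arrives in plain text; the server decides whether this caller may read it.
app.MapGet("/requests/{id:guid}", (Guid id, ClaimsPrincipal user) =>
{
    var caller = user.FindFirst(ClaimTypes.NameIdentifier)?.Value;
    // Same 404 for "does not exist" and "not yours", so ids cannot be probed.
    if (!requests.TryGetValue(id, out var req) || req.Owner != caller)
        return Results.NotFound();
    return Results.Ok(req.Body);
}).RequireAuthorization();

app.Run();
```

Signing in as `alice` and then requesting one of Bob's GUIDs returns 404, which is the behaviour URL encryption was meant to provide, without lengthening the URL.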

@rajurh did you get everything you need from the responses? Can we close this issue?

Yes, please go ahead

On Sun, Mar 11, 2018 at 9:49 PM, Peter Marcu notifications@github.com
wrote:

@rajurh https://github.com/rajurh did you get everything you need from
the responses? Can we close this issue?
