Exceeding maximum query string length

I am getting a message about a query string being too long. Maybe that is the part in the URL after β€œ?”?

This does NOT seem to be a RequestLength error, which has been more frequently reported.

Below, or attached, is an image with the error message. Any thoughts or suggestions? Thanks.

Yes, the query string is the part of the URL after the β€œ?”. From the error message, it looks like it’s over the default maximum of 2048 bytes. To allow longer query strings, see this StackOverflow Q&A

1 Like

If you take a close look at the error it states that Request Filtering Blocked the request because the query string was too long. You can configure that in IIS under Request Filtering, click Edit Feature Settings.

–
Pete Freitag
Foundeo Inc.

Thanks, folks. I think it is a setting not available via IIS. I made a change in the web.config file as per the StackOverflow article, and will wait to hear back from my user to see if that fixes it; I can not re-create the error myself, since it depends on some user-specific session information.

You can find it in IIS under Request Filtering then click Edit Feature Settings, you will get a popup that looks like this:

1 Like

I would be remiss if I didn’t suggest fixing the root problem in this case - the rather lengthy URL containing both security flaws and a flaw in how CFTOKEN is being generated - instead of simply applying the band-aid of allowing more characters in the query string.

First, CFID and CFTOKEN are not needed in the URL. State is well maintained for sessions via cookies these days and passing it along in the URL is considered bad practice.This style of coding is deprecated and exposing the CFID and CFTOKEN (which is useless in Lucee and always zero, btw) on the URL is a security risk.

If your code is so old that it has dependencies on the CFID being available in the URL, then at least address the other two problems I can see from that URL:

  1. CFTOKEN is being repeatedly appended with CFTOKEN (hence, cftoken = 0,0,0,0,0,0,0,0.....)
  2. the CFID and CFTOKEN are then being repeated in the url with a <cfoutput> and URL encoding

Fixing one or both of those issues would probably eliminate the issue of the query string being too long.

Removing all traces of CFID and CFTOKEN, however, would be the ideal approach to solving this problem. Depending on your code this may require some significant rewrite of how session management is handled, but right now you’re both exposing yourself to potential attack vectors and have a couple errors in the current process that could be eliminated.

HTH

– Denny

Thank you, Denard. Yes, good thoughts. I inherited this code many years ago.
It would be good to eliminate the use of the CFID and CFTOKEN, as you said.

David