I’m using the standard asp:Login control, and we have a user who recently changed her password to include an angle bracket. When she tries to log in, she gets an error message, and I get the standard ‘dangerous request’ exception.
I know I can set ValidateRequest="false" on the page to negate this, but I was hoping someone knew of a better way.
Thanks!
Solution
We made her change her password to remove the bracket. Pragmatic wins out again. Thanks for the replies.
Unfortunately I don’t think that there is a better way. Perhaps preventing users from being able to enter any of the characters/character patterns that are considered malicious as their password might be the pragmatic option.
Turning the request validation off may potentially open up bigger holes than the minor inconvenience of one user not being able to use < or > in their password. You may want to look at something like the Web Protection Library and the Security Runtime Engine for additional web application security.
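As an added example (not code from the question or the reply above), here is the character restriction the answer suggests, written as a C# policy check that runs when the password is set rather than when it is later submitted to the login page. The blocked set (`<`, `>` and the `&#` entity prefix) is this example's own choice and an assumption about what request validation trips on, not a list taken from the framework.

```csharp
// Added example, not code from the question or the answer: a server-side
// password-policy check that rejects characters ASP.NET request validation
// trips on, so the user is told at password-change time instead of being
// locked out at the next login. The blocked set ('<', '>' and the "&#"
// entity prefix) is this example's own choice and an assumption about the
// validator's rules; it keeps ValidateRequest enabled on the login page.
using System;

public static class PasswordPolicy
{
    // Returns null when the candidate password is acceptable, otherwise a
    // message suitable for showing to the user.
    public static string Check(string candidate)
    {
        if (string.IsNullOrEmpty(candidate))
            return "Password must not be empty.";

        for (int i = 0; i < candidate.Length; i++)
        {
            char c = candidate[i];
            if (c == '<' || c == '>')
                return "Password must not contain '<' or '>'.";
            // "&#" begins a numeric character reference, which request
            // validation also rejects (assumption of this example).
            if (c == '&' && i + 1 < candidate.Length && candidate[i + 1] == '#')
                return "Password must not contain '&#'.";
        }
        return null;
    }

    // Constructed sample passwords for a quick offline run of the check.
    public static void Main()
    {
        string[] samples = { "correct horse battery", "p<ssw0rd", "a&#60;b", "safe>enough" };
        foreach (string s in samples)
        {
            string reason = Check(s);
            Console.WriteLine("{0,-22} -> {1}", s, reason ?? "ok");
        }
    }
}
```

On an ASP.NET page that uses the ChangePassword control, call `PasswordPolicy.Check(changePassword.NewPassword)` from the control's `ChangingPassword` event handler and set `e.Cancel = true` (with the returned message in `ChangePasswordFailureText`) when it is non-null. The same rule can be pushed into the membership provider's `passwordStrengthRegularExpression` attribute in web.config (for example `^[^<>]{8,}$`), which then applies to every place a password is set, not just that one page.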