ASP.NET Error - ThrowIfMaxHttpCollectionKeysExceeded

Submitted 3/14/2012 by Support


On Dec 29, 2011,   Microsoft released a security update KB2656356 / MS11-100 for ASP.NET to address a potential Denial of Service vulnerability.  In the update, Microsoft introduced a limit to the number of data elements on an ASP.NET form. The default limit is 1000 data elements which may cause a problem on the "Text Management" admin section on some sites.   Exceeding the limit will cause a ThrowIfMaxHttpCollectionKeysExceeded error.

After applying the patch to your webserver, forms that exceed the limit will generate the following error when posting:

System.Web.HttpException: The URL-encoded form data is not valid. ---> System.InvalidOperationException: Operation is not valid due to the current state of the object.
   at System.Web.HttpValueCollection.ThrowIfMaxHttpCollectionKeysExceeded()
   at System.Web.HttpValueCollection.FillFromEncodedBytes(Byte[] bytes, Encoding encoding)
   at System.Web.HttpRequest.FillInFormCollection()

To change the default MaxHttpCollectionKeys limit, add the following to your web.config file in the appSettings section and put a large value.  If it isn't big enough, make it bigger:

   <add key="aspnet:MaxHttpCollectionKeys" value="2000"></add>