Thursday, February 02, 2012

InvalidOperationException in System.Web.HttpValueCollection.ThrowIfMaxHttpCollectionKeysExceeded

A Microsoft patch for ASP.Net released on the 29th of December 2011 adds a new functionality that rejects POST http requests with more than 1000 keys and any JSON http request with more than 1000 members. That is pretty huge, and if you have encountered this exception:
Operation is not valid due to the current state of the object.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.InvalidOperationException: Operation is not valid due to the current state of the object.

Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:
[InvalidOperationException: Operation is not valid due to the current state of the object.]
System.Web.HttpValueCollection.ThrowIfMaxHttpCollectionKeysExceeded() +2692302
System.Web.HttpValueCollection.FillFromEncodedBytes(Byte[] bytes, Encoding encoding) +61
System.Web.HttpRequest.FillInFormCollection() +148

[HttpException (0x80004005): The URL-encoded form data is not valid.]
System.Web.HttpRequest.FillInFormCollection() +206
System.Web.HttpRequest.get_Form() +68
System.Web.HttpRequest.get_HasForm() +8735447
System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) +97
System.Web.UI.Page.DeterminePostBackMode() +63
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +133

then your site has been affected by this patch.

Well, you probably know that something is wrong with the design of a page that sends 1000 POST values, but still, let's assume you are in a situation where you cannot change the design of the application and you just want the site to work. Never fear, use this:

<configuration xmlns=”>
<add key="aspnet:MaxHttpCollectionKeys" value="5000" />
<add key="aspnet:MaxJsonDeserializerMembers" value="5000" />

More details:
Knowledge base article about it
The security advisor for the vulnerability fixed
The entire MS11-100 security update bulletin


Anonymous said...

Brilliant post, thanks very much for this it helped a lot.

It really confused me as it wasn't even getting anywhere near the code behind before giving me this error.

Anonymous said...

Thanks allot, this helped me to resolve my problem too. Great blog.
thanks with regards

Anonymous said...

Great job.

Anonymous said...

You are AWESOME, thanks a lot this helped me solve my error immediatly after spending hours of trouble shooting and debugging I finally managed to find out what the issue was - thank you very much for supplying this valuable piece of information!

kgmail said...

3 days of debugging then found this post. thnx!!

Anonymous said...

Thank you!! Spent the last 4 hours trying to fix this issue and this worked!

Anonymous said...

Thanks alot, it work out
It was putting breakpoints in every code block, but it did not hit any of them

Great Post

Anonymous said...

Thanks a lot. It works

Anonymous said...

Thanks so much for posting the solution!

Kyle said...

Excellent!! Thanks!

Anonymous said...

Thanks a lot for the solution

Anonymous said...


Steve said...

Thanks for posting the solution. It explains why a web page that had been working stopped without having been changed.

Anonymous said...

Apparently there are many people that have problems with pages that send too many keys, myself included.

Dean said...

I'm getting this error on a form that is part of an Intranet SharePoint site. How do I know which web.config file to put this in?

Siderite said...

All of them :) And then remove the setting where you think it might be useful to have this new Microsoft behaviour.

Williams Dhanaraj said...

Thanks for posting this solution. This is awesome it works fine for me ....gr8 site

Williams dhanaraj

Simon said...

Thank you for the posting. It solves my problem

Anonymous said...

Thanks for sharing.

dhkim said...

Thank you so~~~ much.

Goutham said...

Awesome. You made my day. Thank you very much