URL length with query string parameters

Hello,

I'm trying to make a request (GET) to a page and receive the status Error 404 - File or directory not found.

The URL (example) used has 1207 characters, which for the URL length of a GET request I think be within the limits:

https://mmachado.outsystemscloud.com/Service/SLO.aspx?SAMLRequest=nVNrb5swFP2%2BX4H8dSK8H7ECFSmNRqHNmlezfKkMdoJbAgQbSvLrR5Jl61qpmiZLV%2FLVvefcc3w9uGq3mdCQitEid4DSk4FA8qTANN84YD4biTa4cr8MGNpmagmjYlPUfEJ2NWFc8LtAc8RPrSnnJYOShEnTS2iHQZFIca%2Fk0vX5FvjSNBpPSdXQhPQQK1sgBL4DnvoyXiNL04msaUTRDcWIiaoTSzNlndg66soYq0mQM45y7gBVVvqiooiyOVMsqPWhYvdMw1wBYXHRoR51dMpyBs%2BTO6CuclggRhnM0ZYwyBM49e4i2JXCsip4kRQZcM9C4YmweovwOQBijFRHH4B78SErNjQXP7pBcSmxlMZxkRGeDqS3hBf6%2B44g8IVRUW0R%2F5z5mKFYXJ9KIa9Qzjo6DoQjxkONMrqmpPrzPP82FhCm398BfGgB%2F2WP5%2BHD6vF%2Bv1o%2BtNuw3aVZFO9X6vXc83fxTtLCrL05TG7VWXjnP77Sw4sRkklD1eVSGbGl32QbPk6GlTd%2BtvhXq%2F4x0tfR4pAOk5sUB3Nqkhdl0Ug3REKLbmOS5733rZrb%2FnAUhWRe3xrhq%2BNcTD%2Fb7F6We0rYcXuCHJPWfdJVwzaJrlrrxLBtxcCmrJkKTkzcHcOOf4G8a%2Fud%2FeunuD8B&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=nCIcLvESHO79m0fDnwa3UYP9Q8mK5EbRx6xe%2BgWyfCiHAc7yVL2moJnMj6uqnuz9QZkGyBZq2u%2FKBblafXn%2BSLzYIPptKo5Iy0Q3cyFSIdsKIXm4quys3Mc9zwCD5dGxfugLyS5fVdDrqfQ%2BBCnBB8Olf4Oc1H3XDhmqXcrpkdep%2FUiqFPNck4PU2gkUeqaZBIqybE9%2B9ogTHaQGyIsgQKvMgB8P8TySycOjj2xb2K3AiXBJWOBY%2BaPeU1YbxfChvBjy3%2FXNRiLdNMtdkmqZag2hyYJGhAs0cyl2n2s%2B78IpXDKCEu%2Bgbuhu4tC8eZdBfAxrI9c0uDCxvY0jsYjP0w%3D%3D

However (only for testing) if I cut the length of this URL to 1079 characters I can already access the page:

https://mmachado.outsystemscloud.com/Service/SLO.aspx?SAMLRequest=nVNrb5swFP2%2BX4H8dSK8H7ECFSmNRqHNmlezfKkMdoJbAgQbSvLrR5Jl61qpmiZLV%2FLVvefcc3w9uGq3mdCQitEid4DSk4FA8qTANN84YD4biTa4cr8MGNpmagmjYlPUfEJ2NWFc8LtAc8RPrSnnJYOShEnTS2iHQZFIca%2Fk0vX5FvjSNBpPSdXQhPQQK1sgBL4DnvoyXiNL04msaUTRDcWIiaoTSzNlndg66soYq0mQM45y7gBVVvqiooiyOVMsqPWhYvdMw1wBYXHRoR51dMpyBs%2BTO6CuclggRhnM0ZYwyBM49e4i2JXCsip4kRQZcM9C4YmweovwOQBijFRHH4B78SErNjQXP7pBcSmxlMZxkRGeDqS3hBf6%2B44g8IVRUW0R%2F5z5mKFYXJ9KIa9Qzjo6DoQjxkONMrqmpPrzPP82FhCm398BfGgB%2F2WP5%2BHD6vF%2Bv1o%2BtNuw3aVZFO9X6vXc83fxTtLCrL05TG7VWXjnP77Sw4sRkklD1eVSGbGl32QbPk6GlTd%2BtvhXq%2F4x0tfR4pAOk5sUB3Nqkhdl0Ug3REKLbmOS5733rZrb%2FnAUhWRe3xrhq%2BNcTD%2Fb7F6We0rYcXuCHJPWfdJVwzaJrlrrxLBtxcCmrJkKTkzcHcOOf4G8a%2Fud%2FeunuD8B&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=nCIcLvESHO79m0fDnwa3UYP9Q8mK5EbRx6xe%2BgWyfCiHAc7yVL2moJnMj6uqnuz9QZkGyBZq2u%2FKBblafXn%2BSLzYIPptKo5Iy0Q3cyFSIdsKIXm4quys3Mc9zwCD5dGxfugLyS5fVdDrqfQ%2BBCnBB8Olf4Oc1H3XDhmqXcrpkdep%2FUiqFPNck4PU2gkUeqaZBIqybE9%2B9ogTHaQGyIsgQKvMgB8P8TySycOj

What is the reason to a URL with 1207 characters not work and a URL with 1079 characters work?

Please see in attach the Service.oml module that simulates this situation.

I'm using Outsystems Service Studio 11.6.6 (build 4872) and Platform version is 11.0.424.0 .

How can I fix this?

Thanks in advance.

Mauro Machado

The reason is that IIS does indeed limit the size of the URLs in the requests, and returns a 404 error to the client if the URL exceeds this size. The maximum size IIS allows is 2048 bytes, but lower values can be configured, and I guess this is what OutSystems does.

https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/requestlimits/

A workaround for this is to use post requests, which will move the parameters from the URL to the header, but note that even then IIS still limits to the header size to 16384 bytes, and will also return a 404 error to the client if you exceed this limit. Also, as for URLs, the maximum header size can be configured to less than the IIS limit.

Hi all,

May I know how to configure the [IDP] forge or ADFS to send SAMLRepsonse by POST method?

Thank in advance.

In order to increase the max query string in Outsystems, you can use the Factory Configuration component to create a shared configuration and apply it to the module that has the screen that needed to receive the larger URL.

You can find below the shared configuration template:

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" 
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
    <xsl:output method="xml" indent="yes" encoding="UTF-8"/>
    <xsl:template match="@*|node()">
        <xsl:copy>
            <xsl:apply-templates select="@*|node()"/>
        </xsl:copy>
    </xsl:template>
    <xsl:template match="/configuration/system.webServer/security/requestFiltering">
        <xsl:copy>
            <xsl:apply-templates select="@*|node()"/>
            <requestLimits maxUrl="3000" maxQueryString="3000"/>
        </xsl:copy>
    </xsl:template>
</xsl:stylesheet>

On the example, I'm using 3000 chars for the maxURL and 3000 for the QueryString. Feel free to adjust as per your requirements.

Regards,

Mauro Machado wrote:

It is absolutely the configuration of server, there are some ways to fix it

1. increase the request length in configuration on server. but if your data is larger, u will get the same error
2. try to use POST and specify data in body
3. can make a weird GET api which accept header, url and body

If I was in this case, I will choose option 2, it makes 

• my url clean and keep user away from nonsense data on the address bar
• I can stay safe from the data length

I also want to use POST method. However, I don't how to configure ADFS to response logout in POST method.

Any ideas?

In our case, we were getting error in maxQueryStringLength parameter.

"The length of the query string for this request exceeds the configured maxQueryStringLength value"

So we had to change the httpruntime settings in shared configuration under Factory Configuration.

<xsl:template match="/configuration/system.web/httpRuntime">
<xsl:copy>
<xsl:attribute name="maxQueryStringLength">REPLACE_WITH_VALUE_HERE</xsl:attribute>
<xsl:attribute name="maxUrlLength">REPLACE_WITH_VALUE_HERE</xsl:attribute>
</xsl:copy>
</xsl:template>

Thank for your information.

It's solved