On Dec 29, 2011,   Microsoft released a security update KB2656356 / MS11-100 for ASP.NET to address a potential Denial of Service vulnerability.  In the update, Microsoft introduced a limit to the number of data elements on an ASP.NET form.   The default limit is 1000 data elements.   Exceeding the limit will cause a ThrowIfMaxHttpCollectionKeysExceeded error.

After applying the patch to your webserver, forms that exceed the limit will generate the following error when posting:

System.Web.HttpException: The URL-encoded form data is not valid. —> System.InvalidOperationException: Operation is not valid due to the current state of the object.

at System.Web.HttpValueCollection.ThrowIfMaxHttpCollectionKeysExceeded()

at System.Web.HttpValueCollection.FillFromEncodedBytes(Byte[] bytes, Encoding encoding)

at System.Web.HttpRequest.FillInFormCollection()

To change the default MaxHttpCollectionKeys limit, add the following to your web.config file in the appSettings section and put a large value.  If it isn’t big enough, make it bigger:


<add key=”aspnet:MaxHttpCollectionKeys” value=”2000″></add>



Microsoft KB Article

December 2011 Out-Of-Band Security Bulletin Webcast Q&A

Stackoverflow Post


.net dotnet appSettings asp.net ASP.NET

See our .Net Development Page for information on .net development consulting and outsourcing.