My team is undergoing a migration from ColdFusion 8 on Windows Server 2003 and IIS 6 to ColdFusion 10 on Windows Server 2008 R2 and IIS 7.5.
In our standard build for the CF10 servers, we've implemented a default value of 100 for the maximum number of POST request parameters. However, my customers are requesting limits raised to upwards of 3000 due to errors in server.log showing:
"Error","ajp-bio-8018-exec-2","06/17/14","10:40:46",,"POST parameters exceeds the maximum limit 100 specified in the server. You can modify the setting in Administrator Server Settings."
I want to increase the limit to appease the customer, but not so high as to affect the stability of the environment of the application and others hosted on the server. What are the ramifications of increasing this setting to 5000 or higher? Isn't there an IIS drawback and limitation as well?
Thank you.
Best Answer
Consider that there was previously no limit. The reason for it now is to address a serious security issue that is relevant to all web programming languages, not just ColdFusion.
It's possible that they have some large forms, which require a higher setting. Rather than picking some arbitrary value, ask them to look into their code base and determine the actual highest number of posted parameters they need, then give a little for padding.
I had to do this at my company, and as part of our coding standards we've implemented a limit to the size of a form. If a new task shows up and needs more than the limit, then it gets redesigned to need less than the limit.
This article explains the HashDoS attack, which is the reason for this setting.
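One way to carry out the code-base review suggested in the answer, as an added example that is not part of the original post: a static scan that counts named form controls per `<form>`/`<cfform>` in a CFML template and flags forms whose fields sit inside a `<cfloop>` or `<cfoutput query=...>`, since those emit a run-time number of parameters and need a manual count. The tag list, the 20% padding and the sample template are assumptions constructed for illustration.

```python
import math
from html.parser import HTMLParser

FORM_TAGS = {"form", "cfform"}
FIELD_TAGS = {"input", "select", "textarea", "button",
              "cfinput", "cfselect", "cftextarea"}

class FormFieldCounter(HTMLParser):
    """Count named controls per <form>/<cfform> in one CFML template."""
    def __init__(self):
        super().__init__()
        self.forms = []    # per form: {"fields": int, "dynamic": bool}
        self._form = None  # form currently open, if any
        self._loops = []   # one bool per open cfloop/cfoutput: does it repeat?

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in FORM_TAGS:
            self._form = {"fields": 0, "dynamic": False}
            self.forms.append(self._form)
        elif tag in ("cfloop", "cfoutput"):
            # a plain <cfoutput> does not repeat its body; <cfoutput query=...> does
            self._loops.append(tag == "cfloop" or "query" in attrs)
        elif tag in FIELD_TAGS and self._form is not None and attrs.get("name"):
            self._form["fields"] += 1
            self._form["dynamic"] = self._form["dynamic"] or any(self._loops)

    def handle_endtag(self, tag):
        if tag in FORM_TAGS:
            self._form = None
        elif tag in ("cfloop", "cfoutput") and self._loops:
            self._loops.pop()

def scan(template_text):
    parser = FormFieldCounter()
    parser.feed(template_text)
    parser.close()
    return parser.forms

def suggested_limit(forms, padding=0.2):
    """Highest static field count plus padding (20% is an assumed margin)."""
    static = [f["fields"] for f in forms if not f["dynamic"]]
    return math.ceil(max(static) * (1 + padding)) if static else None

# Constructed sample template, not taken from any real application.
SAMPLE = """<form action="save.cfm" method="post">
<input name="first"><input name="last"><input type="submit" value="Save"></form>
<cfform action="bulk.cfm"><cfloop query="rows">
<cfinput name="qty_#rows.id#"></cfloop><input type="hidden" name="token"></cfform>"""
```

Forms reported with `dynamic` set to true are excluded from the suggested limit because their static count is only a lower bound; size those from the largest data set the loop can iterate over.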