
Thursday, August 30, 2007

System.Web.HttpRequestValidationException : A potentially dangerous Request.Cookies value was detected from the client

Solution:
An entry needs to be made in web.config.


Complete details are mentioned here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;821343

Error details:
1. This application uses ASP.NET version 1.1.4.
2. is enabled in the "web.config" file.
3. .NET is running under the ASP.NET user account.
4. We got the following error during the performance (perf) run on the application:
" System.Web.HttpRequestValidationException : A potentially dangerous Request.Cookies value was detected from the client (SMSESSION="...d74c2ihfD7oNQ==")"

What is validateRequest? validateRequest is a feature that tells ASP.NET whether to examine all data from the browser for potentially malicious input, particularly anything that looks like HTML or scripting, which forms the basis for many types of attacks, such as cross-site scripting. By introducing validateRequest and setting it to true by default, Microsoft has very effectively put a halt to some of the most common Web site attacks. But such efficiency comes at a cost.

Problem with validateRequest
1). You'll get the exception "A potentially dangerous Request.Form value was detected from the client" whenever it detects unencoded input.
2). Another problem with validateRequest set to true is that it is a rather broad and blunt protection, erring on the side of catching too much rather than letting something dangerous slide by.
How to disable validateRequest
1). You can do this for a single page by setting it to false in the page directive:
<%@ Page ... validateRequest="false" %>

2). You can also set it to false for the entire application by including it in the pages element of the system.web section of your web.config file:




Aftermath Of Disabling ValidateRequest
Setting validateRequest to false stops the "potentially dangerous" message, but opens your apps to attacks. If you take this step, you must take responsibility for protecting your app from attack. There are several ways to accomplish this:

· HTML encode all input from the browser. This is pretty easy to accomplish, because the Server object has HtmlEncode and HtmlDecode methods. Encode all text input, because it is quite easy to send bogus HTTP POSTs and GETs.
· Use ASP.NET server validation controls rigorously. In particular, use the regular expression validator to prevent illegal characters wherever you can. Be careful, however, of trying to block only characters known to be used in attacks, such as <>, because then you won't be protected against new attacks.
· Don't rely on client-side validation alone. Again, it is far too easy to send bogus data, bypassing those client-side protections.
· Always encode text that you display back to the user. This will help prevent cross-site scripting attacks.
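
As an added example of this compensating approach (not code from the original post or from Microsoft): a single ASP.NET Web Forms page that turns request validation off at the page level, as the cookie error above forced this application to do, and then checks the SMSESSION cookie against a strict pattern, validates the form field on the server, and HTML-encodes what it echoes back. The control names, the cookie pattern and the form field are assumptions for illustration.

```aspx
<%@ Page Language="C#" validateRequest="false" %>
<%@ Import Namespace="System.Text.RegularExpressions" %>
<script runat="server">
    // Constructed example, not the blog's code. The SMSESSION cookie is an opaque
    // base64-style token, so it is accepted only if it matches that alphabet exactly.
    static readonly Regex SessionCookiePattern = new Regex(@"^[A-Za-z0-9+/=]{1,4096}$");

    void Page_Load(object sender, EventArgs e)
    {
        HttpCookie session = Request.Cookies["SMSESSION"];
        if (session == null || !SessionCookiePattern.IsMatch(session.Value))
        {
            // With validateRequest off, this check is what stands between the
            // cookie value and the application: reject anything of unexpected form.
            Response.StatusCode = 400;
            Response.End();
        }
    }

    void Submit_Click(object sender, EventArgs e)
    {
        // The validators below have already run on the server for this postback;
        // client-side validation alone is never trusted.
        if (!Page.IsValid)
        {
            return;
        }
        // Encode before anything taken from the request is written back to the page.
        Greeting.Text = "Hello, " + Server.HtmlEncode(NameBox.Text);
    }
</script>
<html>
<body>
<form runat="server">
    <asp:TextBox id="NameBox" runat="server" />
    <asp:RequiredFieldValidator runat="server" ControlToValidate="NameBox"
        ErrorMessage="Name is required." />
    <asp:RegularExpressionValidator runat="server" ControlToValidate="NameBox"
        ValidationExpression="^[A-Za-z '\-]{1,40}$"
        ErrorMessage="Letters, spaces, apostrophes and hyphens only." />
    <asp:Button runat="server" Text="Submit" OnClick="Submit_Click" />
    <asp:Label id="Greeting" runat="server" />
</form>
</body>
</html>
```

The RequiredFieldValidator is there because a RegularExpressionValidator passes an empty field, so the two are used together to get an allow-list rather than a partial check.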

Solution of Aftermath
Request Validation - Preventing Script Attacks
http://www.asp.net/learn/whitepapers/request-validation/#2

Reference:
1. Article on Net
2. Article from MS - http://support.microsoft.com/default.aspx?scid=kb;en-us;821343
3. http://forums.asp.net/p/389708/389721.aspx
