After updating our systems with the recently released asp.net vulnerability patch ms11-100, we found that some of our pages started failing with the exception "[HttpException (0x80004005): The URL-encoded form data is not valid.]" This is covered in the asp.net forums here:

http://forums.asp.net/t/1754512.aspx/1?Microsoft+security+bulletin+MS11+100+breaking+our+site

and on stackoverflow here:

ASP.NET MS11-100: how can I change the limit on the maximum number of posted form values?

What I tried to attempt is to limit the changes suggested thereby the attack area to the specific page by moving that page to it's own folder, so that I can have a specific web.config in that folder with the setting of aspnet:MaxHttpCollectionKeys having a value larger than the default of 1000.

I found that unless I specify this setting in the web.config in the root folder, this setting did not take effect. It seemed like asp.net just ignored the setting when it was in the web.config in the new folder for the page.

Is there something else I need to do to make this happen? Or is it not possible at all because of the nature of the setting?

Based on my understanding how that stuff works - I have some doubts that you can change that settings with folder level web.config. Looks like MaxHttpCollectionKeys belongs to app-pool level, so to alter base value - you should make another app-pool.

I also tried to put this in a subfolder without luck. As soon as I instead put it in the root web.config it worked.