InfoPath Forms Services DoS actions per postback - Event 5737 (SharePoint Server 2010)

 

Applies to: SharePoint Server 2010 Enterprise

Alert Name:   InfoPath Forms Services DoS actions per postback

Event ID:   5737

Summary:   InfoPath Forms Services forms record every action in a temporary event log that is stored in the browser client. When a server postback is necessary, the recorded log data is sent and the actions are replayed on the server. A postback is triggered when a user updates a form or performs an action that requires a postback, such as running business logic or submitting the form. To prevent InfoPath Forms Services from dedicating too much time to a single postback, a threshold setting for the maximum number of actions per postback is defined on the server. This setting limits the number of actions that can be replayed on the server in a single postback and prevents malicious users from creating their own event logs and bringing down the server.

A user has exceeded the threshold set for the number of form actions allowed per postback. When this occurs, InfoPath Forms Services terminates the user session in order to protect the server.

Symptoms:   The following message may appear in the event log:

    Event ID: 5737

    Description: Number of form actions, <integer>, has exceeded <integer>, the maximum allowable value per request. This value is configurable and can be changed by the administrator. (User: <UserName>, Form Name: <FormName>, Request: <https://servername/_layouts/Postback.Formserver.aspx>, Form ID: <FormID>)

Cause:   One or more of the following might be the cause:

  • A user has attempted a denial of service (DoS) attack against a server on which InfoPath Forms Services runs.

  • The number of actions allowed per postback is too low.

Resolution:   Check the Windows event log for signs of a DoS attack

  • Search the Windows event log for signs of a DoS attack. If this is a DoS attack and if an administrator-approved form template is affected, remove the form template from the site collection or deactivate the form template.

    To check the Windows event log:

    1. Open the Windows Event Viewer.

    2. Search for event ID 5737 in the Windows application event log.

    3. In the event description, check the Form ID. If there are multiple events for the same form ID, this might indicate that a malicious user has deployed a form that has many actions per postback in an attempt to bring down the server.

    To deactivate a form template from a site collection:

    1. On the SharePoint Central Administration Web site, on the Quick Launch, click General Application Settings and in the InfoPath Forms Services section click Manage form templates.

    2. In the list of form templates click the form template that you want to deactivate, and in the drop-down list click Deactivate from a Site Collection.

    3. On the Deactivate Form Template: <template> page, in the Deactivation Location section, select the site collection and click OK.

    To remove a form template completely:

    1. On the Central Administration page, on the Quick Launch, click General Application Settings and in the InfoPath Forms Services section click Manage form templates.

    2. In the list of form templates click the form template that you want, and in the drop-down list click Remove Form.
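The event log check in the first resolution (find event ID 5737, then look for repeated Form IDs) can be scripted. The following is an added example, not part of the original article or of SharePoint; it assumes PowerShell 3.0 or later and the message layout shown under Symptoms, and the users, form names and Form IDs in the sample data are constructed placeholders.

```powershell
# Added example: group Event ID 5737 messages by Form ID.
# The sample messages are constructed; users, forms and Form IDs are placeholders.
$fmt = 'Number of form actions, {0}, has exceeded {1}, the maximum allowable value per request. ' +
       'This value is configurable and can be changed by the administrator. ' +
       '(User: {2}, Form Name: {3}, Request: https://servername/_layouts/Postback.Formserver.aspx, Form ID: {4})'
$sample = @(
    ($fmt -f 950, 200, 'EXAMPLE\user1', 'FormA', 'urn:example:form-a'),
    ($fmt -f 990, 200, 'EXAMPLE\user1', 'FormA', 'urn:example:form-a'),
    ($fmt -f 970, 200, 'EXAMPLE\user1', 'FormA', 'urn:example:form-a'),
    ($fmt -f 204, 200, 'EXAMPLE\user2', 'FormB', 'urn:example:form-b')
)

# Matches the description text shown under Symptoms.
$pattern = '(?s)Number of form actions,\s*(?<Actions>\d+),\s*has exceeded\s*(?<Limit>\d+),.*?' +
           '\(User:\s*(?<User>.+?),\s*Form Name:\s*(?<Form>.+?),\s*Request:\s*.+?,' +
           '\s*Form ID:\s*(?<FormId>[^)]+)\)'

function ConvertFrom-Event5737Message {
    param([Parameter(ValueFromPipeline)][string]$Message)
    process {
        if ($Message -match $pattern) {
            [pscustomobject]@{
                User    = $Matches.User.Trim()
                Form    = $Matches.Form.Trim()
                FormId  = $Matches.FormId.Trim()
                Actions = [int]$Matches.Actions
                Limit   = [int]$Matches.Limit
            }
        } else {
            # Do not drop events silently if the message layout differs.
            Write-Warning "Unparsed 5737 message: $Message"
        }
    }
}

# On a server, replace $sample with the live application log:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 5737 } |
#       Select-Object -ExpandProperty Message
$sample | ConvertFrom-Event5737Message | Group-Object FormId | ForEach-Object {
    [pscustomobject]@{
        FormId     = $_.Name
        Form       = $_.Group[0].Form
        Events     = $_.Count
        Users      = @($_.Group | Select-Object -ExpandProperty User -Unique).Count
        MaxActions = ($_.Group | Measure-Object -Property Actions -Maximum).Maximum
        Limit      = $_.Group[0].Limit
    }
} | Sort-Object Events -Descending | Format-Table -AutoSize
```

Form IDs at the top of the output with several events are the ones step 3 of the check describes. A Form ID whose highest action count is only slightly above the limit fits the second listed cause, a threshold that is set too low.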

Resolution:   Increase the number of actions allowed per postback

  1. On the Central Administration page, on the Quick Launch, click General Application Settings and in the InfoPath Forms Services section click Configure InfoPath Forms Services.

  2. In the Thresholds section, increase the value for number of postbacks allowed per session.

    Note

    Increasing the value of this setting can adversely affect server performance and increase the risk of DoS attacks on the server.