Paulo Morgado

.NET Development & Architecture

FormsAuthentication And Query String Parameters

Today I ran into this strange "feature" of ASP.NET:

When ASP.NET redirects to the login page, the query string parameters of the requested URL are encoded, together with that URL, into the ReturnUrl query string parameter of the request to the login page, but they are also copied into the query string of the request to the login page itself.

Here is an example:

When requesting:

http://localhost:5014/FormsAuthentication/default.aspx?test=true

we are redirected to:

http://localhost:5014/FormsAuthentication/login.aspx?ReturnUrl=%2fFormsAuthentication%2fdefault.aspx%3ftest%3dtrue&test=true

See the test parameter?

As far as I know, this is not documented or overridable.

Comments

rajbk said:

# February 14, 2008 8:13 PM

Paulo Morgado said:

Hi Raj.

Thanks for the reference. I didn't know that post.

I already knew how it happens.

I can understand why someone would want it to be like that.

What I can't understand is the lack of documentation and the fact that I can't opt out of this "feature".

# February 15, 2008 3:55 AM

Eric Newton said:

Pablo, you wrote:

"It's actually an horrible hack."

Quite the contrary.  Consider a page that depends on a querystring variable to determine the selection of certain controls.  Redirecting to the login page without saving these variables completely tarnishes the user experience when he comes back.

I humbly disagree with you about it being a "horrible hack" and you should reconsider the thought and reason behind something like that before you start flaming.

# February 15, 2008 9:46 AM

Paulo Morgado said:

Eric,

Let me clarify my opinion.

I consider "an horrible hack" not the fact that the variables are encoded and saved with the return URL, but the fact that they are not encoded and part of the login request URL and I can't opt out of it.

Suppose I have an ID for each request/page/whatever. When I request somepage.aspx?ID=1 and my login URL is login.aspx?ID=0, I'm redirected to login.aspx?ID=0&ReturnUrl=%2fsomepage.aspx%3fID%3d1&ID=1, which means a request to login.aspx with 2 values for ID (0 and 1).

# February 15, 2008 11:35 AM
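A login page can separate its own parameters from the copied ones by comparing its query string with the one encoded inside ReturnUrl. The following is an added example, not code from the original post, its comments or ASP.NET itself; `LoginQuery`, `Pairs` and `OwnParameters` are hypothetical names, and it assumes the copied parameters follow the login URL's own values, as in the two login URLs quoted on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Web; // HttpUtility.ParseQueryString

// Added example; LoginQuery, Pairs and OwnParameters are hypothetical names.
public static class LoginQuery
{
    // Flattens a query collection into name/value pairs, one per value.
    static List<KeyValuePair<string, string>> Pairs(NameValueCollection query)
    {
        var pairs = new List<KeyValuePair<string, string>>();
        foreach (string key in query.AllKeys)
            foreach (string value in query.GetValues(key) ?? new string[0])
                pairs.Add(new KeyValuePair<string, string>(key, value));
        return pairs;
    }

    // Parameters that belong to the login URL itself: everything except
    // ReturnUrl and one copy of each pair that is also inside ReturnUrl.
    public static List<KeyValuePair<string, string>> OwnParameters(NameValueCollection query)
    {
        var own = Pairs(query);
        own.RemoveAll(p => string.Equals(p.Key, "ReturnUrl", StringComparison.OrdinalIgnoreCase));

        // The collection has already URL-decoded ReturnUrl once.
        string returnUrl = query["ReturnUrl"] ?? string.Empty;
        int q = returnUrl.IndexOf('?');
        if (q < 0) return own;

        foreach (var echoed in Pairs(HttpUtility.ParseQueryString(returnUrl.Substring(q + 1))))
        {
            // Assumption from the page's URLs: copies follow the login URL's own values.
            int i = own.FindLastIndex(p => p.Value == echoed.Value &&
                string.Equals(p.Key, echoed.Key, StringComparison.OrdinalIgnoreCase));
            if (i >= 0) own.RemoveAt(i);
        }
        return own;
    }

    public static void Main()
    {
        // Query strings of the two login URLs quoted on this page.
        string[] samples = {
            "ReturnUrl=%2fFormsAuthentication%2fdefault.aspx%3ftest%3dtrue&test=true",
            "ID=0&ReturnUrl=%2fsomepage.aspx%3fID%3d1&ID=1"
        };
        foreach (string s in samples)
        {
            var own = OwnParameters(HttpUtility.ParseQueryString(s));
            Console.WriteLine("{0} -> own: [{1}]", s, string.Join(", ", own.ConvertAll(p => p.Key + "=" + p.Value)));
        }
    }
}
```

In a login page's code-behind the call would be `LoginQuery.OwnParameters(Request.QueryString)`, so that decisions are made on the filtered pairs rather than on the raw collection.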