hits counter

FormsAuthentication And Query String Parameteres

Today I ran into this strange"feature" of ASP.NET:

When redirecting to the login page, the query string parameters are encoded with the requested URL into the ReturnUrl query string parameter of the request to the login page, but are also in the query string of the request to the login page.

Here is an example:

When requesting:


we are redirected to:


See the test parameter?

As far as I know, this is not documented or overridable.


  • There is a reason for that:


    Raj Kaimal

  • Hi Raj.

    Thanks for the reference. I didn't know that post.

    I already new how it happens.

    I can understand why someone would want it to be like that.

    What I can't understand is the lack of documentation and the fact that I can´t opt out of this "feature".

  • Pablo, you wrote:
    "It's actually an horrible hack."
    Quite the contrary.  Consider a page that depends on a querystring variable to determine the selection of certain controls.  Redirecting to the login page without saving these variables completely tarnishes the user experience when he comes back.
    I humbly disagree with you about it being a "horrible hack" and you should reconsider the thought and reason behind something like that before you start flaming.

  • Eric,

    Let me clarify my opinion.

    I consider "an horrible hack" not the fact that the variables are encoded and saved with the return URL, but the fact that they are not encoded and part of the login request URL and I can't opt out of it.

    Suppose I have an ID for each request/page/whatever. When I request somepage.aspx?ID=1 and my login URL is login.aspx?ID=0, I'm redirected to login.aspx?ID=0&ReturnUrl=%2fsomepage.aspx%3fID%3d1&ID=1, which means a request to login.aspx with 2 values for ID (0 and 1).

Comments have been disabled for this content.