Home/ Questions/Q 6385959
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-25T02:57:51+00:00

We’re using forms authentication in an ASP.Net 3.5 web application under IIS 7.5. We’ve

  • 0

We’re using forms authentication in an ASP.Net 3.5 web application under IIS 7.5. We’ve discovered that when the source page has a query string like this:

http://server/dir/page.aspx?func=add

The redirect from the login page looks sends me to: 

http://server/dir/page.aspx%3ffunc%3dadd

Even though that URL decodes to http://server/dir/page.aspx?func=add IIS complains with

HTTP Error 400.0 - Bad Request
ASP.NET detected invalid characters in the URL.

My Google-fu has failed me on researching this behavior. Does anyone have a solution or a pointer to more information?

Updates:

Answers to questions:

Yes, we are calling FormsAuthentication.RedirectFromLoginPage.

I looked at this article and that appears to be for IIs7 and Win28. When looking at the referenced patched files, my dates were more currect by roughly 3 years. Though I did add the referenced reg-key and rebooted the box; still happens.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    After digging in because I wasn’t finding answers and it had annoyed me enough to step through the code I found the answer.

    As it turns out, I was wrong. Where we are calling FormsAuthentication.RedirectFromLoginPage is dead code and the redirect is handled on the client side after the authentication service tells us the attempt was successful.

    It was this chunk of code that was failing:

    var queryStringParts = window.location.search.split('=');
var targetPath = queryStringParts[1];
targetPath = targetPath.replace(/(%2f)/g,'/'); // <-- Here's where we weren't doing enough

    I’ve since written a utility method to get the query string value and handle it correctly.

    function getQueryStringValue(name, defaultValue) {
    var value = defaultValue;
    var queryString = window.location.search;
    var startPos = queryString.indexOf(name);

    if (startPos > -1) {
        startPos += name.length + 1
        var endPos = queryString.indexOf('&', startPos);
        if (endPos == -1) {
            // Incase there is no ampersand (&) after the query string value 
            // we're after we go to the last index + 1
            endPos = queryString.length;
        }
        value = unescape(queryString.substring(startPos, endPos));
    }
    return value;
}
    • 0