Forms Authentication duplicating querystring parameters

mohaaron

Hello all,

I'm having a problem using the ReturnUrl parameter while using
FormsAuthentication. Say I already have some querystring parameters in
the URL, like this:

NonSecurePage.aspx?param1=value1&param2=value2

I now click a link to a secure page and I get redirected by
FormsAuthentication to the login page and I get this.

Login.aspx?ReturnUrl=/NonSecurePage.aspx?param1=value1&param2=value2&param1=value1&param2=value2

Where this causes the first problem is in my BasePage class where I
have the following public properties.

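public string Param1
{
    // The getter must return the value it reads from the querystring.
    get { this.param1 = this.Request.QueryString["param1"]; return this.param1; }
}

public string Param2
{
    get { this.param2 = this.Request.QueryString["param2"]; return this.param2; }
}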

With the duplicate parameters in the querystring the returned value for
each of the above variables is duplicated with a comma between the
values. This is very annoying at the least to deal with and in some
cases really causes problems.

The second problem that happens with this is that the value returned
from Request.QueryString["ReturnUrl"] looks like this.

NonSecurePage.aspx?param1=value1

So when the redirect is done the second parameter is missing.

Does anyone have any experience with this and how I might fix it? I
have done quite a bit of searching the web for solutions and haven't
found anyone else with this problem.

What do I do?
 
Solution to the issue

I found a fix to the issue at:
http://knowledgebaseworld.blogspot.com/2008/05/duplicate-keyvalue-pair-in-querystring.html
I tweaked the code slightly as:


Code:
private const string kReturnUrl = "ReturnUrl";

void Application_EndRequest(Object sender, EventArgs e)
{
    // Only rewrite redirects that carry a ReturnUrl parameter.
    if (null != Response.RedirectLocation && Response.RedirectLocation.Contains(kReturnUrl))
    {
        // Keep everything before "ReturnUrl", then append ReturnUrl=<URL-encoded value>.
        Response.RedirectLocation =
            string.Format(
                "{0}{2}={1}",
                Response.RedirectLocation.Remove(Response.RedirectLocation.IndexOf(kReturnUrl)),
                Microsoft.Security.Application.AntiXss.UrlEncode(
                    // Reuse the value after "ReturnUrl=" if the request already had one;
                    // otherwise use the requested URL itself.
                    Request.RawUrl.Contains(kReturnUrl)
                        ? Request.RawUrl.Substring(Request.RawUrl.IndexOf(kReturnUrl) + kReturnUrl.Length + 1)
                        : Request.RawUrl),
                kReturnUrl);
    }
}

If you are not using the Microsoft AntiXss library, you can use the plain ASP.NET UrlEncode.

Regards,

Yves
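
The following console program is an added example, not code from either poster. It parses the login URL quoted in the question with and without URL-encoding of the ReturnUrl value, which shows both symptoms and why encoding removes them. It assumes `HttpUtility.ParseQueryString` as a stand-in for `Request.QueryString`; the class and method names are made up for the illustration.

```csharp
using System;
using System.Collections.Specialized;
using System.Web; // HttpUtility

static class ReturnUrlDemo
{
    // Constructed sample: the page URL and parameters quoted in the question.
    const string Target = "/NonSecurePage.aspx?param1=value1&param2=value2";

    static void Dump(string label, string query)
    {
        // ParseQueryString returns the same kind of collection as Request.QueryString.
        NameValueCollection qs = HttpUtility.ParseQueryString(query);
        Console.WriteLine(label);
        foreach (string key in qs.AllKeys)
        {
            // The string indexer joins repeated keys with a comma;
            // GetValues(key) returns each occurrence separately.
            Console.WriteLine("  {0} = \"{1}\" ({2} occurrence(s))",
                key, qs[key], qs.GetValues(key).Length);
        }
    }

    static void Main()
    {
        // Unencoded: the target's own '&' separators are parsed as separators
        // of the login page's querystring, so ReturnUrl stops at the first '&'
        // and the remaining parameters become parameters of Login.aspx.
        Dump("Unencoded ReturnUrl:",
             "ReturnUrl=" + Target + "&param1=value1&param2=value2");

        // Encoded: '?', '&' and '=' inside the value are percent-escaped, so
        // ReturnUrl is the only key and decodes back to the full target URL.
        Dump("Encoded ReturnUrl:",
             "ReturnUrl=" + HttpUtility.UrlEncode(Target));
    }
}
```

Where a page must tolerate a repeated key, reading `GetValues(key)` and picking one element avoids the comma-joined string that the indexer returns.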
 
