BUG: Expired Authentication Cookie Increases QueryString Size in Visual C# .NET (317269)
The information in this article applies to:
- Microsoft Mobile Internet Toolkit (MMIT)
- Microsoft Visual C# .NET (2003)
- Microsoft Visual C# .NET (2002)
This article was previously published under Q317269 SYMPTOMS
You may notice that QueryString property values are lost or truncated under the following circumstances:
- You use Mobile Forms Authentication.
-and-
- The Mobile Forms Authentication cookie expires.
-and-
- The user logs back on to a Microsoft Mobile Internet Toolkit (MMIT) site.
CAUSE
Mobile Forms Authentication creates an encrypted authentication cookie that is appended to the URL request for a Microsoft Mobile Internet Toolkit page. The client browser is redirected to the login page if a request is made to a page after the authentication cookie has expired.
When this redirection occurs, the Mobile Forms Authentication feature creates a ReturnUrl parameter in the QueryString. The ReturnUrl parameter contains both the page that was originally requested and the authentication cookie. A duplicate authentication cookie is also appended to the QueryString so that the login page can access the values of the QueryString property. As a result, the QueryString is larger because it contains duplicate information. When a mobile device reaches a QueryString limit, the device may truncate the information.
RESOLUTION
To work around this problem, use the AuthenticateRequest and the EndRequest methods of the HttpApplication class in the Global.asax file. To do this, follow these steps:
- Use the AuthenticateRequest event of the HttpApplication class to determine if the authentication cookie has expired.
- Create an HttpContext class, which you can use as a flag if the authentication cookie has expired.
- In the Application_EndRequest event of the HttpApplication class, look for the HttpContext flag.
- Store the Request.URL.AbsolutePath property in a string variable. If the flag exists, remove the QueryString.
- After you remove the QueryString, add an HTTP Location header with a simulated Mobile Forms Authentication redirect location to the AbsolutePath property that is saved.
The following Visual C# code uses the AuthenticateRequest and the EndRequest methods of the HttpApplication class to do this:
protected void Application_EndRequest(Object sender, EventArgs e)
{
// Fires when you try to authenticate the user
string strReturnPath=Request.Url.AbsolutePath;
string strClearCookieFlag;
strClearCookieFlag = (string)HttpContext.Current.Items["ClearCookie"];
if(strClearCookieFlag!=null)
{
if("1"==strClearCookieFlag)
{
// Create a fresh query string with no cookie
// and send it to the login page
Response.AddHeader("Location","login.aspx?ReturnUrl=" + Server.UrlEncode(strReturnPath));
}
}
}
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
string strAuthTicket;
FormsAuthenticationTicket objAuthTicket;
strAuthTicket = Request.QueryString[FormsAuthentication.FormsCookieName];
if(strAuthTicket!=null)
{
objAuthTicket = FormsAuthentication.Decrypt(strAuthTicket);
if(objAuthTicket.Expired)
HttpContext.Current.Items["ClearCookie"]="1";
}
}
NOTE: For this code to work, you must add the following line of code to the top of your Global.asax file:
using System.Web.Security;
STATUSMicrosoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article. REFERENCESFor additional information, click the article number below
to view the article in the Microsoft Knowledge Base:
310634 PRB: QueryString Is Truncated When You Use MobileFormsAuthentication
Modification Type: | Major | Last Reviewed: | 4/4/2003 |
---|
Keywords: | kbbug kbpending kbSecurity KB317269 |
---|
|