FIX: An expired authentication cookie increases the QueryString size in Visual Basic .NET 2002 (318403)
The information in this article applies to:
- Microsoft Mobile Internet Toolkit (MMIT)
- Microsoft Visual Basic .NET (2002)
This article was previously published under Q318403
For a Microsoft Visual C# .NET version of this article, see 317269.
SYMPTOMS
You may notice that QueryString property values are lost or truncated under the following circumstances:
- You use Mobile Forms Authentication.
-and-
- The Mobile Forms Authentication cookie expires.
-and-
- You log back on to a Microsoft Mobile Internet Toolkit (MMIT) Web site.
CAUSE
Mobile Forms Authentication creates an encrypted authentication cookie that is appended to the URL request for a Microsoft Mobile Internet Toolkit Web page. When you request to view a page after the authentication cookie has expired, the client browser is redirected to the logon Web page.
When the browser is redirected, the Mobile Forms Authentication feature creates a ReturnUrl parameter in the QueryString. The ReturnUrl parameter contains both the Web page that was originally requested and the authentication cookie. A duplicate authentication cookie is also appended to the QueryString so that the logon Web page can access the values of the QueryString property. Therefore, the size of the QueryString increases because it contains duplicate information. When a mobile device reaches a QueryString limit, the device may truncate the information.
RESOLUTION
To work around this problem, handle the AuthenticateRequest and EndRequest events of the HttpApplication class in the Global.asax file. To do this, follow these steps:
- Use the AuthenticateRequest event of the HttpApplication class to determine if the authentication cookie has expired.
- Store a value in the HttpContext class (HttpContext.Current.Items), which you can use as a flag if the authentication cookie has expired.
- In the Application_EndRequest event of the HttpApplication class, look for the HttpContext flag.
- Store the Request.Url.AbsolutePath property in a string variable. If the flag exists, remove the QueryString.
- After you remove the QueryString, add an HTTP Location header that simulates the Mobile Forms Authentication redirect and points to the saved AbsolutePath value.
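The following Python model is an added example, not part of the original article and not MMIT code. It builds the redirect described under CAUSE and the one that the steps above produce, then compares their length and the number of ticket copies. The ticket parameter name, the ticket value, the page path and the device limit are constructed assumptions.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Constructed values for this model; none of them come from MMIT itself.
TICKET_PARAM = "AuthTicket"   # hypothetical name of the ticket parameter
LOGIN_PAGE = "login.aspx"     # logon page name used in the article's sample
TICKET = "A1B2C3D4" * 24      # constructed 192-character stand-in for a ticket
DEVICE_LIMIT = 256            # constructed URL length limit for a device

def requested_url(path, page_query, ticket):
    """Page request that carries the ticket in the query string."""
    return f"{path}?{page_query}&{TICKET_PARAM}={ticket}"

def redirect_with_duplicate(url, ticket):
    """CAUSE: ReturnUrl holds the requested URL (ticket included) and the
    ticket is appended a second time for the logon page."""
    return f"{LOGIN_PAGE}?ReturnUrl={quote(url, safe='')}&{TICKET_PARAM}={ticket}"

def redirect_after_workaround(url):
    """RESOLUTION: ReturnUrl holds only the absolute path; the whole query
    string, page arguments included, is dropped."""
    return f"{LOGIN_PAGE}?ReturnUrl={quote(urlsplit(url).path, safe='')}"

def ticket_copies(redirect):
    """Number of ticket parameters in the redirect, counting ReturnUrl's own."""
    outer = parse_qs(urlsplit(redirect).query)
    inner = parse_qs(urlsplit(outer["ReturnUrl"][0]).query)
    return len(outer.get(TICKET_PARAM, [])) + len(inner.get(TICKET_PARAM, []))

def fits(redirect, limit=DEVICE_LIMIT):
    """True if a device with this length limit would not truncate the URL."""
    return len(redirect) <= limit

def compare():
    """Return (length, ticket copies, fits) for both redirect forms."""
    url = requested_url("/shop/orders.aspx", "id=42", TICKET)
    result = {}
    for name, redirect in (("duplicate", redirect_with_duplicate(url, TICKET)),
                           ("workaround", redirect_after_workaround(url))):
        result[name] = (len(redirect), ticket_copies(redirect), fits(redirect))
    return result

if __name__ == "__main__":
    for name, (length, copies, ok) in compare().items():
        print(f"{name:10} length={length:3} tickets={copies} fits={ok}")
```

Because the workaround keeps only the absolute path, page arguments from the original request (id=42 in this model) are not carried through ReturnUrl.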
The following Visual Basic .NET code sample implements the AuthenticateRequest and EndRequest event handlers of the HttpApplication class:
Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
    ' Fires when trying to authenticate the user.
    Dim strAuthTicket As String
    Dim objAuthTicket As FormsAuthenticationTicket
    ' Mobile Forms Authentication carries the ticket in the query string.
    strAuthTicket = Request.QueryString(FormsAuthentication.FormsCookieName)
    If Not (strAuthTicket Is Nothing) Then
        objAuthTicket = FormsAuthentication.Decrypt(strAuthTicket)
        If objAuthTicket.Expired Then
            ' Flag the request so that EndRequest rewrites the redirect.
            HttpContext.Current.Items("ClearCookie") = "1"
        End If
    End If
End Sub
Sub Application_EndRequest(ByVal sender As Object, ByVal e As EventArgs)
    ' Fires at the end of each request.
    Dim strReturnPath As String = Request.Url.AbsolutePath
    Dim strClearCookieFlag As String
    strClearCookieFlag = CType(HttpContext.Current.Items("ClearCookie"), String)
    If Not (strClearCookieFlag Is Nothing) Then
        If strClearCookieFlag = "1" Then
            ' Just create a fresh query string with no cookie,
            ' and then send it to the logon page.
            Response.AddHeader("Location", "login.aspx?ReturnUrl=" & _
                Server.UrlEncode(strReturnPath))
        End If
    End If
End Sub
Note To implement this solution successfully, you must add the following code at the beginning of the Global.asax file:
Imports System.Web.Security
STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed in the "Applies to" section.
This bug was corrected in Visual Basic .NET 2003.
REFERENCES
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
310634 PRB: QueryString Limit When You Use MobileFormsAuthentication
Modification Type: Major
Last Reviewed: 9/19/2005
Keywords: kbvs2002sp1sweep kbWMLDevice kbbug kbSecurity KB318403 kbAudDeveloper kbAudITPRO