FormsAuthentication And Query String Parameters

Today I ran into this strange "feature" of ASP.NET:

When redirecting to the login page, the query string parameters are encoded with the requested URL into the ReturnUrl query string parameter of the request to the login page, but are also in the query string of the request to the login page.

Here is an example:

When requesting:

http://localhost:5014/FormsAuthentication/default.aspx?test=true

we are redirected to:

http://localhost:5014/FormsAuthentication/login.aspx?ReturnUrl=%2fFormsAuthentication%2fdefault.aspx%3ftest%3dtrue&test=true

See the test parameter?

As far as I know, this is not documented or overridable.

4 Comments

  • There is a reason for that:

    http://blogs.msdn.com/vijaysk/archive/2008/01/24/anatomy-of-forms-authentication-return-url.aspx

    Raj Kaimal

  • Hi Raj.

    Thanks for the reference. I didn't know that post.

    I already knew how it happens.

    I can understand why someone would want it to be like that.

    What I can't understand is the lack of documentation and the fact that I can't opt out of this "feature".

  • Pablo, you wrote:
    "It's actually an horrible hack."
    Quite the contrary.  Consider a page that depends on a querystring variable to determine the selection of certain controls.  Redirecting to the login page without saving these variables completely tarnishes the user experience when he comes back.
    I humbly disagree with you about it being a "horrible hack" and you should reconsider the thought and reason behind something like that before you start flaming.

  • Eric,

    Let me clarify my opinion.

    I consider "an horrible hack" not the fact that the variables are encoded and saved with the return URL, but the fact that they are not encoded and part of the login request URL and I can't opt out of it.

    Suppose I have an ID for each request/page/whatever. When I request somepage.aspx?ID=1 and my login URL is login.aspx?ID=0, I'm redirected to login.aspx?ID=0&ReturnUrl=%2fsomepage.aspx%3fID%3d1&ID=1, which means a request to login.aspx with 2 values for ID (0 and 1).
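
The collision from the last comment, as an added example that is not part of the original post or of ASP.NET: on the login page the `NameValueCollection` indexer returns both values of `ID` joined with a comma, so code that reads it as a single value gets neither. `LoginQueryHelper` and `OwnParameters` are hypothetical names, and the helper assumes the appended copies follow `ReturnUrl`, as in the URLs shown above.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Web; // HttpUtility.ParseQueryString

// Hypothetical helper, not an ASP.NET API.
public static class LoginQueryHelper
{
    // Returns the login page's own parameters: everything except ReturnUrl
    // and the copies of the requested page's parameters appended after it.
    public static NameValueCollection OwnParameters(string loginQuery)
    {
        NameValueCollection all = HttpUtility.ParseQueryString(loginQuery);
        string returnUrl = all["ReturnUrl"] ?? string.Empty;

        // Parameters of the originally requested page (ReturnUrl is already decoded).
        int q = returnUrl.IndexOf('?');
        NameValueCollection requested = q < 0
            ? new NameValueCollection()
            : HttpUtility.ParseQueryString(returnUrl.Substring(q + 1));

        var own = new NameValueCollection();
        foreach (string key in all.AllKeys)
        {
            if (key == null || key.Equals("ReturnUrl", StringComparison.OrdinalIgnoreCase))
                continue;

            var values = new List<string>(all.GetValues(key));
            // Assumption: appended copies come last, so drop the last
            // occurrence of each value that ReturnUrl also carries.
            foreach (string leaked in requested.GetValues(key) ?? new string[0])
            {
                int i = values.LastIndexOf(leaked);
                if (i >= 0) values.RemoveAt(i);
            }
            foreach (string v in values) own.Add(key, v);
        }
        return own;
    }

    public static void Main()
    {
        // Query string of the login request from the last comment.
        string query = "ID=0&ReturnUrl=%2fsomepage.aspx%3fID%3d1&ID=1";
        Console.WriteLine("raw ID: " + HttpUtility.ParseQueryString(query)["ID"]);
        Console.WriteLine("own ID: " + OwnParameters(query)["ID"]);
    }
}
```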
