Microsoft KB Archive/318403

= FIX: An expired authentication cookie increases the QueryString size in Visual Basic .NET 2002 =

Article ID: 318403

Article Last Modified on 9/19/2005


APPLIES TO


 * Microsoft Mobile Internet Toolkit 1.0
 * Microsoft Visual Basic .NET 2002 Standard Edition




This article was previously published under Q318403





For a Microsoft Visual C# .NET version of this article, see 317269.



SYMPTOMS
You may notice that QueryString property values are lost or truncated under the following circumstances:
 * You use Mobile Forms Authentication.

-and-
 * The Mobile Forms Authentication cookie expires.

-and-
 * You log back on to a Microsoft Mobile Internet Toolkit (MMIT) Web site.



CAUSE
Mobile Forms Authentication creates an encrypted authentication cookie that is appended to the URL request for a Microsoft Mobile Internet Toolkit Web page. When you request to view a page after the authentication cookie has expired, the client browser is redirected to the logon Web page.

When the browser is redirected, the Mobile Forms Authentication feature creates a ReturnUrl parameter in the QueryString. The ReturnUrl parameter contains both the Web page that was originally requested and the authentication cookie. A duplicate authentication cookie is also appended to the QueryString so that the logon Web page can access the values of the QueryString property. Therefore, the size of QueryString increases because it contains duplicate information. When a mobile device reaches a QueryString limit, the device may truncate the information.



RESOLUTION
To work around this problem, handle the AuthenticateRequest and the EndRequest events of the HttpApplication class in the Global.asax file. To do this, follow these steps:
 * 1) Use the AuthenticateRequest event of the HttpApplication class to determine if the authentication cookie has expired.
 * 2) Create an item in the HttpContext class (HttpContext.Current.Items), which you can use as a flag if the authentication cookie has expired.
 * 3) In the Application_EndRequest event of the HttpApplication class, look for the HttpContext flag.
 * 4) Store the Request.Url.AbsolutePath property in a string variable. If the flag exists, remove the QueryString.
 * 5) After you remove the QueryString, add an HTTP Location header that simulates the Mobile Forms Authentication redirect location and points to the AbsolutePath value that you saved.

The following Visual Basic .NET code sample handles the AuthenticateRequest and EndRequest events of the HttpApplication class:

    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        ' Fires when trying to authenticate the user.
        Dim strAuthTicket As String
        Dim objAuthTicket As FormsAuthenticationTicket

        ' With Mobile Forms Authentication, the ticket travels in the QueryString.
        strAuthTicket = Request.QueryString(FormsAuthentication.FormsCookieName)
        If Not (strAuthTicket Is Nothing) Then
            objAuthTicket = FormsAuthentication.Decrypt(strAuthTicket)
            If objAuthTicket.Expired Then
                ' Flag this request so that Application_EndRequest rewrites the redirect.
                HttpContext.Current.Items("ClearCookie") = "1"
            End If
        End If
    End Sub

    Sub Application_EndRequest(ByVal sender As Object, ByVal e As EventArgs)
        ' Fires at the end of each request.
        Dim strReturnPath As String = Request.Url.AbsolutePath
        Dim strClearCookieFlag As String

        strClearCookieFlag = CType(HttpContext.Current.Items("ClearCookie"), String)
        If Not (strClearCookieFlag Is Nothing) Then
            If strClearCookieFlag = "1" Then
                ' Just create a fresh query string with no cookie,
                ' and then send it to the logon page.
                Response.AddHeader("Location", "login.aspx?ReturnUrl=" & Server.UrlEncode(strReturnPath))
            End If
        End If
    End Sub

Note To implement this solution successfully, you must add the following code at the beginning of the Global.asax file:

    Imports System.Web.Security
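The size effect described under CAUSE, and what the workaround changes, can be modelled outside ASP.NET. The following Python model is an added example, not part of the original article or Microsoft's code; the ticket value, the 200-character device limit, and the sample page and parameters are constructed assumptions.

```python
from urllib.parse import parse_qs, quote, urlsplit

TICKET_NAME = ".ASPXAUTH"    # default FormsAuthentication.FormsCookieName
TICKET = "A1B2" * 40         # constructed 160-character stand-in for an encrypted ticket
DEVICE_LIMIT = 200           # assumed URL length limit of a mobile device


def original_request(path, query, ticket=TICKET):
    """URL of the page as first requested: page, its parameters, and the ticket."""
    return f"{path}?{query}&{TICKET_NAME}={ticket}"


def default_redirect(login_page, path, query, ticket=TICKET):
    """Redirect described under CAUSE: ticket inside ReturnUrl and appended again."""
    return_url = quote(original_request(path, query, ticket), safe="")
    return f"{login_page}?ReturnUrl={return_url}&{TICKET_NAME}={ticket}"


def workaround_redirect(login_page, path):
    """Location header built by the workaround: AbsolutePath only, no ticket."""
    return f"{login_page}?ReturnUrl={quote(path, safe='')}"


def return_url_after_truncation(url, limit=DEVICE_LIMIT):
    """ReturnUrl value the logon page would see if the device cuts the URL at limit."""
    values = parse_qs(urlsplit(url[:limit]).query).get("ReturnUrl", [])
    return values[0] if values else None


if __name__ == "__main__":
    path, query = "/app/orders.aspx", "id=42&view=detail"   # constructed sample request
    for name, url in (("default", default_redirect("login.aspx", path, query)),
                      ("workaround", workaround_redirect("login.aspx", path))):
        print(f"{name:10} length={len(url):3} tickets={url.count(TICKET)} "
              f"ReturnUrl after truncation={return_url_after_truncation(url)!r}")
```

Because the workaround builds ReturnUrl from AbsolutePath alone, the page's own QueryString parameters are dropped along with the expired ticket and are not restored after logon.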



STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed in the "Applies to" section. This bug was corrected in Visual Basic .NET 2003.

