Anatomy of ASP.NET Forms Authentication Return URL

  • Article

Consider you are browsing an asp.net web application that uses forms authentication and you are browsing the following url

https://localhost:43751/FormsAuth/default.aspx?var1=test1&var2=test2&var3=test3

Once you time out you will be redirected to the login page with an URL similar to

https://localhost:43751/FormsAuth/login.aspx?ReturnUrl=%2fFormsAuth%2fdefault.aspx%3fvar1%3dtest1%26var2%3dtest2%26var3%3dtest3&var1=test1&var2=test2&var3=test3

The URL is actually built of three parts

1. https://localhost:43751/FormsAuth/login.aspx?

2. ReturnUrl=%2fFormsAuth%2fdefault.aspx%3fvar1%3dtest1%26var2%3dtest2%26var3%3dtest3 and

3. &var1=test1&var2=test2&var3=test3

Ever wonder why we have an encoded version and an un-encoded version of the variables? If you look at the entire URL you will get a feeling that the query-string variables are being passed twice as %3fvar1%3dtest1%26var2%3dtest2%26var3%3dtest3 and var1=test1&var2=test2&var3=test3

It is actually a neat trick to provide access to the original query-string variables in the login.aspx. This is done as a convenience so code on the login page can access the query-string variables sent from the page that triggered the redirect.

Here is how the URL for login.aspx is built.

From the original URL https://localhost:43751/FormsAuth/default.aspx?var1=test1&var2=test2&var3=test3 a search is done for "?" to find the variables that are in the query string. The string after "?" ie. var1=test1&var2=test2&var3=test3 are the query-string variables that the original page has.

Now the entire URL is encoded to get %2fFormsAuth%2fdefault.aspx%3fvar1%3dtest1%26var2%3dtest2%26var3%3dtest3 and this will be passed on as the variable ReturnUrl to the login.aspx

Apart from the ReturnUrl we also append "&" and the variable string that we extracted earlier  "var1=test1&var2=test2&var3=test3"

Now if the code in login.aspx page loops thro' the keys in the Request.QueryString variables it will find ReturnUrl,var1,var2,var3. And that exactly is the purpose behind this, you get access to the original query-string variables in the login.aspx without having to parse through the ReturnUrl.

If you disassemble System.Web.Security.FormsAuthentication you will find a function by name GetLoginPage(String,Boolean) :String that builds this string.

loginUrl = loginUrl + "ReturnUrl=" + str2;
if (!string.IsNullOrEmpty(extraQueryString))
{
    loginUrl = loginUrl + "&" + extraQueryString;
}

Once the authentication is done the ReturnUrl variable is used to redirect the user back to

https://localhost:43751/FormsAuth/default.aspx?var1=test1&var2=test2&var3=test3

Bookmark and Share