Silent Breaking-Change to FormsAuthentication::RedirectFromLoginPage

Heads up on a silent breaking change that I just came across with FormsAuthentication’s RedirectFromLoginPage method when migrating from ASP.NET 1.1 to 2.0. The exact message you get will be (with top of callstack):

System.Web.HttpException: The return URL specified for request redirection is invalid.
  at System.Web.Security.FormsAuthentication.GetReturnUrl(Boolean useDefaultIfAbsent)
  at System.Web.Security.FormsAuthentication.RedirectFromLoginPage(String userName, Boolean createPersistentCookie, String strCookiePath)
  at System.Web.Security.FormsAuthentication.RedirectFromLoginPage(String userName, Boolean createPersistentCookie)
... your method would be here ...

There problem here is that some part of your return URL contained invalid characters. In my case, someone was creating a return URL where the query string was not properly encoded and it contained : and / which need to be encoded as %3a and %2F respectively.

Some how we had gotten lucky all this time in 1.1 with it not being encoded properly. Guess it goes to show just how flakey URL parsing really is in general… either that or how resiliant it is. 🙂

Leave a Reply