问题
Within an MVC application, we're using a querystring parameter called ReturnUrl to track where the user came from, and where they return to after they finish with the current page/view. In addition, this same parameter is used when their session times out (for instance) and they are sent to the login page with the ReturnUrl parameter now containing the page they were just on.
The login redirect is handled correctly as long as the URL they're coming from does not include the ReturnUrl parameter. But if it does, then they are shown a hard 401 from IIS.
Example 1:
- User is on http://example.com/Account/Edit
- Session times out, then user hits refresh.
- User is brought to login page with querystring parameter
ReturnUrlproperly set. GOOD
Example 2:
- User is on http://example.com/Account/Edit?ReturnUrl=%2FSomething%2FElse%2F4
- Session times out, then user hits refresh.
- User is immediately shown IIS' 401 error page instead of being sent back to the login page. BAD
Note that the request is making it to the MVC handler:
I've debugged as best I can but the issue appears to occur within the MVC framework itself. If I change the ReturnUrl parameter to something else, ReturnUrl2 for example, then the login redirect works fine.
What's so special about the word ReturnUrl?
来源:https://stackoverflow.com/questions/29973280/mvc-route-returns-401-only-if-returnurl-parameter-is-in-querystring