2

I have a two server system... one hosting the app and the other hosting the authentication/authorization. When the app detects the user isn't logged in yet, it redirects to the auth server and passes, as a parameter, the URL originally requested by the user so that after authentication, the user will be redirected back to the app server to the exact URL originally requested.

However, if that original URL contains a #, the whole routine is hosed. It appears that the browsers are decoding the url encoded parameter and, as a consequence, dropping anything after the # to the floor. I've tried this on Chrome, Safari and Firefox.

Example:

Original URL:

https://xxx.com/#/main/by-users?param1=53&param2=13&param3=39

Redirect URL:

https://yyy.com/signin/?returnURL=https%3A%2F%2Fxxx.com%3A80%2F%23%2Fmain%2Fby-users%3Fparam1%3D53%26param2%3D13%26param3%3D39

Browser shows:

https://yyy.com/signin/?returnURL=https%3A%2F%2Fxxx.com%2F#/main/by-users?param1=53&param2=13&param3=39

As you can see, everything including and after the # is decoded. Thus the server never gets the full 'returnURL' parameter value. It basically just gets 

https://xxx.com/

This must be part of some spec someplace, though it seems insane that an encoded # should be decoded and dealt with as if it were never encoded in the first place. But how does one get around this?

Thanks.

ticktock
  • 1,593
  • 3
  • 16
  • 38

2 Answers2

11

Not sure if it is the best solution or even if you can control this, but it may work if you do double-encoding: for example, instead of "%23", make it use "%2523".

The unwanted decoding should then convert "%2523" to "%23", leaving the desired result in the redirect URL that the browser shows.

Kwateco
  • 300
  • 3
  • 9
  • 1
    Yes, I tried this. The problem, in the end, was that I was doing the redirect from the server, which again, never sees anything after the #. The only solution is to use javascript to either a) perform the redirect or b) supply the 'current url' to the server in an encoded parameter. – ticktock Jun 19 '14 at 17:36
2

You need to URI-escape the "#" character.

Julian Reschke
  • 40,156
  • 8
  • 95
  • 98
  • Erm.. I did. The redirect URL : https://yyy.com/signin/?returnURL=https%3A%2F%2Fxxx.com%3A80%2F**%23**%2Fmain%2Fby-users%3Fparam1%3D53%26param2%3D13%26param3%3D39 – ticktock Sep 19 '13 at 17:12
  • 1
    Ah, ok. Just decoded in the address bar then. You may want to do an HTTP trace to see what's going on on the wire. Keep in mind that the #fragment part isn't actually sent by the browser to the server, so this might cause a problem. Better avoid hashtag URIs (see http://www.w3.org/blog/2011/05/hash-uris/) – Julian Reschke Sep 20 '13 at 07:26
  • You're right on track there. The fact that the server is doing the redirect is the root of the problem. I need javascript help to accomplish it, either by doing the redirect for me, or to provide the full url (encoded) to the server side. – ticktock Jun 19 '14 at 17:38