IE10 injects token into .NET MVC links

Question

I have a working .NET MVC application, but when accessing with IE10 on Windows 8 the browser source code shows that all dynamically generated URLs, eg. with Url.Action("Index", "Home") are written as:

/(F(usb6gVWyFnXevozQyFvVxVdbsN0uM9kZ5wNu9gT9pWBINGuodOdzLKkIQzfhqy3UhnCLyXf78LugXZO2UPYfMbNzSJJawmbqUBL56TjKpXgWpiMdVAjB1T3YcPlGhZePwFd6C9P_f_Y89KiDnWcA9EfR1m0ud3IcBYTW8OwZxOMTd8bxt5hM8mgXVN6OSdoo3IMwRA2))/Home/Index

instead of:

/Home/Index

If we write the link with static HTML:

<a href="/Home/Index">[linktext]</a>

IE10 redirects to the login page. The problem is when leaving the site temporarily to go to a partner site that has a link back to the first site. As the injected code is missing the return URL is no longer valid and redirects to the login.

Anybody knows why this code is injected (Framework or IE10 issue?)

bkaid · Accepted Answer · 2012-09-01T17:02:10.820

22

That code is part of ASP.NET's cookieless session feature. You can disable it in the web.config <configuration><system.web> section with:

<sessionState cookieless="false" />

Or with:

<forms cookieless="UseCookies" />

I don't know why IE10 is doing that. You could probably add a browser file in app_browsers with updated IE10 info to tell it it supports cookies. Or perhaps you have cookies disabled?

edited Sep 01 '12 at 17:02

answered Sep 01 '12 at 15:01

bkaid

51,465
22
112
128

1

Seems you're right about the server interpreting IE10 incorrectly because of not up-to-date browseer definition files. Additionally to your suggestion I added: `` and IE10 no longer injects the session token. – Smorko Sep 01 '12 at 16:19
Yeah the forms cookieless was the one I had used in the past but couldn't think of off the top of my head. – bkaid Sep 01 '12 at 17:02

score 8 · Answer 2 · edited Jun 11 '13 at 23:40

8

There is a bug in the browser definition files that shipped with .NET 2.0 and .NET 4, namely that they contain definitions for a certain range of browser versions. But the versions for some browsers (like IE 10) aren't within those ranges any more. Therefore, ASP.NET sees them as unknown browsers and defaults to a down-level definition, which has certain inconveniences, like that it does not support features like JavaScript and/or cookies.

Microsoft released hotfixes that correct the issue.

.NET 4 - http://support.microsoft.com/kb/2600088
.NET 2.0
- http://support.microsoft.com/kb/2600100 for Win7 SP1/Windows Server 2008 R2 SP1, Windows Vista/Server 2008, Windows XP/Server 2003
- http://support.microsoft.com/kb/2608565 for Win7/Windows Server 2008 R2 RTM

(Source)

edited Jun 11 '13 at 23:40

JustinStolle

4,182
3
37
48

answered Sep 01 '12 at 15:08

Alexander Taran

6,655
2
39
60

1

Thanks Alexander, updating the browser definitions on the server is probably the best way to solve this if you're enabled to do server updates. Tweaking the web.config did the job for me though for now. – Smorko Sep 01 '12 at 17:35
If you are setting up on a fresh windows 2008 r2 vm from Azure, you need to apply the windows update (to get these fixes). lost about 2 hours looking for this tip today. – MikeJ Aug 06 '13 at 17:42

score 1 · Answer 3 · edited May 23 '17 at 10:26

1

Add your web.config file to cookieless="UseCookies" like this;

<authentication mode="Forms">
  <forms loginUrl="~/YourLoginUrl" timeout="2880" **cookieless="UseCookies"** />
</authentication>

This solve quoted from this link; https://stackoverflow.com/a/15510453/2057154

edited May 23 '17 at 10:26

Community

1
1

answered Apr 12 '13 at 13:48

yusuf

1,233
1
15
29

IE10 injects token into .NET MVC links

3 Answers3

Linked