'F' tokens in urls?

Question

Previously updated my mvc application from mvc2 to mvc 3 and last week to mvc 4. Also moved it from IIS6 server to IIS7 server.

Now many urls, generated by mvc routing, have token in url. Like this:

http://domain.net/(F(D4379600E44F6AF6D4695965E697E4EF18E37E9D4A33EF1DFAC33B05D8BD1C3601EC6D41276ADE9048699F26558469FB12118644813DE200464A082F0250855D8AC0825CAA33DFF40092C74D3B3AA0440D2547DEFE320118B53A1C43149B9E616D8579D2DFC35225E06055C3E4F8FF37F610729E))/page/something

This token is applied for 70% of all urls on pages, even for images. It looks like Forms Auth token for cookieless browsers. But I disabled cookieless in web.config(set it to cookies only). Also it applied for all browsers(with enabled cookies), and even when user is not signed in.

How to solve this issue? Any ideas? Think, I missed something when upgraded to new mvc.

UPD. Tried to disable cookieless in next way(web.config):

<sessionState cookieless="false" />
<authentication mode="Forms">
  <forms loginUrl="~/LogOn" timeout="2880" cookieless="UseCookies"  />
</authentication>

UPD1. I use couple RenderAction commands in master page, to render some general partial views. and controller methods for these parts, I marked with OututCache attribute. Removed this attribute - and all urls now looks good. It is very strange, but helped me.

<%Html.RenderAction("BlogPosts", "Widgets", new RouteValueDictionary()); %> 


[ChildActionOnly]
    //[OutputCache(Duration = 180)]
    public ActionResult BlogPosts()
    {
        var model = new BlogListModel();
        model.BlogPostType = defService.BlogType();
        model.List = widgetService.BlogPosts(3);
        return PartialView("Widgets/BlogPostsWidget", model);
    }

http://stackoverflow.com/questions/6229565/iis7-5-asp-net-mvc-users-hitting-strange-urls-f1xe9exixpz might contain some useful information. — user247702, Nov 27 '12 at 13:53
could you clarify how have you disabled cookieless in web.config? — eis, Dec 28 '12 at 21:17
it doesn't make sense, since the cookieless parameter is set to false. Did you try restarting the pool, cleaning the cache, etc? — Gabriel, Jan 04 '13 at 17:16
restarted all pools and server, cleared cache, etc... - same result — barbarian, Jan 04 '13 at 18:45
I've run into this problem too. I have a razor layout which calls a few @Html.Action("xxx","xxx"). The action returns a PartialViewReusult. I had the OutputCache directive on these actions, to provide partial page caching. These actions would return URLs, when build using @Html.ActionLink(), URLs with the cookieless forms auth token included. I have verified that both my section includes cookieless="UseCookies" and includes cookieless="false". Once I disabled output caching, the issue went away, but that makes sense if the output with form tokens were being cached. — LaptopHeaven, Apr 25 '13 at 11:54

score 0 · Answer 1 · edited May 23 '17 at 12:18

I agree with other commenters that this was probably caused by the cookieless session state attribute. Various sites show that if you have the cookieless attribute set to true, then URLs will be embedded with the session ID.

Example:http://yourserver/folder/(session ID here)/default.aspx

OutputCache appears to have no connection with cookieless implementation.

The web.config change you made may not have been immediate. It's a little ambiguous, but just to be safe, you should restart the application after making any changes to the web.config file.

I would restart the application, uncomment your OutputCache code, build/publish, and see what results you get.

'F' tokens in urls?

1 Answers1