We are currently deploying an MVC app that also needs to support a number of clients that have cookies blocked due to corporate policy. We have cookieless sessions and authentication set to AutoDetect because we figured out that cookieless="UseDeviceProfile" is completely unreliable, since we have to support multiple browsers and Chrome (as well as IE9) craps out with this setting (UseDeviceProfile). Everything works great with the setting "AutoDetect" except for one instance:
If the user is blocking cookies and types in http://somehost.com, ASP.Net adds ?AspAutoDetectCookieSupport=1 to the end of the string, leaving you with a URL of http://somehost.com?AspAutoDetectCookieSupport=1. When this string comes into our MVC app, it blows up with a 404 error. However, if you append a "/" to the end of the initial URL, as in http://somehost.com/, then everything works as expected and ASP.Net prepends the URL with the session string (e.g. http://somehost.com/(sessionstring)/......).
This will be somewhat of an edge case, since the vast majority of the users will be hitting the app from a URL we send to them, which is not susceptible to this "bug". Additionally, the vast majority of the users will have cookies enabled as well. But we would still prefer that even the small number of users this would affect not see this ugly error.
Any suggestions?