locked
Redirect Loop on the patch with MVC 2 RRS feed

  • Question

  • User260983704 posted

    I've installed the patch and added the necessary entry to the UrlScan.ini to deny the ?aspxerrorpath= query string variable.

    However, this has caused every error to cause a redirect loop because ?aspxerrorpath= is still being added to every error page that gets thrown.

    How can I tell IIS to stop adding this query string to the error pages? It's causing the redirect loop ... consider this scenario:

    The default behavior is to send the user to the /Error?aspxerrorpath=/originalpath
    • Customer requests a page that doesn't exist
    • They get the 404 page and are sent to /Error?aspxerrorpath=/some-404-path
    • BUT then the ?aspxerrorpath= query string is being denied by the UrlScan feature
    • The UrlScan feature, detects this and then sends the user to /Rejected-By-UrlScan
    • But there is no Controller or Page located at /Rejected-By-UrlScan, so it sends to another error, which is
      /Error?aspxerrorpath=/Rejected-By-UrlScan
    • But then once again, the ?aspxerrorpath= query string is included in the request and it sends them to the same page again -- causing the redirect loop

    I've run the check script that Scott Gu posted and my sites are configured correctly as far as custom error pages and not having separate error statuses go to different pages. 

    Thursday, October 14, 2010 2:59 PM

Answers

  • User260983704 posted

    One way to fix this, I guess, is to add "aspxerrorpath=/Rejected-By-UrlScan" to the [AlwaysAllowedQueryStrings] header.

    At least then it won't do the redirect loop. I thought maybe it would be better to just remove the automatic addition of ?aspxerrorpath= query string all together. I'm just not sure if this is possible.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, October 14, 2010 4:24 PM

All replies

  • User260983704 posted

    One way to fix this, I guess, is to add "aspxerrorpath=/Rejected-By-UrlScan" to the [AlwaysAllowedQueryStrings] header.

    At least then it won't do the redirect loop. I thought maybe it would be better to just remove the automatic addition of ?aspxerrorpath= query string all together. I'm just not sure if this is possible.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, October 14, 2010 4:24 PM
  • User-613285958 posted

    Mase, have you ever sorted all this out? I'm seeing the same issue.

    Tuesday, July 5, 2011 10:55 AM