Cannot disable ASP.NET cookieless mode

Question

I'm trying to find out why UrlHelper.RouteUrl returns me cookieless URLs that start with /(F(. This only seems to happen for Bing requests (Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)).

I already disabled cookieless mode 3 times:

<authentication mode="None">
  <forms cookieless="UseCookies" />
</authentication>

<anonymousIdentification enabled="true" cookieless="UseCookies" />

<sessionState cookieless="UseCookies" />

I also added the following assertion:

if (url.StartsWith("/(F(", StringComparison.Ordinal))
    throw new Exception(
        FormsAuthentication.CookieMode + " " +
        FormsAuthentication.CookiesSupported + " " +
        HttpContext.Current.Request.Browser.Cookies);

This throws in case of bing bot. But it claims that CookieMode == UseCookies && CookiesSupported == true && Browser.Cookies == true. This means that the config setting took, as well as that ASP.NET thinks that Bing bot does support cookies. There should be no reason whatsoever to prepend this cookieless string to the URL.

I cannot reproduce it locally on Windows 7 .NET 4.7. The production server runs Server 2008 R2 with .NET 4.7.

I tried really hard disabling this nasty feature. How can I escape this madness?

Update: The F seems to mean that the forms authentication feature is responsible. But clearly it is disabled in the web.config?! I'm not using it in any way as far as I know (might be a wrong assumption).

Also, I tested the "app path modifier" value which is being used by MVC:

var x =
(string)typeof(HttpResponse)
.GetField("_appPathModifier", BindingFlags.NonPublic | BindingFlags.Instance | BindingFlags.FlattenHierarchy)
.GetValue(HttpContext.Current.Response);

I added this value to the assert and indeed the nasty /(F( string is present here. I have no idea how it comes to be that the .NET Framework sets this value.

Are you sure your server is currently giving out those URLs and they’re not just in Bing’s list of URLs to check? — Sami Kuhmonen, Nov 18 '17 at 20:49
Yes. The assert is directly after `Url.RouteUrl` and tests the return value. — boot4life, Nov 18 '17 at 21:01

Rainmaker · Answer 1 · 2020-11-11T06:37:35.010

Because before that, the value of SessionId has been removed (CookielessHelper.RemoveCookielessValuesFromPath) from url path.

HttpContext's Init method process that.

private void Init(HttpRequest request, HttpResponse response)
{
    this._request = request;
    this._response = response;
    this._utcTimestamp = DateTime.UtcNow;
    this._principalContainer = this;
    if (this._wr is IIS7WorkerRequest)
    {
        this._isIntegratedPipeline = true;
    }
    if (!(this._wr is StateHttpWorkerRequest))
    {
        this.CookielessHelper.RemoveCookielessValuesFromPath();
    }
    // other codes ...
}

Please Ref Possible Bug With ASP.NET MVC 3 Routing?

I will check Response._appPathModifier value at Application_BeginRequest event,

protected void Application_BeginRequest(object sender, EventArgs e)
{
    //到這時，Url已被改成沒包含SessionId
    //但它的值會放在 Response._appPathModifier 變數之中
    var appPathModifierFieldInfo = Context.Response.GetType().GetField("_appPathModifier",
                 BindingFlags.NonPublic | BindingFlags.Instance);
    var appPathModifier = appPathModifierFieldInfo.GetValue(Context.Response);
    if (appPathModifier != null)
    {
        //url 中有 SessionId
        throw new HttpException(404, "Not found");
    }
}

Cannot disable ASP.NET cookieless mode

1 Answers1