3

We are hosting a site on IIS, and we are requiring HTTPS requests, and I've run across an odd bug related to how internet explorer (IE) handles that URL redirect.

If the initial request is

http://my.domain.com/?param1=hello&param2=100

then IIS forces the request to be redirected to an HTTPS request, but the resulting request is

https://my.domain.com/?param1=hello&param2=100&param1=hello&param2=100

In other modern browsers, this is not the case and the request is redirected as expected.

We are using URL Rewrite to redirect requests to HTTPS

Has anyone else seen this before, and is there anything that can be done to fix it?

TJ Rockefeller
  • 3,178
  • 17
  • 43
  • Since you are using HandleNonHttpsRequest, please refer to [this thread](https://stackoverflow.com/questions/3628181/asp-net-mvc-how-to-automatically-disable-requirehttps-on-localhost) to override the HandleNonHttpsRequest method, in this method, you could set a break point to check the url, if it contains duplicate query parameters, you could rewrite the url. – Zhi Lv Jun 12 '19 at 02:25
  • @ZhiLv-MSFT I realized this morning that we have code in ASP.NET to handle this, but it is never getting hit because we ended up handling the HTTPS redirect using IIS URL Rewrite. – TJ Rockefeller Jun 12 '19 at 13:32

1 Answers1

7

After realizing that the redirect was occurring in IIS, I was looking at settings in the rewrite action and noticed that the check box Append query string was checked. After unchecking that box, it appears to have resolved the issue. Query strings are still present in the redirect, but they aren't being duplicated now in IE.

The setting can also be changed in xml of the web.config by adding appendQueryString = "false" to the <action> child.

In the web.config file before making the change, there was nothing explicitly specifying the state of appendQueryString, so it is important to note that it seems that the default behavior of a redirect action is to append the query string.

To change the setting in IIS:

  1. Open IIS Manager.
  2. Select [Web Site With Issue].
  3. In the Feature View, click "URL Rewrite".
  4. Select "HTTP/S to HTTP Redirect" Rule and click "Inbound Rules > Edit" at right
  5. Scroll down to nearly the bottom of the editor pane to "Action > Append Query String" checkbox and uncheck it.
  6. Click "Apply" at right.

(Pretty pictures of most of this procedure here)

Campbeln
  • 2,880
  • 3
  • 33
  • 33
TJ Rockefeller
  • 3,178
  • 17
  • 43
  • Thanks for this solution! Seems very few people has run into this particular idiosyncratic behavior of IIS. – Campbeln Oct 14 '19 at 06:12