6

Using ASP.NET MVC3, how can I have IIS not redirect 302 on case-sensitive routing?

For example, I create an application folder under my site called "Admin" in IIS. The javascript (there are hundreds of files, no trivial change, and then when new code gets generated or written, we have to manually case-enforce on all routes? I think that's overkill) and some of the handwritten links all point to /admin/ControllerName/ or /admin/controllername/ already, and so when IIS sees this, it issues a 302 to /Admin/ControllerName/. Obviously (I tested to confirm) just changing the case prevents the 302.

Every image, javascript include, etc, causes two hits to IIS.

How can I reduce the traffic and just have IIS go ahead and reroute me case-insensitively so we can stop all the silly 302's. Or is this impossible and I should go case-enforce every potential URL forevermore in all the code we write? Or do I just need to suck it up and live with the 302's?

jcolebrand
  • 278
  • 4
  • 27

2 Answers2

9

I'm guessing that you're using WS-Federation? Or at least using the WSFederationAuthenticationModule and/or SessionAuthenticationModule? Both of those modules perform a redirect to match the casing of your application as it's in IIS any time they're unable to authenticate you or verify that you're authorized to get the requested resource. I don't see any way to keep it from doing this, and even if you could, you probably wouldn't be able to actually access the resources by using /admin.

The reason for this is that the path listed in cookies is case-sensitive, and since everything related to WS-Federation is done via cookies, the casing has to match. If the cookies showing that you've been authenticated are created for /Admin and then you try to access /admin, it will think you're not authenticated.

One possible workaround would be to set the admin directory as a separate application in IIS, and configure it to not use the FAM or SAM. However, based on the name of the directory, I'm guessing that won't be a viable option for you, since you'd lose authentication on that directory.

Elezar
  • 256
  • 2
  • 3
  • 1
    I wasn't sure about the OP but I am using ws-federation and encountered the same problem. This goes back to the old thing: Always lowercase your URLs! IIS may be case insensitive, and you can get away with this for a while, but eventually it will bite you. This is especially true with traffic analytics, etc. Lots of things using IIS are still case sensitive. – HAL9000 May 08 '14 at 15:28
  • For confirmation of this SAM behavior, see https://brockallen.com/2013/02/08/beware-wif-session-authentication-module-sam-redirects-and-webapi-services-in-the-same-application/ – Elroy Flynn Aug 25 '17 at 14:55
  • Also note that if you you have a web proxy that rewrites urls, and the output urls don't case-match the application url, you'll get an infinite redirect loop. I know, because it happened to me. – Elroy Flynn Aug 25 '17 at 15:56
1

Hmmmm, I thought IIS was case insensitive.

Are you sure there isn't any URL rewriting going on here that you can just disable?

Cheers

Neil
  • 551
  • 3
  • 10
  • well, that's what I'm trying to understand. Figured I would start with the server guys for tricks before letting them choose to migrate to SO. Not sure which is the better audience. All I know is, I'm getting 302's and it's silly. – jcolebrand Jan 11 '13 at 20:20
  • If IIS 7, Check if URL Rewrite module is installed if so there maybe the out-the-box rule enabled that forces urls to lowercase. – Neil Jan 11 '13 at 20:26