Saving State
In general, Microsoft® .NET Passport participating sites should attempt to use cookies or other means (instead of query string variables) for purposes of saving state that is particular to a Web application. For the following reasons, do not attach custom query string variables to any site URL passed to a Passport Manager method as a returnURL parameter:
returnURL parameters passed to Passport Manager methods are subject to multiple escapes and encodes as the full returnURL is passed among various .NET Passport network servers. Depending on the types of parameters you try to pass, you may experience more difficulty integrating .NET Passport.
The .NET Passport testing team has seen some cases in which proxy servers change the HTML encoding of URLs on requests, and this can affect returnURL parameters with special encoding requirements (for example, those that contain spaces or special characters).
Some browsers or proxies have URL length restrictions. The current IETF RFC regarding URL length limits URLs to 4096 characters, but the .NET Passport testing team has experienced instances of some proxy servers and browsers truncating URLs to smaller sizes. Microsoft .NET Passport requires the use of the query string to pass back authentication credentials (the Ticket and Profile, as encrypted strings) and for other network purposes. Any site-specific variables will be concatenated at the end of the query string, after the Ticket and Profile and other network-specific variables. Because they are at the end of the query string, your site-specific variables are the most susceptible to being truncated.
Because of these issues, it is recommended that your site set custom cookies containing any site-specific state information instead of using the query string to pass state information. Cookies must already be enabled in order for the .NET Passport single sign-in (SSI) service to function at all, so accepting your site's private cookies in addition to accepting the various .NET Passport cookies should not present a usage barrier to typical users or browsers.
If your site must use query strings and cannot use cookies to save state, attempt to keep the variable content small and simple. Use the Server.URLEncode method to encode your variables. Do not use the variables t, p, and f, which are reserved for .NET Passport.
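The following sketch is an added example, not code from the .NET Passport SDK. It models the query string layout described above (Ticket and Profile first, site-specific variables last), rejects the reserved names t, p, and f, and shows which site variables survive when an intermediary truncates the URL. The function names, the sample URL, and the placeholder Ticket and Profile strings are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical, not part of the Passport SDK.
const RESERVED = new Set(["t", "p", "f"]); // reserved for .NET Passport (from the text)

// Encode site-specific variables as a query string, refusing reserved names.
// Comparing case-insensitively is a conservative assumption of this example.
function encodeSiteVars(siteVars) {
  return Object.entries(siteVars).map(([name, value]) => {
    if (RESERVED.has(name.toLowerCase())) {
      throw new Error(`query variable "${name}" is reserved for .NET Passport`);
    }
    return encodeURIComponent(name) + "=" + encodeURIComponent(value);
  }).join("&");
}

// Model the URL a site receives back: network variables first, site variables
// last, then an intermediary that cuts the URL to maxLen characters.
function simulateReturn(base, ticket, profile, siteVars, maxLen) {
  const site = encodeSiteVars(siteVars);
  const full = `${base}?t=${ticket}&p=${profile}` + (site ? "&" + site : "");
  return full.slice(0, maxLen);
}

// Report, per variable, whether the value arrived exactly as it was sent.
function survivingVars(url, sentVars) {
  const query = new URLSearchParams(url.split("?")[1] || "");
  const report = {};
  for (const [name, value] of Object.entries(sentVars)) {
    report[name] = query.get(name) === String(value);
  }
  return report;
}

// Constructed sample data: placeholder strings stand in for the encrypted
// Ticket and Profile; their lengths are made up for this example.
const sample = {
  base: "https://site.example/default.asp",
  ticket: "T".repeat(100),
  profile: "P".repeat(100),
  siteVars: { cart: "42", lang: "en us" },
};
const intact = simulateReturn(sample.base, sample.ticket, sample.profile, sample.siteVars, 4096);
const cut = simulateReturn(sample.base, sample.ticket, sample.profile, sample.siteVars, intact.length - 5);
console.log(survivingVars(intact, sample.siteVars));
console.log(survivingVars(cut, sample.siteVars));
```

In the truncated case the last variable still parses as a well-formed value, so the receiving page cannot tell from the query string alone that its state was cut short.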