Windows Identity Foundation and Port Forwarding

Published 2019-07-23 15:23

Question:

There is a network configuration:

Client - FW - IIS

IIS is listening on port 8080, and there is a web application on IIS, for example MyApp. The FW implements simple port forwarding (it replaces port 80 with port 8080). Assume the following case:

The client asks for http://MyWebSite/MyApp/Index.aspx, the FW changes the standard port 80 to 8080 and the request becomes http://MyWebSite:8080/MyApp/Index.aspx. IIS returns the requested page Index.aspx to the client. One important thing: if the user types http://MyWebSite/myapp/index.aspx in the browser, IIS returns http://MyWebSite/MyApp/Index.aspx (so it changes the URL according to the real application name). Everything works well.

But the problem appears if I insert WIF into the standard pipeline. For example, I want MyApp to accept only authenticated users, and I want to redirect users to some Identity Provider (IP). If the user tries to get the page http://MyWebSite/MyApp/Index.aspx, everything works fine and the user is redirected to the IP. But if the user tries to get http://MyWebSite/myapp/index.aspx (application name in lower case), IIS returns to the client a redirect to http://MyWebSite:8080/MyApp/Index.aspx. Because port 8080 is closed on the FW, the user gets an error. If I remove WIF from my application, everything works fine again.

Has anybody encountered such a problem?

Answer 1:

The problem was found with Reflector; it is in WIF's CookieHandler.

Browsers send cookies only if the requested path matches (case-sensitively) the path that was set by the CookieHandler (by default the application's virtual directory on IIS). When WIF processes the request, it compares the requested path to the CookieHandler's path. If they don't match (case-sensitively), WIF assumes that the user just typed a wrongly cased URL but still wants to access the application; since the user's browser will not send the session cookie because the cases don't match, WIF's CookieHandler issues a redirect to the correctly cased URL. But it doesn't know anything about the real port number, so it just puts the requested port number into the redirect response. The browser tries to follow the redirect, the requested port is closed on the FW, and we get an error.

In .NET Framework 4.5 you can override the default behavior of CookieHandler with your own custom CookieHandler by implementing its MatchCookiePath method (for example, you can take the public port number from your application's configuration file).

You can also use only lower-case URLs and application names, and lowercase each request path before WIF begins to process it; then there will be no redirects.
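Both workarounds from the answer, written out as an added example (this is not code from the question or the answer, and not WIF's own source). It assumes .NET Framework 4.5 with System.IdentityModel.Services, an application whose virtual directory is `/MyApp`, and a hypothetical `appSettings` key `PublicPort` holding the port the firewall exposes (80). The `MatchCookiePath(HttpContext)` override signature and its `bool` return convention are assumptions to be checked against the CookieHandler reference for your WIF version; the `IHttpModule`, `HttpContext.RewritePath` and `UriBuilder` calls are standard ASP.NET/.NET APIs.

```csharp
using System;
using System.Configuration;
using System.IdentityModel.Services;
using System.Web;

namespace MyApp.Security
{
    // Workaround 1: keep WIF's case-correcting redirect, but build it with the
    // port the client can actually reach instead of the port IIS listens on.
    // Register in web.config:
    //   <system.identityModel.services><federationConfiguration>
    //     <cookieHandler mode="Custom">
    //       <customCookieHandler type="MyApp.Security.PublicPortCookieHandler, MyApp" />
    //     </cookieHandler>
    //   </federationConfiguration></system.identityModel.services>
    public sealed class PublicPortCookieHandler : ChunkedCookieHandler
    {
        // Assumption: the externally reachable port lives in appSettings["PublicPort"].
        private static readonly int PublicPort =
            int.Parse(ConfigurationManager.AppSettings["PublicPort"] ?? "80");

        // Assumed override signature; verify against the CookieHandler reference.
        protected override bool MatchCookiePath(HttpContext context)
        {
            string requestPath = context.Request.Path;            // e.g. "/myapp/index.aspx"
            string cookiePath = string.IsNullOrEmpty(Path) ? "/" : Path; // e.g. "/MyApp"

            // Exact (ordinal) prefix match: the browser will send the session cookie.
            if (requestPath.StartsWith(cookiePath, StringComparison.Ordinal))
                return true;

            // Different path altogether: nothing to correct here.
            if (!requestPath.StartsWith(cookiePath, StringComparison.OrdinalIgnoreCase))
                return true;

            // Same path, wrong case: redirect to the cookie-path casing, but through
            // the public port rather than context.Request.Url.Port (8080 behind the FW).
            var target = new UriBuilder(context.Request.Url)
            {
                Port = PublicPort,
                Path = cookiePath + requestPath.Substring(cookiePath.Length)
            };
            // UriBuilder keeps the original query string; port 80 is omitted for http.
            context.Response.Redirect(target.Uri.AbsoluteUri, false);
            context.ApplicationInstance.CompleteRequest();
            return false;
        }
    }

    // Workaround 2: never let WIF see a mis-cased path. Lowercase the request path
    // in BeginRequest, which runs before WIF's AuthenticateRequest handlers, and set
    // <cookieHandler path="/myapp" /> so the cookie path is lower case as well.
    // Register in web.config:
    //   <system.webServer><modules>
    //     <add name="LowercasePath" type="MyApp.Security.LowercasePathModule, MyApp" />
    //   </modules></system.webServer>
    public sealed class LowercasePathModule : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            app.BeginRequest += OnBeginRequest;
        }

        public void Dispose() { }

        private static void OnBeginRequest(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            string path = ctx.Request.Path;
            string lowered = path.ToLowerInvariant();

            // Only the path is lowercased; query string values (e.g. WS-Federation
            // parameters such as wa=wsignin1.0) are passed through unchanged.
            if (!string.Equals(path, lowered, StringComparison.Ordinal))
                ctx.RewritePath(lowered + ctx.Request.Url.Query);
        }
    }
}
```

With the first class, a request for http://MyWebSite/myapp/index.aspx arriving at IIS as http://MyWebSite:8080/myapp/index.aspx is answered with a redirect to http://MyWebSite/MyApp/Index.aspx, which the firewall forwards as before. With the second, the path is rewritten to /myapp/index.aspx before WIF runs; because the cookie path is also /myapp, the ordinal comparison succeeds and no redirect is issued at all. Use one approach or the other, not both.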



Tags: wif