This may or may not be a programming question, but one or two users of my website have got some strange strings being inserted into their address bar.
The address should be:
http://URL/Couple of Folders/page.aspx
but occassionally the same thing becomes:
http://URL/(X(1)F(qHfgTf50ahMY47b-lnz3ovk89OA4AbMN4S-sYVZCgCULL))/Folders/Page.aspx
The string is also in the action field as so:
<form name="aspnetForm" method="post" action="/**(X(1)F(qHfgTf50ahMY47b-lnz3ovk89OA4AbMN4S-sYVZCgCULL))**/<Page>.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="aspnetForm">
I'm no server/IIS expert, so please excuse me if this is a dumb question, but what is the strange string and do I/my clients need to worry?
Looks like you have cookieless sessions set to auto in your web config.
If a user allows cookies, their sessionID is stored in an in memory cookie. If they don't, ASP.Net pushed the sessionID into the URL, and this is used to identify which user is making the request. The strange string of characters you are seeing are sessionIDs for those people who have cookies switched off.
There's not really anything to worry about here, although it does make session hijacking a little easier... Probably wouldn't stress about this though.
Hope it helps...
Please check your sessionstate node settings in web.config. The cookieless attribute in sessionstate node must be set to false as shown in the following settings.
<sessionState mode="Off|InProc|StateServer|SQLServer"
cookieless="true|false"
timeout="number of minutes"
stateConnectionString="tcpip=server:port"
sqlConnectionString="sql connection string"
stateNetworkTimeout="number of seconds"/>
Paul is correct about the sessionID being pushed into your URL's for cookieless users. This is not a problem for human users but poses a potentially significant challenge to bots (most significantly Googlebot's spider) who are crawling your site to index and rank your site in search engines.
Bots will be identified as cookieless by your ASP.NET framework which causes a couple of 302 redirects from the ://URL/autocookiesupportdetect then to the URL/(sessionID)/folders... This 302 redirect is bad enough but, to make matters worse, Googlebot receives a sessionID each time it crawls your site and views each URL with the sessionID as a duplicate page to index. This hurts the pagerank for each page Google crawls with the session ID in the URL.
The fix is add a definition file to your site to identify bots as accepting cookies thus serving them a cookie (vs. a cookieless) session. You then will not have to require that your human visitors have cookies enabled and your bot vistors will be happy to see your pages without the sessionID in your URL's.