Recently we had a bizarre response from a server when attempting to access a web site.

If I browse to http://web_1.myweb.com/home/login.aspx, the web site redirects to http://web_1.myweb.com/(X(1))/home/login.aspx.

Turns out the (X(1)) is ASP.NET attempting to run in cookieless mode. The cuprit is the combination of the underscore in the URL and having your web configured to autodetect cookies:

    <authentication mode="Forms">
      <forms cookieless="AutoDetect" />

Here’s the sequence of events:

I send a request for http://web_1.myweb.com/home/login.aspx.

The server responds with a 302 redirect to http://web_1.myweb.com/home/login.aspx?AspxAutoDetectCookieSupport=1 and will include a AspxAutoDetectCookieSupport=1 cookie.

Normally, your browser would respond with a request to the new URL with the added querystring, as well as the cookie, and the system would continue on, but with the underscore in the URL, your browser (up to and including IE10) doesn’t consider this to be a valid domain, so it doesn’t send the cookie back.

ASP.NET then goes into cookieless mode, according to this MSDN article: Understand How the ASP.NET Cookieless Feature Works.

The solution is to remove the underscore from your URL, or (if your application requires cookies) to change your cookieless setting to “UseCookies”.

MSDN article describing why IE doesn’t play nicely with underscores in a URL: Article ID: 241980.