Hashtag "#" in URL / URI.
search cancel

Hashtag "#" in URL / URI.

book

Article ID: 11822

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

When the URL/URI contains a # character, CA Single Sign-On (SiteMinder) is not able to process this URL / URI.

The URL gets truncated if # is present in it.  This includes Access Gateway.

How does CA Single Sign On (SiteMinder) handle a # in the URL/URI?

Is this a problem with CA Single Sign-On OR a problem with the Agent or Access Gateway?

Environment

Conclusion:

  1. User has to send %23(encoded #) while sending the request to webserver.  Some browsers send complete URL even though # is present.  In that case no issue is observed.

  2. At present even though %23( encoded #) is sent as part of the request,  final page is truncated after authentication. 
    This is fixed in R12.52SP1CR9 (Internal SE Engineering Ticket - DE140714).

  3. If browser is truncating the URL, then WebAgent / Access Gateway cannot fix it.


 

Resolution

# Character - This is considered as an Unsafe Character

More about “unsafe” characters from RFC1738:

All unsafe characters must always be encoded within a URL. For example, the character “#” must be encoded within URLs even in systems that do not normally deal with fragment or anchor identifiers, so that if the URL is copied into another system that does use them, it will not be necessary to change the URL encoding.

Any information that appears after the first hash symbol in a URL is referred to as the fragment identifier – sometimes also called an anchor tag. By default, the fragment identifier is interpreted only by the local web browser and is typically not passed to the remote web server. For example, the following two links would both be considered requests for the same document by the web server:

www.example.com/fruits.html#apple
www.example.com/fruits.html#orange

This may be the problem with the URI syntax, "#" is considered a sign of end of URL, so if you put it as part of an URL, it just considers as a termination character and it does not understand it.

So in the above examples, When you access the above URLs, Web browser truncates it and send like below to the web server.

www.example.com/fruits.html
www.example.com/fruits.html

So when the request go to the web agent which does not contain "#" in the resource itself.  Hence agent is not modifying or truncating the request here.

As per the above information, the problem of URL getting truncated is not due to Web agent, But the Web Browser (URI syntax) itself considering it as end of URL and ignore whatever present after the "#".

Additional Information

Please refer below link for more details on URI syntax.

https://tools.ietf.org/html/rfc3986 

Powered by Wolken Software