Getting Invalid Token from Browser

Question

I am generating a EmailConfirmationToken for email confirmation. The generated token looks like this:

AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA48Afnm/pyU6UZrt2VXGfHAAAAAACAAAAAAADZgAAwAAAABAAAAAv/3aZrzISkdKPKY/E44DXAAAAAASAAACgAAAAEAAAAAzqg9nuZRZdY2nbqshoqZRgAAAAzqerzjcOuZ06IgrWypvNdp406OlHJpcn/KIr6ZlgMqbPU/4S3COVpY8jcfc0O4/zlZbyLdgVeKCX22P6rvwRWXIAdA/mR+cfgRoOMw16DGh0WpOR26Qan/YeVj8vDwW1FAAAAIskto/9Vzb/7Em2RspEQvZaEqbD

I am sending that token via email as a hyperlink to the user. When the user clicks on the link he will redirect to my confirmation function.

This is how I implemented the function:

[Route("Register/ConfirmEmail")]
[HttpGet]
public async Task<IHttpActionResult> ConfirmEmail(string userId, string code)
{
    string errorMessage = null;
    if (userId == null || code == null)
    {
        errorMessage = "Die Benutzeridentifikation oder der Aktivierungscode sind beschädigt";
        return RenderEmailConfirmedPage(userId, errorMessage);
    } 
    var registerContext = new RegisterContext
    {
        UserId = userId,
        ActivationCode = code
    };
    var result = await userService.ConfirmEmailAsync(registerContext);

The problem is the code which I get is invalid look at the following token:

AQAAANCMnd8BFdERjHoAwE/Cl sBAAAA48Afnm/pyU6UZrt2VXGfHAAAAAACAAAAAAADZgAAwAAAABAAAAAv/3aZrzISkdKPKY/E44DXAAAAAASAAACgAAAAEAAAAAzqg9nuZRZdY2nbqshoqZRgAAAAzqerzjcOuZ06IgrWypvNdp406OlHJpcn/KIr6ZlgMqbPU/4S3COVpY8jcfc0O4/zlZbyLdgVeKCX22P6rvwRWXIAdA/mR cfgRoOMw16DGh0WpOR26Qan/YeVj8vDwW1FAAAAIskto/9Vzb/7Em2RspEQvZaEqbD

Do you know why all + are deleted ?

Answer 1

the + character has a special meaning in URLs. You need to encode it before you return the confirm URL. The UrlEncode utility should do what you need.

https://msdn.microsoft.com/en-us/library/system.web.httputility.urlencode(v=vs.110).aspx

pass your URL string through that method before you return it to the user, it should replace the + sign with %2B