nginxinc/nginx-openid-connect

Issue with special character handling in redirect URI after authentication

route443 opened this issue · 0 comments

Problem

An issue arises when the original request's query string contains certain special characters, such as semicolons (;). This issue becomes apparent after authentication when the user agent is redirected back to the application, resulting in a truncated query string in the redirect URI.

Technical details

The core of the issue is the absence of URI encoding for the auth_redir cookie value. When the Set-Cookie header is set with a URI that includes a semicolon, the browser misinterprets the semicolon as a part of the cookie's attribute delimiter. This results in the browser truncating the cookie value at the point of the special character. Consequently, when the user is redirected back post-authentication, we retrieve a truncated version of the original URI from the auth_redir cookie, leading to incorrect or incomplete redirection.

Proposed solution

To prevent this issue, we need to URI-encode the original request before setting it as the cookie value.
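
The truncation and the proposed fix, shown as an added example (not code from the nginx-openid-connect project or from the issue's author). It models only how a user agent splits a Set-Cookie header at the first semicolon; the function names, sample URI and cookie attributes are constructed for illustration.

```javascript
// Added illustration. Function names, SAMPLE_URI and the cookie attributes
// (Path, HttpOnly) are constructed; only the auth_redir cookie name is from the issue.

// User-agent view of a Set-Cookie header (RFC 6265, section 5.2):
// everything before the first ';' is the name=value pair, the rest are attributes.
function storedCookieValue(setCookieHeader) {
  const pair = setCookieHeader.split(';')[0];
  return pair.slice(pair.indexOf('=') + 1).trim();
}

// Behaviour described in the issue: the original request URI goes into the cookie as-is.
function buildCookieRaw(requestUri) {
  return 'auth_redir=' + requestUri + '; Path=/; HttpOnly';
}

// Proposed fix: URI-encode the original request before using it as the cookie value.
function buildCookieEncoded(requestUri) {
  return 'auth_redir=' + encodeURIComponent(requestUri) + '; Path=/; HttpOnly';
}

// Full round trip: set the cookie, let the user agent store it, then read the
// redirect target back after authentication (decoding only if it was encoded).
function roundTrip(requestUri, encode) {
  const header = encode ? buildCookieEncoded(requestUri) : buildCookieRaw(requestUri);
  const stored = storedCookieValue(header);
  return encode ? decodeURIComponent(stored) : stored;
}

// Constructed sample: a query string that contains semicolons.
const SAMPLE_URI = '/search?tags=red;green;blue&page=2';

console.log('raw     ->', roundTrip(SAMPLE_URI, false)); // cut at the first ';'
console.log('encoded ->', roundTrip(SAMPLE_URI, true));  // original URI restored
```

The reader of the cookie has to decode the value before using it as the redirect target, otherwise the user agent is sent to the percent-encoded string instead of the original URI.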