At my organization, we have implemented a suggestion for fixing Cross-Site History Manipulation by appending a random GUID to the end of the URL on a redirect.
For example:
Response.Redirect($"{path}&paramX={Guid.NewGuid():N}");
So if the user has visited the page https://www.example.com/default.aspx then the redirect behavior would be the following:
Response.Redirect("https://www.example.com/default.aspx?&paramX=d11712a771294de8a6fc0c66e92954fc");
The issue or question comes into play if the Redirect happens when the user has already been redirected once or multiple times. In that case, duplicate params will be appended each time such as the following:
Response.Redirect("https://www.example.com/default.aspx?&paramX=d11712a771294de8a6fc0c66e92954fc&paramX=ff4bc6a838684b198060c70091b300e2");
Is there a limit on the URL length this could run into if excessive redirects happen?
If so, my solution to this would be to use a RegEx to detect if the param exists each time and use RegEx Replace( ) to replace it rather than appending each time.
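As an added illustration of the replace-rather-than-append idea (example code, not from the original post), the following helper parses the existing query string, drops any previous paramX values, and appends exactly one fresh GUID. The helper name WithSingleParam and the use of UriBuilder are this example's own choices.

```csharp
using System;
using System.Linq;

static class RedirectHelper
{
    // Returns url with exactly one occurrence of paramName, replacing any
    // existing copies, so repeated redirects cannot grow the query string.
    public static string WithSingleParam(string url, string paramName = "paramX")
    {
        var builder = new UriBuilder(url);

        // UriBuilder.Query carries a leading '?' when non-empty; strip it
        // before splitting into individual key=value pairs.
        var pairs = builder.Query.TrimStart('?')
            .Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries);

        // Keep every pair whose key is not paramName (case-insensitive compare).
        var kept = pairs.Where(p =>
            !p.Split('=')[0].Equals(paramName, StringComparison.OrdinalIgnoreCase));

        // Append one new value; Guid "N" format is 32 hex chars, URL-safe.
        var fresh = $"{paramName}={Guid.NewGuid():N}";
        builder.Query = string.Join("&", kept.Append(fresh));

        return builder.Uri.AbsoluteUri;
    }
}

// Usage (hypothetical call site in place of the string concatenation above):
// Response.Redirect(RedirectHelper.WithSingleParam(path));
// "https://www.example.com/default.aspx?&paramX=d117...&paramX=ff4b..." becomes
// "https://www.example.com/default.aspx?paramX=<new guid>" with a single value.
```

Because the parameter is matched by key rather than by regex, a stray empty segment from the "?&paramX" form is also dropped, and the resulting URL length stays constant across any number of redirects.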
Yes, there is a limit on the length of a URL. It depends on the browser the user uses. Here I list some browser limits for your reference:
IE: no more than 2048 bytes
Chrome: no more than 8182 bytes
FireFox: no more than 65536 bytes
Safari: no more than 80000 bytes
So I think it is not easy to exceed the URL length limit, but I suggest you make some improvement so that the same param is not appended to the URL more and more.