How Do I Avoid That ASP.Net (or IIS?) Decodes My URL-encoded Ciphertext (resulting In A 404) Instead Of Passing It To The Approve Script?

I'm working on a piece of a web application in ASP.Net MVC where the user registers for membership using an SQL membership provider. When they register they are put in the system but not approved. The code then sends an approval email to the user with the email given.

// Encrypt the reference id, URL-encode the ciphertext and put it in the approval link
BfEncrypt refid = new BfEncrypt();
string code = HttpContext.Current.Server.UrlEncode(refid.CipherText);
Body += "<a href=\"http://localhost:1091/approve/" + code + "\">Approval Link</a>\r\n\r\n";

But when a user clicks on the link they get the following error:

Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.

Requested URL: /Approve/k/9IHrY43os=

The question is, if I'm URL-encoding the link before I send it, why is it decoding before it tries to call the action? The URL in my browser is actually 'http://localhost:1091/Approve/k%2f9IHrY43os%3d' when I get the error. My routing is set up correctly but it doesn't account for the extra '/' in the encrypted string in the URL (since it shouldn't be there anyway).



You could encode it as base64 instead of using URLEncode.
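
The standard base64 alphabet itself contains '/' and '+', and the value in the question (k/9IHrY43os=) already has a '/' and an '=', so a token that goes into a path segment needs the URL-safe base64 variant (RFC 4648 section 5). The following is an added example, not code from the original post; the `UrlToken` class and its method names are hypothetical, and it assumes the ciphertext is available as bytes.

```csharp
using System;

// Hypothetical helper (not from the original post): base64url encoding so the
// token contains only A-Z, a-z, 0-9, '-' and '_' and never needs URL-encoding.
public static class UrlToken
{
    public static string Encode(byte[] data)
    {
        return Convert.ToBase64String(data)
            .TrimEnd('=')          // padding is re-added on decode
            .Replace('+', '-')
            .Replace('/', '_');
    }

    // Returns false instead of throwing: the token comes from the URL and is
    // untrusted input, so a malformed value is simply an invalid link.
    public static bool TryDecode(string token, out byte[] data)
    {
        data = null;
        if (string.IsNullOrEmpty(token) || token.Length % 4 == 1) return false;
        foreach (char c in token)
        {
            bool ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                      (c >= '0' && c <= '9') || c == '-' || c == '_';
            if (!ok) return false;
        }
        string b64 = token.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        try { data = Convert.FromBase64String(b64); return true; }
        catch (FormatException) { return false; }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Sample value taken from the question's failing URL.
        byte[] cipher = Convert.FromBase64String("k/9IHrY43os=");
        string token = UrlToken.Encode(cipher);
        Console.WriteLine("http://localhost:1091/approve/" + token);

        byte[] back;
        bool valid = UrlToken.TryDecode(token, out back);
        Console.WriteLine(valid && Convert.ToBase64String(back) == "k/9IHrY43os=");
        Console.WriteLine(UrlToken.TryDecode("k/9IHrY43os=", out back)); // old form is rejected
    }
}
```

In the approve action, treat a `false` result from `TryDecode`, or a decryption failure afterwards, as an invalid link and leave the account unapproved.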