Use Forms Authentication Events

ASP.NET automatically adds your encrypted authentication cookie to the querystring after you're authenticated successfully. A problem can occur here if the user's cookie times out within the browser session. In this case, ASP.NET appends the ReturnUrl and a new encrypted cookie to the existing querystring when the request is sent back to the login page. When this happens, the URL's size might exceed the mobile Internet gateway's querystring limits and be truncated. The querystring information becomes invalid, and the user can't log in using that browser session. You can get around this by handling the Application_AuthenticateRequest and Application_EndRequest events in Global.asax:

Sub Application_AuthenticateRequest(ByVal sender _
   As Object, ByVal e As EventArgs)
   ' .NET calls this method for every page 
   ' authentication request
   Dim strAuthTicket As String
   Dim objAuthTicket As FormsAuthenticationTicket

   ' Try and find the user's cookie
   strAuthTicket = Request.QueryString _
      (FormsAuthentication.FormsCookieName)
   ' If found, then decrypt it and check to see 
   ' if it has expired
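   If Not (strAuthTicket Is Nothing) Then
      Try
         objAuthTicket = _
            FormsAuthentication.Decrypt _
            (strAuthTicket)
      Catch ex As ArgumentException
         ' A truncated or otherwise invalid ticket
         ' can't be decrypted; treat it like an
         ' expired one
         objAuthTicket = Nothing
      End Try
      If objAuthTicket Is Nothing OrElse _
         objAuthTicket.Expired Then
         HttpContext.Current.Items _
            ("ClearCookie") = "1"
      End If
   End If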
End Sub

Sub Application_EndRequest(ByVal sender As _
   Object, ByVal e As EventArgs)
   ' .NET calls this method at the end of each 
   ' page request
   Dim strReturnPath As String = _
      Request.Url.AbsolutePath
   Dim strClearCookieFlag As String

   ' Look for our clear cookie signal. If 
   ' present, then just clear out the cookie so 
   ' there are no duplicates the next time
   strClearCookieFlag = _
      CType(HttpContext.Current.Items _
      ("ClearCookie"), String)
   If Not (strClearCookieFlag Is Nothing) Then
      If strClearCookieFlag = "1" Then
         ' Just create a fresh query string with 
         ' no cookie and send it to the login 
         ' page
         Response.AddHeader("Location", _
            "login.aspx?ReturnUrl=" & _
            Server.UrlEncode(strReturnPath))
      End If
   End If
End Sub

In this example, you check whether the cookie has expired every time the Application_AuthenticateRequest event handler handles a request for authentication. You do this by reading the cookie value from the querystring under the cookie name, which you can obtain from the FormsAuthentication class's FormsCookieName property, and decrypting it into a FormsAuthenticationTicket object. If the ticket has expired, you set a flag in the HttpContext's Items collection indicating you need to handle this problem.

The Application_EndRequest event handler fires when the HTTP request is completed. You check here for the context flag that was set. If you detect the flag, replace the old querystring with a new one that has only the login page name and a redirect to the page that was last called. You do this because it's a lot cheaper than searching through the entire querystring and stripping out the duplicates, and it accomplishes the same thing.

Also keep in mind that the login page's name is hard-coded in the replacement querystring. To make this code more robust, you should probably read this value dynamically from the loginUrl attribute of the <forms> element under <system.web>/<authentication> in web.config, then insert it in place of the hard-coded name.
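
One way to read the login page from web.config instead of hard-coding it, as an added example that is not part of the original article. The class and function names (LoginUrlReader, GetLoginUrl, BuildLoginRedirect) are hypothetical. It assumes the application's root web.config declares no default XML namespace and that the loginUrl value can be used as-is in a Location header.

```vbnet
' Added example, not from the original article.
Imports System
Imports System.IO
Imports System.Web
Imports System.Xml

Public Class LoginUrlReader
   ' Cached after the first read so web.config is not
   ' parsed on every request. Editing web.config restarts
   ' the application, which also resets this cache.
   Private Shared cachedLoginUrl As String

   ' Hypothetical helper: returns the loginUrl attribute of
   ' <configuration>/<system.web>/<authentication>/<forms>
   Public Shared Function GetLoginUrl( _
      ByVal request As HttpRequest) As String
      If Not (cachedLoginUrl Is Nothing) Then
         Return cachedLoginUrl
      End If

      Dim doc As New XmlDocument()
      doc.Load(Path.Combine( _
         request.PhysicalApplicationPath, "web.config"))
      ' Assumption: <configuration> has no default xmlns
      Dim attr As XmlNode = doc.SelectSingleNode( _
         "/configuration/system.web/authentication" & _
         "/forms/@loginUrl")

      If attr Is Nothing OrElse attr.Value = "" Then
         ' Fall back to the value the article hard-codes
         cachedLoginUrl = "login.aspx"
      Else
         cachedLoginUrl = attr.Value
      End If
      Return cachedLoginUrl
   End Function

   ' Hypothetical helper: the clean redirect target that
   ' carries only ReturnUrl and no stale cookie value
   Public Shared Function BuildLoginRedirect( _
      ByVal context As HttpContext) As String
      Return GetLoginUrl(context.Request) & "?ReturnUrl=" & _
         context.Server.UrlEncode( _
         context.Request.Url.AbsolutePath)
   End Function
End Class
```

In Application_EndRequest, the Location header value would then come from LoginUrlReader.BuildLoginRedirect(HttpContext.Current). On ASP.NET 2.0 and later, the FormsAuthentication.LoginUrl property returns the configured value without parsing the file.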