Okay, so it might not be best-practise to have spaces in directories - notwithstanding that, the irony surrounding this bug is that it's in the internal type System.Web.Mvc.AntiForgeryDataSerializer+FormatterGenerator+TokenPersister, which is prefixed with a comment saying how difficult it is to unit test (and I don't disagree with that!).

I've written a blog post on this here (http://www.lordzoltan.org/blog/post/MVC-Bug-The-virtual-path-path-maps-to-another-application-which-is-not-allowed.aspx) which has a lot more detail. But to summarise from there, this is how you can reproduce the problem:

- Create a new Asp.Net MVC2 Web Application (from the template) called ‘Asp Net Bug 2008’
- Don’t bother with the unit tests project
- Open the project web properties, and set the project to use the Local IIS Web Server, the location should automatically be set to http://localhost/Asp Net Bug 2008/ (you might need to add the trailing slash here) – the spaces here are important so leave them in.
- Create the Virtual Directory
- Don’t forget to save the project file afterwards (like I just did as I created this walkthrough!)
- Open the view Views/Account/Register.aspx
- Just after the line <% using (Html.BeginForm()) { %> add: <%= Html.AntiForgeryToken() %>
- Compile and run
- Navigate to the [Log On] link at the top of the page
- Hit the ‘Register’ link

Hey presto - you get an exception.

The problem is with how TokenPersistor fakes the request to initialise the IStateFormatter in CreateFormatterGenerator.

If you simply create an Asp.Net WebForm and simply try to access the Browser property (which is where this error originates a bit further down the stacktrace), it works fine.

Could it be that the url encoding on the current Request.Url needs to be undone when being fed into the dummy page so that the virtual path check (to make sure the Url is within the current application) succeeds?