sunpost - 12:37 pm on Aug 8, 2007 (gmt 0)

The ISAPI filter aspnet_filter.dll appears to be the culprit. Even if the sessionState is removed, it still rewrites a header that matches the patterns above. The problem is that you can't remove that filter or the protection of certain folders(/bin, /app_data, /app_code) is removed too.

a workaround might be to not allow cookieless sessions and test if the url does not match the rawurl. Then you can rewrite using a 404 or 301.