Don’t you hate it when you’re doing timeout tests, and the application shows the login page, but when you log back in you get .BARF?
When the application says, “The return URL specified for request redirection is invalid.”, it really means “Dude, why did you put all those nasty, ill-encoded characters in the URL when you know I can’t handle them?”
To find this particular beauty, you need to watch for your application dumping a lot of data onto the querystring between transactions. Then, wait for it to time out in the middle of the operation. Your application can then recognize you’ve timed out and direct you to the login page with a return URL on the querystring (if your application does this, of course). When you try to log back in, the application chokes on its own URL.
For more information, see this piece on ASP.NET migration and this bit entitled “Silent Breaking-Change to FormsAuthentication::RedirectFromLoginPage.”