Getting 403: Forbidden: Access is Denied when a user accidentally closes a logged-in session

I am getting 403 when a user accidentally closes their browser without logging out and tries again to open the url.

When they check back, the website throws a 403. To temporarily resolve the issue, I clear out all the cookies and access is restored.

Error: 403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.

Details to troubleshoot: Web.Config file

  <forms loginUrl="index.aspx" 
         protection="All" path="/" 

Code to authenticate users

    ' Create the cookie that contains the forms authentication ticket
    Dim authCookie As HttpCookie = FormsAuthentication.GetAuthCookie(sUserName, False)

    ' HttpOnly cookie means it is not accessible by the client through ECMAScript.
    authCookie.HttpOnly = True

    authCookie.Expires = Now.AddMinutes(300)

    ' Get the FormsAuthenticationTicket out of the encrypted cookie
    Dim ticket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(authCookie.Value)

    ' Create a new FormsAuthenticationTicket that includes our custom User Data
    Dim newTicket As FormsAuthenticationTicket = New FormsAuthenticationTicket(ticket.Version, ticket.Name, ticket.IssueDate, ticket.Expiration, ticket.IsPersistent, userDataString)

    ' Update the authCookie's Value to use the encrypted version of newTicket
    authCookie.Value = FormsAuthentication.Encrypt(newTicket)

    ' Manually add the authCookie to the Cookies collection
    ' Determine redirect URL and send user there

I think there is an issue with the cookies, but I am unable to figure out the root cause of this issue.

UPDATE: I found how to reproduce this issue.

Log in as a user and close the browser without logging out. Try to open the home page and it throws the error.


  • Issue has been resolved.

    The conflict was with the AuthCookie in the login page and the following line was causing the problem.

    authCookie.HttpOnly = True
    authCookie.Expires = Now.AddMinutes(120)
    Dim ticket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(authCookie.Value)
    Dim newTicket As FormsAuthenticationTicket = New FormsAuthenticationTicket(ticket.Version, ticket.Name, ticket.IssueDate, ticket.Expiration, False, userDataString)
    authCookie.Value = FormsAuthentication.Encrypt(newTicket)

    Replaced with the following lines, which work fine.

    Dim asx As New FormsAuthenticationTicket(sdata, False, 60)
    ' Now encrypt the ticket.
    Dim encryptedTicket As String = FormsAuthentication.Encrypt(asx)
    Dim authCookie As New HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
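
The following is an added example, not part of the original question or answer: one way to issue the ticket with custom user data so that the cookie's lifetime always follows the ticket's, while keeping the `HttpOnly` flag that the replacement lines above no longer set. `AuthCookieIssuer`, `IssueAuthCookie` and its parameters are hypothetical names, and the code assumes .NET Framework 4.0 or later (for `FormsAuthentication.Timeout`).

```vbnet
Imports System
Imports System.Web
Imports System.Web.Security

Public Module AuthCookieIssuer ' hypothetical helper, not from the original post

    ' Issues a forms-authentication cookie that carries custom user data.
    ' The cookie only receives an expiry date when the ticket is persistent,
    ' so cookie lifetime and ticket lifetime cannot drift apart.
    Public Sub IssueAuthCookie(response As HttpResponse,
                               userName As String,
                               userData As String,
                               persistent As Boolean)

        Dim issued As DateTime = DateTime.Now
        ' Take the lifetime from the <forms timeout="..."> setting in Web.config
        ' instead of hard-coding a second, possibly different, value in code.
        Dim expiration As DateTime = issued.Add(FormsAuthentication.Timeout)

        ' Build the ticket directly rather than decrypting and re-wrapping
        ' the one produced by GetAuthCookie.
        Dim ticket As New FormsAuthenticationTicket(
            1, userName, issued, expiration, persistent, userData,
            FormsAuthentication.FormsCookiePath)

        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName,
                                     FormsAuthentication.Encrypt(ticket))
        cookie.Path = FormsAuthentication.FormsCookiePath
        cookie.HttpOnly = True                          ' not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL  ' honour requireSSL from Web.config

        ' Non-persistent ticket: leave Expires unset so the browser treats it
        ' as a session cookie and discards it when the browser is closed.
        If persistent Then
            cookie.Expires = ticket.Expiration
        End If

        response.Cookies.Add(cookie)
    End Sub

End Module
```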