Configure Application cookie options no longer work after upgrade from 11.2.2 to 11.4.2 #14650
Comments
Hi there @RiaMang! Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better. We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.
We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions. Thanks, from your friendly Umbraco GitHub bot 🤖 🙂
We were able to fix the Access denied issue by updating the code like so:
services.ConfigureApplicationCookie(options =>
Also figured that the users being logged out was due to the security stamp validator. We have users signed in through SSO and then we create a member cookie. The security stamp validator check was failing because no such member record existed in the db. We implemented a custom security stamp validator to resolve that issue.
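A validator along the lines the comment above describes could look like the following; this is an added example, not the commenter's or Umbraco's code. It gives SSO-issued cookies (which have no member row to compare against) an absolute age limit and keeps the stamp check for ordinary members. The class name, the claim name and the reuse of the 480-minute value are assumptions, and registering it for the member cookie is not shown.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Identity;

// Added example. TUser stands for the site's member user type.
public sealed class SsoAwareSecurityStampValidator<TUser> : ISecurityStampValidator
    where TUser : class
{
    // Hypothetical claim the site adds when it issues the member cookie after SSO;
    // its value is the SSO sign-in time in Unix seconds.
    public const string SsoSignInClaim = "urn:example:sso-signin-time";

    // Absolute cap for SSO sessions; 480 minutes mirrors the ExpireTimeSpan in the report.
    private static readonly TimeSpan MaxSsoAge = TimeSpan.FromMinutes(480);

    private readonly SignInManager<TUser> _signInManager;

    public SsoAwareSecurityStampValidator(SignInManager<TUser> signInManager)
        => _signInManager = signInManager;

    public async Task ValidateAsync(CookieValidatePrincipalContext context)
    {
        var principal = context.Principal;
        var ssoClaim = principal?.FindFirst(SsoSignInClaim);

        bool valid = ssoClaim is not null
            // SSO session: no member row or stamp to compare, so enforce a hard age limit.
            ? IsWithinMaxAge(ssoClaim.Value, DateTimeOffset.UtcNow)
            // Local member: keep the stamp check so credential changes end old sessions.
            : principal is not null
              && await _signInManager.ValidateSecurityStampAsync(principal) is not null;

        if (!valid)
        {
            // Drop the principal for this request and clear the cookie for the next one.
            context.RejectPrincipal();
            await context.HttpContext.SignOutAsync(context.Scheme.Name);
        }
    }

    // A missing, malformed, future-dated or too-old sign-in time fails closed.
    private static bool IsWithinMaxAge(string value, DateTimeOffset now)
    {
        long nowSecs = now.ToUnixTimeSeconds();
        return long.TryParse(value, out long issued)
            && issued > 0 && issued <= nowSecs
            && nowSecs - issued <= (long)MaxSsoAge.TotalSeconds;
    }
}
```

This version checks on every request, so local members cost one user lookup per request; the built-in ASP.NET Core validator throttles that with `SecurityStampValidatorOptions.ValidationInterval`.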
Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)
11.4.2
Bug summary
There was a recent security update on July 13 and we upgraded our Umbraco 11.2.2 site to 11.4.2. After that upgrade, the Configure application cookie options no longer work. Here is a snippet of the code:
services.ConfigureApplicationCookie(options =>
{
    options.LoginPath = "/login";
    options.AccessDeniedPath = "/no-access";
});
The login path works fine but instead of redirecting to /no-access, when a user tries to navigate to a page where they do not have permissions, they see the IIS 403 page instead.
Also the client's users have suddenly noticed that the cookie times out within 20 minutes which interferes with exams taken on the site and causes users to fail them. We tried extending that time here:
services.ConfigureApplicationCookie(options =>
{
    options.ExpireTimeSpan = TimeSpan.FromMinutes(480);
    options.LoginPath = "/login";
    options.AccessDeniedPath = "/no-access";
});
That does not seem to work either.
All these issues have started happening only after the upgrade on July 13.
Specifics
No response
Steps to reproduce
The above is the generic 403 message instead of the /no-access page.
The cookie expiring early just causes the users to lose data, and then they are kicked to the login page.
I will try to create a fresh Umbraco install and update steps here if possible.
Expected result / actual result
The users were being redirected to the /no-access page when they tried to access a page they did not have permissions for. And there were no complaints from users about being logged out in 15-20 mins. These issues have started only after the security fix was pushed, i.e. when we upgraded from 11.2.2 to 11.4.2.