Question
I am getting a 403 when a user accidentally closes their browser without logging out and tries again to open the URL.
When they check back, the website throws a 403. To temporarily resolve the issue I clean out all the cookies and the access is back on.
Error: 403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.
Details to troubleshoot: Web.Config file
<forms loginUrl="index.aspx"
protection="All" path="/"
timeout="300"
name="AppNameCookie"
slidingExpiration="true"
defaultUrl="index.aspx"
cookieless="UseCookies"
enableCrossAppRedirects="false"
requireSSL="false"/>
Code to authenticate users
' Create the cookie that contains the forms authentication ticket
Dim authCookie As HttpCookie = FormsAuthentication.GetAuthCookie(sUserName, False)
'HttpOnly cookie means it is not accessible by the client through ECMAScript.
authCookie.HttpOnly = True
authCookie.Expires = Now.AddMinutes(300)
' Get the FormsAuthenticationTicket out of the encrypted cookie
Dim ticket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(authCookie.Value)
' Create a new FormsAuthenticationTicket that includes our custom User Data
Dim newTicket As FormsAuthenticationTicket = New FormsAuthenticationTicket(ticket.Version, ticket.Name, ticket.IssueDate, ticket.Expiration, ticket.IsPersistent, userDataString)
' Update the authCookie's Value to use the encrypted version of newTicket
authCookie.Value = FormsAuthentication.Encrypt(newTicket)
' Manually add the authCookie to the Cookies collection
Response.Cookies.Add(authCookie)
' Determine redirect URL and send user there
I think there is an issue with the cookies but I am unable to figure out the root cause of this issue.
UPDATE: I found how to duplicate this issue
Log in as a user and close the browser without logging out. Try to open the home page and it throws the error.
Answer 1:
Issue has been resolved.
The conflict was with the AuthCookie in the login page and the following line was causing the problem.
authCookie.HttpOnly = True
authCookie.Expires = Now.AddMinutes(120)
Dim ticket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(authCookie.Value)
Dim newTicket As FormsAuthenticationTicket = New FormsAuthenticationTicket(ticket.Version, ticket.Name, ticket.IssueDate, ticket.Expiration, False, userDataString)
authCookie.Value = FormsAuthentication.Encrypt(newTicket)
Replaced with the following lines, they work fine.
Dim asx As New FormsAuthenticationTicket(sdata, False, 60)
' Now encrypt the ticket.
Dim encryptedTicket As String = FormsAuthentication.Encrypt(asx)
Dim authCookie As New HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
Response.Cookies.Add(authCookie)
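An added example, not part of the original answer or the poster's code: one way to issue a ticket that carries custom user data while keeping the cookie lifetime and the ticket's IsPersistent flag in agreement, and keeping HttpOnly set explicitly (a cookie created with New HttpCookie otherwise takes HttpOnly from the site's httpCookies configuration). The names AuthTicketHelper and BuildAuthCookie are hypothetical, and FormsAuthentication.Timeout assumes .NET 4.0 or later.

```vb
Imports System
Imports System.Web
Imports System.Web.Security

' Hypothetical helper added for illustration; not code from the original post.
Public Module AuthTicketHelper

    ' Builds the forms-authentication cookie for userName carrying userData.
    ' persistent = False: session cookie, discarded when the browser closes.
    ' persistent = True:  cookie Expires is set to the ticket's own expiration.
    Public Function BuildAuthCookie(userName As String,
                                    userData As String,
                                    persistent As Boolean) As HttpCookie
        If String.IsNullOrEmpty(userName) Then
            Throw New ArgumentException("userName is required", "userName")
        End If

        Dim issued As DateTime = DateTime.Now
        ' Timeout mirrors the timeout attribute of <forms> in Web.config.
        Dim expires As DateTime = issued.Add(FormsAuthentication.Timeout)

        Dim ticket As New FormsAuthenticationTicket(
            2, userName, issued, expires, persistent,
            If(userData, String.Empty), FormsAuthentication.FormsCookiePath)

        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName,
                                     FormsAuthentication.Encrypt(ticket))
        cookie.HttpOnly = True                          ' not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL  ' follows requireSSL in <forms>
        cookie.Path = FormsAuthentication.FormsCookiePath
        If FormsAuthentication.CookieDomain IsNot Nothing Then
            cookie.Domain = FormsAuthentication.CookieDomain
        End If

        ' Only a persistent ticket gets an Expires date, and it is the same
        ' instant as the ticket expiration, so the two cannot drift apart.
        If persistent Then
            cookie.Expires = ticket.Expiration
        End If
        Return cookie
    End Function
End Module

' Usage in the login page (sUserName and userDataString as in the question):
'   Response.Cookies.Add(AuthTicketHelper.BuildAuthCookie(sUserName, userDataString, False))
```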
Source: https://stackoverflow.com/questions/8916649/getting-403-forbidden-access-is-denied-when-users-closes-logged-in-session-acc