ASP.NET: 403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied

Question

When a valid user logs into the system and closes the browser without logging out, it occasionally (i.e. not immediately after but in the next day) prevents the user to login back into the system throwing the following:

Error: 403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.

This question refers to the same problem but in his solution, he decided not to use persistent cookies by passing false as a parameter when creating the FormsAuthenticationTicket, which is not the desired solution.

This is how I am creating the cookie:

private void createCookie(string username, int customerID, bool persist)
{
    HttpCookie cookie = FormsAuthentication.GetAuthCookie(username, persist);
    cookie.Expires = DateTime.Now.AddHours(12);
    var ticket = FormsAuthentication.Decrypt(cookie.Value);
    var userData = customerID.ToString();
    var newTicket = new FormsAuthenticationTicket(ticket.Version, ticket.Name, ticket.IssueDate, ticket.Expiration, ticket.IsPersistent, userData);
    cookie.Value = FormsAuthentication.Encrypt(newTicket);
    Response.Cookies.Add(cookie);
}

Any ideas on how to solve this?

Answer 1

There is no inherent problem with including your own userData in the auth cookie. In one of our websites we use the asp.net login control, and add the following event listener with much success:

    protected void Login1_LoggedIn(object sender, EventArgs e)
    {
        //... unimportant code left out

        //Update the users ticket with custom userInfo object
        string userData = userInfo.Id.ToString("N");
        HttpCookie cookie = Response.Cookies.Get(FormsAuthentication.FormsCookieName);
        FormsAuthenticationTicket oldTicket = FormsAuthentication.Decrypt(cookie.Value);
        FormsAuthenticationTicket newTicket =
            new FormsAuthenticationTicket(
                oldTicket.Version,
                oldTicket.Name,
                oldTicket.IssueDate,
                oldTicket.Expiration,
                oldTicket.IsPersistent,
                userData,
                oldTicket.CookiePath);
        cookie.Value = FormsAuthentication.Encrypt(newTicket);
 }

Answer 2

When a valid user logs into the system and closes the browser without logging out, it occasionally (i.e. not immediately after but in the next day) prevents the user to login back into the system...

I could be dense but isn't the code working like the way you implemented it?

Namely, in createCookie(): you specify cookie.Expires = DateTime.Now.AddHours(12);, which marks the cookie to expire 12 hours after it is issued.

In Asp.net 1.0, if FormsAuthenticationTicket.IsPersistent is set, the ticket will automatically have a valid duration of 50 years from the time issued.

However in Asp.net 2.0 this is no longer the case. If FormsAuthenticationTicket.IsPersistent is set to false, the ticket will have a valid duration identical to the Session timeout period. If FormsAuthenticationTicket.IsPersistent is set to true, the valid duration will default to the Forms Authentication timeout attribute. You have the expiration time set to issue time plus 12 hours, so I would expect the ticket to stop working after 12 hours. Assuming you are using Asp.net 2.0+, hopefully this should explain the hehavior your are seeing. I would suggest try increasing the expiration time to a longer duration and see if the problem goes away.