Getting 403: Forbidden: Access is Denied when users closes logged in session accidentally
【Posted】: 2012-02-13 13:21:58
【Question】: When users accidentally close the browser without logging out and then try to open the URL again, I get a 403.
When they come back to check, the site throws a 403. To work around this temporarily, I cleared all the cookies and reopened access.
Error: 403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.
Details for troubleshooting: Web.Config file
<forms loginUrl="index.aspx"
protection="All" path="/"
timeout="300"
name="AppNameCookie"
slidingExpiration="true"
defaultUrl="index.aspx"
cookieless="UseCookies"
enableCrossAppRedirects="false"
requireSSL="false"/>
Code that authenticates the user
' Create the cookie that contains the forms authentication ticket
Dim authCookie As HttpCookie = FormsAuthentication.GetAuthCookie(sUserName, False)
'HttpOnly cookie means it is not accessible by the client through ECMAScript.
authCookie.HttpOnly = True
authCookie.Expires = Now.AddMinutes(300)
' Get the FormsAuthenticationTicket out of the encrypted cookie
Dim ticket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(authCookie.Value)
' Create a new FormsAuthenticationTicket that includes our custom User Data
Dim newTicket As FormsAuthenticationTicket = New FormsAuthenticationTicket(ticket.Version, ticket.Name, ticket.IssueDate, ticket.Expiration, ticket.IsPersistent, userDataString)
' Update the authCookie's Value to use the encrypted version of newTicket
authCookie.Value = FormsAuthentication.Encrypt(newTicket)
' Manually add the authCookie to the Cookies collection
Response.Cookies.Add(authCookie)
' Determine redirect URL and send user there
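I think there is a problem with the cookie, but I cannot find the root cause.
Update: I found how to reproduce the problem
Log in as a user and close the browser without logging out. Try to open the home page, and the error is reported.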
【Answer 1】: The problem is solved.
There was a conflict with the AuthCookie in the login page; the following lines were causing the problem.
authCookie.HttpOnly = True
authCookie.Expires = Now.AddMinutes(120)
Dim ticket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(authCookie.Value)
Dim newTicket As FormsAuthenticationTicket = New FormsAuthenticationTicket(ticket.Version, ticket.Name, ticket.IssueDate, ticket.Expiration, False, userDataString)
authCookie.Value = FormsAuthentication.Encrypt(newTicket)
I replaced them with the following lines, and they work fine.
Dim asx As New FormsAuthenticationTicket(sdata, False, 60)
' Now encrypt the ticket.
Dim encryptedTicket As String = FormsAuthentication.Encrypt(asx)
Dim authCookie As New HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
Response.Cookies.Add(authCookie)
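An added example, not code from the question or the answer: a cookie built with New HttpCookie, as in the replacement lines above, has HttpOnly = False by default, and the three-argument ticket carries no custom user data. The sketch below issues a session-only ticket that keeps both and takes its lifetime and flags from the <forms> element in Web.config. It assumes .NET Framework 4.0 or later; AuthCookieIssuer and BuildAuthCookie are hypothetical names.

```vb
Imports System
Imports System.Web
Imports System.Web.Security

' Hypothetical helper module (not from the original post).
Public Module AuthCookieIssuer

    ' Builds a non-persistent forms-authentication cookie carrying custom user data.
    ' Call from the login page: Response.Cookies.Add(BuildAuthCookie(sUserName, userDataString))
    Public Function BuildAuthCookie(userName As String, userData As String) As HttpCookie
        Dim issued As DateTime = DateTime.Now
        ' Ticket lifetime follows timeout="..." on <forms> (FormsAuthentication.Timeout, .NET 4.0+).
        Dim expires As DateTime = issued.Add(FormsAuthentication.Timeout)

        ' isPersistent = False: the ticket is meant to live only for the browser session.
        Dim ticket As New FormsAuthenticationTicket(
            2, userName, issued, expires,
            False, userData, FormsAuthentication.FormsCookiePath)

        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName,
                                     FormsAuthentication.Encrypt(ticket))

        ' New HttpCookie leaves HttpOnly = False unless set here or via <httpCookies>.
        cookie.HttpOnly = True
        ' Mirror requireSSL from <forms>; with requireSSL="false" the cookie is also sent over HTTP.
        cookie.Secure = FormsAuthentication.RequireSSL
        cookie.Path = FormsAuthentication.FormsCookiePath
        If Not String.IsNullOrEmpty(FormsAuthentication.CookieDomain) Then
            cookie.Domain = FormsAuthentication.CookieDomain
        End If

        ' Expires is deliberately left unset so the cookie stays a session cookie,
        ' consistent with the non-persistent ticket inside it.
        Return cookie
    End Function

End Module
```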