Access Denied Path issue after recent security update
After the recent security update, my Umbraco 11 site no longer redirects to the 'no access' page specified in the AccessDeniedPath.

    services.ConfigureApplicationCookie(options =>
    {
        options.LoginPath = "/login";
        options.AccessDeniedPath = "/no-access";
    });

Do we know why or how to resolve this?
So, more information: we moved from Umbraco 11.2.2 to 11.4.2 during this security update on July 13, 2023. It seems that none of the ConfigureApplicationCookie settings are working now. I tried updating the ExpireTimeSpan - that is not working either.

    services.ConfigureApplicationCookie(options =>
    {
        options.ExpireTimeSpan = TimeSpan.FromMinutes(480);
        options.LoginPath = "/login";
        options.AccessDeniedPath = "/no-access";
    });

The member is still being logged out in 20 mins or so and if the member navigates to a page that they do not have access to, they see the IIS 403 page instead of this "no-access" page. Has anyone else seen this issue?
Resolved the access denied page issue by updating the ConfigureApplicationCookie code:

    services.ConfigureApplicationCookie(options =>
    {
        options.LoginPath = "/login";
        options.AccessDeniedPath = "/no-access";
        options.Events.OnRedirectToAccessDenied = ctx =>
        {
            // Explicit redirect is required to prevent Umbraco from overriding this behaviour with empty 403 response
            ctx.Response.Redirect(ctx.RedirectUri);
            return Task.CompletedTask;
        };
    });

Also figured that the member was being logged out in 30 mins because we have a custom SSO authentication implementation, so we needed to add a custom Security Stamp Validator.