Access Denied After Successful Member Login

2025/09/23 2:52 PM

Hello everyone 👋, I hope you're all doing well.


I'm working on implementing the "Requires Authentication" page feature in my XbyK project, but I'm running into an issue I can't seem to resolve.

I'm logging in a user (Member) using the following code, and everything seems to work fine — signInResult.Succeeded returns true, and User.Identity is not null:

// Parameters: user name, password, isPersistent (rememberMe), lockoutOnFailure.
SignInResult signInResult = await signInManager.PasswordSignInAsync(response.EmailAddress, response.Password, rememberMe, false);
if (!signInResult.Succeeded)
    // Report only the identity that failed; the submitted password must not end up in exception text or logs.
    throw new Exception($"Unable to sign in the user: {response.EmailAddress}");

However, after the user logs in successfully, any page that requires authentication still returns an Access Denied error. I can confirm the proper roles are assigned to the member.

Here’s how I'm configuring Identity and authentication in Program.cs:

static void ConfigureMembershipServices(IServiceCollection services)
{
    services.Configure<AdminIdentityOptions>(options =>
    {
        options.AuthenticationOptions.ExpireTimeSpan = TimeSpan.FromHours(12);
    });

    services.AddIdentity<ExtendedApplicationUser, NoOpApplicationRole>(options =>
    {
        options.Password.RequireDigit = false;
        options.Password.RequireNonAlphanumeric = false;
        options.Password.RequiredLength = 8;
        options.Password.RequireUppercase = false;
        options.Password.RequireLowercase = false;
        options.Password.RequiredUniqueChars = 0;
        options.SignIn.RequireConfirmedAccount = false;
    })
    .AddUserStore<ApplicationUserStore<ExtendedApplicationUser>>()
    .AddRoleStore<NoOpApplicationRoleStore>()
    .AddUserManager<UserManager<ExtendedApplicationUser>>()
    .AddSignInManager<SignInManager<ExtendedApplicationUser>>();

    services.ConfigureApplicationCookie(options =>
    {
        options.ExpireTimeSpan = TimeSpan.FromDays(14);
        options.SlidingExpiration = true;
        options.AccessDeniedPath = new PathString("/error/403");
        options.Cookie.IsEssential = true;
        options.Cookie.Name = "project.auth";
    });

    services.AddAuthorization();
}

Has anyone encountered this behavior before? Could it be related to authorization policies, or something else in the pipeline?

Any insights or suggestions would be greatly appreciated 🙏

Environment

  • Xperience by Kentico version: [30.9.0]

  • .NET version: [8]

  • Execution environment: [Private cloud (Azure/AWS/Virtual machine)]

Tags:
Security v30.9.0 ASP.NET Core

Answers

2025/09/23 3:15 PM
  1. How does your sign-in method end?
  2. If you open your browser dev tools and check "Preserve log" do you see, a response from the server that has a Set-Cookie response header after your authentication request succeeds?
  3. What is the cookie name in the response? It should match your CookieAuthenticationOptions.Cookie.Name value.
  4. How are you requiring authentication checks for pages in your code?
  5. Are you performing any authorization?
  6. What does your ASP.NET Core middleware pipeline look like?
2025/09/24 6:03 PM

Hello Sean,


Thanks for sharing those insights. I have reviewed a few of them and even after some improvements the issue persists. See the details below:

  • The CookieAuthenticationOptions.Cookie.Name is .AspNetCore.Xperience.Application

  • The page has "Requires Authentication" enabled.

  • The page has the proper role permissions set.

  • When the member is logged in successfully, the claims and roles are set properly; I even displayed them just to make sure the roles are there. I can confirm the User is not null and has all the logged properties.

  • I added the proper role claims factory and registered the services:
    .AddClaimsPrincipalFactory<CustomUserClaimsPrincipalFactory>();

    services.AddScoped<IUserClaimsPrincipalFactory<ExtendedApplicationUser>, CustomUserClaimsPrincipalFactory>();

  • The ASP.NET Core pipeline looks like this:

static void ConfigureMembershipServices(IServiceCollection services)
{
    services.Configure<AdminIdentityOptions>(options =>
    {
        options.AuthenticationOptions.ExpireTimeSpan = TimeSpan.FromHours(12);
    });

    services.AddIdentity<ExtendedApplicationUser, NoOpApplicationRole>(options =>
    {
        options.Password.RequireDigit = false;
        options.Password.RequireNonAlphanumeric = false;
        options.Password.RequiredLength = 8;
        options.Password.RequireUppercase = false;
        options.Password.RequireLowercase = false;
        options.Password.RequiredUniqueChars = 0;
        options.SignIn.RequireConfirmedAccount = false;
    })
    .AddUserStore<ApplicationUserStore<ExtendedApplicationUser>>()
    .AddRoleStore<NoOpApplicationRoleStore>()
    .AddUserManager<UserManager<ExtendedApplicationUser>>()
    .AddSignInManager<SignInManager<ExtendedApplicationUser>>()
    .AddClaimsPrincipalFactory<CustomUserClaimsPrincipalFactory>();

    services.AddScoped<IUserClaimsPrincipalFactory<ExtendedApplicationUser>, CustomUserClaimsPrincipalFactory>();

    services.ConfigureApplicationCookie(options =>
    {
        options.ExpireTimeSpan = TimeSpan.FromDays(14);
        options.SlidingExpiration = true;
        options.AccessDeniedPath = new PathString("/error/403");
        options.Cookie.IsEssential = true;
    });

    services.AddAuthorization();
}


Even with those improvements, after logging in, if I try to access a secured page, it returns a 403 Forbidden error. I'm not sure where else to look, so any other insight is always welcome. Should I build a middleware to intercept those secure pages somehow? Any samples?


Thanks in advance
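A 403 that lands on AccessDeniedPath, rather than a redirect to the login page, means the cookie did authenticate the request and it was the role or policy check that failed. In a plain ASP.NET Core Identity setup the two things worth verifying at that point are that the role claims carry the claim type the authorization layer actually reads (IdentityOptions.ClaimsIdentity.RoleClaimType, ClaimTypes.Role by default; a factory that emits "role" or "roles" instead produces exactly this symptom) and that UseAuthentication runs before UseAuthorization in the middleware pipeline. The following is an added example written for this thread, not code from the original posts or from Kentico; it assumes ExtendedApplicationUser from the posts, a hypothetical IMemberRoleLookup service that returns a member's role names, and a constructed role name "MemberRole". It does not reproduce how Xperience evaluates the page-level "Requires Authentication" setting, only the standard Identity pieces underneath it, plus a /whoami endpoint that shows what the cookie principal really contains.

```csharp
// Added example for this thread; not from the original posts or from Kentico.
// Assumed: ExtendedApplicationUser (from the posts), IMemberRoleLookup (hypothetical),
// "MemberRole" (constructed sample role name).
using System.Security.Claims;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

// The AddIdentity<ExtendedApplicationUser, NoOpApplicationRole>(...) chain from the post
// goes here unchanged; the only requirement for this example is that it ends with
//     .AddClaimsPrincipalFactory<CustomUserClaimsPrincipalFactory>();
// That call already registers the factory as the scoped
// IUserClaimsPrincipalFactory<ExtendedApplicationUser>, so no separate AddScoped is needed.

builder.Services.ConfigureApplicationCookie(options =>
{
    // Keep this name in sync with the Set-Cookie header observed in the browser.
    options.Cookie.Name = "project.auth";
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.AccessDeniedPath = new PathString("/error/403");
});
builder.Services.AddAuthorization();

var app = builder.Build();

app.UseRouting();
app.UseAuthentication();   // must run before UseAuthorization, or every [Authorize] fails
app.UseAuthorization();

// Diagnostic endpoint: lists exactly what the cookie principal carries and whether the
// role check that a protected page performs would pass for the signed-in member.
app.MapGet("/whoami", (ClaimsPrincipal user, IOptions<IdentityOptions> identityOptions) =>
{
    var identity = user.Identity as ClaimsIdentity;
    return Results.Ok(new
    {
        authenticated = user.Identity?.IsAuthenticated ?? false,
        authenticationType = user.Identity?.AuthenticationType,
        // The role claim type authorization will look for in this identity.
        identityRoleClaimType = identity?.RoleClaimType,
        configuredRoleClaimType = identityOptions.Value.ClaimsIdentity.RoleClaimType,
        claims = user.Claims.Select(c => new { c.Type, c.Value }),
        isInMemberRole = user.IsInRole("MemberRole"),
    });
});

// A protected endpoint equivalent to a page that requires the role.
app.MapGet("/members-only", () => "secured content")
   .RequireAuthorization(policy => policy.RequireRole("MemberRole"));

app.Run();

// Hypothetical role source; in the real project this would be backed by the member's
// assigned roles. Named here only to keep the example self-describing.
public interface IMemberRoleLookup
{
    Task<IReadOnlyCollection<string>> GetRoleNamesAsync(ExtendedApplicationUser user);
}

// Standard Identity principal factory. The override appends one role claim per role,
// using the claim type configured in IdentityOptions so that User.IsInRole(),
// [Authorize(Roles = ...)] and RequireRole() all recognise it.
public sealed class CustomUserClaimsPrincipalFactory
    : UserClaimsPrincipalFactory<ExtendedApplicationUser>
{
    private readonly IMemberRoleLookup roleLookup;
    private readonly string roleClaimType;

    public CustomUserClaimsPrincipalFactory(
        UserManager<ExtendedApplicationUser> userManager,
        IOptions<IdentityOptions> options,
        IMemberRoleLookup roleLookup)
        : base(userManager, options)
    {
        this.roleLookup = roleLookup;
        roleClaimType = options.Value.ClaimsIdentity.RoleClaimType;
    }

    protected override async Task<ClaimsIdentity> GenerateClaimsAsync(ExtendedApplicationUser user)
    {
        var identity = await base.GenerateClaimsAsync(user);
        foreach (var roleName in await roleLookup.GetRoleNamesAsync(user))
        {
            identity.AddClaim(new Claim(roleClaimType, roleName));
        }
        return identity;
    }
}
```

After signing in, call /whoami in the same browser session: if identityRoleClaimType and configuredRoleClaimType differ, or the listed claims contain the role under some other type, the 403 is explained by the claim type and not by the page permissions. Note that the principal is serialised into the cookie at sign-in, so a change to the claims factory only shows up after signing out and in again.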
