Applies to Pega Platform versions 7.2 to the latest
Scenario
Configure Direct Web Access (DWA) in your application. Create two work objects for which two DWA email messages are sent to the application user for processing. The user opens the DWA link of the first work object, enters the details, and then submits it or closes the tab. The browser session is not terminated, and when the application user clicks the DWA link in the second email message, they get the Access Denied error.
Error
The following error was displayed:
Explanation
This is expected behavior.
For security, DWA is designed for a one-time-only server interaction. It does not run twice in the same active browser session. DWA must be opened in a new browser session.
DWA does not work when any other Pega session is active or when a user tries to process multiple external assignments in the same browser session. If users open a second link in the same session, the browser session is reused, causing the cookie from the last session to be used and rejected.
Environments
The problem was reported in the following Pega Platform versions:
- Pega Platform version 8.3, on-premises
- Pega Platform version 8.3.1, on-premises
- Pega Platform version 8.6.2 on Pega Cloud® 2.21.1
- Pega Platform version 8.6.6 on Client Cloud services
- Pega Platform version 8.8.1 on Pega Cloud® services 2.27.8
- Pega Platform version 8.8.3 on Pega Cloud® services 3.13.0
This issue may occur in any Pega Platform version from 7.2 to the latest.
Solution
To proceed with a DWA request, the user needs to terminate the current browser session. This can be done by either clearing the browser cookies or launching the second URL in a separate browser session.
Best Practice
The best practice for sending a DWA request is to limit it to one assignment request per user.