Contributed by Jean Khawand
Symptoms
Error 403 Forbidden is displayed instead of, or in, the session time-out pop-up window in various application contexts. In one reported case, a blank time-out pop-up window is displayed only and there is no 403 Forbidden error.
Here are the reported situations:
In the session time-out pop-up window, the error 403 Forbidden is displayed when there is an open drop-down list in the inactive session. Follow these steps to reproduce the problem:
- Log in to the application and create a case.
- In a drop-down list, click the drop-down arrow and leave the drop-down list open.
- Leave the session inactive for at least five (5) minutes to allow the session timeout pop-up window to display.
Unexpectedly, the session timeout pop-up window is displayed with the error 403 Forbidden.
Whenever a Pega session expires, a pop-up window usually displays on the screen allowing application users to extend the session or end the session. However, after a recent update to Pega Platform™ version 8.6, a blank pop-up window is displayed.
After you log in as an application user (not as an application developer or administrator) to the application in a portal that is not Dev Studio, you expect a session time-out pop-up window to display after a wait time of two (2) minutes. No time-out pop-up window is displayed. When you go to the browser’s Network tab, you see the error 403 Forbidden.
In the application section, the pxSessionTimer is included in the user portal header. In the Development environment, the application works as expected: a pop-up window warns that a time-out is about to occur and logs the Dev user off if no action is taken. In the Staging environment, from a portal other than Dev Studio, application users (not application developers or administrators) see no time-out pop-up window, and no log-off action is taken after the allotted time. In the browser’s Network tab, you can see the request that attempts to log the user off, but it receives an HTTP 403 Forbidden response. This error prevents the correct behavior.
In other cases, the Pega Security Alert, SECU0019 - Unauthorized request, is displayed.
Errors
403 Forbidden
Unregistered request encountered . . .
Pega Security Alert, SECU0019 - Unauthorized request
Explanations
User error – The application called pzDisplayModalDialog without registering the activity. This violates Basic Access Control (BAC), causing the HTTP Error 403.
Pegasystems Defect – Corrected by hotfixes delivered in Pega Platform patch releases; a temporary remediation is the workaround described in the Solutions section.
Environments
The problem was reported in the following environments:
- Pega Platform version 8.7, on-premises environment
- Pega Platform version 8.6.3, on-premises environment
- Pega Platform version 8.5.3, on-premises environment
Solutions
Choose the solution that meets your needs, beginning with the Best Practice and using the Workaround as a solution of last resort.
Best Practice
Update your Pega deployment to the latest release as explained in Keeping current with Pega.
Resolved Issue
This Pega Platform issue was addressed in the following patch releases.
Go to the Pega Support Center Pega Platform Resolved Issues and search for ISSUE-<BUG Number> (Pega Platform version <number>) or the ISSUE Title Removed unneeded query parameter in UI.
Pega Platform 8.5.4 Resolved Issues Search the page for ISSUE-645042.
Pega Platform 8.6.1 Resolved Issues Search the page for ISSUE-645041.
Here is the Resolved Issue title and description:
Removed unneeded query parameter in UI
When using an Ajax container without a dynamic container, a Refresh Harness or Refresh Section event call related to pyBlockUnregisteredRequests was not properly registered, resulting in the error 403 Forbidden and the message "Unregistered request encountered . . . ". This was traced to a "pyDataTransform=" query parameter that was present in the PZPEGA_UI_MICRODC file. The query parameter was removed to resolve the issue.
Workaround
If you cannot update your Pega deployment and the Resolved Issues do not help you, resolve the problem by editing the User Work Form to add the following code:
<%
// Register the activity that the session-timer pop-up calls, so that Basic Access Control (BAC) accepts the request
pega_rules_utilities.pzRegisterActivity(tools, "@baseclass.ShowLogoffTimer");
// Build a local-action descriptor for pzDisplayModalDialog using the modal template, then register it as well
ClipboardPage actionAPI = ((PegaAPI)tools).getUIEngine().getUIActionPage("localAction");
actionAPI.getPage("pyActionAPI").putString("pyCustomTemplateName","pyModalTemplate");
actionAPI.getPage("pyActionAPI").putString("pyLocalAction","pzDisplayModalDialog");
((PegaAPI)tools).getUIEngine().getUIAction(actionAPI).register();
// Discard the temporary clipboard page once the action is registered
actionAPI.removeFromClipboard();
%>
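While the fix or workaround is being rolled out, the SECU0019 alerts this defect generates can drown out genuine unauthorized-request alerts. The following triage script is an added example, not part of the Pega article: it separates SECU0019 alerts on the activity and local action named in the workaround above from SECU0019 alerts on any other activity, which still need a human look. The key=value log layout and the sample lines are constructed for the example and do not reproduce the real Pega alert log format.

```python
import re
from collections import defaultdict

# Constructed sample alert lines in a simplified "key=value" layout; this layout
# is an assumption for the example and is not the real Pega alert log format.
SAMPLE_ALERTS = """\
2024-01-10T10:02:11 alert=SECU0019 user=agent01 activity=@baseclass.ShowLogoffTimer status=403 msg="Unregistered request encountered"
2024-01-10T10:02:13 alert=SECU0019 user=agent02 activity=@baseclass.ShowLogoffTimer status=403 msg="Unregistered request encountered"
2024-01-10T10:05:40 alert=SECU0019 user=agent01 activity=@baseclass.ShowLogoffTimer status=403 msg="Unregistered request encountered"
2024-01-10T10:07:02 alert=SECU0019 user=ext_user activity=Example.ActivityA status=403 msg="Unregistered request encountered"
2024-01-10T10:07:03 alert=SECU0019 user=ext_user activity=Example.ActivityB status=403 msg="Unregistered request encountered"
2024-01-10T10:08:00 alert=PEGA0005 user=agent03 msg="Query time exceeded"
"""

# Names from the workaround on this page: 403s on these from inactive sessions
# are the known session-timer defect, not an unauthorized request by a user.
KNOWN_TIMER_ACTIVITIES = {"@baseclass.ShowLogoffTimer", "pzDisplayModalDialog"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_alert(line):
    """Return a dict of fields for one alert line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["ts"] = m.group("ts")
    return fields

def triage_secu0019(text):
    """Return (timer_count, other_by_user): known timer-defect 403s vs. the rest."""
    timer_count = 0
    other_by_user = defaultdict(set)  # user -> set of other unregistered activities
    for line in text.splitlines():
        rec = parse_alert(line)
        if not rec or rec.get("alert") != "SECU0019":
            continue
        if rec.get("activity", "") in KNOWN_TIMER_ACTIVITIES:
            timer_count += 1
        else:
            other_by_user[rec.get("user", "?")].add(rec.get("activity", ""))
    return timer_count, dict(other_by_user)

if __name__ == "__main__":
    timer, other = triage_secu0019(SAMPLE_ALERTS)
    print(f"known timer-defect alerts: {timer}")  # 3 on the sample above
    for user, acts in sorted(other.items()):
        print(f"review: {user} -> {sorted(acts)}")
```

Adapt LINE_RE and FIELD_RE to your actual alert log layout before running it against real data; the classification logic itself does not depend on the layout.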
Related content
Pega Documentation
SECU0019 alert: Unauthorized request detected
Pega Support Documents
Understanding HTTP status codes for troubleshooting common issues > 403 Forbidden