Contributed by Jean Khawand
Error 403 Forbidden is displayed instead of, or in, the session time-out pop-up window in various application contexts. In one reported case, a blank time-out pop-up window is displayed only and there is no 403 Forbidden error.
Here are the reported situations:
In the session time-out pop-up window, the error 403 Forbidden is displayed when there is an open drop-down list in the inactive session. Follow these steps to reproduce the problem:
- Log in to the application and create a case.
- In a drop-down list, click the drop-down arrow and leave the drop-down list open.
- Leave the session inactive for at least five (5) minutes to allow the session timeout pop-up window to display.
Unexpectedly, the session timeout pop-up window is displayed with the error 403 Forbidden.
Whenever a Pega session expires, a pop-up window usually displays on the screen allowing application users to extend the session or end the session. However, after a recent update to Pega Platform™ version 8.6, a blank pop-up window is displayed.
After you log in as an application user (not as an application developer or administrator) to the application in a portal that is not Dev Studio, you expect a session time-out pop-up window to display after a wait time of two (2) minutes. No time-out pop-up window is displayed. When you go to the browser’s Network tab, you see the error 403 Forbidden. , the
In the application section, the pxSessionTimer is included in user portal header. In the Development environment, the application works as expected: A pop-up window warns that a time-out is about to occur and logs the Dev user off if no action is taken. In the Staging environment, from a portal other than Dev Studio, application users (not application developers or administrators) see no time-out pop-up window, and no log-off action is taken after the allotted time. From the browser’s Network tab, you can see the request occurring to attempt to log the user off, but the HTTP status error 403 Forbidden response is displayed. This error prevents the correct behavior., the
In other cases, the Pega Security Alert, SECU0019 - Unauthorized request, is displayed.
Unregistered request encountered . . .
Pega Security Alert, SECU0019 - Unauthorized request
User error – The application called pzDisplayModalDialog without registering the activity. This violates Basic Access Control (BAC), causing the HTTP Error 403.
Pegasystems Defect – Corrected by hotfixes delivered in Pega Platform patch releases with temporary remediation delivered in the workaround described in the Solutions.
The problem was reported in the following environments:
- Pega Platform version 8.7, on-premises environment
- Pega Platform version 8.6.3, on-premises environment
- Pega Platform version 8.5.3, on-premises environment
Choose the solution that meets your needs, beginning with the Best Practice and using the Workaround as a solution of last resort.
Update your Pega deployment to the latest release as explained in Keeping current with Pega.
This Pega Platform issue was addressed in the following patch releases.
Go to the Pega Support Center Pega Platform Resolved Issues and search for ISSUE-<BUG Number> (Pega Platform version <number>) or the ISSUE Title Removed unneeded query parameter in UI.
Pega Platform 8.5.4 Resolved Issues Search the page for ISSUE-645042.
Pega Platform 8.6.1 Resolved Issues Search the page for ISSUE-645041.
Here is the Resolved Issue title and description:
Removed unneeded query parameter in UI
When using an Ajax container without a dynamic container, a Refresh Harness or Refresh Section event call related to pyBlockUnregisteredRequests was not properly registered, resulting in the error 403 Forbidden and the message "Unregistered request encountered . . . ". This was traced to a "pyDataTransform=" query parameter that was present in the PZPEGA_UI_MICRODC file. The query parameter was removed to resolve the issue.
If you cannot update your Pega deployment and the Resolved Issues do not help you, resolve the problem by editing the User Work Form to add the following code:
ClipboardPage actionAPI = ((PegaAPI)tools).getUIEngine().getUIActionPage("localAction");