
Showstopper with mysterious "Authorization Required" page

Hi all:


I'm really hoping someone can help me with this one.


I have a custom Force.com site with custom look and feel. In a nutshell, if a user is being compelled to change their password, this works fine in the sandbox. But if I do the same thing in production, where the site is being accessed, then once the user has submitted their new password and confirmation password, they get stopped dead by an Authorization Required page.


The technical details are kind of complex. I'll do my best to summarize them.


The site is fully authenticated, meaning that all content pages are meant to require login. The site home page is a customized login page with a customized controller. The login page header looks like this:


<apex:page id="ssLoginPage" showHeader="false" title="Special Servicer Login" controller="SS_LoginController" action="{!checkLoginStatus}">


The checkLoginStatus() method looks like this:


    // this action method is meant to be called from the main login page
    public PageReference checkLoginStatus() {
        if( UserInfo.getUserType() == 'Guest' ) {
            return null;
        } else { // user is already logged in, we want to redirect them to loan list
            PageReference ref =  Page.SS_ViewLoanList;
            ref.setRedirect( true );
            System.debug( 'Already logged in! ' + ref );
            return ref;
        }
    }


 This is simply meant to redirect the user off the login page once they're logged in.


So here are the details of what happens:


In the sandbox:

  1. As an administrator, I reset a user's password
  2. Hit http://<mysite>.dev.cs0.force.com/SS and log in with the new password I was emailed
  3. I get a customized Change Password screen with this URL:
  4. When I put in and confirm a new password, I get taken to the page SS_ViewLoanList, as I should

In production:


  1. As an administrator, I reset a user's password
  2. Hit http://<mysite>.force.com/SS and log in with the new password I was emailed
  3. I get my customized Change Password at http://<mysite>.force.com/SS/_ui/system/security/ChangePassword?retURL=%2FSS%2Fapex%2Fss_viewloanlist. So far things look just like they did in the sandbox. On this screen I am displaying the user's profile and it says I have the profile of a logged-in user.
  4. When I put in and confirm a new password, I get stopped dead here:
  5. On this page, I am displaying the profile, and it shows me the profile not of a logged-in user but of the guest user for this site!

It almost appears that, in Production, the user is getting logged out after submitting the changed password.


I should note that I granted the site's Guest user profile access to ALL VF pages in production and it did not help.


I know that's a lot of info. Any ideas? Many thanks for any insights.

Message Edited by slane on 11-30-2009 01:37 PM
Best Answer chosen by Admin (Salesforce Developers) 

For those who might be curious about this somewhat subtle bug: this came down to a conflict between a site-wide setting that was forcing all requests to HTTP (under the Login Settings for the site) and a form-specific setting that was forcing SSL for the form submission (the forceSSL="true" attribute of the apex:form element in my password change form).


Upon login, the user is using a custom URL: http://www.mysite.com. When the change password form is submitted, it forces a change to SSL, which will of necessity hit https://mysite.secure.force.com. The user's authentication is valid for the domain www.mysite.com. But it's domain-specific, so it's not valid for secure.force.com. The user thus is de-authenticated, but since the Change Password page requires authentication, the user sees the Authorization Required screen.


This did not happen in the sandbox because the custom URL was not in effect there, so both HTTP and HTTPS were running via the same force.com subdomain.


The moral of the story is that if you wish to run your site on SSL, then set your org-wide settings to Require SSL, your site settings to "do NOT require http after login" (in other words, uncheck that checkbox in your site's login settings), and set forceSSL="true" on your password change and login forms. Otherwise, do not set your org-wide settings to require SSL, and do not set forceSSL="true" on your login and pw change forms. The basic truth is that your site settings and form settings must not conflict, or you will see this same cross-domain problem, IF you are using a custom URL.
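
The cross-domain failure described in the answer above, modelled with RFC 6265 cookie matching. This is an added example, not code from the thread or from Salesforce. It assumes the login sets a host-only session cookie; the cookie name is constructed, and `mysite.dev.cs0.force.com` stands in for the sandbox host.

```javascript
// Added example. Cookie name is constructed; hosts follow the thread.

// RFC 6265 domain matching: exact host, or a subdomain when the cookie
// was set with a Domain attribute (i.e. it is not host-only).
function domainMatches(host, cookie) {
  const h = host.toLowerCase();
  const d = cookie.domain.toLowerCase();
  return h === d || (!cookie.hostOnly && h.endsWith("." + d));
}

// Would a browser attach this cookie to a request for targetUrl?
function cookieSent(cookie, targetUrl) {
  const url = new URL(targetUrl);
  if (!domainMatches(url.hostname, cookie)) return false;
  return !(cookie.secure && url.protocol !== "https:");
}

// Where the form POST lands: forceSSL="true" moves an HTTP page's
// submission to HTTPS on the host that serves SSL for the site.
function formTarget(pageUrl, forceSSL, secureHost) {
  const url = new URL(pageUrl);
  if (forceSSL && url.protocol === "http:") {
    url.protocol = "https:";
    url.hostname = secureHost;
  }
  return url.href;
}

// Assumption: login sets a host-only session cookie for the login host.
function sessionSurvivesSubmit(pageUrl, forceSSL, secureHost) {
  const page = new URL(pageUrl);
  const session = {
    name: "session", // constructed name
    domain: page.hostname,
    hostOnly: true,
    secure: page.protocol === "https:",
  };
  return cookieSent(session, formTarget(pageUrl, forceSSL, secureHost));
}

const changePwPath = "/SS/_ui/system/security/ChangePassword";
const cases = [
  ["production, forceSSL", "http://www.mysite.com", true, "mysite.secure.force.com"],
  ["production, no forceSSL", "http://www.mysite.com", false, "mysite.secure.force.com"],
  ["sandbox, forceSSL", "http://mysite.dev.cs0.force.com", true, "mysite.dev.cs0.force.com"],
];
for (const [label, origin, ssl, host] of cases) {
  const kept = sessionSurvivesSubmit(origin + changePwPath, ssl, host);
  console.log(label, "->", kept ? "session kept" : "Authorization Required");
}
```

The `secure` check in `cookieSent` covers the opposite conflict as well: a cookie set over HTTPS with the Secure attribute is not sent once the site forces requests back to HTTP.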