Customer Portal users are getting logged out before they can submit incidents from the ask page
Answer ID 6876   |   Last Review Date 11/18/2018

Why are Customer Portal users getting logged out before they can submit incidents from the ask page?

Environment:

Customer Portal, Oracle B2C Service

Issue:

End users can log in to the Customer Portal and the login is successful (the cp_profile cookie is set). However, after around 2 minutes, the end user is logged out, potentially while he/she is in the middle of submitting an incident on the ask page.

Resolution:

Customer Portal login data is stored in the contacts table. Contact passwords can expire. The expiration settings can be configured here:

Defining Customer Password Requirements

When a password expires, the default behavior is:

The end user will try to log in with the expired password. The out-of-the-box login form widget (standard/login/LoginForm2) will grant the user a special 2-minute cp_profile cookie and redirect him/her to the password reset page (defined by the configuration verb CP_CHANGE_PASSWORD_URL). The user then has 2 minutes to reset his/her password and submit the reset request from that page, at which point the user will be granted a normal cp_profile cookie with the expected expiration time (defined by the configuration verb CP_LOGIN_COOKIE_EXP).

The above problem can occur if you have customized the LoginForm widget and have not preserved the functionality to handle an "expired password" response from the server.

Sample login response from /ci/ajaxRequest/doLogin in expired password scenario:

    {"w_id":"*Your custom widget ID*","success":1,"addSession":false,"sessionParm":"","url":"\/app\/utils\/login_form\/redirect\/home","message":"Redirecting...","forceRedirect":"\/app\/account\/change_password\/msg\/Your current password has expired. Please set a new one."}

The out-of-the-box login form widget JavaScript (standard/login/LoginForm2/logic.js) handles the forceRedirect parameter by prioritizing this redirect over any others in the _getRedirectUrl function:

    /**
    * Function used to parse out the URL where we should redirect to
    * after a successful login
    * @param result Object The response object returned from the server
    * @return String The URL to redirect to
    */
    _getRedirectUrl: function(result){
        var redirectUrl;
        if(this.data.js && this.data.js.redirectOverride)
            redirectUrl = RightNow.Url.addParameter(this.data.js.redirectOverride, 'session', result.sessionParm.substr(result.sessionParm.lastIndexOf("/") + 1));
        else
            redirectUrl = (this.data.attrs.redirect_url || result.url) + ((result.addSession) ? result.sessionParm : "");

        redirectUrl += this.data.attrs.append_to_url;

        if (result.forceRedirect)
            redirectUrl = RightNow.Url.addParameter(result.forceRedirect, 'redirect', encodeURIComponent(redirectUrl));
       
        return redirectUrl;
    },

If your custom login form widget does not handle the "forceRedirect" parameter, users with expired passwords will be given the 2-minute cookie but will not be redirected to the reset password page where they can update their password. Consequently, they will be inexplicably (in their eyes anyway) logged out after 2 minutes.

The proper way to resolve this is to update your custom login form widget to handle the "forceRedirect" parameter appropriately.
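
One way a custom widget's login callback can do this, as an added example that is not Oracle's widget code: it gives forceRedirect priority, carries the original destination along, and additionally accepts only site-relative forceRedirect targets. The names resolveLoginRedirect, isSiteRelativePath and the addParameter stand-in (including its /key/value output) are assumptions of this example.

```javascript
// Added example, not Oracle's code. addParameter is a hypothetical stand-in for
// RightNow.Url.addParameter; the /key/value output format is an assumption.
function addParameter(url, key, value) {
    return url.replace(/\/+$/, '') + '/' + key + '/' + value;
}

// Accept only site-relative paths for forceRedirect (a check added by this example):
// one leading slash, no scheme, no protocol-relative "//host", no backslashes.
function isSiteRelativePath(path) {
    return typeof path === 'string' && /^\/(?![\/\\])[^\\]*$/.test(path);
}

// Decide where a custom login widget should navigate after doLogin responds.
// result: parsed JSON from /ci/ajaxRequest/doLogin
// attrs:  widget attributes (redirect_url, append_to_url), both optional here
function resolveLoginRedirect(result, attrs) {
    attrs = attrs || {};
    if (!result || !result.success) return null;   // failed login: stay on the form

    var redirectUrl = (attrs.redirect_url || result.url) +
        (result.addSession ? result.sessionParm : '') +
        (attrs.append_to_url || '');

    // Expired password: the server's forceRedirect takes priority, and the
    // original destination rides along as the 'redirect' parameter.
    if (result.forceRedirect) {
        if (!isSiteRelativePath(result.forceRedirect))
            throw new Error('Unexpected forceRedirect target: ' + result.forceRedirect);
        return addParameter(result.forceRedirect, 'redirect', encodeURIComponent(redirectUrl));
    }
    return redirectUrl;
}

// Constructed responses modelled on the sample above (widget ID is a placeholder).
var expiredResponse = {
    w_id: 'custom_widget_placeholder', success: 1, addSession: false, sessionParm: '',
    url: '/app/utils/login_form/redirect/home', message: 'Redirecting...',
    forceRedirect: '/app/account/change_password/msg/Your current password has expired. Please set a new one.'
};
var normalResponse = Object.assign({}, expiredResponse);
delete normalResponse.forceRedirect;

console.log(resolveLoginRedirect(expiredResponse, {}));
console.log(resolveLoginRedirect(normalResponse, {}));
```

Running the expired-password response through a custom widget's handler in this way is a quick regression check that the 2-minute cookie case still lands on the change password page.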
