[SalesForce] Visualforce exception page authentication

For sites, there's a standard Visualforce exception page.

We use a header on the site that will present either
Welcome, username

Or

Login/register

…based on login status. Whenever a user finds a new, clever way to get an unhandled exception, the error page ALWAYS appears in guest user mode.

Not only did they get an error page (bad enough) but they also think that we just logged them out. They try to log in and see another error page (because they tried to log in while they're already logged in).

How do I allow the exception page to present itself to authenticated users and stay on the secure domain? The page is available to both the guest and authenticated user profile.

For clarity (asked below) it's not the styling that is going bad. It's that the exception page always thinks rendered="{!ISPICKVAL($User.UserType,'Guest')}" is true.

For clarification, we're using authenticated sites with a custom domain.

Best Answer

If I understand you correctly, basically the issue is that the exception page is requested by the Guest user no matter what because the Exception page request is going to the non-secure (e.g., https://www.example.com) URL and not https://example.secure.force.com. The rub is that there is no way to change that behavior because the Exception page request is made by the system.

Could you do a redirect from the Exception page to a different page using JavaScript? You'd override the custom Exception page and add in a redirect on it. The redirect would be to an error page on the secure domain which would send the request as the logged-in user. Not sure how this would play with exceptions generated by the non-secure portion, though. I guess as long as the page is accessible by the site it wouldn't be a problem to access the page, though.

Update to capture a workaround for the login. This part doesn't address the exception page portion but just the double login.

  1. This assumes that you have a link called Login that displays instead of the Welcome, FirstName and not an actual small login form in the upper right hand corner of the page or something to that effect and that link goes to a dedicated login page.

  2. Store the full path to the secure login page (e.g., https://example.secure.force.com/thesite/login) in a custom setting. It's important to externalize the URL so that when you move to sandboxes you can update it.

  3. "Hardcode" the Link to the login to come from that custom setting, so that the link will never go to an unsecure page.

  4. In the Login VF page put JavaScript in the head to test if the URL is equal to that custom setting value and if it isn't redirect to it.

  5. In the Login Controller that handles the display of the login form detect if the user is already logged in. If they are, then redirect them to their start/landing page.
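
Step 4 of the workaround above, sketched as an added JavaScript example that is not part of the original answer. It assumes SECURE_LOGIN_URL is filled in from the custom setting of step 2; the function name and the handling of a startURL query parameter are assumptions made for illustration.

```javascript
// Added example, not from the original answer. SECURE_LOGIN_URL stands in for
// the value the page would merge in from the custom setting (step 2).
const SECURE_LOGIN_URL = 'https://example.secure.force.com/thesite/login';

// Returns the URL to redirect to, or null when the browser is already on the
// secure login page (returning null is what prevents a redirect loop).
function loginRedirectTarget(currentHref, secureLoginUrl) {
  const current = new URL(currentHref);
  const secure = new URL(secureLoginUrl);

  // Fail closed on a bad custom setting value: never redirect the login
  // form to a plain-HTTP address.
  if (secure.protocol !== 'https:') {
    throw new Error('secure login URL must use https');
  }

  // Compare origin and path only. The URL parser has already lower-cased the
  // host, and a trailing slash should not count as a different page.
  const trim = (p) => p.replace(/\/+$/, '');
  const samePage = current.origin === secure.origin &&
                   trim(current.pathname) === trim(secure.pathname);
  if (samePage) return null;

  // Carry over startURL (assumed parameter name) only when it is a
  // site-relative path, so the redirect cannot bounce the user to another
  // host after login.
  const target = new URL(secure.href);
  const start = current.searchParams.get('startURL');
  if (start && /^\/(?![\/\\])/.test(start)) {
    target.searchParams.set('startURL', start);
  }
  return target.href;
}

// In the page <head>: replace() keeps the non-secure URL out of the history,
// so the Back button does not return to it.
if (typeof window !== 'undefined') {
  const target = loginRedirectTarget(window.location.href, SECURE_LOGIN_URL);
  if (target) window.location.replace(target);
}
```

The server-side check in step 5 is still needed, since a script in the head only runs in browsers that execute it.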