Order Management page not working


I have recently upgraded Episerver/commerce version. After this upgrade, we have a new "Order Management" screen but it does not work.

The message is "Your session has expired. Please relogin."

Am I missing any configuration?


Sorry I can not attach a screenshot with the ticket.

Jan 06, 2021 17:07

check this out... section with this heading "Fix for 'Customer is undefined' error [New in Commerce 13.9.0]"

Jan 08, 2021 7:11

Thank you, Praful for your suggestion but it did not help to resolve the issue.

Now I'm going to compare User groups & access rights in old vs new version. 

Any more suggestions?

Jan 26, 2021 15:10
Praful Jangid - Jan 27, 2021 5:12
Strange! We have Episerver.Commerce v13.19.0 installed and I don't see that happening (for sure, I saw that issue in some older projects but not in current one)
Is this happening on local system or in integration/preprod environments?

I had to add this to the site initialization/global configuration to make it work, where the authenticationtype should be the same as what you use in your owin startup class. If you use owin that is.

config.Filters.Add(new HostAuthenticationFilter(DefaultAuthenticationTypes.ApplicationCookie));
Feb 02, 2021 13:32

Do you have ServiceAPI installed? ServiceAPI removes the cookie authentication for WebAPI controllers which causes that issue. It's a known issue but no workaround so far, unfortunately, except to have ServiceAPI as a separate website instead.

Feb 03, 2021 13:36

Hi Quan - Thanks for your reply - Yes we are using Service API

Edited, Feb 03, 2021 17:07

Quan, we are also running into this issue. You mention a possible solution is to set up the ServiceApi as a separate website. Can you point me to some documentation about how to do this?

Mar 16, 2021 20:05

You can set up an empty site and then install ServiceAPI to it. As long as you set the correct connection strings it should just work.

Mar 16, 2021 23:25

@Naveed If @Jeroen's solution doesn't work for you.

You can also create an InitializationModule and add the following code in:

var handler = GlobalConfiguration.Configuration.MessageHandlers.FirstOrDefault(x => x.GetType() == typeof(PassiveAuthenticationMessageHandler));

This will open up the Order Management screen to look for authentication in the cookies in addition to the headers.

Service API uses SuppressDefaultHostAuthentication which locks down authentication to headers to protect against CSRF attacks.

Mar 18, 2021 11:51
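
Added example, not code from this thread or from Episerver: once cookie authentication is re-enabled for Web API (the HostAuthenticationFilter line above), the CSRF protection that header-only authentication provided is gone, so this sketch pairs the filter with a same-origin check on cookie-authenticated, state-changing requests. The class names SameOriginForCookieAuthHandler and WebApiCookieAuthConfig are hypothetical, and the check assumes request.RequestUri carries the public scheme and host (no rewriting reverse proxy in front).

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.AspNet.Identity;

// Hypothetical handler (not an Episerver or ServiceAPI type): requests that rely on
// the cookie and change state must originate from the site itself.
public class SameOriginForCookieAuthHandler : DelegatingHandler
{
    private static readonly HttpMethod[] SafeMethods = { HttpMethod.Get, HttpMethod.Head, HttpMethod.Options };

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        // A browser never attaches an Authorization header on its own, so
        // header-authenticated calls (the ServiceAPI token path) are left alone.
        if (request.Headers.Authorization != null || SafeMethods.Contains(request.Method))
            return base.SendAsync(request, ct);

        // Cookie path: take Origin, fall back to Referer, and compare scheme/host/port.
        string source = request.Headers.TryGetValues("Origin", out var origins)
            ? origins.FirstOrDefault()
            : request.Headers.Referrer?.OriginalString;

        bool sameOrigin = Uri.TryCreate(source, UriKind.Absolute, out var sourceUri)
            && Uri.Compare(sourceUri, request.RequestUri, UriComponents.SchemeAndServer,
                           UriFormat.Unescaped, StringComparison.OrdinalIgnoreCase) == 0;
        if (sameOrigin)
            return base.SendAsync(request, ct);

        // Missing, "null" or foreign origin: refuse before any controller runs.
        var denied = new HttpResponseMessage(HttpStatusCode.Forbidden) { RequestMessage = request };
        return Task.FromResult(denied);
    }
}

public static class WebApiCookieAuthConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Same authentication type as the cookie middleware in the OWIN startup class.
        config.Filters.Add(new HostAuthenticationFilter(DefaultAuthenticationTypes.ApplicationCookie));
        config.MessageHandlers.Add(new SameOriginForCookieAuthHandler());
    }
}
```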