cflogin exception in CF 2018| View in Tracker
Reporter/Name(from Bugbase): chris cornett / ()
Failure Type: Usability Issue
Found In Build/Fixed In Build: 2018.0.0.310739 / CF2018U5
Priority/Frequency: Normal / Some users will encounter
Locale/System: English / Windows 7 64-bit
Vote Count: 4
Problem Description: I am supporting an application that recently upgraded to ColdFusion 2018. Since the upgrade we are seeing intermittent but regular errors being thrown by the cflogin tag. The exception dumped by ColdFusion is "Authentication has failed. Please check the logs for more details.s" Looking at the exception logs in CF Admin shows the following exception: "Error","ajp-nio-8018-exec-12","07/30/18","20:09:53","","'' Can not decode string ""C59C17FB2B9F91BC_ODGvJ cMMwzj9RhNvDJcNk5pl6a5Zokmb8o6PlR13cs===="". The input string is not base64-encoded." coldfusion.wddx.Base64Encoder$InvalidEncodedStringException: '' Can not decode string "C59C17FB2B9F91BC_ODGvJ cMMwzj9RhNvDJcNk5pl6a5Zokmb8o6PlR13cs====". at coldfusion.wddx.Base64Encoder.decode(Base64Encoder.java:131) at coldfusion.security.SecurityManager.decodeBase64(SecurityManager.java:3493) at coldfusion.security.SecurityManager.parseAuthInfo(SecurityManager.java:3380) at coldfusion.tagext.security.AuthenticateTag.parseAuthUpdate(AuthenticateTag.java:397) at coldfusion.tagext.security.AuthenticateTag.doStartTag(AuthenticateTag.java:358) When this error occurs the user will get locked into the invalid cookie and will receive an error until they clear their cookies or until their session times out. We have tracked this down to being an issue with the cookie that the cflogin tag is using to handle the authentication. Here is the format of the valid cookie: CFAuthentication_[application_name]: NDAzNTA3DUFtYmFzc2Fkb3JTdHVkaW8NMTUzMjk5OTgzNjA3Mg1GN0VCMTUxRDI0QThDNjU2 Here is the format of the cookie when the error occurs: CFAuthentication_[application_name]: F310D1CF19C29009_HouwFInO5M0RChopPY0eiBDypCUa8/XuqIBwNNWKji0= Steps to Reproduce: We are not able to accurately reproduce this. It seems to happen after a short period of inactivity, but this doesn't seem consistent and may be coincidence. We have accurately tracked that both formats are occurring for the cookie and that the second format results in failure of cflogin. Actual Result: User gets assigned an invalid CFAuthorization_ token and the cflogin fails to work. Expected Result: User gets and maintains a valid CFAuthorization_ token that will work with the cflogin tag. Any Workarounds: We are able to catch the exception when it occurs and force a logout. This clears the invalid cookie and the user is assigned a valid cookie upon logging in. This does not seem to permanently fix it for that user, however.