tracker issue : CF-4203170

Title:

cflogin exception in CF 2018


Status/Resolution/Reason: Closed/Withdrawn/CannotReproduce

Reporter/Name(from Bugbase): chris cornett / ()

Created: 07/31/2018

Components: Security, Authentication

Versions: 2016

Failure Type: Usability Issue

Found In Build/Fixed In Build: 2018.0.0.310739 /

Priority/Frequency: Normal / Some users will encounter

Locale/System: English / Windows 7 64-bit

Vote Count: 0

Problem Description:
I am supporting an application that recently upgraded to ColdFusion 2018. Since the upgrade we are seeing intermittent but regular errors being thrown by the cflogin tag. 

The exception dumped by ColdFusion is "Authentication has failed. Please check the logs for more details."

Looking at the exception logs in CF Admin shows the following exception:

"Error","ajp-nio-8018-exec-12","07/30/18","20:09:53","","'' Can not decode string ""C59C17FB2B9F91BC_ODGvJ cMMwzj9RhNvDJcNk5pl6a5Zokmb8o6PlR13cs===="". The input string is not base64-encoded."
coldfusion.wddx.Base64Encoder$InvalidEncodedStringException: '' Can not decode string "C59C17FB2B9F91BC_ODGvJ cMMwzj9RhNvDJcNk5pl6a5Zokmb8o6PlR13cs====".
	at coldfusion.wddx.Base64Encoder.decode(Base64Encoder.java:131)
	at coldfusion.security.SecurityManager.decodeBase64(SecurityManager.java:3493)
	at coldfusion.security.SecurityManager.parseAuthInfo(SecurityManager.java:3380)
	at coldfusion.tagext.security.AuthenticateTag.parseAuthUpdate(AuthenticateTag.java:397)
	at coldfusion.tagext.security.AuthenticateTag.doStartTag(AuthenticateTag.java:358)

When this error occurs the user will get locked into the invalid cookie and will receive an error until they clear their cookies or until their session times out. 

We have tracked this down to being an issue with the cookie that the cflogin tag is using to handle the authentication. 

Here is the format of the valid cookie: 
CFAuthentication_[application_name]: NDAzNTA3DUFtYmFzc2Fkb3JTdHVkaW8NMTUzMjk5OTgzNjA3Mg1GN0VCMTUxRDI0QThDNjU2

Here is the format of the cookie when the error occurs:
CFAuthentication_[application_name]: F310D1CF19C29009_HouwFInO5M0RChopPY0eiBDypCUa8/XuqIBwNNWKji0= 

Steps to Reproduce: 
We are not able to accurately reproduce this. It seems to happen after a short period of inactivity, but this doesn't seem consistent and may be coincidence. We have accurately tracked that both formats are occurring for the cookie and that the second format results in failure of cflogin. 

Actual Result:
User gets assigned an invalid CFAuthorization_ token and the cflogin fails to work. 

Expected Result:
User gets and maintains a valid CFAuthorization_ token that will work with the cflogin tag. 

Any Workarounds:
We are able to catch the exception when it occurs and force a logout. This clears the invalid cookie and the user is assigned a valid cookie upon logging in. This does not seem to permanently fix it for that user, however.
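
The two cookie formats quoted in this report can be told apart mechanically, which helps when tallying how often each one is issued. The Python sketch below is an added example, not code from the reporter or from ColdFusion; the prefix pattern is an assumption inferred only from the two failing samples on this page, and the function names are hypothetical.

```python
import base64
import binascii
import re

# Cookie values copied from the report above (the logged one keeps its space and "====").
VALID = "NDAzNTA3DUFtYmFzc2Fkb3JTdHVkaW8NMTUzMjk5OTgzNjA3Mg1GN0VCMTUxRDI0QThDNjU2"
FAILING = "F310D1CF19C29009_HouwFInO5M0RChopPY0eiBDypCUa8/XuqIBwNNWKji0="
LOGGED = "C59C17FB2B9F91BC_ODGvJ cMMwzj9RhNvDJcNk5pl6a5Zokmb8o6PlR13cs===="

# Assumption from the failing samples only: 16 uppercase hex chars, "_", then a payload.
PREFIXED = re.compile(r"^[0-9A-F]{16}_(.*)$")


def strict_decode(text):
    """Decode standard base64; return None if any character is outside the alphabet."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(value):
    """Return (kind, detail) for one CFAuthentication_* cookie value."""
    match = PREFIXED.match(value)
    if match:
        # "_" is not in the base64 alphabet, so the value as a whole cannot decode.
        # detail = byte length of the part after the prefix, or None if that
        # part is itself not clean base64 (as in the logged sample).
        payload = strict_decode(match.group(1))
        return "prefixed", (len(payload) if payload is not None else None)
    raw = strict_decode(value)
    if raw is None:
        return "undecodable", None
    # The valid sample decodes to fields separated by carriage returns.
    return "plain-base64", raw.count(b"\r") + 1


if __name__ == "__main__":
    for name, value in (("valid", VALID), ("failing", FAILING), ("logged", LOGGED)):
        print(name, classify(value))
```

Run over cookie values captured from request logs, the counts per kind show whether the prefixed format correlates with a particular node, time window or idle period.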

Attachments:

Comments:

Hi Chris, Could you please share the code snippet with us, so that we can check if we can repro this intermittent issue. Also, do share with us any setting that you have done wrt cookies in Application.cfc/Admin. Thanks!
Comment by S Preethi
29418 | August 02, 2018 08:36:05 AM GMT
Hi Chris, Could you please share the code snippet with us, so that we can check if we can repro this intermittent issue. Also, do share with us any setting that you have done wrt cookies in Application.cfc/Admin. Thanks!
Comment by S Preethi
29593 | August 22, 2018 06:35:22 AM GMT
Hi Chris, Since there has been no response, closing the bug for now. If you still do continue to face the issue, do let us know, we would reopen the bug. Thanks!
Comment by S Preethi
29625 | August 28, 2018 06:16:12 AM GMT