tracker issue : CF-4203170

Title:

cflogin exception in CF 2018


Status/Resolution/Reason: Closed/Withdrawn/CannotReproduce

Reporter/Name(from Bugbase): chris cornett / ()

Created: 07/31/2018

Components: Security, Authentication

Versions: 2016

Failure Type: Usability Issue

Found In Build/Fixed In Build: 2018.0.0.310739 /

Priority/Frequency: Normal / Some users will encounter

Locale/System: English / Windows 7 64-bit

Vote Count: 2

Problem Description:
I am supporting an application that recently upgraded to ColdFusion 2018. Since the upgrade we are seeing intermittent but regular errors being thrown by the cflogin tag. 

The exception dumped by ColdFusion is "Authentication has failed. Please check the logs for more details.s" 

Looking at the exception logs in CF Admin shows the following exception:

"Error","ajp-nio-8018-exec-12","07/30/18","20:09:53","","'' Can not decode string ""C59C17FB2B9F91BC_ODGvJ cMMwzj9RhNvDJcNk5pl6a5Zokmb8o6PlR13cs===="". The input string is not base64-encoded."
coldfusion.wddx.Base64Encoder$InvalidEncodedStringException: '' Can not decode string "C59C17FB2B9F91BC_ODGvJ cMMwzj9RhNvDJcNk5pl6a5Zokmb8o6PlR13cs====".
	at coldfusion.wddx.Base64Encoder.decode(Base64Encoder.java:131)
	at coldfusion.security.SecurityManager.decodeBase64(SecurityManager.java:3493)
	at coldfusion.security.SecurityManager.parseAuthInfo(SecurityManager.java:3380)
	at coldfusion.tagext.security.AuthenticateTag.parseAuthUpdate(AuthenticateTag.java:397)
	at coldfusion.tagext.security.AuthenticateTag.doStartTag(AuthenticateTag.java:358)

When this error occurs the user will get locked into the invalid cookie and will receive an error until they clear their cookies or until their session times out. 

We have tracked this down to being an issue with the cookie that the cflogin tag is using to handle the authentication. 

Here is the format of the valid cookie: 
CFAuthentication_[application_name]: NDAzNTA3DUFtYmFzc2Fkb3JTdHVkaW8NMTUzMjk5OTgzNjA3Mg1GN0VCMTUxRDI0QThDNjU2

Here is the format of the cookie when the error occurs:
CFAuthentication_[application_name]: F310D1CF19C29009_HouwFInO5M0RChopPY0eiBDypCUa8/XuqIBwNNWKji0= 

Steps to Reproduce: 
We are not able to accurately reproduce this. It seems to happen after a short period of inactivity, but this doesn't seem consistent and may be coincidence. We have accurately tracked that both formats are occurring for the cookie and that the second format results in failure of cflogin. 

Actual Result:
User gets assigned an invalid CFAuthorization_ token and the cflogin fails to work. 

Expected Result:
User gets and maintains a valid CFAuthorization_ token that will work with the cflogin tag. 

Any Workarounds:
We are able to catch the exception when it occurs and force a logout. This clears the invalid cookie and the user is assigned a valid cookie upon logging in. This does not seem to permanently fix it for that user, however.

Attachments:

Comments:

Hi Chris, Could you please share the code snippet with us, so that we can check if we can repro this intermittent issue. Also, do share with us any setting that you have done wrt cookies in Application.cfc/Admin. Thanks!
Comment by S Preethi [X]
29418 | August 02, 2018 08:36:05 AM GMT
Hi Chris, Could you please share the code snippet with us, so that we can check if we can repro this intermittent issue. Also, do share with us any setting that you have done wrt cookies in Application.cfc/Admin. Thanks!
Comment by S Preethi [X]
29593 | August 22, 2018 06:35:22 AM GMT
Hi Chris, Since there has been no response, closing the bug for now. If you still do continue to face the issue, do let us know, we would reopen the bug. Thanks!
Comment by S Preethi [X]
29625 | August 28, 2018 06:16:12 AM GMT
This needs to be reopened, I am facing similar issue.
Comment by rohit sharma
29920 | November 10, 2018 06:14:59 PM GMT
I am facing this issue as well in CF2018. The only workaround I can think of is to store the cflogin information in the session instead of the cookie (which is not a good long-term solution).
Comment by Sam Mitchell
29923 | November 12, 2018 07:19:37 PM GMT
Yes running into this problem as well on CF2018. App runs fine on CF11.

"Error","ajp-nio-8018-exec-10","12/14/18","02:29:37","","Incompatible login information was specified."
"Error","ajp-nio-8018-exec-10","12/14/18","02:29:37","","'' Can not decode string ""B7055C001F34A6FA_hAxiG5yO2BfieIz45yLMIwB0Tyg4LI6VhA3LhnU0uPE===="". The input string is not base64-encoded."
"Error","ajp-nio-8018-exec-10","12/14/18","02:29:37","","'' Can not decode string ""B7055C001F34A6FA_hAxiG5yO2BfieIz45yLMIwB0Tyg4LI6VhA3LhnU0uPE===="". The input string is not base64-encoded."
coldfusion.wddx.Base64Encoder$InvalidEncodedStringException: '' Can not decode string "B7055C001F34A6FA_hAxiG5yO2BfieIz45yLMIwB0Tyg4LI6VhA3LhnU0uPE====".
	at coldfusion.wddx.Base64Encoder.decode(Base64Encoder.java:131)
	at coldfusion.security.SecurityManager.decodeBase64(SecurityManager.java:3493)
	at coldfusion.security.SecurityManager.parseAuthInfo(SecurityManager.java:3380)
	at coldfusion.tagext.security.AuthenticateTag.parseAuthUpdate(AuthenticateTag.java:397)
	at coldfusion.tagext.security.AuthenticateTag.doStartTag(AuthenticateTag.java:358)
	at cfApplication2ecfm1944489541._factor5(D:\abc\Application.cfm:44)
	at cfApplication2ecfm1944489541._factor8(D:\abc\Application.cfm:43)
	at cfApplication2ecfm1944489541._factor9(D:\abc\Application.cfm:1)
	at cfApplication2ecfm1944489541.runPage(D:\abc\Application.cfm:1)
	at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:262)
	at coldfusion.tagext.lang.IncludeTag.handlePageInvoke(IncludeTag.java:729)
	at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:565)
	at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:4082)
	at cfApplication2ecfm2078254534.runPage(D:\Home\RepoHawk-Nexus\admin\accounts\Application.cfm:1)
	at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:262)
	at coldfusion.tagext.lang.IncludeTag.handlePageInvoke(IncludeTag.java:729)
	at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:565)
	at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
	at coldfusion.filter.CfincludeFilter.include(CfincludeFilter.java:33)
	at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:421)
	at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:43)
	at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
	at coldfusion.filter.PathFilter.invoke(PathFilter.java:162)
	at coldfusion.filter.IpFilter.invoke(IpFilter.java:45)
	at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:96)
	at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
	at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
	at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60)
	at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
	at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
	at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
	at coldfusion.CfmServlet.service(CfmServlet.java:226)
	at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:311)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:46)
	at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:47)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
	at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:422)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:764)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1388)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1135)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Thread.java:844)
Comment by Cody Watkins
30053 | December 14, 2018 10:38:30 AM GMT
Hi all,

Can anyone please post an isolated repro case?

Also, it is recommended to use `loginstorage="session"`.

Related links:
- https://www.petefreitag.com/item/735.cfm
- https://helpx.adobe.com/coldfusion/developing-applications/developing-cfml-applications/securing-applications/about-user-security.html

Thanks!,
-Aaron
Comment by Aaron Neff
30056 | December 15, 2018 10:09:47 AM GMT
Hi Adobe,

Decoding the Base64 auth info produces 4 lines of text. Example:
-----------
myUsername
myAppName
1544913669249
B21A210A127191FE
-----------
I see the 3rd line (i.e. 1544913669249) is the milliseconds after epoch since cflogin ran. Okay.

Question: How exactly is the last line (i.e. B21A210A127191FE) generated? I see its value changes after re-login, even with same password.

Question: Where is this auth info format documented? If it isn't documented, can it be?

Thanks!,
-Aaron
Comment by Aaron Neff
30058 | December 15, 2018 10:54:41 PM GMT
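The two cookie formats quoted in the report, decoded in Python as an added example (not code from the thread or from Adobe). The carriage-return separator is what the valid sample value actually decodes to, and the pattern used to recognise the failing "hex_base64" format is an assumption drawn from the two samples on this page; the logout decision mirrors the reporter's workaround.

```python
import base64
import binascii
import re
from datetime import datetime, timezone

# Cookie values copied from the bug report above: the working format and the
# format that makes cflogin throw InvalidEncodedStringException.
VALID_COOKIE = "NDAzNTA3DUFtYmFzc2Fkb3JTdHVkaW8NMTUzMjk5OTgzNjA3Mg1GN0VCMTUxRDI0QThDNjU2"
BROKEN_COOKIE = "F310D1CF19C29009_HouwFInO5M0RChopPY0eiBDypCUa8/XuqIBwNNWKji0="

# Assumed shape of the failing value: 16 hex digits, an underscore, then base64.
# The underscore is not in the base64 alphabet, which is why CF rejects it.
PREFIXED_FORMAT = re.compile(r"^[0-9A-F]{16}_[A-Za-z0-9+/]+=*$")


def parse_auth_info(cookie_value):
    """Decode a CFAuthentication_* cookie into the four fields described in
    the thread: username, application name, login time (ms since epoch) and an
    opaque token. Returns None when the value is not strict base64 or does not
    split into exactly four fields."""
    try:
        raw = base64.b64decode(cookie_value, validate=True)  # strict, like CF
    except (binascii.Error, ValueError):
        return None
    # The sample value separates the fields with a carriage return (0x0D).
    parts = raw.decode("latin-1").split("\r")
    if len(parts) != 4 or not parts[2].isdigit():
        return None
    return {
        "username": parts[0],
        "application": parts[1],
        "login_time": datetime.fromtimestamp(int(parts[2]) / 1000, tz=timezone.utc),
        "token": parts[3],
    }


def classify_cookie(cookie_value):
    """'valid', 'prefixed' (the failing format from the report) or 'malformed'."""
    if parse_auth_info(cookie_value) is not None:
        return "valid"
    if PREFIXED_FORMAT.match(cookie_value):
        return "prefixed"
    return "malformed"


def should_force_logout(cookie_value):
    """Reporter's workaround: any value cflogin cannot decode triggers a logout
    so the browser is issued a fresh cookie on the next login."""
    return classify_cookie(cookie_value) != "valid"
```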