tracker issue : CF-4203170

Title:

cflogin exception in CF 2018


Status/Resolution/Reason: Closed/Fixed/Fixed

Reporter/Name(from Bugbase): chris cornett / ()

Created: 07/31/2018

Components: Security, Authentication

Versions: 2016,2018

Failure Type: Usability Issue

Found In Build/Fixed In Build: 2018.0.0.310739 / CF2018U5

Priority/Frequency: Normal / Some users will encounter

Locale/System: English / Windows 7 64-bit

Vote Count: 4

Problem Description:
I am supporting an application that recently upgraded to ColdFusion 2018. Since the upgrade we are seeing intermittent but regular errors being thrown by the cflogin tag. 

The exception dumped by ColdFusion is "Authentication has failed. Please check the logs for more details.s" 

Looking at the exception logs in CF Admin shows the following exception:

"Error","ajp-nio-8018-exec-12","07/30/18","20:09:53","","'' Can not decode string ""C59C17FB2B9F91BC_ODGvJ cMMwzj9RhNvDJcNk5pl6a5Zokmb8o6PlR13cs===="". The input string is not base64-encoded."
coldfusion.wddx.Base64Encoder$InvalidEncodedStringException: '' Can not decode string "C59C17FB2B9F91BC_ODGvJ cMMwzj9RhNvDJcNk5pl6a5Zokmb8o6PlR13cs====".
	at coldfusion.wddx.Base64Encoder.decode(Base64Encoder.java:131)
	at coldfusion.security.SecurityManager.decodeBase64(SecurityManager.java:3493)
	at coldfusion.security.SecurityManager.parseAuthInfo(SecurityManager.java:3380)
	at coldfusion.tagext.security.AuthenticateTag.parseAuthUpdate(AuthenticateTag.java:397)
	at coldfusion.tagext.security.AuthenticateTag.doStartTag(AuthenticateTag.java:358)

When this error occurs the user will get locked into the invalid cookie and will receive an error until they clear their cookies or until their session times out. 

We have tracked this down to being an issue with the cookie that the cflogin tag is using to handle the authentication. 

Here is the format of the valid cookie: 
CFAuthentication_[application_name]: NDAzNTA3DUFtYmFzc2Fkb3JTdHVkaW8NMTUzMjk5OTgzNjA3Mg1GN0VCMTUxRDI0QThDNjU2

Here is the format of the cookie when the error occurs:
CFAuthentication_[application_name]: F310D1CF19C29009_HouwFInO5M0RChopPY0eiBDypCUa8/XuqIBwNNWKji0= 

Steps to Reproduce: 
We are not able to accurately reproduce this. It seems to happen after a short period of inactivity, but this doesn't seem consistent and may be coincidence. We have accurately tracked that both formats are occurring for the cookie and that the second format results in failure of cflogin. 

Actual Result:
User gets assigned an invalid CFAuthorization_ token and the cflogin fails to work. 

Expected Result:
User gets and maintains a valid CFAuthorization_ token that will work with the cflogin tag. 

Any Workarounds:
We are able to catch the exception when it occurs and force a logout. This clears the invalid cookie and the user is assigned a valid cookie upon logging in. This does not seem to permanently fix it for that user, however.

Attachments:

Comments:

Hi Chris, Could you please share the code snippet with us, so that we can check if we can repro this intermittent issue. Also, do share with us any setting that you have done wrt cookies in Application.cfc/Admin. Thanks!
Comment by S P.
29418 | August 02, 2018 08:36:05 AM GMT
Hi Chris, Could you please share the code snippet with us, so that we can check if we can repro this intermittent issue. Also, do share with us any setting that you have done wrt cookies in Application.cfc/Admin. Thanks!
Comment by S P.
29593 | August 22, 2018 06:35:22 AM GMT
Hi Chris, Since there has been no response, closing the bug for now. If you still do continue to face the issue, do let us know, we would reopen the bug. Thanks!
Comment by S P.
29625 | August 28, 2018 06:16:12 AM GMT
This needs to be reopened, I am facing a similar issue.
Comment by rohit s.
29920 | November 10, 2018 06:14:59 PM GMT
I am facing this issue as well in CF2018. The only workaround I can think of is to store the cflogin information in the session instead of the cookie (which is not a good long-term solution).
Comment by Sam M.
29923 | November 12, 2018 07:19:37 PM GMT
Yes running into this problem as well on CF2018. App runs fine on CF11.

"Error","ajp-nio-8018-exec-10","12/14/18","02:29:37","","Incompatible login information was specified."
"Error","ajp-nio-8018-exec-10","12/14/18","02:29:37","","'' Can not decode string ""B7055C001F34A6FA_hAxiG5yO2BfieIz45yLMIwB0Tyg4LI6VhA3LhnU0uPE===="". The input string is not base64-encoded."
"Error","ajp-nio-8018-exec-10","12/14/18","02:29:37","","'' Can not decode string ""B7055C001F34A6FA_hAxiG5yO2BfieIz45yLMIwB0Tyg4LI6VhA3LhnU0uPE===="". The input string is not base64-encoded."
coldfusion.wddx.Base64Encoder$InvalidEncodedStringException: '' Can not decode string "B7055C001F34A6FA_hAxiG5yO2BfieIz45yLMIwB0Tyg4LI6VhA3LhnU0uPE====".
	at coldfusion.wddx.Base64Encoder.decode(Base64Encoder.java:131)
	at coldfusion.security.SecurityManager.decodeBase64(SecurityManager.java:3493)
	at coldfusion.security.SecurityManager.parseAuthInfo(SecurityManager.java:3380)
	at coldfusion.tagext.security.AuthenticateTag.parseAuthUpdate(AuthenticateTag.java:397)
	at coldfusion.tagext.security.AuthenticateTag.doStartTag(AuthenticateTag.java:358)
	at cfApplication2ecfm1944489541._factor5(D:\abc\Application.cfm:44)
	at cfApplication2ecfm1944489541._factor8(D:\abc\Application.cfm:43)
	at cfApplication2ecfm1944489541._factor9(D:\abc\Application.cfm:1)
	at cfApplication2ecfm1944489541.runPage(D:\abc\Application.cfm:1)
	at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:262)
	at coldfusion.tagext.lang.IncludeTag.handlePageInvoke(IncludeTag.java:729)
	at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:565)
	at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:4082)
	at cfApplication2ecfm2078254534.runPage(D:\Home\RepoHawk-Nexus\admin\accounts\Application.cfm:1)
	at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:262)
	at coldfusion.tagext.lang.IncludeTag.handlePageInvoke(IncludeTag.java:729)
	at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:565)
	at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
	at coldfusion.filter.CfincludeFilter.include(CfincludeFilter.java:33)
	at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:421)
	at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:43)
	at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
	at coldfusion.filter.PathFilter.invoke(PathFilter.java:162)
	at coldfusion.filter.IpFilter.invoke(IpFilter.java:45)
	at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:96)
	at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
	at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
	at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60)
	at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
	at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
	at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
	at coldfusion.CfmServlet.service(CfmServlet.java:226)
	at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:311)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:46)
	at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:47)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
	at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:422)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:764)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1388)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1135)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Thread.java:844)
Comment by Cody W.
30053 | December 14, 2018 10:38:30 AM GMT
Hi all, Can anyone please post an isolated repro case? Also, it is recommended to use `loginstorage="session"`.
Related links:
- https://www.petefreitag.com/item/735.cfm
- https://helpx.adobe.com/coldfusion/developing-applications/developing-cfml-applications/securing-applications/about-user-security.html
Thanks!, -Aaron
Comment by Aaron N.
30056 | December 15, 2018 10:09:47 AM GMT
Hi Adobe, Decoding the Base64 auth info produces 4 lines of text. Example:
-----------
myUsername
myAppName
1544913669249
B21A210A127191FE
-----------
I see the 3rd line (i.e. 1544913669249) is the milliseconds after epoch since cflogin ran. Okay.
Question: How exactly is the last line (i.e. B21A210A127191FE) generated? I see its value changes after re-login, even with same password.
Question: Where is this auth info format documented? If it isn't documented, can it be?
Thanks!, -Aaron
Comment by Aaron N.
30058 | December 15, 2018 10:54:41 PM GMT
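As an added example (not part of the bug report and not Adobe's code), the following Python decodes a CFAuthentication_* cookie value into the four fields Aaron N. describes above and flags the hex-plus-underscore form quoted in the problem description before it would reach cflogin. Both sample values are copied from this thread. The carriage-return field separator is simply what the thread's valid sample decodes to, the `^[0-9A-F]{16}_` prefix test is a heuristic derived from the three failing values quoted in the thread rather than a documented format, and the function names are my own.

```python
import base64
import binascii
import re
from datetime import datetime, timezone

# Cookie values copied from this bug report: the valid form and the failing form.
VALID_SAMPLE = "NDAzNTA3DUFtYmFzc2Fkb3JTdHVkaW8NMTUzMjk5OTgzNjA3Mg1GN0VCMTUxRDI0QThDNjU2"
BROKEN_SAMPLE = "F310D1CF19C29009_HouwFInO5M0RChopPY0eiBDypCUa8/XuqIBwNNWKji0="

# Heuristic (assumption): every failing value quoted in the thread starts with
# 16 hex digits and an underscore, and '_' is not a base64 character. This is
# derived from those samples only, not from any documented format.
MALFORMED_PREFIX = re.compile(r"^[0-9A-F]{16}_")


def parse_cf_auth_cookie(value):
    """Decode a CFAuthentication_<app> value into the four fields described
    in the thread: username, application name, login time (ms since epoch)
    and the per-login random token. Returns None if the value is not strict
    base64 or does not have that four-line layout."""
    try:
        # validate=True rejects any character outside the base64 alphabet
        # instead of silently discarding it, which is the behaviour we want
        # when deciding whether cflogin would choke on the value.
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # The valid sample decodes with a carriage return between fields;
    # splitlines() accepts \r, \n and \r\n so any of those layouts parses.
    fields = text.splitlines()
    if len(fields) != 4 or not fields[2].isdigit():
        return None
    login_ms = int(fields[2])
    return {
        "username": fields[0],
        "appname": fields[1],
        "login_ms": login_ms,
        "login_time_utc": datetime.fromtimestamp(login_ms / 1000, tz=timezone.utc),
        "token": fields[3],
    }


def classify_cf_auth_cookie(value):
    """'ok' for a decodable four-field value, 'malformed_prefix' for the
    hex-underscore shape that makes cflogin throw
    InvalidEncodedStringException, 'invalid' for anything else."""
    if parse_cf_auth_cookie(value) is not None:
        return "ok"
    if MALFORMED_PREFIX.match(value):
        return "malformed_prefix"
    return "invalid"


def triage(cookie_values):
    """Count each class across a batch of captured cookie values, e.g. values
    pulled from request logs while chasing this intermittent failure."""
    counts = {"ok": 0, "malformed_prefix": 0, "invalid": 0}
    for value in cookie_values:
        counts[classify_cf_auth_cookie(value.strip())] += 1
    return counts


if __name__ == "__main__":
    # Constructed batch: the two values from the report plus one junk value.
    batch = [VALID_SAMPLE, BROKEN_SAMPLE, "not-a-cookie"]
    for value in batch:
        print(classify_cf_auth_cookie(value), parse_cf_auth_cookie(value))
    print(triage(batch))
```

Running it shows the valid sample decoding to user 403507, application AmbassadorStudio, a login time in UTC on the day the report was filed, and a 16-hex-digit token, while the broken sample is rejected at the base64 step and labelled by its prefix. The same check placed in front of the login step is the cheap way to turn the reporter's catch-and-logout workaround into a proactive reset of the cookie rather than a reaction to the exception.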
Is there a plan to fix this? I am encountering it too. Is the only workaround really to log the user out?
Comment by Robert D.
30636 | April 16, 2019 05:48:19 PM GMT
Hi Robert, Could you attach a small example of your cflogin usage along with which username and appname you are facing the issue for? The encoded string shouldn't contain the underscore character. Maybe some wrong combination of characters is emitting the underscore and so it isn't able to decode it. We aren't able to reproduce the issue at our end. Thanks, Edwin
Comment by Edwin S.
30649 | April 23, 2019 10:01:37 AM GMT
Hi Adobe, Do you, please, have answers to my 2 questions on 12/15/2018 22:54:41 GMT above? Thanks!, -Aaron
Comment by Aaron N.
30666 | April 27, 2019 09:24:59 AM GMT
Hi Aaron, The fourth line is a random string which changes every time the user logs in. This is rotated based on a time interval. I guess there's no documentation for it as of now. 
Comment by Edwin S.
30693 | May 08, 2019 11:35:25 AM GMT