
CF911: Solving problem in ColdFusion Admin getting "error accessing this page" on certain actions

Note: This blog post is from 2014. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Here's a real CF911 challenge (and solution): when using the CF Admin (especially in CF10, though it can happen in CF 9 or 8 depending on the security hotfixes applied), you may find that certain Admin operations (like making a change, verifying datasources, or checking for server updates) produce an error:

"There was an error accessing this page. Check logs for more details."

And your operation fails. You're then prompted to "Click here to login", but even if you back up or click another link, you'll be prompted with the CF Admin login.

What gives? Why is it happening? And how can you fix things? Is CF broken? No, not in the sense that you need to reinstall or anything. The good news is that there is a quite simple solution. Well, there are several, depending on your goals.

The simple solution: delete the duplicate cfid/cftoken or jsessionid cookies that you will find your browser is sending to CF. But there is much more to this, as well as other solutions, which would be worth most readers taking a few minutes to read on here.

BTW, the same root problem can be the cause of your own application's users finding that they can't stay logged in. More on that in a moment.
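
A way to check a captured request for the duplicate session cookies described above, as an added example that is not from the original post. The function names, the case-insensitive matching of cookie names, and the sample headers are assumptions constructed for illustration; paste in the `Cookie` header your browser's developer tools or a proxy tool shows for a failing Admin request.

```javascript
// Added example: find duplicate ColdFusion session cookies in a captured
// Cookie request header. Names are compared case-insensitively (assumption),
// since browsers can hold "JSESSIONID" and "jsessionid" as separate cookies.
const SESSION_COOKIES = ["cfid", "cftoken", "jsessionid"];

// Parse "a=1; b=2; a=3" into [name, value] pairs, keeping repeats.
function parseCookieHeader(header) {
  return header
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf("=");
      return eq === -1
        ? [part, ""]
        : [part.slice(0, eq).trim(), part.slice(eq + 1).trim()];
    });
}

// Return one finding per session cookie name that was sent more than once.
// "conflicting" is true when the repeated copies carry different values.
function findDuplicateSessionCookies(header) {
  const seen = new Map();
  for (const [name, value] of parseCookieHeader(header)) {
    const key = name.toLowerCase();
    if (!SESSION_COOKIES.includes(key)) continue;
    if (!seen.has(key)) seen.set(key, []);
    seen.get(key).push(value);
  }
  const findings = [];
  for (const [name, values] of seen) {
    if (values.length > 1) {
      findings.push({ name, count: values.length, conflicting: new Set(values).size > 1 });
    }
  }
  return findings;
}

// Constructed sample headers (not taken from a real server).
const SAMPLE_OK = "CFID=1201; CFTOKEN=aa11bb22; theme=dark";
const SAMPLE_DUP =
  "JSESSIONID=A1B2C3; CFID=1201; CFTOKEN=aa11bb22; jsessionid=D4E5F6; CFID=1201";

for (const h of [SAMPLE_OK, SAMPLE_DUP]) {
  console.log(h, "->", JSON.stringify(findDuplicateSessionCookies(h)));
}
```

Any finding means the browser is sending more than one copy of a session cookie for that request, which is the condition the simple solution above clears by deleting the duplicates.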


Comments
Thank you for this great post
# Posted By Deepa | 4/10/14 8:31 AM
This may also be related to this bug: Domain attribute of cfcookie is always trimmed to .domain.tld - https://bugbase.adob...
# Posted By Henry Ho | 4/10/14 3:53 PM
Very interesting! Next time I see you I'll buy you a beer!!

I ran into something similar and am now wondering if it had anything at all to do with fonts... http://thecrumb.com/...

I've since trashed the install I first ran into this but I'm wondering if it's the version I'm using - I'm not sure if my last install (local) was updated to 9.0.2 but that must have been it - I never recalled running into this issue until recently...

Seems to be something with recent CF installers because I
Using 9.2 I am seeing this. I tried downgrading IE10 to IE9 per another solution online, then clearing cookies for the browser, but it had no effect. I did not access anything with the browser except for the admin page. I even tried 127.0.0.1, <ip>, and the dns name, all did the same thing.
# Posted By Mike | 4/14/14 10:27 AM
Charlie, until a few minutes ago, my day seemed to be turning into a nightmare, one where I was cascading deeper and deeper into a pit of unresolvable unknowns. Thanks for pulling me out!
# Posted By Nando | 6/19/14 9:16 AM
@Nando, really glad to hear I helped then! Welcome back to the light of day. :-)
Charlie, you saved my week! Thank you! This post also explains some really odd behaviour experienced by some clients over recent years that we were never able to get to the bottom of. Thank you!!! Hugely Appreciated!
# Posted By Jason | 7/1/14 1:52 AM
@Jason, great to hear and glad to help.
Thanks Charlie, you are the best...(new CF11 install, Chrome, OS X 10.9).
# Posted By Pierre Chaillet | 7/10/14 10:19 PM
@Pierre, thanks for the kind regards. Glad to help.
Thanks for the tips, the cookies were the problem, I flushed the cookies, and it worked fine.

regards..
# Posted By Orlando | 8/13/14 5:53 PM
This didn't work for me at all. Tried from many different browsers and different computers, flushed the cookies. Nothing helps.
@Peter, I suggested a lot more than those 2 things. So when you say "this didn't work for me at all", do you mean you tried everything in the blog entry? Including disabling the protectfixation issue? or tweaking the Admin-, app-, or code-level settings for cookies? Did you use a browser proxy tool and did you see changing and/or duplicate session cookies?

If so, I'll repeat what I said that this can be a difficult challenge to solve, especially if it's affecting your applications.

But you don't clarify which it is: is it that (as the blog entry focuses on) you have trouble posting pages in the CF Admin? Or is it about your applications (which I go on to discuss later)?

Or is it perhaps that you can't even login at all to the Admin (which is another problem I didn't think to mention here)? In that case (or if any future reader sees this), that problem happens often when you first install FR on a Windows server and are using Internet Explorer on the server itself. It's so locked down that it can't even run the Javascript in the login page that's doing some validation. Just add your current site (whatever the IP or domain name is you are using for the Admin) to the "trusted sites" feature in IE. Then refresh the page and try logging in again.

Finally, to Peter or anyone else, I'll repeat that if time is of the essence and you don't want to wait for back and forth here in the blog post, I can provide direct, remote support. For more on my rates, approach, satisfaction guarantee, and more, see http://www.carehart....

Hope something there helps, Peter.
Sorry Charlie, I had the specific problem you are describing in this blog post when trying to post any changes in the admin:

"There was an error while verifying the token. Either the session timed out or un-authenticated access is suspected."

I've googled around for this question and inevitably there is an "Accepted answer" from you on almost all the forum entries about this that "Basically, it's a duplicate cookie problem for the CF session cookie(s)" with a link back to this blog entry.

Well, it's not in my case.

Tried:
* clearing cookies (there were no duplicates that I could see, but hey - I'll give anything a shot)
* accessed admin from a different domain
* visited admin url from different browser
* used incognito
* reopened browser

These were all the temporary solutions provided which you said "should" get me past the problem.

I looked at the longer term solutions, but they all seem to revolve around fixing the same duplicate cookie problem fixed by the temporary ones. And seeing as I can't see any duplicate cookies, I just don't think this is my problem. Oh, and I'm not using IE.

I don't mean to be contrary on your blog, but I just see your answer posted in so many places as an accepted truth, that I felt it important to add my own comment saying that not *everyone* who experiences this error has the duplicate cookie problem.

And here is the latest bugbase report on this: https://bugbase.adob... . Adobe doesn't seem to think this problem exists at all!
@Peter, I hear your frustration, and while I'm tempted to think you may not think I can help you at all, I'm not going to give up so easily.

First, no, the long-term fixes do not revolve around solely the duplicate cookie issue. They also address the "rotation" issue, which is in fact what the error in the application.log points to (as noted above).

Can you confirm if you see that in your log? If so, then you might possibly want to try disabling the session fixation protection. But then I'll note that such a change would apply to all your CF apps, so it may be overkill.

Do you find that any other app users complain of any issues related to sessions? Or is this problem only in the CF admin? If so, is this CF admin in fact a production server? If not, then you may want to give the change a try just to confirm if it helps, in which case you'd know you're on the right track.

Similarly, you could try changing to using J2EE sessions (another CF-server-wide change), or revert from using them if you are using them already. If either helped (and you cleared cookies on your tests, to remove any previous remnants), it would not only offer some relief but could point to the real root cause here.

And I'll say again (as I do in the post): if you ARE using J2EE sessions, and you try to clear cookies, you do have to CLOSE the browser (all instances of it) to be sure all cookies related to j2ee sessions variables are removed: they're stored in memory, not on disk, and some browser tools don't clear them even when they assert that they do, in my experience.

All this comes down (in my experience, at least) to cookies, and in your list of things you say you did, you don't say whether you viewed the session cookie values with a tool that exposes them. It would seem very important for you to confirm first that rotation of cookie values is indeed the problem, but that specific error you quote does seem always to be connected to an error about rotation in the application.log.

These are all things you can still investigate.

But I realize you're probably more in the "adobe has a bug and I just want it fixed" frame of mind. If so, I can help no further. Obviously I don't work for Adobe. But I am confident there is an explanation that you're not yet seeing, and it may not reflect so much a "bug" but just a change of behavior that needs to be understood. I realize that's no consolation when your admin does not work.

In fact, it made me just think of yet another possibility (which could explain why your problem seems different than others): could it be that you have the wrong version of the CF Admin code running, for the version of CF you're running? I have seen that problem plenty of times.

Look in your CF Admin mappings. Where is the CFIDE pointing to? And then if you are using an external web server (like IIS or Apache), where is THAT pointing to for its CFIDE? Or do you have CFIDE code in your web site's docroot? If this is CF10 or 11, there ought instead to be a virtual directory pointing to the CFIDE in the CF10 or 11 wwwroot. I have seen lots of "odd, unexplainable" errors happen when the version of the CF admin code does not match the version of CF that's running. Sadly, it's easy to have happen for a variety of reasons (which may have been caused by someone else on your server if you're not the sole CF or web server admin).

You also don't mention what version of CF this is. If it's 9 or 8, did you perhaps apply any CF hotfixes recently (or in recent months), since which you've seen the problem? It was a security hotfix (or the latest CHF for 9.x) that would have added this session fixation protection. It's even possible someone made a mistake in applying a hotfix (or CHF) in CF 9 or earlier. I point out the details of how that can happen easily, at http://www.carehart....

Hope that helps. And again, if this is important for you and you only continue to struggle, I could help more directly. I don't work for Adobe, though, so I can't offer that help for free, nor offer a refund if it's proven to be a bug in CF. I realize that for both those reasons you may not be interested. Just making the offer, though I'll repeat that I DO offer a satisfaction guarantee, so that if you don't think some part of time we spend together is valuable, you won't pay for it.

Anyway, hope perhaps some of the additional info above can help, especially the recommendation to look at the cookie values. That has been the bottom line pointer to the problem. The cookies may not look like they should (domain- and sub-domain wise), or they may have attributes that are not expected. I mentioned how there are settings that can influence those, but there are a lot of moving parts with all this, and cruft in CF that has built-up over the years, as well as changes based on Tomcat (if you may be on CF10 or 11).

If you may look for more help here (from me or others), you may want to clarify not only what CF version (and updates) you have, but what OS and web server. Just trying to help, if possible from afar like this.
Hi Charlie, Thanks for your response and your patience. I'm on CF10, using J2EE sessions and yes, that is the error I see in my logs when this happens. I did look at the cookies' values. And there were no duplicates there.

I have a lead to chase up which may resolve this. I had to adjust my server.xml file (I'm using CF10) to adjust so my app could handle domain cookies. The standard setdomaincookies=yes option doesn't seem to work on JSESSIONIDs, which is why I had to go down that path. I have a feeling that the change there messed up the admin area since it specifies my domain and I'm not actually accessing the admin on the same domain. I'll follow down that path and see if it resolves things.
I actually ran into this same error today (ColdFusion 9, Multi-Instance in our case). Our issue turned out to be slightly different. In our case, we had previously forced Secure cookies on our ColdFusion instances by modifying the jrun-web.xml as specified in this article: http://www.adobe.com...

In doing so, the response cookie containing the jsessionid was both HttpOnly & Secure. Two ways we could have fixed it:

1. Access the ColdFusion Administrator over HTTPS only.
-or-
2. Remove the cookie-config entry in the relevant jrun-web.xml (ColdFusion 9) file(s) and restart the ColdFusion instance(s).
# Posted By Mike Pacella | 10/7/14 3:12 PM
@Mike, thanks for the comment (and sorry for missing this last week). I hope your additional point may help someone if in the same boat. I'll note that I was alluding to that in the section above called "Reconsider the CF cookie settings", but I was not as explicit in pointing out specifics like your particular case. Thanks again.
Issue occurred after migration from ColdFusion 8 to ColdFusion 10 -

XXX is a search engine application which searches for documents contained in various applications including App YYY. The issue is when App YYY document is searched in XXX and clicked to view the same, it is not opening.

Both the applications are in CF10 now and the issue is observed after migration of XXX from CF8 to CF10, earlier XXX was on CF8 and YYY was on CF10 and both applications were working fine.

Please help me in resolving the issue.
# Posted By Anjan | 11/26/14 2:40 PM
@Anjan, I'm afraid that your question here has absolutely nothing to do with the topic of this blog entry. I appreciate that you just have a problem you want solved, and perhaps you somehow found this, but I would recommend you post this question instead on the Adobe CF forums (https://forums.adobe...). I'm afraid I have nothing I can think to add based on your cryptic references to your apps XXX and YYY.
Thanks Charlie

Saved my butt.
# Posted By me | 2/3/15 5:03 AM
@me, glad to hear that. Thanks for sharing, and happy to help, of course!
Thanks Charlie, now maybe I won't pull out the rest of my hair. At least not today. I tossed my cookies and can now actually use CF Admin on one of our dev boxes again.
# Posted By Mark Gregory | 3/5/15 12:07 PM
@Mark, sorry to hear that it got so bad for you that you tossed your cookies...oh, you mean you deleted the duplicates I mention here, right? :-) Glad to help.
Thank you Charlie for the perfect answer. This is showing me the light to get out of the rabbit hole I have been digging for entirely too long. Restores my faith in humanity, if not software.
# Posted By Don Bellenger | 3/10/15 10:07 PM
Don, thanks very much for the kind regards, and of course really glad I could help. Always a pleasure hearing from you. Until again.
Hi Charlie,

I just had to use this post to fix an issue for my client. Thanks for writing! :)

-Nolan
Great to hear, Nolan. Thanks for the kind regards. See you in May at the conference!
There is an additional scenario that could cause this behavior where logging in will not prompt that you have the incorrect password, but also will not let you in. If your JCE Cryptography Policy files are corrupt or the incorrect version, this will happen. Download and install the correct policy files.
# Posted By Aaron DeRenard | 6/5/17 10:48 AM
Thanks, Aaron. I had not seen that, but I appreciate you pointing it out for readers.
Apologies if this was already mentioned above: This error can also be caused if "Secure Cookies" is enabled and cfadmin is accessed with http rather than https. Clearing cookies will not help but using https will.
# Posted By jt | 10/30/20 11:30 AM
Thanks, JT. Yep, it was covered in comments above from Oct 2014. That said, it's a long post with many comments. :-) Still, thanks for trying to help readers, even all these years after the initial post.
Copyright ©2024 Charlie Arehart