CF911: Solving problem in ColdFusion Admin getting "error accessing this page" on certain actions
Note: This blog post is from 2014. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Here's a real CF911 challenge (and solution): You may find that when using the CF Admin, especially in CF10 but it can happen in CF 9 or 8 depending on security hotfixes applied, when performing certain Admin operations (like making a change, or verifying datasources, or checking for server updates) you get an error:
And your operation fails. You're then prompted to "Click here to login", but even if you back up or click another link, you'll be prompted with the CF Admin login.
What gives? Why is it happening? And how can you fix things? Is CF broken? No, not in the sense that you need to reinstall or anything. The good news is that there is a quite simple solution. Well, there are several, depending on your goals.
The simple solution: delete the duplicate cfid/cftoken or jsessionid cookies that you will find your browser is sending to CF. But there is much more to this, as well as other solutions, which would be worth most readers taking a few minutes to read on here.
BTW, the same root problem can be the cause of your own application's users finding that they can't stay logged in. More on that in a moment.
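To confirm the duplicate-cookie condition before deleting anything, the check below reads a captured `Cookie` request header and reports any cfid/cftoken/jsessionid cookie sent more than once. It is an added example, not code from the original post or from ColdFusion; the function names and sample headers are constructed, and matching cookie names case-insensitively is an assumption.

```python
from collections import defaultdict

# Session cookie names named in the post. Names are compared
# case-insensitively (assumption: CFID and cfid count as the same cookie).
SESSION_COOKIES = {"cfid", "cftoken", "jsessionid"}


def parse_cookie_header(header):
    """Split a raw Cookie request header into (name, value) pairs, keeping duplicates.

    http.cookies.SimpleCookie is avoided on purpose: it keeps only the last
    value for a repeated name, which hides the condition being looked for.
    """
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def find_duplicate_session_cookies(header):
    """Return {lowercased name: [(name as sent, value), ...]} for session cookies sent more than once."""
    seen = defaultdict(list)
    for name, value in parse_cookie_header(header):
        if name.lower() in SESSION_COOKIES:
            seen[name.lower()].append((name, value))
    return {key: sent for key, sent in seen.items() if len(sent) > 1}


# Constructed sample headers (not taken from a real server).
SAMPLE_DUPLICATED = (
    "CFID=1201; CFTOKEN=11111111; cfid=1450; cftoken=22222222; "
    "JSESSIONID=AAAA0000.cfusion; theme=dark"
)
SAMPLE_CLEAN = "CFID=1201; CFTOKEN=11111111; theme=dark"

if __name__ == "__main__":
    for label, header in (("duplicated", SAMPLE_DUPLICATED), ("clean", SAMPLE_CLEAN)):
        dupes = find_duplicate_session_cookies(header)
        print(label, "->", dupes or "no duplicate session cookies")
```

The `Cookie` header carries only name=value pairs, so two cookies with the same name but a different domain or path scope show up here as the same name sent twice; the browser's cookie viewer shows which scope each copy belongs to.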
I ran into something similar and am now wondering if it had anything at all to do with fonts... http://thecrumb.com/...
I've since trashed the install I first ran into this but I'm wondering if it's the version I'm using - I'm not sure if my last install (local) was updated to 9.0.2 but that must have been it - I never recalled running into this issue until recently...
Seems to be something with recent CF installers because I
regards..
If so, I'll repeat what I said that this can be a difficult challenge to solve, especially if it's affecting your applications.
But you don't clarify which it is: is it that (as the blog entry focuses on) you have trouble posting pages in the CF Admin? Or is it about your applications (which I go on to discuss later)?
Or is it perhaps that you can't even log in at all to the Admin (which is another problem I didn't think to mention here)? In that case (or if any future reader sees this), that problem happens often when you first install FR on a Windows server and are using Internet Explorer on the server itself. It's so locked down that it can't even run the JavaScript in the login page that's doing some validation. Just add your current site (whatever the IP or domain name is you are using for the Admin) to the "trusted sites" feature in IE. Then refresh the page and try logging in again.
Finally, to Peter or anyone else, I'll repeat that if time is of the essence and you don't want to wait for back and forth here in the blog post, I can provide direct, remote support. For more on my rates, approach, satisfaction guarantee, and more, see http://www.carehart....
Hope something there helps, Peter.
"There was an error while verifying the token. Either the session timed out or un-authenticated access is suspected."
I've googled around for this question and inevitably there is an "Accepted answer" from you on almost all the forum entries about this that "Basically, it's a duplicate cookie problem for the CF session cookie(s)" with a link back to this blog entry.
Well, it's not in my case.
Tried:
* clearing cookies (there were no duplicates that I could see, but hey - I'll give anything a shot)
* accessed admin from a different domain
* visited admin url from different browser
* used incognito
* reopened browser
These were all the temporary solutions provided which you said "should" get me past the problem.
I looked at the longer term solutions, but they all seem to revolve around fixing the same duplicate cookie problem fixed by the temporary ones. And seeing as I can't see any duplicate cookies, I just don't think this is my problem. Oh, and I'm not using IE.
I don't mean to be contrary on your blog, but I just see your answer posted in so many places as an accepted truth, that I felt it important to add my own comment saying that not *everyone* who experiences this error has the duplicate cookie problem.
And here is the latest bugbase report on this: https://bugbase.adob... . Adobe doesn't seem to think this problem exists at all!
First, no, the long-term fixes do not revolve around solely the duplicate cookie issue. They also address the "rotation" issue, which is in fact what the error in the application.log points to (as noted above).
Can you confirm if you see that in your log? If so, then you might possibly want to try disabling the session fixation protection. But then I'll note that such a change would apply to all your CF apps, so it may be overkill.
Do you find that any other app users complain of any issues related to sessions? Or is this problem only in the CF admin? If so, is this CF admin in fact a production server? If not, then you may want to give the change a try just to confirm if it helps, in which case you'd know you're on the right track.
Similarly, you could try changing to using J2EE sessions (another CF-server-wide change), or revert from using them if you are using them already. If either helped (and you cleared cookies on your tests, to remove any previous remnants), it would not only offer some relief but could point to the real root cause here.
And I'll say again (as I do in the post): if you ARE using J2EE sessions, and you try to clear cookies, you do have to CLOSE the browser (all instances of it) to be sure all cookies related to j2ee sessions variables are removed: they're stored in memory, not on disk, and some browser tools don't clear them even when they assert that they do, in my experience.
All this comes down (in my experience, at least) to cookies, and in your list of things you say you did, you don't say whether you viewed the session cookie values with a tool that exposes them. It would seem very important for you to confirm first that rotation of cookie values is indeed the problem, but that specific error you quote does seem always to be connected to an error about rotation in the application.log.
These are all things you can still investigate.
But I realize you're probably more in the "adobe has a bug and I just want it fixed" frame of mind. If so, I can help no further. Obviously I don't work for Adobe. But I am confident there is an explanation that you're not yet seeing, and it may not reflect so much a "bug" but just a change of behavior that needs to be understood. I realize that's no consolation when your admin does not work.
In fact, it made me just think of yet another possibility (which could explain why your problem seems different than others): could it be that you have the wrong version of the CF Admin code running, for the version of CF you're running? I have seen that problem plenty of times.
Look in your CF Admin mappings. Where is the CFIDE pointing to? And then if you are using an external web server (like IIS or Apache), where is THAT pointing to for its CFIDE? Or do you have CFIDE code in your web site's docroot? If this is CF10 or 11, there ought instead to be a virtual directory pointing to the CFIDE in the CF10 or 11 wwwroot. I have seen lots of "odd, unexplainable" errors happen when the version of the CF admin code does not match the version of CF that's running. Sadly, it's easy to have happen for a variety of reasons (which may have been caused by someone else on your server if you're not the sole CF or web server admin).
You also don't mention what version of CF this is. If it's 9 or 8, did you perhaps apply any CF hotfixes recently (or in recent months), since which you've seen the problem? It was a security hotfix (or the latest CHF for 9.x) that would have added this session fixation protection. It's even possible someone made a mistake in applying a hotfix (or CHF) in CF 9 or earlier. I point out the details of how that can happen easily, at http://www.carehart....
Hope that helps. And again, if this is important for you and you only continue to struggle, I could help more directly. I don't work for Adobe, though, so I can't offer that help for free, nor offer a refund if it's proven to be a bug in CF. I realize that for both those reasons you may not be interested. Just making the offer, though I'll repeat that I DO offer a satisfaction guarantee, so that if you don't think some part of time we spend together is valuable, you won't pay for it.
Anyway, hope perhaps some of the additional info above can help, especially the recommendation to look at the cookie values. That has been the bottom line pointer to the problem. The cookies may not look like they should (domain- and sub-domain wise), or they may have attributes that are not expected. I mentioned how there are settings that can influence those, but there are a lot of moving parts with all this, and cruft in CF that has built-up over the years, as well as changes based on Tomcat (if you may be on CF10 or 11).
If you may look for more help here (from me or others), you may want to clarify not only what CF version (and updates) you have, but what OS and web server. Just trying to help, if possible from afar like this.
I have a lead to chase up which may resolve this. I had to adjust my server.xml file (I'm using CF10) to adjust so my app could handle domain cookies. The standard setdomaincookies=yes option doesn't seem to work on JSESSIONIDs, which is why I had to go down that path. I have a feeling that the change there messed up the admin area since it specifies my domain and I'm not actually accessing the admin on the same domain. I'll follow down that path and see if it resolves things.
In doing so, the response cookie containing the jsessionid was both HttpOnly & Secure. Two ways we could have fixed it:
1. Access the ColdFusion Administrator over HTTPS only.
-or-
2. Remove the cookie-config entry in the relevant jrun-web.xml (ColdFusion 9) file(s) and restart the ColdFusion instance(s).
XXX is a search engine application which searches for documents contained in various applications including App YYY. The issue is when App YYY document is searched in XXX and clicked to view the same, it is not opening.
Both the applications are in CF10 now and the issue is observed after migration of XXX from CF8 to CF10, earlier XXX was on CF8 and YYY was on CF10 and both applications were working fine.
Please help me in resolving the issue.
Saved my butt.
I just had to use this post to fix an issue for my client. Thanks for writing! :)
-Nolan