The 5.4.3.9-SNAPSHOT worked for me as well!
Thank you all!
The 5.4.3.9-SNAPSHOT worked for me as well!
Thank you all!
i was getting this issue too after installing 5.4.3.2, upgrading to the latest snapshot worked fixing the issue
I am running into this issue but with only a newly created site. Old sites on my dev machine have no issue with admin panel but a newly created site keeps redirecting me to the login page. Any help? I dont want to update from 5.4.3.2
downgraded and re-upgraded seems to have resolved issue
If someone stumbles across this, or something similar where a login attempt keeps taking you back to the login form with no errors, try using an Incognito window (Chrome terminology). At work we have a 100% ACF app and SOMETIMES this happens to us. Incognito always gets us around it, but I find it annoying. I recently had to reinstall Chrome and the problem went away for a while. And for us, it’s a single site but with multi-tenant domain names. Sometimes it’s the domain name, not the webserver. We have not been able to figure it out. There appears to be nothing different, but the browser has the issue.
We have started to experience this issue on one server. Kind of stumped here, we upgraded the misbehaving server to 5.4.7.3, and to 5.4.8.2-RC. Other two servers running 5.4.6.9 are fine to login to.
We completely reinstalled Tomcat by removing the /opt/tomcat folder which has Lucee/ folder, so seemingly a fresh install every time. Tried to reinstall 5.4.6.9 (which is stable for us), 5.4.7.3, and 5.4.8.2-RC. We have the jar install, so we drop Tomcat into /opt/tomcat then load the jar file into a folder in that installation. Don’t see a WEB-INF folder anywhere else in filesystem (Ubuntu 22.04.05; openjdk 1.8.0_452; Tomcat 9.0.106).
Have tried external browser access using incognito windows, brand new browser installations… still get login request window appearing in every screen, whether on Web or Server, no matter how long we select “Remember me for” (in the past we experienced this with “this Session” selected but not with the other options). So not sure how this could be browser, server keeps delivering “Secure” in Set-Cookie though we access Lucee admin via http:
set-cookie
cfid=36e02602-39af-4d9f-9d7d-cb8978e84acd;Path=/lucee/admin/;Expires=Tue, 15-Jun-2055 23:22:01 GMT;Secure;HttpOnly;SameSite=Strict
set-cookie
cftoken=0;Path=/lucee/admin/;Expires=Tue, 15-Jun-2055 23:22:01 GMT;Secure;HttpOnly;SameSite=Strict
Would be lovely to view the Log Analyzer on this machine, any ideas on how we can solve this?
that’s quite odd. working fine for me locally with 5.4.8.2, using the installer version
the session cookies for the admin are only set to secure when https is detected
are you accessing via 127.0.0.1 ? any warnings in the browser console?
umm, btw did you mean war install, rather than jar install?
Do me a favor: Check if the browser is sending the cookies in the chrome|firefox dev tool request header section. I think you are having some cookie “samesite=strict” or “Secure” issues, which will prevent sending cookies, so lucee (because not receiving the cookies) recreates the cookies and sessions all the time on every single new request. The secure-flag might be being set at web server level (or somewhere else)
I had a similar issue a while ago, but can’t recall it right now, thus i just can give a little hint of stuff I can barely remember. But that is what I’ll do: switch cookie samesite to be not too strict and remove the secure attribute (just for testing). Also, be aware that https and http are treated differently (as entirely different domains). Also, the secure cookie attribute will only send cookies if you are on https. Recalling the page on http will not send the cookies to the endpoint. Also, watch out for chrome console warnings, you might see something happening there. Also, 127.0.0.1 is not a domain name that uses SSL with a certificate fully correctly (its an IP-Address)
Hmmm I replied to both of your emails a couple of days ago but must’ve done something wrong… summarizing:
Thanks Zac and Andreas!
FYI:
Turns out, one of the production server’s Tomcat had it’s Connector to port 8080 misconfigured to set those cookie parameters. Lucee was not setting these.
My apologies for my confusion, and thank-you both for the advice. Removing that from the Connector fixed the issue.