Lucee Admin asks for password at every click

webguyks · September 12, 2023, 8:32pm

The 5.4.3.9-SNAPSHOT worked for me as well!

Thank you all!

mee_nothus · September 19, 2023, 1:00pm

i was getting this issue too after installing 5.4.3.2, upgrading to the latest snapshot worked fixing the issue

kpetrow · July 23, 2024, 1:03pm

I am running into this issue but with only a newly created site. Old sites on my dev machine have no issue with admin panel but a newly created site keeps redirecting me to the login page. Any help? I dont want to update from 5.4.3.2

kpetrow · July 23, 2024, 1:35pm

downgraded and re-upgraded seems to have resolved issue

CaptainPalapa · July 31, 2024, 11:40pm

If someone stumbles across this, or something similar where a login attempt keeps taking you back to the login form with no errors, try using an Incognito window (Chrome terminology). At work we have a 100% ACF app and SOMETIMES this happens to us. Incognito always gets us around it, but I find it annoying. I recently had to reinstall Chrome and the problem went away for a while. And for us, it’s a single site but with multi-tenant domain names. Sometimes it’s the domain name, not the webserver. We have not been able to figure it out. There appears to be nothing different, but the browser has the issue.

taivo · June 16, 2025, 3:32pm

We have started to experience this issue on one server. Kind of stumped here, we upgraded the misbehaving server to 5.4.7.3, and to 5.4.8.2-RC. Other two servers running 5.4.6.9 are fine to login to.

We completely reinstalled Tomcat by removing the /opt/tomcat folder which has Lucee/ folder, so seemingly a fresh install every time. Tried to reinstall 5.4.6.9 (which is stable for us), 5.4.7.3, and 5.4.8.2-RC. We have the jar install, so we drop Tomcat into /opt/tomcat then load the jar file into a folder in that installation. Don’t see a WEB-INF folder anywhere else in filesystem (Ubuntu 22.04.05; openjdk 1.8.0_452; Tomcat 9.0.106).

Have tried external browser access using incognito windows, brand new browser installations… still get login request window appearing in every screen, whether on Web or Server, no matter how long we select “Remember me for” (in the past we experienced this with “this Session” selected but not with the other options). So not sure how this could be browser, server keeps delivering “Secure” in Set-Cookie though we access Lucee admin via http:

set-cookie
cfid=36e02602-39af-4d9f-9d7d-cb8978e84acd;Path=/lucee/admin/;Expires=Tue, 15-Jun-2055 23:22:01 GMT;Secure;HttpOnly;SameSite=Strict

set-cookie
cftoken=0;Path=/lucee/admin/;Expires=Tue, 15-Jun-2055 23:22:01 GMT;Secure;HttpOnly;SameSite=Strict

Would be lovely to view the Log Analyzer on this machine, any ideas on how we can solve this?

Zackster · June 17, 2025, 12:08pm

that’s quite odd. working fine for me locally with 5.4.8.2, using the installer version

the session cookies for the admin are only set to secure when https is detected

github.com

lucee/Lucee/blob/5.4/core/src/main/cfml/context/admin/Application.cfc#L99


      
          
          private function getAppFolderPath() cachedwithin="request" {
          
          	var folder = listToArray( cgi.SCRIPT_NAME , "/\" );
          	if ( arrayLast( folder ) contains ".cfm" )
          		arrayPop( folder );
          
          	return "/" & arrayToList( folder, "/" ) & "/";
          }
          
          private boolean function isSSL() cachedwithin="request" {
          	if ( isBoolean( CGI.SERVER_PORT_SECURE ) AND CGI.SERVER_PORT_SECURE ) {
          		return true;
          	}
          	var headers = GetHTTPRequestHeaders();
          
          	// check typical proxy headers for SSL
          	if ( ( headers[ "x-forwarded-proto" ] ?: "" ) eq "https" ) {
          		return true;
          	}
          	if ( ( headers[ "x-scheme" ] ?: "" ) eq "https" ) {

are you accessing via 127.0.0.1 ? any warnings in the browser console?

umm, btw did you mean war install, rather than jar install?

andreas · June 17, 2025, 8:45pm

Do me a favor: Check if the browser is sending the cookies in the chrome|firefox dev tool request header section. I think you are having some cookie “samesite=strict” or “Secure” issues, which will prevent sending cookies, so lucee (because not receiving the cookies) recreates the cookies and sessions all the time on every single new request. The secure-flag might be being set at web server level (or somewhere else)

I had a similar issue a while ago, but can’t recall it right now, thus i just can give a little hint of stuff I can barely remember. But that is what I’ll do: switch cookie samesite to be not too strict and remove the secure attribute (just for testing). Also, be aware that https and http are treated differently (as entirely different domains). Also, the secure cookie attribute will only send cookies if you are on https. Recalling the page on http will not send the cookies to the endpoint. Also, watch out for chrome console warnings, you might see something happening there. Also, 127.0.0.1 is not a domain name that uses SSL with a certificate fully correctly (its an IP-Address)

taivo · June 19, 2025, 2:19pm

Hmmm I replied to both of your emails a couple of days ago but must’ve done something wrong… summarizing:

Thanks Zac and Andreas!

FYI:

we were accessing via IP over http
yes, it is a jar install
yes! there were warnings in the browser console about cfid and cftoken not getting set because of Secure and httpOnly.

Turns out, one of the production server’s Tomcat had it’s Connector to port 8080 misconfigured to set those cookie parameters. Lucee was not setting these.

My apologies for my confusion, and thank-you both for the advice. Removing that from the Connector fixed the issue.

andreas · June 20, 2025, 4:05pm

No need to apologize. Always good to post stuff to keep documentatiom available of stuff that may happen. Glad it helped.