ColdFusion Admin: error accessing this page

One may say that this is an old one. Back in 2014, Charlie Arehart wrote an excellent blog post describing one of the sources of this issue. Since I found the solution to my particular problem in comments, not in the post itself, I would like to shed some light from a different point of view.

The issue

What is the issue? I was able to log in to my ColdFusion Admin, I was even able to switch from page to page, but when I tried to change something or perform any action that requires POST request instead of GET, I got this error:

Not that much: “There was an error accessing this page. Check logs for more details”. In the Application.log I found the following line: “There was an error while verifying the token. Either the session timed out or un-authenticated access is suspected.” Exactly the same behavior was described in the post by Charlie Arehart. The problem was that in my case, there were no duplicated tokens.

Gathering data

First, I took a look at Developer’s Console in my browser. In the cookies section, I found only one cookie:

This is strange since normally when I’m logged in to ColdFusion Admin, I also see CFID and CFTOKEN. So, let’s take a look at the server response headers:

Clearly, CFID and CFTOKEN are sent, but why are these yellow triangles next to Set-Cookie lines? Let’s find out by hovering on them:

The message states: “This Set-Cookie was blocked because it had the ‘Secure’ attribute but was not received over a secure connection”. It looks like we have the source of this issue. The lack of a secure connection.

The solution

In my case the solution was simple. Connect to the server using HTTPS instead of HTTP. The setting in ColdFusion admin dictates that the cookies are “secure” so they are accepted only when sent over HTTPS. This is not that obvious when you connect to the ColdFusion Admin locally on the server. Typically you have no SSL certificate for 127.0.0.1 but you can use a self-signed one. One way or another, the site will not be client-facing.

The second solution is to turn off Secure cookies. This is the solution I would not recommend. Right now all websites should run using HTTPS and all cookies should be sent using secure channels. The main reason is to avoid man-in-the-middle attacks and session hijacking. If you have no choice but to turn off secure cookies, you can do this by adjusting the setting in the neo-runtime.xml file and restarting ColdFusion. Why in the file? Because you will not be able to perform this change in the Admin as long as it is kicking you out on each action 🙂 Here is the setting after the change – it should be set to “false”: