ColdFusion Administrator - cookie error

Report · Jul 20, 2015

Hi all

One of our web devs recently installed Coldfusion 11 onto a Windows Server 2012 R2 web server.

The IIS site where the ColdFusion Administrator console is installed has a couple of bindings on it from an IIS perspective. The Admin console appears to be responding to both bindings as it should however when trying to navigate to the admin console on one of the bindings an error message is received "Please enable cookies to use ColdFusion Administrator". The other binding on the IIS site works just fine with no error message. See screenshot.

If I click "OK" I am presented with the username/password prompt however upon entering my credentials it simply appears to redirect me back to the login back and I cant get any further.

I dont see how the issue can be related to the IE browser itself as both bindings for the site are in the same domain name ("binding1.subdomain.com" and "binding2.subdomain.com") and we aren't using any special compatibility settings or the like. Also, both URL's work fine using Chrome which I think must be treating cookies differently??

I'm fairly new to ColdFusion myself so if anyone has any recommendations it would be greatly appreciated.

Cheers
Brady

Report · Jul 20, 2015

Since you’re using IE, and you can’t seem to login, the first thing I’d propose is to add your site (whichever you’re using to access the Admin) to IE’s “trusted sites” list. (Let us know if you need help with that and don’t find a google search to show a page to explain it.) The login process for the CF Admin uses Javascript, and by default in IE on servers, such javascript can be disabled. Adding to trusted sites lifts that limitation for such sites.

I realize you may think that doesn’t explain the “enable cookies” error, but it may affect that as well, so try it first and let us know how things go.

/charlie

/Charlie (troubleshooter, carehart.org)

Report · Jul 21, 2015

Hi Charlie

Thanks for your suggestion. Unfortunately even after adding the site to trusted sites the error is continuing to happen.

I tried adding both just the domain as well as the full URL however both are giving the same result.

Cheers

Brady

Report · Jul 21, 2015

Actually I think I've just figured out what it is causing the issue.

The URL that doesn't work has an underscore "_" in its name. I just tested it out and created a few more bindings (and associated DNS records) and the new records with an underscore in the name are giving the same issue where the others are working just fine.

Interesting.....perhaps an underscore is causing an issue with the ColdFusion cookies.

Cheers

Brady

Report · Jul 21, 2015

You have an underscore in the URL for the CF Admin? Is that in the domain name? There’s no page in the CF Admin with an underscore in its name, that I know of at least.

Or are you really now referring to pages other than the CF Admin?

/charlie

/Charlie (troubleshooter, carehart.org)

Report · Jul 21, 2015

Yeah the domain name of the site (which is also used by the dev's for ColdFusion administration) had an underscore in it. It was this domain name causing the issue.

Upon further investigation I'm not entirely sure that using an underscore in a domain name is entirely supported.

Report · Jul 21, 2015

If this is IIS, it could be something similar to what is reported here:

http://www.hanselman.com/blog/ExperimentsInWackinessAllowingPercentsAnglebracketsAndOtherNaughtyThingsInTheASPNETIISRequestURL.aspx

See if that requestPathInvalidCharacters element may help or hinder you.

Or perhaps its IIS’s Request Filtering feature that’s at issue, which incorporates some URL “protection” features formerly in the URLScan tool. I don’t know that it has options to turn off some of its protections, but that may be worth exploring.

Unless you’re prepared to just rename that domain, of course. Who knows, there may even be http specifications that indicate it’s not supposed to be supported. Have never considered the matter before today, myself.

HTH.

/charlie

/Charlie (troubleshooter, carehart.org)