-
1. Re: Login Fail Detail Message
BKBK Mar 22, 2012 11:47 PM (in response to Phinehas1234)
cfcatch.detail or cfcatch.stacktrace should give you more details
-
2. Re: Login Fail Detail Message
Phinehas1234 Mar 23, 2012 12:18 AM (in response to BKBK)
Yes, cfcatch.stacktrace can give me more details.
But,
If I input an incorrect password, it prompts me with "Error authenticating user: XXXXX in the Windows domain" (I expected it to say the password is incorrect.)
java.lang.Exception: Error authenticating user: XXXXX in the Windows domain
at jrun.security.NTAuth.AuthenticateUser(NTAuth.java:113)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at coldfusion.runtime.java.JavaProxy.invoke(JavaProxy.java:87)
at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2260)
at cfntsecurity2ecfc1797929604$funcAUTHENTICATEUSER.runFunction(E:\Inetpub\JEC Intranet\tender\ntsecurity.cfc:29)
at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:418)
at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:324)
at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:56)
at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:277)
at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:463)
at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:453)
at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:320)
at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2210)
at coldfusion.tagext.lang.InvokeTag.doEndTag(InvokeTag.java:358)
at coldfusion.runtime.CfJspPage._emptyTag(CfJspPage.java:2645)
at cfApplication2ecfm377834145.runPage(E:\Inetpub\JEC Intranet\tender\Application.cfm:82)
at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:192)
at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:366)
at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
at coldfusion.filter.CfincludeFilter.include(CfincludeFilter.java:33)
at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:214)
at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
at coldfusion.filter.PathFilter.invoke(PathFilter.java:86)
at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70)
at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:74)
at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:126)
at coldfusion.CfmServlet.service(CfmServlet.java:175)
at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
at jrun.servlet.FilterChain.service(FilterChain.java:101)
at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:284)
at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
If I input an incorrect login name, it prompts me with the following: (I expected it to say the username cannot be found)
java.lang.RuntimeException: The user name could not be found. ......
Also, if the password is expired, it should say "Password expired".
However, the stacktrace details cannot help me find out the cause of the login failure.
-
3. Re: Login Fail Detail Message
BKBK Mar 23, 2012 1:37 AM (in response to Phinehas1234)
I do believe that that is intentional. Any authentication-failure message that tells you "password incorrect" or "username could not be found" might be giving away too much information. After all, the context is security. You wouldn't want to reveal more about your security than is necessary.
Suppose, for example, the username is e-mail. Suppose also that your authentication gives out error messages as above. Then I could, without having anything to do with your site, easily find out whether an arbitrary e-mail address belongs to your list of clients.
However, if you insist, you could easily extend your code to validate for password or username. That should happen before the authentication code.
Something like this comes to mind:
<cfquery name="credentials" datasource="myDSN">
    select username, pword
    from client
    where username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="20">
    or pword = <cfqueryparam value="#form.password#" cfsqltype="cf_sql_varchar" maxlength="10">
</cfquery>
<cfif credentials.recordcount GT 0 and listfindnocase(valuelist(credentials.username), form.username) EQ 0>
    <!--- password matched, username didn't --->
<cfelseif credentials.recordcount EQ 1 and compare(credentials.pword, form.password) NEQ 0>
    <!--- username matched, password didn't --->
<cfelseif credentials.recordcount EQ 1 and compareNoCase(credentials.username, form.username) EQ 0 and compare(credentials.pword, form.password) EQ 0>
    <!--- username and password matched --->
<cfelse>
    <!--- no match --->
</cfif>
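The split BKBK describes, written out as an added example rather than code from the thread: the application still works out the exact failure class (unknown user, wrong password, expired password, locked account) for the server-side log, where the administrator can match it to a reference number, while the browser only ever sees one generic message. It is Python rather than CFML so that it runs stand-alone; the user directory, salt, names and passwords are all constructed stand-ins for the Windows domain lookup in the original.

```python
import hashlib
import hmac
import logging
import uuid
from enum import Enum

class Reason(Enum):
    OK = "ok"
    USER_NOT_FOUND = "user not found"
    BAD_PASSWORD = "bad password"
    PASSWORD_EXPIRED = "password expired"
    ACCOUNT_LOCKED = "account locked"

# The one message every failure class shows the browser (BKBK's point above).
GENERIC_MESSAGE = "Login failed. Please check your username and password."

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 50_000)

# Constructed sample directory standing in for the Windows domain in the thread.
USERS = {
    "alice": {"hash": _hash("correct horse"), "expired": False, "locked": False},
    "bob": {"hash": _hash("hunter2"), "expired": True, "locked": False},
    "carol": {"hash": _hash("pa55word"), "expired": False, "locked": True},
}
_DUMMY = _hash("unused")  # compared against for unknown users so timing does not reveal them

def classify(username: str, password: str) -> Reason:
    """Work out the real cause of a failure; this result is for the server-side log only."""
    rec = USERS.get(username)
    password_ok = hmac.compare_digest(rec["hash"] if rec else _DUMMY, _hash(password))
    if rec is None:
        return Reason.USER_NOT_FOUND
    if rec["locked"]:
        return Reason.ACCOUNT_LOCKED
    if not password_ok:
        return Reason.BAD_PASSWORD
    if rec["expired"]:
        return Reason.PASSWORD_EXPIRED
    return Reason.OK

def login(username: str, password: str) -> dict:
    """Return only what the browser may see; the specific reason goes to the log."""
    reason = classify(username, password)
    ref = uuid.uuid4().hex[:8]  # correlation id an admin can search the log for
    if reason is Reason.OK:
        return {"ok": True, "message": "Welcome", "ref": ref}
    logging.warning("login failed user=%s reason=%s ref=%s", username, reason.value, ref)
    return {"ok": False, "message": GENERIC_MESSAGE, "ref": ref}
```

The same idea applies to cfcatch.stacktrace: the trace above names internal file paths, so it belongs in the server log next to the reference number, not in the page returned to the user.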
-
4. Re: Login Fail Detail Message
Phinehas1234 Mar 23, 2012 2:13 AM (in response to BKBK)
I understand your point.
However, we use Windows accounts to log in to the system; our system does not store their passwords.
And, sometimes users can log in successfully but sometimes cannot. After resetting their Windows login password, they can log in to the system again. Therefore, I would like to know how this happens and how to solve it. Since we have checked their Windows login accounts, their accounts do not have the password-expired or locked problem. There must be some other issue that prevents users from logging in.
Do you have any information related to this issue?