Question Richard Roeder · Jul 13, 2018

Invalid password message in CSP Application with correct password

Hi,

I have a problem with CSP Application Authentication: when the user inputs the correct password, the message "Invalid password" is still returned.

This error is returned only for the Caché password user type; for delegated users it is not.

This error is also momentary: if you wait a moment, it stops.

Comments

Katherine Reid · Jul 13, 2018

There are a lot of details not included here which could be necessary.  For example:

Are you using a custom login page?  The "invalid password" message you state should never be returned by default Cache pages.  This message would leak information to an attacker by letting them know that they had found a valid username.   "Access denied" is the standard message returned by Cache when a login fails, for any reason.

Have you checked the audit log for login and/or loginfailure events?  You may need to enable auditing, and then the individual event types, then reproduce the problem.  The loginfailure event should give a reason for the failure to log in.  Depending on what's happening here, it may not be the same as the error returned to the user.   

0
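The point made in the comment above (one generic message to the client, the specific reason only in the audit log), as an added Python sketch. It is not Caché code and not part of the original thread; the account names, passwords, the reason strings other than "Invalid password", and the in-memory AUDIT_LOG are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(password: str, enabled: bool = True) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "enabled": enabled}

# Constructed sample accounts; names and passwords are hypothetical.
USERS = {
    "alice": make_user("correct horse"),
    "bob": make_user("hunter2", enabled=False),
}
# Dummy record so unknown usernames cost the same hashing work as real ones.
_DUMMY = make_user("placeholder")

AUDIT_LOG = []  # stand-in for the server-side audit database

def login(username: str, password: str) -> str:
    """Return the user-facing message; record the real reason in AUDIT_LOG."""
    record = USERS.get(username)
    candidate = record or _DUMMY
    matches = hmac.compare_digest(
        _hash(password, candidate["salt"]), candidate["hash"]
    )
    if record is None:
        reason = "User does not exist"
    elif not matches:
        reason = "Invalid password"
    elif not record["enabled"]:
        reason = "User account is disabled"
    else:
        AUDIT_LOG.append({"event": "Login", "user": username, "reason": None})
        return "Login OK"
    # Operators see the specific reason; the client sees one generic message.
    AUDIT_LOG.append({"event": "LoginFailure", "user": username, "reason": reason})
    return "Access denied"
```
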
Richard Roeder  Jul 16, 2018 to Katherine Reid

Hi Katherine,

Our page is custom only in layout, and the message is returned by Caché.

I checked the audit log for login and login failure events, and it shows this:

9 | 2018-07-13 13:50:33.749 | %System | %Login | Logout | 10388 | 4yM9pLPnE4 | cache.user | /csp/application/ Session end
10 | 2018-07-13 13:50:32.875 | %System | %Login | Login | 1490 | 4yM9pLPnE4 | cache.user | /csp/application/ login
11 | 2018-07-13 13:50:24.474 | %System | %Login | LoginFailure | 21532 | zdLzeDMmcj | cache.user | /csp/application login failure
12 | 2018-07-13 13:49:39.865 | %System | %Login | Logout | 25316 | Ai7zeADmrW | cache.user | /csp/application/ Session end
13 | 2018-07-13 13:49:38.988 | %System | %Login | Login | 21532 | Ai7zeADmrW | cache.user | /csp/application/ login

The message of the LoginFailure is:

Error message: Invalid password
CSP Application: /csp/application
Authentication: Password
0
Guilherme Silva  Jul 20, 2018 to Richard Roeder

Update:
The problem message on the audit log is the session timeout; the logout message (when you log out with a method) is different.

0