Invalid password message in CSP Application with correct password

Question

Question

Richard Roeder · Jul 13, 2018

#Caché #Authentication #Access control #CSP

Hi,

I have a problem with CSP Application Authentication, when the user input you correct password, however the message "Invalid password" returns.

This error returns just Cache password user type, for user delegated don't.

this error is momentary also, if you wait a moment, it stops.

Discussion (3)1

Log in or sign up to continue

Katherine Reid · Jul 13, 2018

There are a lot of details not included here which could be necessary. For example:

Are you using a custom login page? The "invalid password" message you state should never be returned by default Cache pages. This message would leak information to an attacker by letting them know that they had found a valid username. "Access denied" is the standard message returned by Cache when a login fails, for any reason.

Have you checked the audit log for login and/or loginfailure events? You may need to enable auditing, and then the individual event types, then reproduce the problem. The loginfailure event should give a reason for the failure to log in. Depending on what's happening here, it may not be the same as the error returned to the user.

1 0

score 0 · Answer 1 · 2018-07-16T07:11:08-04:00

Hi Katherine,

Our page is custom only in layout and the message is return of the Caché.

I checked the audit log for login and login failure events, and shows this:

9	2018-07-13 13:50:33.749	%System	%Login	Logout	10388	4yM9pLPnE4	cache.user	/csp/application/ Session end
10	2018-07-13 13:50:32.875	%System	%Login	Login	1490	4yM9pLPnE4	cache.user	/csp/application/ login
11	2018-07-13 13:50:24.474	%System	%Login	LoginFailure	21532	zdLzeDMmcj	cache.user	/csp/application login failure
12	2018-07-13 13:49:39.865	%System	%Login	Logout	25316	Ai7zeADmrW	cache.user	/csp/application/ Session end
13	2018-07-13 13:49:38.988	%System	%Login	Login	21532	Ai7zeADmrW	cache.user	/csp/application/ login

The massage of the LoginFairue is:

Error message: Invalid password
CSP Application: /csp/application
Authentication: Password

score 0 · Answer 2 · 2018-07-20T09:57:46-04:00

Update:
The problem message on the audit log is the session timeout, the logout message (when you logout with a method) is different.