Invalid password message in CSP Application with correct password


Hi,

I have a problem with CSP Application Authentication: when the user inputs their correct password, the message "Invalid password" is still returned.

This error is returned only for the Cache password user type; for delegated users it is not.

This error is also momentary; if you wait a moment, it stops.


Comments

There are a lot of details not included here which could be necessary.  For example:

Are you using a custom login page?  The "invalid password" message you state should never be returned by default Cache pages.  This message would leak information to an attacker by letting them know that they had found a valid username.   "Access denied" is the standard message returned by Cache when a login fails, for any reason.

Have you checked the audit log for login and/or loginfailure events?  You may need to enable auditing, and then the individual event types, then reproduce the problem.  The loginfailure event should give a reason for the failure to log in.  Depending on what's happening here, it may not be the same as the error returned to the user.   
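The distinction made in the comment above, as an added example (not Caché code and not from anyone in this thread): the client always gets the same "Access denied" text, while the specific reason goes only to a server-side audit record. The user store, the function and field names, and the reason strings other than "Invalid password" are assumptions made for illustration.

```python
import hashlib
import hmac
import os

GENERIC_MESSAGE = "Access denied"  # the only failure text the client ever sees

def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed sample user store: username -> (salt, password hash, enabled)
_SALT = os.urandom(16)
USERS = {
    "alice": (_SALT, _hash("correct horse", _SALT), True),
    "bob": (_SALT, _hash("hunter2", _SALT), False),
}
_DUMMY = (os.urandom(16), os.urandom(32), False)  # checked for unknown users

AUDIT_LOG = []  # stand-in for the server-side audit database

def login(username: str, password: str, application: str):
    """Return (ok, message_for_client); keep the real reason in the audit log."""
    known = username in USERS
    salt, stored, enabled = USERS.get(username, _DUMMY)
    # Always hash and compare, so an unknown username costs the same time
    # as a known one and cannot be told apart by response latency.
    match = hmac.compare_digest(_hash(password, salt), stored)
    if not known:
        reason = "User does not exist"
    elif not match:
        reason = "Invalid password"
    elif not enabled:
        reason = "User account is disabled"
    else:
        reason = None
    AUDIT_LOG.append({
        "event": "Login" if reason is None else "LoginFailure",
        "username": username,
        "application": application,
        "reason": reason,  # visible to administrators only
    })
    return (reason is None, "OK" if reason is None else GENERIC_MESSAGE)
```

A login page that echoes the audit reason back to the browser undoes this separation, which is why the message shown to the user and the LoginFailure reason can legitimately differ.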

Hi Katherine,

Our page is custom only in layout, and the message is returned by Caché.

I checked the audit log for login and login failure events, and it shows this:

9 | 2018-07-13 13:50:33.749 | %System | %Login | Logout | 10388 | 4yM9pLPnE4 | cache.user | /csp/application/ Session end
10 | 2018-07-13 13:50:32.875 | %System | %Login | Login | 1490 | 4yM9pLPnE4 | cache.user | /csp/application/ login
11 | 2018-07-13 13:50:24.474 | %System | %Login | LoginFailure | 21532 | zdLzeDMmcj | cache.user | /csp/application login failure
12 | 2018-07-13 13:49:39.865 | %System | %Login | Logout | 25316 | Ai7zeADmrW | cache.user | /csp/application/ Session end
13 | 2018-07-13 13:49:38.988 | %System | %Login | Login | 21532 | Ai7zeADmrW | cache.user | /csp/application/ login

The message of the LoginFailure is:

Error message: Invalid password
CSP Application: /csp/application
Authentication: Password

Update:
The problem message in the audit log is the session timeout; the logout message (when you log out with a method) is different.