Ok, I think I figured this out.
TLDR; if you get this error, check if you have a lucee_admin_pw_server cookie for the domain used to access the Lucee admin. If so, delete it.
As for further explanation, I experienced the error today and found this thread. When no fix was offered, and others reported seeing it, I dug in. And besides seeing the cause and a solution (more than one), I think I can also see why only some folks would hit it.
1 - First, if we take a look at the code at the listed line 179 of the admin/web.cfm file (while the OP was running 5.4.4 I was running 5.4.5 and got the same line number reported), it’s the last of these 3 lines:
<cfadmin action="connect"
    type="#request.adminType#"
    password="#cookie['lucee_admin_pw_#ad#']#">
So it’s about the cookie tracked for the Lucee admin password, then being used by Lucee’s cfadmin tag to log us in.
2 - As for why only some may experience it, note that folks who leave the “remember me for” option on the Lucee login page set to the default of “session” will never have that cookie set. It’s only set if you choose one of the other options. (At least that’s what I found in testing: it’s not even set as a “session” cookie in the browser, for those familiar with that concept.)
And to be clear, the code above is indeed preceded by a condition checking for its existence: !structKeyExists(session, "password" & request.adminType) && structKeyExists(cookie,'lucee_admin_pw_#ad#'). So that was a logical choice (on the face of it), for a “normal” implementation of Lucee.
3 - And in my case I did have that cookie set (the “ad” variable must have resolved to “server”, as the only cookie I had for the request was indeed lucee_admin_pw_server).
And so I deleted that cookie (in the browser dev tools, in its “application” tab, then “storage”, then “cookies”, which while viewing the page for the login will show what cookies are set for that domain), and immediately I got the login page, as expected.
4 - Finally, as for why the cookie would be “wrong” and make this code fail, it seems to be because I had been using the same browser to visit the admin of an existing (non-commandbox) Lucee instance, which had a different password. That’s why this cfadmin was failing.
It would seem only to be a snag when one may visit “different” Lucee instances using the same domain in your browser, which was 127.0.0.1 in my case.
BTW, browsers do NOT save different cookies depending on the PORT used to visit a site, so one could also hit this same problem using ONLY commandbox, if somehow the password was not the same among all Lucee instances (which can be enforced via commandbox config, I realize).
5 - So bottom line, to anyone hitting this error, you actually have a few choices:
- clear the cookie (might be easiest and most effective for some)
- use a different browser (worth trying if you don’t want to “mess with the cookies”)
- open an incognito/private window in your browser (ditto)
- use a different IP address for your request. (A little-known trick is that you can change the last number of 127.0.0.1 to be 2 or 3, and so on, and it will still resolve to the local machine, and now the browser WILL create unique cookies for each.)
Hope that helps someone.
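The host-versus-port cookie behaviour described in points 4 and 5, as an added example that is not part of the original post: Python's http.cookiejar stands in for the browser's cookie store (like browsers, it scopes a cookie by host and ignores the port). The ports, URL path and cookie value are constructed for illustration; only the cookie name comes from the post.

```python
"""Added illustration: a remembered admin cookie follows the host, not the port."""
import email
import http.cookiejar
import urllib.request

COOKIE = "lucee_admin_pw_server"  # cookie name taken from the post

# Constructed URLs: two instances on 127.0.0.1 (different ports) and one
# reached through 127.0.0.2, the loopback trick from point 5.
ADMIN_URLS = [
    "http://127.0.0.1:8888/lucee/admin/server.cfm",   # instance A (cookie set here)
    "http://127.0.0.1:54321/lucee/admin/server.cfm",  # instance B, same host
    "http://127.0.0.2:54321/lucee/admin/server.cfm",  # instance B, other loopback IP
]


class _Response:
    """Minimal offline stand-in for an HTTP response carrying Set-Cookie."""

    def __init__(self, set_cookie):
        self._headers = email.message_from_string(f"Set-Cookie: {set_cookie}\n\n")

    def info(self):
        return self._headers


def remember_login(jar, url, value):
    """Store the cookie as if the admin at `url` set it with a non-session lifetime."""
    request = urllib.request.Request(url)
    jar.extract_cookies(_Response(f"{COOKIE}={value}; Path=/; Max-Age=86400"), request)


def cookie_sent_to(jar, url):
    """Return the Cookie header the client would attach to a request for `url`."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def stale_cookie_report(urls):
    """Log in to the first URL only, then list what every URL would receive."""
    jar = http.cookiejar.CookieJar()
    remember_login(jar, urls[0], "constructed-value-for-instance-A")
    return {url: cookie_sent_to(jar, url) for url in urls}


if __name__ == "__main__":
    for url, header in stale_cookie_report(ADMIN_URLS).items():
        print(f"{url:50} -> {header or 'no cookie sent'}")
```

Instance B on 127.0.0.1 receives instance A's remembered value, which is the stale credential the cfadmin connect call then rejects, while the 127.0.0.2 request carries no cookie at all.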