[ContentBox] Invalid Redirect from Login for Specific Admin Page

Whenever I timeout from a cbadmin session and try to log back in from the timed out url, the redirect prepends my root’s subfolder from the server’s wwwroot.

Expected: localhost/my/approot/cbadmin/pages
Actual: localhost/my/approot/my/approot/cbadmin/pages.

The culprit appears to be event.buildLink( linkTo=reReplace( cgi.path_info, ‘^/’, ‘’ ) ) in coldbox.system.interceptors.security.

Because cgi.path_info already includes the “/my/approot/” segment and buildLink automatically adds it in, it appears twice. So either I’m missing a setting somewhere, or I’m not the only one who has come across this issue. I’m guessing the former, but I can’t figure out what I’m missing.


We might not need to use build link for this. Can you test and verify? If so they you can add a jira ticket

Luis Majano
Ortus Solutions, Corp
P/F: 1-888-557-8057
Direct: (909) 248-3408

ColdBox Platform: http://www.coldbox.org

ContentBox Platform: http://www.gocontentbox.org
Linked In: http://www.linkedin.com/pub/3/731/483

Social: twitter.com/ortussolutions | twitter.com/coldbox | twitter.com/lmajano | twitter.com/gocontentbox


I would be glad to test for you. I’m just not certain I understand what you want me to test. Can you explain?


There is already a ticket, I am guessing why this would mean I actually have to log in twice when I secure the cbadmin down with SSL. I am betting my bottom dollar this is the fix that is required.

Perhaps, Andrew. It wouldn’t come from coldbox.system.interceptors.security as the SSL handling doesn’t change the redirect link. There it’s the redirect built for SES events.

But if the ssl redirect passes an SES url (that includes a subfolder) in a buildLink call, that would make sense. I think the solution is to change the buildLink function to recognize adjust for the root directory location in the linkTo argument when the application resides in a subfolder of the server’s root folder.

I really don’t care, I am sick of my customers typing their credentials in twice.

In the mean time, you could use the concept from your captcha plugin replacement to override contentbox-security.handlers.security with an extended version of the handler that simply overrides doLogin() so that it corrects rc._securedURL before setting the next event.

Well, as it was meant more for Luis as I had raised the bug months and months and months ago. All I ever get from Luis is hat he can’t duplicate. So Luis if you’re reading, does this fix that reported bug?