When I try to log in, the message "Authentication failed. Please enable browser cookies and try again." is displayed and the operation is not successful.
- Liferay DXP 7.0 Fix Pack 102+
- Liferay DXP 7.1 Fix Pack 26+
- Liferay DXP 7.2 Fix Pack 15+
- Liferay DXP 7.3 SP3, Update 4+
- Liferay DXP 7.4
To fix issue LPS-75442, a new cookie validation was added on the front end, and an existing back-end validation that was not working has been fixed.
To avoid the error message you should check the following points:
1. Check the front-end cookie validation:
To use Liferay DXP, browser cookies must be enabled. If they are not enabled, the login operation won't work.
Check that your browser has the cookies enabled and that you didn't disable them for your site.
2. Check the back-end cookie validation:
Liferay sends the browser a test cookie called COOKIE_SUPPORT to check that cookies are working correctly.
Liferay is usually configured behind a web server like Apache Httpd or Nginx where the traffic is converted from HTTPS to HTTP. After that, the requests are redirected to the Apache Tomcat HTTP port.
In this situation:
- Tomcat receives the request on the HTTP port, and the COOKIE_SUPPORT cookie can be sent without the "secure" flag.
- If the cookie doesn't have the "secure" flag, modern browsers using HTTPS will ignore this cookie depending on SameSite and other configurations.
To force the addition of the "secure" flag, you can configure the Tomcat application server to consider all incoming requests to be HTTPS.
Just add the secure="true" parameter to the Connector configuration in
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" URIEncoding="UTF-8" secure="true" />
If the described solution doesn't work, you can also try disabling this validation by adding session.test.cookie.support=false to the portal-ext.properties file.
Important: The cookie validation won't be triggered, but Liferay won't work correctly if the cookies are disabled.
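To confirm that the Connector change took effect, inspect the Set-Cookie headers the login page returns. The following is an added example, not Liferay code: the function names are hypothetical and the header values are constructed samples.

```python
# Audit Set-Cookie header values for the attributes discussed above.
# BEFORE/AFTER are constructed samples, not captured Liferay output.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header_value.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Flag attributes such as Secure and HttpOnly map to "".
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header_value):
    """Return the findings for one Set-Cookie header value."""
    name, _, attrs = parse_set_cookie(header_value)
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").lower()
    findings = []
    if not secure:
        findings.append(f"{name}: missing Secure flag")
    if samesite == "none" and not secure:
        findings.append(
            f"{name}: SameSite=None without Secure is rejected by modern browsers")
    return findings


def audit_headers(header_values):
    """Audit every Set-Cookie value of one response."""
    findings = []
    for value in header_values:
        findings.extend(audit_cookie(value))
    return findings


# Constructed: response from a Connector without secure="true".
BEFORE = ["COOKIE_SUPPORT=true; Max-Age=31536000; Path=/; HttpOnly",
          "JSESSIONID=ABC123; Path=/; HttpOnly; SameSite=None"]
# Constructed: same cookie after secure="true" was added to the Connector.
AFTER = ["COOKIE_SUPPORT=true; Max-Age=31536000; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(headers) or "OK")
```

Pass it the Set-Cookie values shown for the login page in your browser's developer tools; an empty result means every cookie carries the "secure" flag.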
- Tomcat "secure" attribute: https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#Attributes
- Cookies with "SameSite=None" requires "secure":