ColdFusion 10 administrator "error accessing this page" [SEC=UNCLASSIFIED]

I'm trialling CF10 (Windows Server 2008, IIS 7.5) before upgrading my CF9 instances. I did a clean install, and set my IP address in the Allowed IP addresses section. From my desktop machine, I can log into the administrator but when I try to change a setting I get "There was an error accessing this page. Check logs for more details." and a "Click here to login" link. The application.log shows: "Warning","ajp-bio-8012-exec-1","07/19/12","08:57:24","CFADMIN","There was an error while verifying the token. Either the session timed out or un-authenticated access is suspected." I'm making sure that I don't have the administrator open on any other machine when I try it from my desktop, but if I try it on the server itself, it works just fine. Have I missed a security step somewhere? -Miles ___________________________________________________________________________     Australian Antarctic Division - Commonwealth of Australia IMPORTANT: This transmission is intended for the addressee only. If you are not the intended recipient, you are notified that use or dissemination of this communication is strictly prohibited by Commonwealth law. If you have received this transmission in error, please notify the sender immediately by e-mail or by telephoning +61 3 6232 3209 and DELETE the message.         Visit our web site at http://www.antarctica.gov.au/ ___________________________________________________________________________

----- Excess quoted text cut - see Original Post for more ----- During the install, did you check the "Secure Profile" checkbox? Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

> During the install, did you check the "Secure Profile" checkbox? Yep, but I also supplied my local IP as an allowed Administrator address, and not using a proxy. These are some of the settings I pulled from Ray's Security Profile CF Admin extension: Use UUID for cftoken: Enabled Disable access to internal ColdFusion Java components: Enabled Enable Global Script Protection: Enabled Maximum size of post data: 20 MB Disable updating of ColdFusion internal cookies: Enabled Require both a username and password for the Administrator   - Require Password: Enabled   - Require Username: Disabled   Enable Sandbox Security: Disabled Allowed IP Addresses: <my IP is here> -Miles ___________________________________________________________________________     Australian Antarctic Division - Commonwealth of Australia IMPORTANT: This transmission is intended for the addressee only. If you are not the intended recipient, you are notified that use or dissemination of this communication is strictly prohibited by Commonwealth law. If you have received this transmission in error, please notify the sender immediately by e-mail or by telephoning +61 3 6232 3209 and DELETE the message.         Visit our web site at http://www.antarctica.gov.au/ ___________________________________________________________________________

----- Excess quoted text cut - see Original Post for more ----- Are you sure that the server sees your machine as using the same IP address as you're actually using? You may have some sort of gateway between you and the server, and the gateway may be doing network address translation. Are either your machine or the server configured to use IPv6 in addition to IPv4? If so, and you're not actually using IPv6 "for real", try disabling it on both ends. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Dave Watts wrote: ----- Excess quoted text cut - see Original Post for more ----- Yeah, my IP looks ok in the CGI scope. The strange thing is, it lets me in and I can view settings, but kicks me out when I try to save a setting. > Are either your machine or the server configured to use IPv6 in > addition to IPv4? If so, and you're not actually using IPv6 "for > real", try disabling it on both ends. Yep, and good idea. Tried it with no luck. But I think I figured out what the problem is... I quite often have another tab open with the server monitor in it. If I make sure I don't, it works. The same happens if another admin/developer has the server monitor open on their computer... it just kicks anyone that tries to save settings in CFadmin. I also noticed that you can't have 2 people looking at the server monitor at the same time... one stops updating. Thanks for your help. -Miles ___________________________________________________________________________     Australian Antarctic Division - Commonwealth of Australia IMPORTANT: This transmission is intended for the addressee only. If you are not the intended recipient, you are notified that use or dissemination of this communication is strictly prohibited by Commonwealth law. If you have received this transmission in error, please notify the sender immediately by e-mail or by telephoning +61 3 6232 3209 and DELETE the message.         Visit our web site at http://www.antarctica.gov.au/ ___________________________________________________________________________