Legacy Knowledge Base
Published Jun. 30, 2025

Getting BadPaddingException errors in the logs after an upgrade

Written By

Jose L. Bango

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  • After upgrading Liferay DXP, javax.crypto.BadPaddingException errors appear in the logs when the 'Auto Login' feature ('Remember me') is used.
  • Example error message:
    ERROR [AutoLoginFilter:247] Current URL /home generates exception: 
    com.liferay.portal.kernel.exception.SystemException: com.liferay.portal.kernel.encryptor.EncryptorException: com.liferay.portal.kernel.encryptor.EncryptorException:
    javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

Environment

  • Liferay DXP 7.0+
  • Different environments sharing the same domain

Resolution

Understanding the error

This error occurs because of stored browser cookies used by the "Remember Me" functionality (specifically, cookies ID and PASSWORD).

These cookies are encrypted with a key specific to each Liferay instance (that is, company, using Liferay terminology). If the aforementioned cookies have been encrypted with a different key, this issue arises.

Typical scenario

During upgrades, this key is intentionally reset, which will lead to decryption issues with existing cookies.

This can be a normal error after an upgrade, simply meaning that users have obsolete cookies and need to sign in again. Liferay typically clears these invalid cookies automatically once the error is thrown, so the error is usually printed once per client (i.e., browser).

Other scenarios where the error persists

However, some scenarios have been found where these errors persist even after relogging or clearing cookies manually. This can occur when separate environments share the same domain.

For instance, imagine that you are testing an upgrade. During the upgrade, the source environment might be on www.example.com while the target is on testupgrade.example.com. Because both hosts share the same parent domain, cookies from the two environments can conflict and continuously generate the error if at least one of the environments does not use the full hostname (session.cookie.use.full.hostname=false), since some cookies are then stored with the global domain (.example.com) and are sent to both hosts.
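The collision described above can be modelled with RFC 6265 domain matching. This is an added example, not Liferay code: the function names, the `issuer` label, and the rule that a cookie set without the full hostname is scoped to the host minus its first label are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str      # cookie scope, without the leading dot
    host_only: bool  # True when no Domain attribute was sent
    issuer: str      # constructed label: environment whose key encrypted the value

def domain_match(host: str, domain: str) -> bool:
    # RFC 6265 section 5.1.3; IP-address hosts are not handled in this sketch.
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def set_remember_me(jar: dict, host: str, env: str, full_hostname: bool) -> None:
    # Assumption: with full_hostname False the cookie is scoped to the host
    # minus its first label (".example.com" in the article's scenario).
    domain = host if full_hostname else host.split(".", 1)[1]
    for name in ("ID", "PASSWORD"):
        # Same (name, domain) replaces the stored cookie, as a browser would.
        jar[(name, domain)] = Cookie(name, domain, full_hostname, env)

def sent_to(jar: dict, host: str) -> list:
    # Host-only cookies need an exact host match; domain cookies use domain_match.
    return [c for c in jar.values()
            if (host.lower() == c.domain if c.host_only
                else domain_match(host, c.domain))]

def undecryptable(jar: dict, host: str, env: str) -> list:
    # Cookies this host receives that were encrypted under another environment's key.
    return sorted(c.name for c in sent_to(jar, host) if c.issuer != env)

def scenario(prod_full: bool, test_full: bool) -> dict:
    # One browser signs in with "Remember Me" on both environments in turn.
    jar = {}
    set_remember_me(jar, "www.example.com", "prod", prod_full)
    set_remember_me(jar, "testupgrade.example.com", "test", test_full)
    return {"prod": undecryptable(jar, "www.example.com", "prod"),
            "test": undecryptable(jar, "testupgrade.example.com", "test")}

if __name__ == "__main__":
    for flags in [(False, False), (False, True), (True, False), (True, True)]:
        print("full hostname (prod, test) =", flags, "->", scenario(*flags))
```

Only the combination where both environments use the full hostname leaves neither host receiving a cookie encrypted under the other's key.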

Approaches to avoid the error or mitigate its impact

These persistent errors do not impact functionality but can clutter the logs. Below you can find some approaches that you can evaluate to identify the most suitable option for your needs. Depending on your current situation/infrastructure, some of them may not apply:

  • Disable the "Remember Me" feature, using the company.security.auto.login property.
  • Adjust Log Verbosity: Temporarily change the logging level for com.liferay.portal.servlet.filters.autologin.AutoLoginFilter from ERROR to FATAL to suppress these messages. Be aware that this might also hide other potential errors. See Configuring Logging.
  • Redirect Log Output: Configure Liferay to write these specific log messages to a separate file. See How to write some logs to a different log file.
  • Set session.cookie.use.full.hostname=true: Ensure this property is set to true in all the environments that share the same domain, as explained in Resolving 'BadPaddingExceptions' in the Console Logs. Make sure this fits your needs, since it will disable cross-domain logins.

Additional Information

  • Resolving BadPaddingExceptions in the Console Logs
  • Cookies are shared across all the ports on a given host. See RFC 6265:
    8.5. Weak Confidentiality
    Cookies do not provide isolation by port.
    If a cookie is readable/writable by a service running on one port,
    the cookie is also readable/writable by a service running on another port of the same server.
  • When setting session.cookie.use.full.hostname, you can specify your application server and that value will take precedence. For example: session.cookie.use.full.hostname[jboss]=true. Its definition can be found in the Session section of the portal.properties file.