Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

In this entry, I want to throw in another reason why it's important to make sure you properly update (reconfigure/rebuild/upgrade) your web server connector after applying certain CF10 updates, or if applying only the latest update for the first time to a newly installed CF10 instance.

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

In brief, a VERY common problem is that while they MAY WELL have applied the provided "updates" for CF, folks often do NOT notice that they may have to (and generally must) "update" the web server "connector" (if they are using an external web server, like IIS or Apache) as a separate manual step, after applying the update.

I explain here what that means, how do to it, and why you may miss that you need to.

Update in 2019:

Since writing this entry, I did one in 2019 on When and how to upgrade CF web server connector, easier since CF2016, which at least makes it EASIER to upgrade, though much of what I write here still applies. I also updated this post since originally writing it, in ways discussed below.

(Or if you'd rather just have me help you quickly help you analyze and rectify your situation, whether with regard to the connectors or any other CF server troubleshooting, I can do that in a brief consulting session, likely less than an hour, remotely and securely. I provide all the detail here for those who prefer to "go it on their own". For more on my consulting services, including rates, approach, satisfaction guarantee, and more, see the consulting page at carehart.org.)

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

Should you? What do you gain? what do you lose? what are some gotchas? That's what this blog entry is about, answering the following questions:

• First, what is ColdFusion 9.0.2? Why did Adobe create it?
• What about the 9.0.1 updater? Can we still get that? Yes.
• So what all does 9.0.2 add and remove?
• If I download CF 9 today, what do I get?
• "But if I download 9.0.2 today, I get the latest version of it available, right? I don't need to add hotfixes, do I?" Wrong.
• Warning: DO NOT install 9.0.1 atop 9.0.2 (nothing will stop you)
• If I am on 9.0 or 9.0.1, how can I get to 9.0.2?
• Why might I want to get to 9.0.2 from 9.0 or 9.0.1?
• How did i miss this? Was 9.0.2 discussed? Yes it was.

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

Anyway, here is the answer I wanted to offer to that question...

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

Adobe ColdFusion Web Application Construction Kit: ColdFusion 10 Enhancements and Improvements

But some may not have known who the contributors were, because since its release the Amazon site for the book had listed only Ben (Forta). Doh! :-)

Ben is indeed the series editor and a fellow contributor--and truly the glue that has held the project together since the first edition for CF3 in 1997.

But as with each edition since the first, there are indeed multiple contributors.

Amazon book page now lists all the contributors

And now the Amazon page does list all the co-authors:

Charlie Arehart, Rob Brooks-Bilson, Raymond Camden, Ken Fricklas, Hemanth Khandelwal, and Chandan Kumar.

Of course, we were indeed properly listed on the front cover, for those who may have looked--and in that same alphabetical order, whereas the Amazon site order is a bit random. Anyway, it's just nice to see this issue fixed.

Problems like that just happen sometimes, and I'd only I noticed it this week and raised it to Amazon. To their credit they were quick to update it.

And I thought some of my co-authors and perhaps others in the community might want to know about it.

Glad to mention the book

Indeed, I've been meaning simply to announce the book and my involvement here myself but got behind on many such news items, as I've just been busy (with my ColdFusion troubleshooting consulting services). Busy is good, of course!

So this was a good chance both to share the above news of the correction for any who'd noticed the issue, and to mention my involvement with the book, in case that and news of the book itself may interest some of my readers. (FWIW, I was a contributor to all 3 vols for CF 8 and 9 also, and I do thank Ben for including me in these works.)

A bit about the book

For those who hadn't noticed the book yet, it's unique in the series in that we decided to go with just a single book, just about the updates. In the past, we instead updated all 3 books throughout. There are pros and cons to either choice, of course, but I do agree that the single book was the way to go.

FWIW, I did chapters 8, 10, and 19.

I was especially delighted to get in a chapter at the end on "hidden gems", as I have loved doing (as article or talks) for each release starting with my first CFDJ article on CF 4.0. The editors chose for Chapter 19 the more sedate name of "Miscellaneous Enhancements", but I'm just thrilled we got to add the chapter at all. :-)

You can learn more about (and buy, and review) the book here:

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

As an update since I first wrote this, it turns out this issue may or may not affect you depending on a couple of variables, which I will discuss, with a prefix of "update:" below. But don't dismiss this thinking you are not affected. I would propose that still far more CF servers may be exposed than not, as I will explain.

The CF Admin has (for several releases) offered an option called, "Use UUID for cftoken" (in the "Settings" section), and it's been intended as a security measure. Its purpose is to cause CF to use a UUID value (a long, complex string of numbers and letters) for the CFTOKEN cookie (and session variable) that CF generates, versus what used to be a simple, 8-digit value. This cookie, along with the simpler and incrementing CFID, is used to connect users to the session and/or client scope values created for that user in CF code.

Some may be surprised to learn, though, that while this setting DOES cause CF to *create* such UUID-formatted CFTOKEN values for requests that do not already present a CFTOKEN cookie, it does NOT necessarily cause CF to block any continued use of such simple, 8-digit cftoken cookies.

In other words, browsers which had visited your site before you turned on "use uuid for cftoken" would still send the 8 character cftoken they already had, not a uuid, and that could be accepted as valid by CF, even with that setting on, under certain conditions. (And the user will not be sent any new cftoken cookie in a UUID format, in CF's response, in those conditions.)

There's good and bad news related to this fact, which I will elaborate on below.

Update: Since writing this entry, I learned of a couple of factors that influence if and when this is a problem.

1. It turns out that if you are using CF10, or CF9 or 8 with the "session fixation" hotfix (APSB11-04), then the problem only happens until you restart CF. The Admin does not currently warn you of this, so beware that you will have the exposure below until you do restart. (If you have added one of the later security hotfixes or cumulative hotfixes that came out since then, then you have gotten the fix.) This fix causes CF to create a new UUID-based CFTOKEN, if you turn on this feature at least (and after a restart) when a browser presents a previously created 8-digit cftoken.
2. On the other hand, even if you are running CF 10, or running 8 or 9 and HAVE applied that hotfix, note that if you TURN OFF that fixation protection (by adding the -Dcoldfusion.session.protectfixation=false value to your jvm.config, as discussed in that technote), then you are back to the state that I discuss below.
3. And of course, if you are on CF 8 or 9 and have NOT yet applied that APSB11-04 hotfix (or a later cumulative one that includes it), then you are indeed still vulnerable.

So that leaves still many people who could be affected by this. Even if it seems you may not be, you may want to continue reading this entry to understand what the issue is about, for you and others who may be impacted by it.

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

I offered a reply, both explaining why CFB has a project-oriented nature (being an Eclipse-based product) and also how they could be seen akin to DW "sites". Still, I appreciate the difference and the challenge to newcomers.

But most important, I explained how the Aptana plug-in built-into CFB does indeed offer a solution for him, in its "Untitled Files" feature, easily accessed from the File>New dialog. This would let him create a new file without need of either naming the file first or picking a project (whether when creating the new page or when saving it).

It's not an obvious solution, but I show how it can be made to be easily accessible with a single keystroke.

Rather than repeat myself here, I'll just point interested readers to the forum thread, "Creating a new file". Perhaps others will share more insights after mine, and feel free to leave comments here or there as you see fit.

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

• Updating/Hotfixing #ColdFusion 10, 9 and 8: Tips and Traps
• Locking down the #ColdFusion Administrator: Your First Line of Defense Against Hackers

For more details on the talks, or to get the slides once I post them (likely right after the meeting), please see the links for the two sessions above.

And if you may want to attend, please RSVP.

I may offer these later on the Online ColdFusion Meetup or perhaps one of the remaining CF conferences this year, if I may be selected to speak.

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

But have you ever found that when you tried that, you get:

...even though you KNOW that you're entering the right id? Indeed, one that has been used before?

Perhaps it also happens on other Adobe site properties, and the trick I propose may work for you, also.

[....Continue Reading....]