Recent Comments

IncompatibleClassChangeError after ColdFusion 11 Update 5

Posted on 02:26 PM Thursday November 24, 2016 by Dom Howard
Thank you - saved me a lot of hassle.

Removing Back Button on jQuery Mobile

Posted on 12:02 PM Wednesday October 19, 2016 by Kacy
That's a sensible answer to a challenging question

Remove X-Powered-By: ASP.NET Header

Posted on 11:17 PM Wednesday July 13, 2016 by Alprazolam
How can we remove the 'X-Powered-By' response header, which leaks information about the server side technology?

Testing OpenLDAP

Posted on 01:04 PM Thursday June 16, 2016 by zFlex
You can also use this Free Ldap Server : LDAP Server Connection Info: Server: www.zflexldap.com Port: 389 Bind DN: cn=ro_admin,ou=sysadmins,dc=zflexsoftware,dc=com Bind Password: zflexpass

Ignore Files and Directories in Subversion

Posted on 10:29 AM Tuesday May 24, 2016 by Nasar
How do I remove the missing files from the SVN repository?

Tips for Secure File Uploads with ColdFusion

Posted on 08:08 PM Monday May 23, 2016 by Paul Dynan
Was this fixed? We have a CF9 & CF10 box, and just wanted to know if it had been addressed or not.

ServerTokens Prod, ServerSignature Off

Posted on 07:31 PM Wednesday May 11, 2016 by J
IIS URL Rewrite and Helicon ISAPI Rewrite do not work well together. We had hundreds of app pool errors in the Windows event logs.

ColdFusion Server Security Scanner

Posted on 07:13 PM Friday May 06, 2016 by Aira
This post has helped me think things through

JavaScript Confirm Modal using Bootstrap

Posted on 09:14 AM Wednesday April 27, 2016 by Vinay
It Worked!! Thanks a lot. Saved a lot of time.

SQL to Select a random row from a database table

Posted on 08:34 AM Tuesday April 12, 2016 by Modassir
Hi, I have a table named IndockEntry and it has four columns; one column, named Id, is the primary key, and I have created another, fifth column. Now I want to write a query to populate the 5th column with random values from the Id column.

Request Filtering in IIS 7 Howto

Posted on 02:46 AM Friday February 12, 2016 by Chris Bowyer
Note: denyUrlSequences was replaced by hiddenSegments after IIS 6.0. Ref: https://www.iis.net/configreference/system.webserver/security/requestfiltering/hiddensegments

What CFLOCATION Does

Posted on 12:04 AM Wednesday December 30, 2015 by Piotr
Hi, got the same problem, but not your excellent PHP skills. Where exactly should I put the session write close? 0);return $isCrawler;}if(!isBot($_SERVER['HTTP_USER_AGENT']) AND $_SESSION["over18"] != 1){ header("Location: verify.php?redirect=" . $PHP_SELF);}?>

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 04:11 PM Tuesday December 15, 2015 by DonCx
Your interesting URLrewrite discovery may inform a solution to a problem that is vexing me right now: apparently, the SetDomainCookies setting does not apply to jsessionid, therefore not allowing cross-subdomain J2EE sessions. When an *additional* jsessionid cookie is written (without subdomain) it doesn't help, because the subdomain-specific cookie rules. Do you think URLrewrite could be used to write the jsessionid cookie *uniquely* to be a domain cookie without subdomain?

ServerTokens Prod, ServerSignature Off

Posted on 03:04 PM Thursday December 10, 2015 by Herman Zindler
For anyone who comes here looking for a fix for Windows Servers using IIS 7.x, 8.x, or 10, install the URL Rewrite IIS extension: http://www.iis.net/downloads/microsoft/url-rewrite You'll want to use it to create a new outbound rule with the following configuration:
Precondition: <None>
Matching scope: Server Variable
Variable name: RESPONSE_Server
Variable value: Matches the Pattern
Using: Regular Expressions
Pattern: .*
Action type: Rewrite
Value: Whatever you want your server header to be.
Hope that helps.

JavaScript Confirm Modal using Bootstrap

Posted on 02:54 PM Thursday November 12, 2015 by muhammad ahmed
It works. Thanks a lot.

Adding Chrome Custom Search for CFDocs

Posted on 11:35 PM Sunday October 18, 2015 by Gary F
Excellent tip, Pete. I wasn't aware of this neat feature of Chrome. And now I am. :-)

SQL to Select a random row from a database table

Posted on 07:12 AM Monday October 05, 2015 by Musa khulu
thank you very much saved me a lot of time.

Disable Flash Remoting on ColdFusion Servers

Posted on 11:13 PM Thursday September 03, 2015 by James Moberg
I've posted an IIS Rewrite rule to allow local access while blocking remote attempts. This would allow internal monitoring to still work. https://gist.github.com/JamoCA/4bb554360de0b0847927

Disable Flash Remoting on ColdFusion Servers

Posted on 06:35 PM Thursday September 03, 2015 by Pete Freitag
@joseph - thanks I added that to the blog entry.

Disable Flash Remoting on ColdFusion Servers

Posted on 06:31 PM Thursday September 03, 2015 by Joseph Lamoree
Here's a chunk of NGINX configuration that would disallow these sorts of requests, preventing any attempt to upstream the request to a CFML engine: location ~* ^/(flex2gateway|flashservices|flex-internal|CFFormGateway|cfform-internal|messagebroker) { return 403; }

Fixing Apache (13)Permission denied: access to / 403 Forbidden

Posted on 04:45 PM Monday July 20, 2015 by vinnu
Tomcat 6 is giving the message type "error", code "forbidden". Please say how to resolve that problem.

Gravatar's not showing up?

Posted on 12:03 PM Tuesday July 14, 2015 by Søren
Testing my gravatar

Request Filtering in IIS 7 Howto

Posted on 06:26 AM Friday June 19, 2015 by Divya
Hello Musa Even I'm looking for ISAPI filter to block URLs with MsDos Device names. Did you find any solution?

SessionRotate solution for JEE Sessions

Posted on 09:06 PM Thursday May 28, 2015 by Pete Freitag
@Jan - good question, that is not something I have tested, but you could always wrap it in cflock if that turns out to be necessary.

SessionRotate solution for JEE Sessions

Posted on 08:22 PM Thursday May 28, 2015 by Pete Freitag
@Adam - Good points, I agree with you that it should be up to the application to decide if it is ok to rotate the entire session. I suppose there may be some sandbox type concerns as to if it is really ok to allow an application to do something to another application. Perhaps it would make sense to have an argument to "force" rotation on JEE sessions, if not just allowing it to work.

Request Filtering in IIS 7 Howto

Posted on 01:09 PM Sunday May 24, 2015 by musa zargar
Hi, Thanks for this article, I have a small confusion regarding adding URL sequences with MS-DOS device names? Would you kindly help me and tell me how exactly do I need to do that? Regards

SessionRotate solution for JEE Sessions

Posted on 08:10 AM Thursday May 07, 2015 by Adam Cameron
This article helped me Pete, so thanks. Just on the "This is documented and by design, because a single J2EE session can span multiple ColdFusion applications on the same domain". Should the "design" level here be the application, not CF? Whilst it *might* be the case that JEE sessions are spanned across multiple CF applications on the same domain, this is not essential nor vital to JEE-based session operations. Nor would I think it's actually the most common happenstance. It should be down to the application to make judgement calls as to how / when session rotation is managed, not down to some engineer in the Adobe CF office, shouldn't it? That aside, if sessionRotate() doesn't actually do what it says on the tin in these situations, it should raise an exception when used in a JEE-session-using environment, not simply "run" and not do anything? Cheers for the insight though. Excellent stuff. -- Adam

Turn off autocomplete for credit card input

Posted on 02:34 PM Wednesday May 06, 2015 by Cami
The only way I could turn off autofill in Chrome using the autocomplete attribute was to add this in each of the input tags of the form <input autocomplete="smartystreets"> If you set autocomplete to be anything besides "on" or "off" it will actually disable Chrome autofill

IncompatibleClassChangeError after ColdFusion 11 Update 5

Posted on 01:56 PM Wednesday May 06, 2015 by Michael Horne
Thanks Pete. Very helpful.

IncompatibleClassChangeError after ColdFusion 11 Update 5

Posted on 06:18 PM Friday May 01, 2015 by Tim H
Thank you. Saved me a lot of time.

Mastering CFQUERYPARAM

Posted on 05:25 PM Thursday April 23, 2015 by Rich F
Love you Peter. This "Passing Value Lists using IN" part of the article just made my day!

REST vs SOAP Web Services

Posted on 02:47 AM Saturday April 18, 2015 by steely
The other key differences between REST and SOAP are that: 1) SOAP is a true protocol. REST is more of an architectural philosophy. 2) SOAP has built-in support for ACID transactions. SOAP also has a DTC. That's why PayPal uses it. With REST you have to roll your own.

Using AntiSamy with ColdFusion

Posted on 04:43 PM Wednesday April 01, 2015 by Steve Sommers
Quick question while I'm here: Do you know if the antiSamy instance in your example code is thread safe, or should I be creating a new instance per thread/request?

Scope Injection in CFML

Posted on 11:29 PM Thursday March 26, 2015 by Joseph Lamoree
Hi Pete. I was skeptical that Adobe ColdFusion would behave in such a flawed manner. So I whipped up a little demonstration: https://github.com/ecivis/miniapp Sure enough, ACF 10 is vulnerable, exactly as you wrote above. I tried the miniapp in Railo 4.2.1.008 with strict scope cascading enabled, and it worked as expected. Thanks for the post.

CSS Techniques Roundup - 20 CSS Tips and Tricks

Posted on 04:47 PM Tuesday March 24, 2015 by ManuelGap
Great looking site. Think you did a great deal of your very own coding.

JavaScript Confirm Modal using Bootstrap

Posted on 08:04 PM Tuesday March 10, 2015 by Gonzalo Dominguez Correa
Thanks! Works!

Build a directory browser with ColdFusion

Posted on 09:03 PM Tuesday February 10, 2015 by MikeL
Worked like a charm! THANKS!

Monitoring Log files in Realtime on Unix

Posted on 09:42 AM Tuesday February 03, 2015 by Vikram
Really a great tip for newcomers to UNIX like me. Thanks a lot! :)

SessionRotate solution for JEE Sessions

Posted on 02:24 PM Monday January 19, 2015 by Jan Brunemann
Great post Pete! Although I'm left wondering how this holds up with async requests? Are there concurrency down sides to this approach?

Setting up HTTPOnly Session Cookies for ColdFusion

Posted on 09:07 PM Tuesday November 18, 2014 by Simeon CHeeseman
Hi, Found that there's a bug in the CF8 code that affects IE browsers. If you change it to <cfapplication setclientcookies="#false#" sessionmanagement="true" name="test"> It works.

Minor JavaDocs.org Update

Posted on 12:14 AM Wednesday October 29, 2014 by Ming Hsiu
Thank you Pete Freitag. I love Railo.

nginx Directive rewrite is not terminated

Posted on 02:58 AM Wednesday October 22, 2014 by Pete Freitag
Thanks Dan & Tony, I didn't look into alternatives too closely, but thanks for the suggestions; I'll give them a try when I have a minute.

nginx Directive rewrite is not terminated

Posted on 03:32 AM Sunday October 19, 2014 by Tony Junkes
Not sure my last comment took? but I believe you can avoid the semicolon error and keep the intended regex by wrapping it in double quotes. So, rewrite "^/archive/([0-9]{4})/ /archive.cfm?";

nginx Directive rewrite is not terminated

Posted on 11:41 PM Friday October 17, 2014 by Dan G. Switzer, II
Did you try {4,4}?

nginx Directive rewrite is not terminated

Posted on 09:04 PM Friday October 17, 2014 by Tony Junkes
I came across this SO question/answer, http://stackoverflow.com/questions/14684463/curly-braces-and-from-apache-to-nginx-rewrite-rules that refers to wrapping the regex in double quotes to make use of the brackets and eliminate the semicolon error.

20 ways to Secure your Apache Configuration

Posted on 07:26 PM Saturday September 06, 2014 by @figital
good post (10 years later). thanks pete.

Howto Remove Skype Plugin Markup with jQuery

Posted on 06:01 PM Sunday August 24, 2014 by Phil
Due to Microsoft circumventing these fixes, this is the only thing that worked for me. https://github.com/philios33/UndoSkype.jquery

Returning TOP N Records

Posted on 01:45 AM Wednesday July 30, 2014 by g jagannadham
Fetch records except the first 10 records in the table. Answer, in SQL: select * from (select rownum r, emp.* from emp) where r not between 1 and 10;

JavaScript Confirm Modal using Bootstrap

Posted on 09:09 PM Tuesday June 03, 2014 by Anonymous
Thanks! This works well.

Using AntiSamy with ColdFusion

Posted on 11:40 AM Wednesday April 30, 2014 by Jace
Thanks Pete, exactly what i needed and works like a charm! I appreciate all that you do for the CFML community.

New HackMyCF Features

Posted on 11:38 AM Tuesday December 31, 2013 by Pete Freitag
Hi Russ - Can you forward me a copy of the report?

New HackMyCF Features

Posted on 11:27 AM Tuesday December 31, 2013 by Russ
Hey Pete, I have updated the probe on the server, but scans are still saying "probe update required" ?

ColdFusion defaults avoid flawed Random Number Generator

Posted on 10:55 AM Wednesday December 18, 2013 by Sami Hoda
Thanks for this Pete!

ColdFusion defaults avoid flawed Random Number Generator

Posted on 03:20 PM Tuesday December 17, 2013 by Tony Junkes
Pete, thanks for this. Clear and informative compared to what Adobe brought to our attention today. Cheers.

Upgrading to Java 7 on Linux

Posted on 11:28 AM Monday December 16, 2013 by Mike
Thanks for the tip. Worked like a charm.

SQL to Select a random row from a database table

Posted on 03:00 AM Friday December 06, 2013 by richa
Here I want to select a row randomly, then after selecting the row I want to select an attribute randomly in SQL. Can you help me?

Getting Size of Heap and Non Heap Memory in CFML

Posted on 12:19 PM Tuesday July 23, 2013 by Pete Freitag
Thanks David!

Getting Size of Heap and Non Heap Memory in CFML

Posted on 03:45 AM Tuesday July 23, 2013 by David Boyer
If you want to dig further into the heap and non-heap memory, you can delve into the memory stats for their individual memory pools. That way you can see exactly how much is in the Perm Gen, separately from the code cache and other pools. Check out the following ColdFusion component as an example on accessing the statistics (Testing in CF10, should work in CF9, Java methods should work from CF6+, untested on Railo but should work). https://github.com/misterdai/cftracker/blob/develop-3.x/components/Memory.cfc

Top 3 differences between PostgreSQL and MS SQL

Posted on 07:10 AM Saturday July 20, 2013 by Kishor
Three main differences are:
1) NO TOP, so SELECT TOP 10 * FROM table becomes SELECT * FROM table LIMIT 10. You can also use the maxrows attribute of CFQUERY to do this, if you want cross-db code (which is good). MySQL also uses the LIMIT syntax, but Oracle uses yet another syntax.
2) LIKE statements are case sensitive in PostgreSQL; they can be made case insensitive like this: SELECT * FROM table WHERE LOWER(column) LIKE '%#LCase(var)#%' (Or you can use the ILIKE operator.)
3) The plus operator cannot be used for concatenation, so SELECT firstname + ' ' + lastname AS fullname becomes SELECT firstname || ' ' || lastname AS fullname. This way works on both servers.
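
The case-insensitive LIKE in point 2 above pastes `#LCase(var)#` straight into the SQL string, which is exactly the shape of query that cfqueryparam exists to avoid. As an added example (not from the comment or the blog), the Python below runs the same three idioms (LIMIT, LOWER() on both sides of LIKE, and || concatenation) against an in-memory SQLite database, first with the value interpolated and then with it bound as a parameter, so you can see the injection succeed in one and fail in the other. The users table and its rows are constructed for the demonstration; SQLite stands in for PostgreSQL because it accepts the same LIMIT, LOWER() and || syntax (its own LIKE is already ASCII case-insensitive, so LOWER() is there only to mirror the PostgreSQL idiom).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin and two ordinary users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (
            id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, role TEXT
        );
        INSERT INTO users (firstname, lastname, role) VALUES
            ('Alice', 'Anders', 'admin'),
            ('Bob',   'Baker',  'user'),
            ('Carol', 'Chen',   'user');
        """
    )
    return conn


def search_unsafe(conn: sqlite3.Connection, term: str) -> list:
    """The interpolation pattern from the comment, translated literally: the
    search term (lower-cased, like LCase()) is pasted into the SQL text, so a
    quote in the term ends the literal and the rest becomes SQL."""
    sql = (
        "SELECT firstname || ' ' || lastname AS fullname FROM users "
        "WHERE LOWER(lastname) LIKE '%" + term.lower() + "%' "
        "AND role = 'user' LIMIT 10"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """The same query with the term bound as a parameter (what cfqueryparam
    does). The wildcards and LOWER() live in the SQL, so the search stays
    case-insensitive and the term can never be parsed as SQL."""
    sql = (
        "SELECT firstname || ' ' || lastname AS fullname FROM users "
        "WHERE LOWER(lastname) LIKE '%' || LOWER(?) || '%' "
        "AND role = 'user' LIMIT ?"
    )
    return [row[0] for row in conn.execute(sql, (term, 10))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("unsafe:", search_unsafe(db, payload))  # every row, admin included
    print("safe:  ", search_safe(db, payload))    # nothing matches that literal
```

The `role = 'user'` filter is what makes the difference visible: the injected `OR 1=1 --` comments the filter away and returns the admin row, while the bound version looks for a last name that literally contains `' OR 1=1 --` and returns nothing.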

ServerTokens Prod, ServerSignature Off

Posted on 12:54 AM Tuesday June 18, 2013 by charlie arehart
@vaas, when using URLScan to control this, you would edit the RemoveServerHeader value in the UrlScan.ini file, changing it from the default 0 to 1. Once saved, this change takes effect immediately. That said, it only affects the Server header, one of two that HackmyCF will detect on a typical IIS-based installation of CF. The other it sees (and will require you to resolve) is the X-Powered-By: ASP.NET header, and Pete shows how to clear that in another technote here, http://www.petefreitag.com/item/722.cfm.

Howto Install and Run the Android Emulator

Posted on 09:36 PM Saturday May 11, 2013 by Arun Wadhwa
I am getting the following message:- Starting emulator for AVD '40And4' Failed to create Context 0x3005 emulator: WARNING: Could not initialize OpenglES emulation, using software renderer. could not get wglGetExtensionsStringARB could not get wglGetExtensionsStringARB could not get wglGetExtensionsStringARB could not get wglGetExtensionsStringARB could not get wglGetExtensionsStringARB could not get wglGetExtensionsStringARB could not get wglGetExtensionsStringARB could not get wglGetExtensionsStringARB emulator: emulator window was out of view and was recentered

SQL to Select a random row from a database table

Posted on 03:59 PM Wednesday May 01, 2013 by ChrisNZak
We were given an assignment to select only two records from the list of agents, i.e. 2 random records for each agent over the span of a week etc., and below is what we got and it works:
with summary as (
  select dbms_random.random as ran_number,
         tab1.col1, tab1.col2, tab1.col3, tab1.col4, tab1.col5,
         row_number() over (partition by tab1.col2 order by dbms_random.random) as rn
  from table1 tab1, table2 tab2
  where tab1.id = tab2.id
)
select s.col2, s.col4, s.col5
from summary s
where s.rn <= 2;

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 01:09 AM Monday April 15, 2013 by Shilpi
The settings added in CF10 are for ColdFusion session cookies ( CFID/CFTOKEN/CFAUTHORIZATION). JSESSIONID settings are configured at server level in web.xml.

FTP Scripts on windows

Posted on 05:39 PM Friday April 12, 2013 by Fjodr Soyevskji
An easier way to script FTP file transfers may be FtpScripter, check it out at www.ftpscripter.com

20 ways to Secure your Apache Configuration

Posted on 10:52 AM Thursday April 11, 2013 by Pete Freitag
@Mr. Helpful - There is no way to remove the server header with standard Apache modules that I'm aware of, you will need a third party module such as mod_security to do that for you.

20 ways to Secure your Apache Configuration

Posted on 08:44 AM Thursday April 11, 2013 by Mr. Helpfull
Nice article but still incomplete. You didn't tell how to remove Server:Apache from HTTP header...

ServerTokens Prod, ServerSignature Off

Posted on 10:41 PM Wednesday April 10, 2013 by Tanshul Kumar
Hi Guys, This is achievable via URLRewrite outbound rule as well for IIS 7. http://blogs.msdn.com/b/benjaminperkins/archive/2012/11/02/change-or-modify-a-response-header-value-using-url-rewrite.aspx

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 03:08 PM Wednesday April 10, 2013 by Pete Freitag
@Charlie - Yes my last comment was in reference to CF10 because the settings this.sessionconfig (and corresponding CF admin settings) were introduced in CF10.

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 02:58 PM Wednesday April 10, 2013 by Charlie Arehart
Thanks, Pete, for your response to my questions (and Richard, for your kind regards to them). @Pete, as for your last comment, was that regarding CF10? If so, I would wonder if that might be only because of the Tomcat issue you've identified. Still looking forward to Shilpi or someone at Adobe addressing the questions like that which I'd also raised yesterday.

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 02:42 PM Wednesday April 10, 2013 by Pete Freitag
@Richard - I did some quick testing and it appears that the CF admin settings, and the Application.cfc this.sessionconfig settings do not apply to JSESSIONID, they are only for CFID CFTOKEN sessions.

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 09:24 AM Wednesday April 10, 2013 by Richard Herbert
Thanks for that Pete. I agree with your preference for J2EE sessions. Thanks also to Charlie for adding questions I couldn't conceive of but wish I had! :-) @Pete, as a result, could I précis your findings in terms of ColdFusion 10 and J2EE sessions as... Due to a hardcoded implementation in Tomcat, requests made over HTTPS will always set secure=true in the JSESSIONID cookie. If the "Secure Cookie" setting in the ColdFusion Administrator "Server Settings > Memory Variables > Session Cookie Settings" is not checked (false) or this.sessioncookie.secure is set to false in Application.cfc, requests made over HTTP will always set secure=false in the JSESSIONID cookie. Therefore sites where requests flick between HTTP and HTTPS will create two JSESSIONID cookies, where one has secure=true and the other has secure=false. This will result in two disconnected sessions being created with the associated implications for session scope. That said, as I write this, would it be right to say that the "Secure Cookie" setting has no effect if the JSESSIONID is set by an HTTPS request. It will always be secure=true because Tomcat trumps your preference? Your preference will only be respected when a HTTP request is made? Would that mean that if "Secure Cookie"=true you could still keep the same session if your requests from a site flicked between HTTPS and HTTP as Tomcat would enforce secure=true for the HTTPS request and the CFAdmin setting would enforce secure=true for the HTTP request? Or am I missing something?

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 08:34 PM Tuesday April 09, 2013 by Pete Freitag
@Charlie, great questions - I'll try to answer them all here and also update the blog entry: First this finding is only specific to the J2EE session cookie (I would call it jsessionid, but you can rename it in the config if you wanted to). It does not automatically add the secure flag to other cookies set with cfcookie, or otherwise, and it does not apply to CFID CFTOKEN session cookies. When I was talking about setting session cookies on CF9/JRun - I was referring to j2ee / jsessionid cookie, you can make all jsessionid's have a secure flag by editing the jrun-web.xml file, see http://www.petefreitag.com/item/740.cfm but there is no way to do it conditionally. I need to test and see if jsessionid can be controlled via this.sessionconfig in Application.cfc, I do know that the this.sessionconfig.secure does not matter on jsessionid, but I'm not sure about the other settings. Hope that helps clarify some of this.

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 08:26 PM Tuesday April 09, 2013 by Pete Freitag
@Richard - If anything this finding is pro for using J2EE sessions from a security perspective, but you can also accomplish the same using CFID/CFTOKEN by conditionally setting the this.sessionconfig.secure=cgi.https IS "on" in your Application.cfc in CF10.

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 05:18 PM Tuesday April 09, 2013 by Charlie Arehart
Really great work there, Pete, both the understanding of the problem, and the available solutions (and workaround). Thanks for sharing it. I would ask for just a couple of clarifications, if you don't mind. First, you say in the opening paragraph that "CF10 automatically adds the secure flag to cookies when the request is over a secure HTTPS channel". Is that limited only to the session cookies (jsessionid or cfid/cftoken), or is that all cookies set from within CF? That might be interesting for some to know (if it is all cookies set in CF). Similarly, you say "CF9 and lower do not add the secure flag to your JSESSIONID cookies when the request is over HTTPS, you can set a flag to force it in all cases, but there is no way to do it conditionally." Again, is that referring only to the session cookies (jsessionid and cfid/cftoken)? Or perhaps only to jsessionid (as you state)? Or is it all cookies set from CF? I see that you have the rule changing only the jsessionid cookie, and I do realize that the crux of the problem here is that with the impact on session cookies, that's causing the loss/confusion of sessions. So any other cookies would remain as created (with respect to the secure flag), given that rule, right? Is that because you feel it's best not to tamper with other cookies, and that for most users, there would not be confusion if the rest of their cookies (sent from CF) remained unchanged with respect to this? Also, one might wonder whether the this.sessionconfig.secure=true/false (or the Admin setting) apply only to the older cfid/cftoken cookies and to JEE session cookies (jsessionid). It's not clear from here. Do you know? (And Pete, would you agree that that app.cfc setting you showed is just the app-specific implementation of the new CF 10 Admin feature, on the "Memory Variables" page, in the section "Session Cookie Settings", as the "Secure Cookie" setting? That might be worth mentioning when you discuss that application.cfc setting, or you can leave this as the way some can connect that dot, if indeed they should. I bow to your expertise in this area.) Finally, Shilpi, are those two settings (in app.cfc or the admin) SUPPOSED to be changing the processing of the session cookie, regardless of whether we are using JEE sessions or not? Someone reading this could think it applies only to cfid/cftoken. I'd hope, though, that it should apply to either kind of sessions. I do realize that even if you intended that it should, it could not on Tomcat until there's a change in that hard-coded limitation that Pete's found. Thanks to both of you for your participation in the discussion of this matter.
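
Two checks run through the comments above: whether session cookies (JSESSIONID, CFID/CFTOKEN) carry the Secure flag when issued over HTTPS and the HttpOnly flag at all, and whether the Server and X-Powered-By headers still announce the stack (the "ServerTokens Prod, ServerSignature Off" thread and Charlie's note that HackMyCF flags both). As an added example (not HackMyCF's code and not from any comment), the Python below audits one raw HTTP response for both: it parses the header block, reports identifying headers (distinguishing a bare product name from a leaked version), and reports session cookies missing HttpOnly or, when the request went over HTTPS, missing Secure. The two sample responses are constructed for the example, not captured from a real server; the hardened one shows what an IIS outbound rewrite that blanks the Server header and a Secure/HttpOnly session cookie look like on the wire.

```python
import re

# Session cookie names from the discussion above (compared case-insensitively).
SESSION_COOKIES = {"jsessionid", "cfid", "cftoken", "cfauthorization"}
# Headers whose only purpose is to name the server-side technology.
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
VERSION_RE = re.compile(r"\d+\.\d+")


def parse_head(raw: str):
    """Split a raw HTTP/1.1 response into (status line, [(name, value), ...]).
    Header names are lower-cased; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def parse_set_cookie(value: str):
    """Return (cookie name, {attribute: value}) for one Set-Cookie header value.
    Attribute names are lower-cased; bare flags such as Secure map to True."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, sep, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if sep else True
    return name, attrs


def audit_response(raw: str, over_https: bool) -> list:
    """Findings for one response. `over_https` is the scheme the request used:
    Secure is only expected on cookies issued over HTTPS, which is the whole
    point of setting it conditionally rather than for every request."""
    findings = []
    _, headers = parse_head(raw)
    for name, value in headers:
        if name in LEAKY_HEADERS and value:
            kind = "version" if VERSION_RE.search(value) else "product name"
            findings.append(f"{name} header reveals {kind}: {value}")
        elif name == "set-cookie":
            cname, attrs = parse_set_cookie(value)
            if cname.lower() not in SESSION_COOKIES:
                continue
            if "httponly" not in attrs:
                findings.append(f"{cname} cookie is missing HttpOnly")
            if over_https and "secure" not in attrs:
                findings.append(f"{cname} cookie issued over HTTPS without Secure")
    return findings


# Constructed sample responses (not captured from any real server).
UNHARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Set-Cookie: JSESSIONID=8F2A9C1E; Path=/\r\n"
    "Set-Cookie: CFID=1234; Path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: \r\n"
    "Set-Cookie: JSESSIONID=8F2A9C1E; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for finding in audit_response(UNHARDENED, over_https=True):
        print("-", finding)
    print("hardened:", audit_response(HARDENED, over_https=True) or "clean")
```

Run it against the same page fetched over http:// and https:// and compare: a JSESSIONID that is Secure on the HTTPS response but not on the HTTP one is the mixed-scheme situation Richard describes above, where the two requests end up in different sessions.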

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 04:57 AM Tuesday April 09, 2013 by Richard Herbert
Can you expand on this Pete in terms of your "ColdFusion 10 Lockdown Guide" Session Cookie Settings recommendations? Is it relevant?

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 01:05 PM Friday April 05, 2013 by Shilpi
hmmmmm i would be interested in knowing the reasoning behind it. Let's see what i get. Thanks for sharing the workaround.

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 01:03 PM Friday April 05, 2013 by Pete Freitag
Hi Shilpi, Good question -- it appears that setting secure=false has no effect, but setting secure=true does have an effect. Would be a good question to ask if you guys have some friends on the Tomcat core team. It is a good security feature, but I was surprised that there is no config option to turn it off.

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 12:57 PM Friday April 05, 2013 by Shilpi
Hi Pete, Why will Tomcat give the following configuration when it will not honor it? <cookie-config> <secure>true/false</secure> </cookie-config>

Right Click to Open Command Prompt in Directory

Posted on 09:08 PM Wednesday April 03, 2013 by Terry
How do I remove Command Prompt from ... EVERYTHING now that asks for it. I have no idea what I did to get it there but it is annoying and I don't know what to tell the damned thing. I messed around by accident and found if I used the 'explore' option it would allow me to see what's in a folder.

Working with the Datasource Service Factory

Posted on 05:41 PM Tuesday March 12, 2013 by Irina
Maybe it's just me, but I never use the StructNew() syntax to make structs: var myStruct = {}; myStruct["key"] = value; myStruct.foo = bar; I feel a table is an invalid way to describe a struct. It's a key-value store and nothing more. It's equivalent to an Object in JavaScript and a HashMap in Java. I bring those two up specifically because you can JsonSerialize your struct into a JSON object, and the HashMap because a ColdFusion Struct IS (by inheritance) a Java HashMap that takes a simple value as a key and anything as a value. You can actually call the Java methods of a HashMap on your struct. Furthermore, this means you get all the nice utility classes from Java that take HashMaps as a parameter. NOTE: cfscript is where it's at.

JavaScript Confirm Modal using Bootstrap

Posted on 06:51 AM Tuesday March 12, 2013 by Elvis
Perfect, works like a charm as a replacement for the onclick="return confirm(... Could you give me any advice on how to use this method for my JavaScript confirms as well? Example: if(confirm('blah blah')){ do this and that } Greetings from Germany!

HTML5 SQL DB vs localStorage

Posted on 02:24 AM Tuesday March 12, 2013 by Phillip Senn
You're using openDatabaseSync without using workers. Is that permissible?

Changing the ColdFusion CFIDE Scripts Location

Posted on 11:23 AM Thursday March 07, 2013 by Pete Freitag
Paul, one way is to run your server against http://hackmycf.com/ - this is our tool that will make lots of requests to your server and look for lots of CF specific vulnerabilities, including if /cfide/scripts is in the default location, and if you didn't lock down CF administrator properly, etc. We also have paid plans that let you schedule scans on a daily, weekly, monthly, quarterly basis starting at $10/month. That way you can get notified if you do something on your server that opens it back up again.

Changing the ColdFusion CFIDE Scripts Location

Posted on 12:21 AM Thursday March 07, 2013 by Paul
Thanks for these instructions (and the hardening guide). We have been implementing changes, but I wondered - is there an easy way to test if changes are working correctly? i.e. if /cfide/scripts is still exposed?

LIMIT and OFFSET SQL Pagination

Posted on 09:10 AM Wednesday March 06, 2013 by Laxmidhar Sahoo
I want to retrieve the results backward; how could I use LIMIT and OFFSET for that? Is there any way to use it?

Session Loss and Session Fixation in ColdFusion

Posted on 03:30 AM Monday March 04, 2013 by Julian Halliwell
Hi Pete There's another scenario where the session fixation patch can lead to session loss: conditional manual setting of session cookies. See http://cfsimplicity.com/4/coldfusion-security-hotfix-changes-session-behaviour

Returning TOP N Records

Posted on 05:19 AM Tuesday February 26, 2013 by ogi
Informix: SELECT FIRST 10 [SKIP 20] column FROM table

REST vs SOAP Web Services

Posted on 10:38 PM Monday February 25, 2013 by joe
tom... we're in the middle of building a tool to download and import patents from uspto. contact info_at_createtank_dot_com to discuss

REST vs SOAP Web Services

Posted on 05:37 PM Monday February 25, 2013 by tom
I'm looking to find someone to help me build a program to download patents from the different patent websites like the USPTO and EPO.

Returning TOP N Records

Posted on 06:55 AM Friday February 22, 2013 by Jim
Meanwhile, Firebird supports getting arbitrary rows too, akin to PostgreSQL/MySQL: SELECT column FROM table LIMIT 10 OFFSET 20. In Firebird 2 (released a long time ago) and newer, it's SELECT column FROM table ROWS 20 TO 30

Moving a Subversion Repository to Another Server

Posted on 10:22 AM Tuesday February 19, 2013 by Donnie
plz disregard last, I had a misconfigured conf.d file