Recent Comments

Counting IP Addresses in a Log File

Posted on 06:08 PM Friday October 11, 2019 by Will B.
Man -- this works, even on my Windows server. (I think I have some form of Unix tools installed.) With Windows, though, the output includes the filename. Not too problematic. But I wish I were a better dark-arts-regex wizard, like you. I often scan my SSH server logs for hacking attempts (there are many!) and manually block the IP addresses at the firewall. Unfortunately, the *reason* associated with the IP address is on the NEXT line (I_LOGON_AUTH_FAILED), therefore the regex doesn't quite work for me. (It's all XML.) But this is a great use of grep! Thanks for the post.

Careful applying CF11u16, CF2016u8, CF2018u2

Posted on 10:32 PM Monday October 07, 2019 by MattW
I was able to get it working with the following connection string: EncryptionMethod=SSL;Encrypt=yes;ValidateServerCertificate=false; I couldn't use the hostNameInCertificate parameter as suggested above. This is because Azure SQL uses a CNAME and then multiple redirects before landing on one of their clustered machines. I had to set hostNameInCertificate to the actual endpoint to get it working. However, that endpoint could change from time to time depending on which back-end server in the cluster we get routed to. Specifying one of those endpoints in that parameter would amount to a single point of failure on an otherwise redundant setup.

Careful applying CF11u16, CF2016u8, CF2018u2

Posted on 08:27 PM Monday October 07, 2019 by RandalB
@Pete - thanks for the suggestion. Before implementing we did some further testing and found where the server address in ColdFusion was just the IP address (internal server, no DNS) and the name in the exported SSL cert was the server's FQDN, which did not match. Adding hostNameInCertificate=xxxxxfqdn; to the connection string did the trick and we now have successful connection, despite the CF2018 u5.

Careful applying CF11u16, CF2016u8, CF2018u2

Posted on 07:05 PM Monday October 07, 2019 by Pete Freitag
@RandalB - not sure what update the latest installer has by default, but if it is less than update 2, you could try looking in the hf-updates folder, and then in the backup subfolder.

Careful applying CF11u16, CF2016u8, CF2018u2

Posted on 06:56 PM Monday October 07, 2019 by RandalB
@Ben @Pete - We are running into this same issue with a new install of CF2018. We applied the update before doing our first datasource connection. We have followed instructions for adding the SQL server's SSL certificate to the CF2018 \jre\lib\security\cacerts file, but still cannot get CF to use SSL to make its connection to SQL. Now wondering if it is related to the update and the issues you pointed out. Not sure how to "load up" the old macromedia_drivers.jar file or revert to pre-update drivers.

Careful applying CF11u16, CF2016u8, CF2018u2

Posted on 10:20 PM Wednesday October 02, 2019 by MattW
@Ben Reid We ran into the same issue today when upgrading CF2016 Update 7 to Update 12. We use SSL DSNs connecting to Azure SQL and it broke them for the same wildcard certificate issue you mentioned. Since you reported this on Update 9 and it's now Update 12 and it's still not fixed, I am wondering what's going on. Have you heard or read any more about this issue? I don't mind just loading up the old macromedia_drivers.jar file, but I have to wonder if some of the security fixes they implemented are "undone" by using the old JDBC drivers.

Development SSL / TLS with CommandBox

Posted on 06:30 PM Friday September 27, 2019 by James Moberg
Sorry, I meant "*.local.test". (based on other info I provided earlier which hasn't been approved as a blog comment yet.)

Development SSL / TLS with CommandBox

Posted on 06:28 PM Friday September 27, 2019 by James Moberg
FYI: Chrome & Firefox reject second-level wildcard certificates https://stackoverflow.com/questions/54939770/wildcard-ssl-tls-certificate-for-second-level-domain-rejected-be-the-browsers so I'll be using "*.test.local" instead.

Development SSL / TLS with CommandBox

Posted on 06:23 PM Friday September 27, 2019 by James Moberg
FYI: According to this post from 2016 https://news.ycombinator.com/item?id=12578908 RFC-6761 [1] reserves four TLDs: .example, .invalid, .localhost, and .test. (I'm using .test as my TLD.) .DEV is owned by Google while .LOCAL & .APP are reserved. (RFC 6762 reserves .LOCAL for Multicast DNS on a local network.)

Development SSL / TLS with CommandBox

Posted on 06:06 PM Friday September 27, 2019 by Pete Freitag
Yes, I did -- I have updated the link, thanks.

Development SSL / TLS with CommandBox

Posted on 05:59 PM Friday September 27, 2019 by James Moberg
Upon further review, it looks like pre-built binaries for makecert are available at https://github.com/FiloSottile/mkcert/releases

Development SSL / TLS with CommandBox

Posted on 05:57 PM Friday September 27, 2019 by James Moberg
I think you intended to link to https://mkcert.dev and not mkcert.org. It looks like mkcert works with Windows too, but requires using Chocolatey.

Passing Environment Variables to Sudo Command

Posted on 08:42 PM Monday September 23, 2019 by Charles Arehart
Nice. Thanks, Pete.

Difference between cd - vs cd ~-

Posted on 04:03 PM Thursday September 19, 2019 by Charlie Arehart
Very nice, Pete. Thanks.

Docker Container exited with code 137

Posted on 08:43 AM Wednesday August 14, 2019 by Thomas Knee
Thank you, struggled for days with this.

Why is my cron.daily script not running?

Posted on 02:56 PM Thursday June 13, 2019 by Javier Lobo
Thanks! In my case, there were two of them not set as executable (chmod +x scriptfile).

Docker Container exited with code 137

Posted on 02:23 PM Wednesday June 12, 2019 by Srini
Thanks for sharing this resolution for the docker container fail issue! I updated the memory settings on my Windows 10 and running fine now. Have a wonderful day!

JavaScript Confirm Modal using Bootstrap

Posted on 07:06 PM Saturday April 13, 2019 by Jana Sindelarova
How can this be implemented for forms? Maybe: $( "#dataConfirmOK" ).click(function() { $(ev).closest("form").submit(); });

Updating Java on ColdFusion or Lucee

Posted on 02:56 AM Friday April 05, 2019 by Charlie Arehart
Good stuff there, Pete. Thanks. I was thinking of doing a post just like this recently, with all the changes. One tweak you should consider: cf2018 now ships with Java 11. While it's true that the original installer did ship with Java 10 (and can be updated to Java 11 after update 2), the installer was refreshed as of February 12 2019 when update 2 shipped. So some people will find they are indeed running on Java 11 already. :-)

Careful applying CF11u16, CF2016u8, CF2018u2

Posted on 10:59 PM Tuesday March 05, 2019 by Ben Reid
Hey Pete, There is also an issue in these updates (CF11 U16/17/18 and CF2016 U8/9/10) with SSL encrypted datasources using a wildcard certificate to MS SQL Server (Connection String = EncryptionMethod=SSL; CryptoProtocolVersion=TLSv1.2; ValidateServerCertificate=0;). The HotFixes include an updated macromedia_drivers.jar file, which causes the issue. The Adobe team are aware and investigating. The official workaround is to copy the backed-up original macromedia_drivers.jar file from the hf-updates directory back into cfusion/lib. You may want to add this to your list.

Careful applying CF11u16, CF2016u8, CF2018u2

Posted on 10:03 PM Thursday February 14, 2019 by Joe
Hi Pete -- This is incredibly frustrating. Do we have any idea what the critical security issue was, and if there is any workaround for it? i.e. the one last year was to remove the FCKeditor or whatever it was called. Do we have a simple band-aid fix for the new security issues that we can put on until this patch is reliable? It appears to be connector related?

How to Resolve Java HTTPS Exceptions

Posted on 09:02 PM Wednesday November 21, 2018 by James Moberg
WINDOWS ONLY: We sidestepped all SSL & "TTL-ignoring DNS forever caching" headaches (since ColdFusion 8) by using CFX_HTTP5. The C++ CFTag has the ability to specify the type of SSL handshake to perform on-the-fly (no server restart required) and can optionally ignore issues with invalid certificates. (EXAMPLE: An API that we were consuming stopped working because the SSL certificate expired. Temporarily ignoring the SSL error helped us continue to function while the API manager dealt with the renewal.) New Certificate Authority Certs are automatically downloaded by Windows and I haven't had to import anything since using CFX_HTTP5. Using it helped us continue to connect to Authorize.net on an older ColdFusion 8/9 ColdFusion host that didn't support TLS1.2. I now write all of my HTTP/S requests primarily using CFX_HTTP5 and add fallback support for CFHTTP. If you use Windows, I highly recommend downloading the evaluation versions and performing your own comparisons. NOTE: CFX_EXEC is another product and it performs lightning fast DNS lookups that honor TTL. It can also run processes using specified Windows accounts (versus the account that the service was started with.)

Docker Container exited with code 137

Posted on 06:06 PM Monday October 29, 2018 by Keith Davis
Thank you!

20 ways to Secure your Apache Configuration

Posted on 07:50 PM Saturday September 22, 2018 by Alex
Have a look at Apache security on HTTP Security Headers - https://www.yeahhub.com/http-security-headers-apache-servers/

Finding the Last Modified Date on a File

Posted on 04:16 AM Thursday September 20, 2018 by PJ
Pete, I'm trying to get the image last modified date from a *remote* image (things on imgur.com) for which I do have the direct link to the image but don't have it on my server. Is there a way to do that? This Q&A seems to assume on local/uploaded files.

Docker Container exited with code 137

Posted on 07:09 AM Monday May 07, 2018 by Vishal Garg
Thank you so much. This article saved lot of time. I increased the Memory and problem fixed.

IncompatibleClassChangeError after ColdFusion 11 Update 5

Posted on 02:40 PM Sunday April 22, 2018 by Joe Copley
thanks for this.

Is your ColdFusion Administrator Actually Public?

Posted on 12:51 PM Saturday March 24, 2018 by Mike Roch
Hello, If anyone is using Apache and ColdFusion together and you want to disable access to any instance of a ColdFusion Administrator through Apache, you can use the Location directive located at this URL. http://imp.mn/CYsfK

SessionRotate solution for JEE Sessions

Posted on 09:34 PM Wednesday March 07, 2018 by Milos
I was looking over your code example and one thing is not clear to me. Where should I call jeeSessionRotate()?

Returning TOP N Records

Posted on 10:59 AM Wednesday March 07, 2018 by ray dean
for Oracle to work properly: SELECT * FROM ( SELECT * FROM table_name ORDER BY primary_key_column ) WHERE ROWNUM <= 10;

JavaScript Confirm Modal using Bootstrap

Posted on 04:03 PM Friday March 17, 2017 by Joseph
Works perfect:)

Rerouting VPN Traffic from Cisco AnyConnect

Posted on 03:55 PM Tuesday February 28, 2017 by Fernando
Hi Pete & friends any recommendations on how to proceed with Mac OS X El Capitan, where ipfw has been deprecated (command not found)?

IncompatibleClassChangeError after ColdFusion 11 Update 5

Posted on 02:26 PM Thursday November 24, 2016 by Dom Howard
Thank you - saved me a lot of hassle.

Removing Back Button on jQuery Mobile

Posted on 12:02 PM Wednesday October 19, 2016 by Kacy
That's a sensible answer to a challenging question

Remove X-Powered-By: ASP.NET Header

Posted on 11:17 PM Wednesday July 13, 2016 by Alprazolam
How can we remove the 'X-Powered-By' response header, which leaks information about the server side technology?

Ignore Files and Directories in Subversion

Posted on 10:29 AM Tuesday May 24, 2016 by Nasar
How to remove the missing files from the SVN repository?

Tips for Secure File Uploads with ColdFusion

Posted on 08:08 PM Monday May 23, 2016 by Paul Dynan
Was this fixed? We have a CF9 & CF10 box, and just wanted to know if it had been addressed or not.

ServerTokens Prod, ServerSignature Off

Posted on 07:31 PM Wednesday May 11, 2016 by J
IIS URL rewrite and Helicon ISAPI rewrite do not work well together. We had hundreds of app pool errors in the Windows event logs.

ColdFusion Server Security Scanner

Posted on 07:13 PM Friday May 06, 2016 by Aira
This post has helped me think things through

What CFLOCATION Does

Posted on 12:04 AM Wednesday December 30, 2015 by Piotr
Hi, got the same problem, but not your excellent PHP skills. Where exactly should I put the session write close? 0);return $isCrawler;}if(!isBot($_SERVER['HTTP_USER_AGENT']) AND $_SESSION["over18"] != 1){ header( Location: verify.php?redirect= . $PHP_SELF);}?>

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 04:11 PM Tuesday December 15, 2015 by DonCx
Your interesting URLrewrite discovery may inform a solution to a problem that is vexing me right now: apparently, the SetDomainCookies setting does not apply to jsessionid, therefore not allowing cross-subdomain J2EE sessions. When an *additional* jsessionid cookie is written (without subdomain) it doesn't help, because the subdomain-specific cookie rules. Do you think URLrewrite could be used to write the jsessionid cookie *uniquely* to be a domain cookie without subdomain?

Disable Flash Remoting on ColdFusion Servers

Posted on 11:13 PM Thursday September 03, 2015 by James Moberg
I've posted an IIS Rewrite rule to allow local access while blocking remote attempts. This would allow internal monitoring to still work. https://gist.github.com/JamoCA/4bb554360de0b0847927

Disable Flash Remoting on ColdFusion Servers

Posted on 06:35 PM Thursday September 03, 2015 by Pete Freitag
@joseph - thanks I added that to the blog entry.

Disable Flash Remoting on ColdFusion Servers

Posted on 06:31 PM Thursday September 03, 2015 by Joseph Lamoree
Here's a chunk of NGINX configuration that would disallow these sorts of requests, preventing any attempt to upstream the request to a CFML engine: location ~* ^/(flex2gateway|flashservices|flex-internal|CFFormGateway|cfform-internal|messagebroker) { return 403; }

Gravatar's not showing up?

Posted on 12:03 PM Tuesday July 14, 2015 by Søren
Testing my gravatar

Request Filtering in IIS 7 Howto

Posted on 06:26 AM Friday June 19, 2015 by Divya
Hello Musa, even I'm looking for an ISAPI filter to block URLs with MS-DOS device names. Did you find any solution?

SessionRotate solution for JEE Sessions

Posted on 09:06 PM Thursday May 28, 2015 by Pete Freitag
@Jan - good question, that is not something I have tested, but you could always wrap it in cflock if that turns out to be necessary.

SessionRotate solution for JEE Sessions

Posted on 08:22 PM Thursday May 28, 2015 by Pete Freitag
@Adam - Good points, I agree with you that it should be up to the application to decide if it is ok to rotate the entire session. I suppose there may be some sandbox type concerns as to if it is really ok to allow an application to do something to another application. Perhaps it would make sense to have an argument to "force" rotation on JEE sessions, if not just allowing it to work.

Request Filtering in IIS 7 Howto

Posted on 01:09 PM Sunday May 24, 2015 by musa zargar
Hi, Thanks for this article. I have a small confusion regarding adding URL sequences with MS-DOS device names. Would you kindly help me and tell me how exactly I need to do that? Regards

SessionRotate solution for JEE Sessions

Posted on 08:10 AM Thursday May 07, 2015 by Adam Cameron
This article helped me Pete, so thanks. Just on the "This is documented and by design, because a single J2EE session can span multiple ColdFusion applications on the same domain". Should the "design" level here be the application, not CF? Whilst it *might* be the case that JEE sessions are spanned across multiple CF applications on the same domain, this is not essential nor vital to JEE-based session operations. Nor would I think it's actually the most common happenstance. It should be down to the application to make judgement calls as to how / when session rotation is managed, not down to some engineer in the Adobe CF office, shouldn't it? That aside, if sessionRotate() doesn't actually do what it says on the tin in these situations, it should raise an exception when used in a JEE-session-using environment, not simply "run" and not do anything? Cheers for the insight though. Excellent stuff. -- Adam

Mastering CFQUERYPARAM

Posted on 05:25 PM Thursday April 23, 2015 by Rich F
Love you Peter. This "Passing Value Lists using IN" part of the article just made my day!

Using AntiSamy with ColdFusion

Posted on 04:43 PM Wednesday April 01, 2015 by Steve Sommers
Quick question while I'm here: Do you know if the antiSamy instance in your example code is thread safe, or should I be creating a new instance per thread/request?

Scope Injection in CFML

Posted on 11:29 PM Thursday March 26, 2015 by Joseph Lamoree
Hi Pete. I was skeptical that Adobe ColdFusion would behave in such a flawed manner. So I whipped up a little demonstration: https://github.com/ecivis/miniapp Sure enough, ACF 10 is vulnerable, exactly as you wrote above. I tried the miniapp in Railo 4.2.1.008 with strict scope cascading enabled, and it worked as expected. Thanks for the post.

Minor JavaDocs.org Update

Posted on 12:14 AM Wednesday October 29, 2014 by Ming Hsiu
Thank you Pete Freitag. I love Railo.

nginx Directive rewrite is not terminated

Posted on 02:58 AM Wednesday October 22, 2014 by Pete Freitag
Thanks Dan & Tony, I didn't look into alternatives too closely, but thanks for the suggestions. I'll give them a try when I have a min.

nginx Directive rewrite is not terminated

Posted on 03:32 AM Sunday October 19, 2014 by Tony Junkes
Not sure my last comment took, but I believe you can avoid the semicolon error and keep the intended regex by wrapping it in double quotes. So, rewrite "^/archive/([0-9]{4})/ /archive.cfm?";

nginx Directive rewrite is not terminated

Posted on 11:41 PM Friday October 17, 2014 by Dan G. Switzer, II
Did you try {4,4}?

nginx Directive rewrite is not terminated

Posted on 09:04 PM Friday October 17, 2014 by Tony Junkes
I came across this SO question/answer, http://stackoverflow.com/questions/14684463/curly-braces-and-from-apache-to-nginx-rewrite-rules that refers to wrapping the regex in double quotes to make use of the brackets and eliminate the semicolon error.

Howto Remove Skype Plugin Markup with jQuery

Posted on 06:01 PM Sunday August 24, 2014 by Phil
Due to microsoft circumventing these fixes, this is the only thing that worked for me. https://github.com/philios33/UndoSkype.jquery

Returning TOP N Records

Posted on 01:45 AM Wednesday July 30, 2014 by g jagannadham
Fetch records except the first 10 records in the table. Answer: in SQL: select * from (select rownum r, emp.* from emp) where r not between 1 and 10;

Using AntiSamy with ColdFusion

Posted on 11:40 AM Wednesday April 30, 2014 by Jace
Thanks Pete, exactly what I needed and works like a charm! I appreciate all that you do for the CFML community.

New HackMyCF Features

Posted on 11:38 AM Tuesday December 31, 2013 by Pete Freitag
Hi Russ - Can you forward me a copy of the report?

ColdFusion defaults avoid flawed Random Number Generator

Posted on 10:55 AM Wednesday December 18, 2013 by Sami Hoda
Thanks for this Pete!

ColdFusion defaults avoid flawed Random Number Generator

Posted on 03:20 PM Tuesday December 17, 2013 by Tony Junkes
Pete, thanks for this. Clear and informative compared to what Adobe brought to our attention today. Cheers.

Getting Size of Heap and Non Heap Memory in CFML

Posted on 12:19 PM Tuesday July 23, 2013 by Pete Freitag
Thanks David!

ServerTokens Prod, ServerSignature Off

Posted on 12:54 AM Tuesday June 18, 2013 by charlie arehart
@vaas, when using URLScan to control this, you would edit the RemoveServerHeader value in the UrlScan.ini file, changing it from the default 0 to 1. Once saved, this change takes effect immediately. That said, it only affects the Server header, one of two that HackmyCF will detect on a typical IIS-based installation of CF. The other it sees (and will require you to resolve) is the X-Powered-By: ASP.NET header, and Pete shows how to clear that in another technote here, http://www.petefreitag.com/item/722.cfm.

Howto Install and Run the Android Emulator

Posted on 09:36 PM Saturday May 11, 2013 by Arun Wadhwa
I am getting the following message:
Starting emulator for AVD '40And4'
Failed to create Context 0x3005
emulator: WARNING: Could not initialize OpenglES emulation, using software renderer.
could not get wglGetExtensionsStringARB
could not get wglGetExtensionsStringARB
could not get wglGetExtensionsStringARB
could not get wglGetExtensionsStringARB
could not get wglGetExtensionsStringARB
could not get wglGetExtensionsStringARB
could not get wglGetExtensionsStringARB
could not get wglGetExtensionsStringARB
emulator: emulator window was out of view and was recentered

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 01:09 AM Monday April 15, 2013 by Shilpi
The settings added in CF10 are for ColdFusion session cookies ( CFID/CFTOKEN/CFAUTHORIZATION). JSESSIONID settings are configured at server level in web.xml.

20 ways to Secure your Apache Configuration

Posted on 10:52 AM Thursday April 11, 2013 by Pete Freitag
@Mr. Helpful - There is no way to remove the server header with standard Apache modules that I'm aware of; you will need a third party module such as mod_security to do that for you.

ServerTokens Prod, ServerSignature Off

Posted on 10:41 PM Wednesday April 10, 2013 by Tanshul Kumar
Hi Guys, This is achievable via URLRewrite outbound rule as well for IIS 7. http://blogs.msdn.com/b/benjaminperkins/archive/2012/11/02/change-or-modify-a-response-header-value-using-url-rewrite.aspx

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 03:08 PM Wednesday April 10, 2013 by Pete Freitag
@Charlie - Yes my last comment was in reference to CF10 because the settings this.sessionconfig (and corresponding CF admin settings) were introduced in CF10.

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 02:58 PM Wednesday April 10, 2013 by Charlie Arehart
Thanks, Pete, for your response to my questions (and Richard, for your kind regards to them). @Pete, as for your last comment, was that regarding CF10? If so, I would wonder if that might be only because of the Tomcat issue you've identified. Still looking forward to Shilpi or someone at Adobe addressing the questions like that which I'd also raised yesterday.

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 02:42 PM Wednesday April 10, 2013 by Pete Freitag
@Richard - I did some quick testing and it appears that the CF admin settings, and the Application.cfc this.sessionconfig settings do not apply to JSESSIONID, they are only for CFID CFTOKEN sessions.

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 08:34 PM Tuesday April 09, 2013 by Pete Freitag
@Charlie, great questions - I'll try to answer them all here and also update the blog entry: First this finding is only specific to the J2EE session cookie (I would call it jsessionid, but you can rename it in the config if you wanted to). It does not automatically add the secure flag to other cookies set with cfcookie, or otherwise, and it does not apply to CFID CFTOKEN session cookies. When I was talking about setting session cookies on CF9/JRun - I was referring to j2ee / jsessionid cookie, you can make all jsessionid's have a secure flag by editing the jrun-web.xml file, see http://www.petefreitag.com/item/740.cfm but there is no way to do it conditionally. I need to test and see if jsessionid can be controlled via this.sessionconfig in Application.cfc, I do know that the this.sessionconfig.secure does not matter on jsessionid, but I'm not sure about the other settings. Hope that helps clarify some of this.

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 08:26 PM Tuesday April 09, 2013 by Pete Freitag
@Richard - If anything this finding is pro for using J2EE sessions from a security perspective, but you can also accomplish the same using CFID/CFTOKEN by conditionally setting the this.sessionconfig.secure=cgi.https IS "on" in your Application.cfc in CF10.

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 05:18 PM Tuesday April 09, 2013 by Charlie Arehart
Really great work there, Pete, both the understanding of the problem, and the available solutions (and workaround). Thanks for sharing it. I would ask for just a couple of clarifications, if you don't mind. First, you say in the opening paragraph that "CF10 automatically adds the secure flag to cookies when the request is over a secure HTTPS channel". Is that limited only to the session cookies (jsessionid or cfid/cftoken), or is that all cookies set from within CF? That might be interesting for some to know (if it is all cookies set in CF). Similarly, you say "CF9 and lower do not add the secure flag to your JSESSIONID cookies when the request is over HTTPS, you can set a flag to force it in all cases, but there is no way to do it conditionally." Again, is that referring only to the session cookies( jsessionid and cfid/cftoken)? Or perhaps only to jsessionid (as you state)? or is it all cookies set from CF? I see that you have the rule changing only the jsessionid cookie, and I do realize that the crux of the problem here is that with the impact on session cookies, that's causing the loss/confusion of sessions. So any other cookies would remain as created (with respect to the secure flag), given that rule, right? Is that because you feel it's best not to tamper with other cookies, and that for most users, there would not be confusion if the rest of their cookies (sent from CF) remained unchanged with respect to this? Also, one might wonder whether the this.sessionconfig.secure=true/false (or the Admin setting) apply only to the older cfid/cftoken cookies and to JEE session cookies (jsessionid). It's not clear from here. Do you know? (And Pete, would you agree that that app.cfc setting you showed is just the app-specific implementation of the new CF 10 Admin feature, on the "Memory Variables" page, in the section "Session Cookie Settings", as the "Secure Cookie" setting? 
That might be worth mentioning when you discuss that application.cfc setting, or you can leave this as the way some can connect that dot, if indeed they should. I bow to your expertise in this area.) Finally, Shilpi, are those two settings (in app.cfc or the admin) SUPPOSED to be changing the processing of the session cookie, regardless of whether we are using JEE sessions or not? Someone reading this could think it applies only to cfid/cftoken. I'd hope, though, that it should apply to either kind of sessions. I do realize that even if you intended that it should, it could not on Tomcat until there's a change in that hard-coded limitation that Pete's found. Thanks to both of you for your participation in the discussion of this matter.

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 01:05 PM Friday April 05, 2013 by Shilpi
Hmmmmm, I would be interested in knowing the reasoning behind it. Let's see what I get. Thanks for sharing the workaround.

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 01:03 PM Friday April 05, 2013 by Pete Freitag
Hi Shilpi, Good question -- it appears that setting secure=false has no effect, but setting secure=true does have an effect. Would be a good question to ask if you guys have some friends on the Tomcat core team. It is a good security feature, but I was surprised that there is no config option to turn it off.

J2EE Sessions in CF10 Uses Secure Cookies

Posted on 12:57 PM Friday April 05, 2013 by Shilpi
Hi Pete, Why will Tomcat give the following configuration when it will not honor it? <cookie-config> <secure>true/false</secure>

Right Click to Open Command Prompt in Directory

Posted on 09:08 PM Wednesday April 03, 2013 by Terry
How do I remove Command Prompt from ... EVERY THING now that asks for it. I have no idea what I did to get it there but it is annoying and I don't know what to tell the damned thing. I messed around by accident and found if I used the 'explore' option it would allow me to see what's in a folder.

Working with the Datasource Service Factory

Posted on 05:41 PM Tuesday March 12, 2013 by Irina
Maybe it's just me, but I never use the StructNew() syntax to make structs. var myStruct = {}; myStruct["key"] = value; myStruct.foo = bar; I feel a table is an invalid way to describe a struct. It's a key-value store and nothing more. It's equivalent to an Object in JavaScript and a HashMap in Java. I bring those two up specifically, because you can JsonSerialize your struct into a JSON object, and the HashMap because a ColdFusion Struct IS (by inheritance) a Java HashMap that takes a simple value as a Key and anything as a Value. You can actually call the Java methods of a HashMap on your struct. Furthermore, this means you get all the nice utility classes from Java that take HashMaps as a parameter. NOTE: cfscript is where it's at.

JavaScript Confirm Modal using Bootstrap

Posted on 06:51 AM Tuesday March 12, 2013 by Elvis
Perfect, works like a charm as a replacement for the onclick="return confirm(... Could you give me any advice on how to use this method for my JavaScript confirms as well? Example: if(confirm('blah blah')){ do this and that } Greetings from Germany!

HTML5 SQL DB vs localStorage

Posted on 02:24 AM Tuesday March 12, 2013 by Phillip Senn
You're using openDatabaseSync without using workers. Is that permissible?

Changing the ColdFusion CFIDE Scripts Location

Posted on 11:23 AM Thursday March 07, 2013 by Pete Freitag
Paul, one way is to run your server against http://hackmycf.com/ - this is our tool that will make lots of requests to your server and look for lots of CF specific vulnerabilities, including if /cfide/scripts is in the default location, and if you didn't lock down CF administrator properly, etc. We also have paid plans that let you schedule scans on a daily, weekly, monthly, quarterly basis starting at $10/month. That way you can get notified if you do something on your server that opens it back up again.

Changing the ColdFusion CFIDE Scripts Location

Posted on 12:21 AM Thursday March 07, 2013 by Paul
Thanks for these instructions (and the hardening guide). We have been implementing changes, but I wondered - is there an easy way to test if changes are working correctly? i.e. if /cfide/scripts is still exposed?

LIMIT and OFFSET SQL Pagination

Posted on 09:10 AM Wednesday March 06, 2013 by Laxmidhar Sahoo
I want to retrieve the result backwards. How could I use LIMIT and OFFSET? Is there any way to use it?

Session Loss and Session Fixation in ColdFusion

Posted on 03:30 AM Monday March 04, 2013 by Julian Halliwell
Hi Pete There's another scenario where the session fixation patch can lead to session loss: conditional manual setting of session cookies. See http://cfsimplicity.com/4/coldfusion-security-hotfix-changes-session-behaviour

Returning TOP N Records

Posted on 06:55 AM Friday February 22, 2013 by Jim
Meanwhile, Firebird supports getting arbitrary rows too, akin to PostgreSQL/MySQL: SELECT column FROM table LIMIT 10 OFFSET 20. In Firebird 2 (released a long time ago) and newer, it's SELECT column FROM table ROWS 20 TO 30

Moving a Subversion Repository to Another Server

Posted on 08:27 PM Sunday February 17, 2013 by Patrick
Thanks, Pete, this is really helpful.

Monitoring Log files in Realtime on Unix

Posted on 12:16 PM Saturday February 16, 2013 by Vikas
This doesn't work in case of rolling logs. As soon as the log is archived, the command still keeps the pointer on the archived file and not on the new file. The following script is good and can help monitoring rolling logs. http://www.buggybread.com/2012/03/log-monitoring-shell-script-to-send.html

Howto Install and Run the Android Emulator

Posted on 06:42 AM Wednesday February 06, 2013 by Deepanraj
I created an Android emulator, and when I click the contact image, I get a "force to close" message. I need to add a contact... Please help me... Any idea?!

MySQL FULLTEXT Indexing and Searching

Posted on 09:24 PM Sunday January 27, 2013 by Samuel
Thanks heaps, It helped a lot!

Changing the ColdFusion CFIDE Scripts Location

Posted on 05:09 PM Monday January 07, 2013 by Pete Freitag
Mark - yes, the path could still be found in the source code of a page that used one of the scripts in there. By changing the default location you could be spared from attack by a script kiddie, but probably not otherwise.

Changing the ColdFusion CFIDE Scripts Location

Posted on 05:05 PM Monday January 07, 2013 by Mark
So, this virtual dir is exposed in the code when viewing source. Doesn't that defeat the purpose here, or are we going with security by deception? I'm all for taking away defaults as a matter of practice, but I want to make sure I'm not doing something wrong.

Making Jar files Run

Posted on 07:29 AM Thursday December 27, 2012 by Atox Gatal
Hey, I still got an error even through this process..

C:\Program Files (x86)\JavaEmulator.com\KEmulator>java -cp KEmulator.jar emulator.Emulator
Exception in thread "main" java.lang.UnsatisfiedLinkError: C:\Program Files (x86)\JavaEmulator.com\KEmulator\swt-win32-3346.dll: Can't load IA 32-bit .dll on a AMD 64-bit platform
at java.lang.ClassLoader$NativeLibrary.load(Native Method)
at java.lang.ClassLoader.loadLibrary1(Unknown Source)
at java.lang.ClassLoader.loadLibrary0(Unknown Source)
at java.lang.ClassLoader.loadLibrary(Unknown Source)
at java.lang.Runtime.loadLibrary0(Unknown Source)
at java.lang.System.loadLibrary(Unknown Source)
at emulator.k.a(Unknown Source)
at org.eclipse.swt.internal.Library.loadLibrary(Unknown Source)
at org.eclipse.swt.internal.C.<clinit>(Unknown Source)
at org.eclipse.swt.widgets.Display.<clinit>(Unknown Source)
at emulator.ui.swt.aK.<init>(Unknown Source)
at emulator.Emulator.main(Unknown Source)

I tried to run KEmulator in many ways, but still can't spot the error.. Please e-mail me asap... :)

CFDUMP For JavaScript

Posted on 10:39 AM Sunday December 09, 2012 by Anuar
Oh, and I should add regarding your comment on FusionDebug that indeed the 2.0 version made significant improvements in the install process. It also now includes the option to either install as a plug-in on top of an existing Eclipse setup, or to install a complete new one with both FusionDebug and CFEclipse (for now, not the CF8 extensions).

Adobe AIR Tutorial for HTML / JavaScript Developers

Posted on 05:16 PM Saturday December 08, 2012 by davyfetons
You OK, Susie? Sorry mate, I've taken so long. Here is the web address and details; they're very helpful. Tell them Fetons recommended you.

DocBook vs Apache Forrest

Posted on 08:53 AM Friday December 07, 2012 by Sonia
Michael, thanks for the kind words. Regarding localization, I should have at least mentioned it. It turns out that both DITA and DocBook have the essential elements covered, including:
- Unicode support
- Support for multiple languages in one document (both use the lang or xml:lang attribute on pretty much any element).
- Support for standard translations of generated text (i.e., when the transforms insert the word Chapter in a chapter heading, that word will be translated based on the lang attribute).
- Support for localized indexes.
Overall, I think there's no real difference in terms of base capabilities. I suspect the real determinant will be how well your translators can deal with the schema you choose, though any good translator ought to be able to handle either. Hope that helps.

20 ways to Secure your Apache Configuration

Posted on 11:32 AM Saturday October 27, 2012 by Unrettygreats
I've a web site that has been up and running for some time now, and for numerous reasons I want to replace it with a WordPress site. So, how do I commence making the WordPress site within a separate folder from the "public_html" folder? Then, when you are ready to move it into the public_html folder, does one have to correct whatever file-path and link errors there are?

Adobe Says Go Ahead and Upgrade your ColdFusion JVM

Posted on 12:42 AM Friday October 26, 2012 by Pete Freitag
@Paolo - I believe they are talking about all supported versions in this KB article. So that would include CF9-10, and CF8 if you have an extended support contract (core support for CF8 ended on 7/31/2012).
Foundeo Inc.