date:20120306


Hi all,

Apologies for the completely OT posting, but I'm in desperate need for a
solution.

Until recently I have been hosting a discussion maillist for one of my
customers.  Subscription is required for membership of the list and there is
also an opt-in option on the member profile.  So on a daily basis the
subscriber list is recompiled based on subscriptions.

I need to move the mail list off my own mail server and I am looking for a
host with an API (or some other interface, could be SOAP) facility to manage
the subscriber list.

Any ideas please?


Jenny Gavin-Wear
Fast Track Online
http://www.fasttrackonline.co.uk/



--
I am using the free version of SPAMfighter.
We are a community of 7 million users fighting spam.
SPAMfighter has removed 20465 of my spam emails to date.
Get the free SPAMfighter here: http://www.spamfighter.com/len

The Professional version does not have this message



~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350244
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: (ot) Maillist with API

2012-03-06 Thread Will Swain


We've looked at both MailChimp and Campaign Monitor, both of whom have
mature APIs and offer similar functionality. I'd recommend either.

Will

On 6 March 2012 11:29, Jenny Gavin-Wear jenn...@fasttrackonline.co.ukwrote:


 Hi all,

 Apologies for the completely OT posting, but I'm in desperate need for a
 solution.

 Until recently I have been hosting a discussion maillist for one of my
 customers.  Subscription is required for membership of the list and there
 is
 also an opt-in option on the member profile.  So on a daily basis the
 subscriber list is recompiled based on subscriptions.

 I need to move the mail list off my own mail server and I am looking for a
 host with an API (or some other interface, could be SOAP) facility to
 manage
 the subscriber list.

 Any ideas please?


 Jenny Gavin-Wear
 Fast Track Online
 http://www.fasttrackonline.co.uk/



 --
 I am using the free version of SPAMfighter.
 We are a community of 7 million users fighting spam.
 SPAMfighter has removed 20465 of my spam emails to date.
 Get the free SPAMfighter here: http://www.spamfighter.com/len

 The Professional version does not have this message



 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350245
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: (ot) Maillist with API


+1 for either, but MailChimp is probably the easier option


On Tue, Mar 6, 2012 at 11:36 AM, Will Swain w...@hothorse.com wrote:


 We've looked at both MailChimp and Campaign Monitor, both of whom have
 mature APIs and offer similar functionality. I'd recommend either.

 Will

 On 6 March 2012 11:29, Jenny Gavin-Wear jenn...@fasttrackonline.co.uk
 wrote:

 
  Hi all,
 
  Apologies for the completely OT posting, but I'm in desperate need for a
  solution.
 
  Until recently I have been hosting a discussion maillist for one of my
  customers.  Subscription is required for membership of the list and there
  is
  also an opt-in option on the member profile.  So on a daily basis the
  subscriber list is recompiled based on subscriptions.
 
  I need to move the mail list off my own mail server and I am looking for
 a
  host with an API (or some other interface, could be SOAP) facility to
  manage
  the subscriber list.
 
  Any ideas please?
 
 
  Jenny Gavin-Wear
  Fast Track Online
  http://www.fasttrackonline.co.uk/
 
 
 
  --
  I am using the free version of SPAMfighter.
  We are a community of 7 million users fighting spam.
  SPAMfighter has removed 20465 of my spam emails to date.
  Get the free SPAMfighter here: http://www.spamfighter.com/len
 
  The Professional version does not have this message
 
 
 
 

 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350246
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

RE: Failed PCI Compliance test on CF9.01

2012-03-06 Thread DURETTE, STEVEN J


Just out of curiosity, why can't you have the entire session running under SSL? 
Ever since Firesheep came out it is actually suggested to be all encrypted all 
the time.

Steve


-Original Message-
From: Robert Rhodes [mailto:rrhode...@gmail.com] 
Sent: Tuesday, March 06, 2012 2:20 AM
To: cf-talk
Subject: Failed PCI Compliance test on CF9.01


So a site that I built failed PCI compliance testing because the jsessionid
cookie is not set securely.

I found this 
posthttp://thinkinglemur.com/index.php/2009/02/setting-secure-attribute-of-jsessionid-cookie-in-coldfusion-8/that
shows how to force jrun to do always set the session cookies securely,
but the user loses their session state when they move between secure and
non-secure pages (the jsessionid is different for secure pages).  This is
obviously a big problem, since we can't have the entire user session
running under ssl.  Any ideas on how to get the jsessionid to be the same
on secure and non-secure pages?  I am a little lost here.

I am running cf9.01, with the app set to sessionmanagement=yes and
setclientcookies=no.  In the administrator, I have Cookie set as my
default client storage storage mechanism, and J2EE session variables
enabled.  I also have use UUID for cftoken enabled, but since I have
setclientcookies set to no, I don't think that matters.

*-RR*




~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350247
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

RE: (ot) Maillist with API


Hi Will and Russ,

Many thanks for your replies!

I was looking at Mailchimp, but is it only a broadcast/newsletter service or
does it support discussion lists with moderators, etc?  I can't find
anything about discussion mail lists on their site.

Jenny

-Original Message-
From: Will Swain [mailto:w...@hothorse.com]
Sent: 06 March 2012 11:36
To: cf-talk
Subject: Re: (ot) Maillist with API


We've looked at both MailChimp and Campaign Monitor, both of whom have
mature APIs and offer similar functionality. I'd recommend either.

Will

On 6 March 2012 11:29, Jenny Gavin-Wear
jenn...@fasttrackonline.co.ukwrote:


 Hi all,

 Apologies for the completely OT posting, but I'm in desperate need for
 a solution.

 Until recently I have been hosting a discussion maillist for one of my
 customers.  Subscription is required for membership of the list and
 there is also an opt-in option on the member profile.  So on a daily
 basis the subscriber list is recompiled based on subscriptions.

 I need to move the mail list off my own mail server and I am looking
 for a host with an API (or some other interface, could be SOAP)
 facility to manage the subscriber list.

 Any ideas please?


 Jenny Gavin-Wear
 Fast Track Online
 http://www.fasttrackonline.co.uk/



 --
 I am using the free version of SPAMfighter.
 We are a community of 7 million users fighting spam.
 SPAMfighter has removed 20465 of my spam emails to date.
 Get the free SPAMfighter here: http://www.spamfighter.com/len

 The Professional version does not have this message





~~
~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-
Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-
talk/message.cfm/messageid:350245
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-
talk/unsubscribe.cfm

--
I am using the free version of SPAMfighter.
We are a community of 7 million users fighting spam.
SPAMfighter has removed 20465 of my spam emails to date.
Get the free SPAMfighter here: http://www.spamfighter.com/len

The Professional version does not have this message



~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350248
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01

It's a video streaming site for members. I can't believe my only option is
to stream video across ssl. There must be another solution.

-RR

On Tue, Mar 6, 2012 at 7:46 AM, DURETTE, STEVEN J sd1...@att.com wrote:

Just out of curiosity, why can't you have the entire session running under
SSL? Ever since Firesheep came out it is actually suggested to be all
encrypted all the time.

Steve

-Original Message-
From: Robert Rhodes [mailto:rrhode...@gmail.com]
Sent: Tuesday, March 06, 2012 2:20 AM
To: cf-talk
Subject: Failed PCI Compliance test on CF9.01

So a site that I built failed PCI compliance testing because the jsessionid
cookie is not set securely.

I found this post
http://thinkinglemur.com/index.php/2009/02/setting-secure-attribute-of-jsessionid-cookie-in-coldfusion-8/
that
shows how to force jrun to do always set the session cookies securely,
but the user loses their session state when they move between secure and
non-secure pages (the jsessionid is different for secure pages). This is
obviously a big problem, since we can't have the entire user session
running under ssl. Any ideas on how to get the jsessionid to be the same
on secure and non-secure pages? I am a little lost here.

I am running cf9.01, with the app set to sessionmanagement=yes and
setclientcookies=no. In the administrator, I have Cookie set as my
default client storage storage mechanism, and J2EE session variables
enabled. I also have use UUID for cftoken enabled, but since I have
setclientcookies set to no, I don't think that matters.

*-RR*

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350249
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: CF 9 Mulit-Sever only uses default site

2012-03-06 Thread Eric Cobb


Thanks Russ!

I looked through everything you suggested, and I can't see anything wrong.  
Here's my wsconfig.properties file:

1=IIS,1,false,
1.srv=localhost,cfusion
1.cfmx=true,null
2=IIS,2,false,
2.srv=localhost,Test01
2.cfmx=true,null

So it looks like my #2 site is pointing to the correct Test01 CF 
instance.  

The CFM handlers in IIS are pointing to C:\JRun4\lib\wsconfig\jrun_iis6.dll 
for both of my sites.  Is that correct, or should site #2 be pointing 
somewhere else?  

Something else that I noticed is, whenever I spin off a new CF instance 
none of the datasources seem to be carried over to the new instance.  I 
have to add them manually.  I'm not sure if this is related or not.  

I've tried deleting and recreating my instances several times, and still no 
luck.  Do you have any other suggestions? 

Thanks,

Eric



From: Russ Michaels r...@michaels.me.uk
Sent: Thursday, February 23, 2012 11:49 AM
To: cf-talk cf-talk@houseoffusion.com
Subject: Re: CF 9 Mulit-Sever only uses default site

Eric,

check the .CFM handlers in iis and make sure they link to the right
connectors.
if they do, then check the wsconfig.properties in the wsconfig folder

this should specify which connector is for which site/instance

should look like this.

1=IIS,0,false,
1.srv=localhost,cfusion
1.cfmx=true,C:/Inetpub/wwwroot
2=IIS,7605,false,
2.srv=localhost,anorak
2.cfmx=true,null
3=IIS,2714,false,
3.srv=localhost,CFMX10120
3.cfmx=true,null
5=IIS,1851,false,
5.srv=localhost,CFMX10158
5.cfmx=true,null

the number is the connector in your wsconfig folder
e.g

wsconfig/1
wsconfig/2

the first entry for each number tells you the web server type and siteID
the 2nd entry is the host and instance name
the 3rd entry specifies that cf handlers are enabled

--

Russ Michaels

www.bluethunderinternet.com  : Business hosting services  solutions
www.cfmldeveloper.com: ColdFusion developer community
www.michaels.me.uk   : my blog
www.cfsearch.com : ColdFusion search engine
**
*skype me* : russmichaels



~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350250
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: CF 9 Mulit-Sever only uses default site

2012-03-06 Thread Steve 'Cutter' Blades


Eric,

This used to happen, on occasion. You can delete your current connectors 
and establish new ones using the config tool:

C:\JRun4\bin\wsconfig.exe

You might have a deeper issue, but sometimes it really is that simple. 
It usually was for us. (Reminds me just how much I love Apache...)

Steve 'Cutter' Blades
Adobe Community Professional
Adobe Certified Expert
Advanced Macromedia ColdFusion MX 7 Developer

http://cutterscrossing.com


Co-Author Learning Ext JS 3.2 Packt Publishing 2010
https://www.packtpub.com/learning-ext-js-3-2-for-building-dynamic-desktop-style-user-interfaces/book

The best way to predict the future is to help create it


On 3/6/2012 8:37 AM, Eric Cobb wrote:
 Thanks Russ!

 I looked through everything you suggested, and I can't see anything wrong.
 Here's my wsconfig.properties file:

 1=IIS,1,false,
 1.srv=localhost,cfusion
 1.cfmx=true,null
 2=IIS,2,false,
 2.srv=localhost,Test01
 2.cfmx=true,null

 So it looks like my #2 site is pointing to the correct Test01 CF
 instance.

 The CFM handlers in IIS are pointing to C:\JRun4\lib\wsconfig\jrun_iis6.dll
 for both of my sites.  Is that correct, or should site #2 be pointing
 somewhere else?

 Something else that I noticed is, whenever I spin off a new CF instance
 none of the datasources seem to be carried over to the new instance.  I
 have to add them manually.  I'm not sure if this is related or not.

 I've tried deleting and recreating my instances several times, and still no
 luck.  Do you have any other suggestions?

 Thanks,

 Eric

 

 From: Russ Michaelsr...@michaels.me.uk
 Sent: Thursday, February 23, 2012 11:49 AM
 To: cf-talkcf-talk@houseoffusion.com
 Subject: Re: CF 9 Mulit-Sever only uses default site

 Eric,

 check the .CFM handlers in iis and make sure they link to the right
 connectors.
 if they do, then check the wsconfig.properties in the wsconfig folder

 this should specify which connector is for which site/instance

 should look like this.

 1=IIS,0,false,
 1.srv=localhost,cfusion
 1.cfmx=true,C:/Inetpub/wwwroot
 2=IIS,7605,false,
 2.srv=localhost,anorak
 2.cfmx=true,null
 3=IIS,2714,false,
 3.srv=localhost,CFMX10120
 3.cfmx=true,null
 5=IIS,1851,false,
 5.srv=localhost,CFMX10158
 5.cfmx=true,null

 the number is the connector in your wsconfig folder
 e.g

 wsconfig/1
 wsconfig/2

 the first entry for each number tells you the web server type and siteID
 the 2nd entry is the host and instance name
 the 3rd entry specifies that cf handlers are enabled

 --

 Russ Michaels

 www.bluethunderinternet.com  : Business hosting services  solutions
 www.cfmldeveloper.com: ColdFusion developer community
 www.michaels.me.uk   : my blog
 www.cfsearch.com : ColdFusion search engine
 **
 *skype me* : russmichaels



 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350251
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01


 It's a video streaming site for members.  I can't believe my only
 option is to stream video across ssl.  There must be another
 solution.

There is: take the main site out of scope for compliance.  The only
parts of a system that have to be PCI compliant are the ones that
handle credit card information, usually an online store or
subscription system.  There is no technical reason I can think of that
would require your billing system and video streaming servers to share
infrastructure.  Separating the billing system out on to its own
infrastructure means the rest of the system goes out of scope and then
you can do whatever you want with your cookies on the main part of the
site.  Keep the billing system isolated and your headaches will be
greatly reduced.


-Justin Sco

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350252
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01


Justin, thanks for the reply, and I get your point, but I can't break out
the registration process into a standalone site quickly.  There must be a
fairly quick solution to this problem.  Surely, I can't be the first to
deal with this.

On Tue, Mar 6, 2012 at 8:44 AM, Justin Scott leviat...@darktech.org wrote:


  It's a video streaming site for members.  I can't believe my only
  option is to stream video across ssl.  There must be another
  solution.

 There is: take the main site out of scope for compliance.  The only
 parts of a system that have to be PCI compliant are the ones that
 handle credit card information, usually an online store or
 subscription system.  There is no technical reason I can think of that
 would require your billing system and video streaming servers to share
 infrastructure.  Separating the billing system out on to its own
 infrastructure means the rest of the system goes out of scope and then
 you can do whatever you want with your cookies on the main part of the
 site.  Keep the billing system isolated and your headaches will be
 greatly reduced.


 -Justin Sco

 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350253
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

RE: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Che Vilnonis


Robert, a product like Fuseguard from Pete Freitag or a Web Application
Firewall (or a plugin type of filter to your existing firewall) may help.
I'm currently going through a similar process and thought these options
might help.

Ché

-Original Message-
From: Robert Rhodes [mailto:rrhode...@gmail.com] 
Sent: Tuesday, March 06, 2012 9:08 AM
To: cf-talk
Subject: Re: Failed PCI Compliance test on CF9.01


Justin, thanks for the reply, and I get your point, but I can't break out
the registration process into a standalone site quickly.  There must be a
fairly quick solution to this problem.  Surely, I can't be the first to deal
with this.



~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350254
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Donnie Bachan (Gmail)


Robert,

This is odd that you are losing the session, are you using CF in
multiserver mode or standalone? The article you referenced was for CF8,
however, we're currently running CF9 Ent in multiserver mode and we've not
had this issue crop up. We are however using a DB with client cookies for
managing state across CF instances.

Best Regards,
Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer
==
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from any
computer.


On Tue, Mar 6, 2012 at 2:17 PM, Che Vilnonis ch...@asitv.com wrote:


 Robert, a product like Fuseguard from Pete Freitag or a Web Application
 Firewall (or a plugin type of filter to your existing firewall) may help.
 I'm currently going through a similar process and thought these options
 might help.

 Ché

 -Original Message-
 From: Robert Rhodes [mailto:rrhode...@gmail.com]
 Sent: Tuesday, March 06, 2012 9:08 AM
 To: cf-talk
 Subject: Re: Failed PCI Compliance test on CF9.01


 Justin, thanks for the reply, and I get your point, but I can't break out
 the registration process into a standalone site quickly.  There must be a
 fairly quick solution to this problem.  Surely, I can't be the first to
 deal
 with this.



 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350255
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Phillip Duba


I'll echo what Donnie said. We're actually running CF 8 with the DB client
settings and did not have any issues with the cookies in our PCI audit,

Phil

On Tue, Mar 6, 2012 at 9:24 AM, Donnie Bachan (Gmail) 
donnie.bac...@gmail.com wrote:


 Robert,

 This is odd that you are losing the session, are you using CF in
 multiserver mode or standalone? The article you referenced was for CF8,
 however, we're currently running CF9 Ent in multiserver mode and we've not
 had this issue crop up. We are however using a DB with client cookies for
 managing state across CF instances.

 Best Regards,
 Donnie Bachan
 Nitendo Vinces - By Striving You Shall Conquer
 =



~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350256
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01


On Tue, Mar 6, 2012 at 9:07 AM, Robert Rhodes rrhode...@gmail.com wrote:

 Justin, thanks for the reply, and I get your point, but I can't break out
 the registration process into a standalone site quickly.  There must be a
 fairly quick solution to this problem.  Surely, I can't be the first to
 deal with this.


I think that the quick solution is to put everything under SSL.

-Cameron

-- 
Cameron Childress
--
p:   678.637.5072
im: cameroncf
facebook http://www.facebook.com/cameroncf |
twitterhttp://twitter.com/cameronc |
google+ https://profiles.google.com/u/0/117829379451708140985


~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350257
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01


 Justin, thanks for the reply, and I get your point, but I can't break out
 the registration process into a standalone site quickly.  There must be a
 fairly quick solution to this problem.  Surely, I can't be the first to
 deal with this.

Another option might be to ask your scanning vendor for an exception
to that scanning rule.  If you can demonstrate to them that no credit
card information is accessible through the user's account (e.g. the
card number isn't visible anywhere, etc., and it really doesn't matter
if the session is hijacked from the standpoint of credit card
security) and explain the situation, they are generally willing to
work with you on this kind of thing.  Remember, their scanning rules
are designed to cover the widest possible threat model.  If you have
specific needs that don't fit into that model but have compensating
controls in place, it shouldn't be a problem (e.g. this used to be an
issue with the incremental session IDs which the scanners check for,
but paired with the random session token as a compensating control
they would always make an exception for this rule when asked).


-Justin Sco

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350258
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

(ot) Places to post a CF opening

2012-03-06 Thread Gerald Guido


We have an opening for someone with CF Experience. We advertised it as a
DBA with CF Experience and posted on some free sites and Craig's list and
have not had any bites locally. The powers that be do not want to nut up to
post it to Monster or career builder.

I know that there is the CF-Jobs list but where else can we post for free
that will get us more coverage?

As always many TIA.

G!

-- 
Gerald Guido
http://www.myinternetisbroken.com


~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350259
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Donnie Bachan (Gmail)


Justin, I don't think that would work though, depending on the level of
compliance and the SAQ being completed I don't think any vendor will allow
that exemption regardless of if credit card information is visible or not.
If an attacker is allowed any access to a user session and can harvest any
personally identifiable information it could affect security of any credit
card entered into the site.

Best Regards,


Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer
==
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from any
computer.


On Tue, Mar 6, 2012 at 2:41 PM, Justin Scott leviat...@darktech.org wrote:


  Justin, thanks for the reply, and I get your point, but I can't break out
  the registration process into a standalone site quickly.  There must be a
  fairly quick solution to this problem.  Surely, I can't be the first to
  deal with this.

 Another option might be to ask your scanning vendor for an exception
 to that scanning rule.  If you can demonstrate to them that no credit
 card information is accessible through the user's account (e.g. the
 card number isn't visible anywhere, etc., and it really doesn't matter
 if the session is hijacked from the standpoint of credit card
 security) and explain the situation, they are generally willing to
 work with you on this kind of thing.  Remember, their scanning rules
 are designed to cover the widest possible threat model.  If you have
 specific needs that don't fit into that model but have compensating
 controls in place, it shouldn't be a problem (e.g. this used to be an
 issue with the incremental session IDs which the scanners check for,
 but paired with the random session token as a compensating control
 they would always make an exception for this rule when asked).


 -Justin Sco

 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350260
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: (ot) Places to post a CF opening


go to houseoffusion.com

On Tue, Mar 6, 2012 at 10:11 AM, Gerald Guido gerald.gu...@gmail.com wrote:

 We have an opening for someone with CF Experience. We advertised it as a
 DBA with CF Experience and posted on some free sites and Craig's list and
 have not had any bites locally. The powers that be do not want to nut up to
 post it to Monster or career builder.

 I know that there is the CF-Jobs list but where else can we post for free
 that will get us more coverage?

 As always many TIA.

 G!

 --
 Gerald Guido
 http://www.myinternetisbroken.com


 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350261
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01


 Justin, I don't think that would work though, depending on the level of
 compliance and the SAQ being completed I don't think any vendor will
 allow that exemption regardless of if credit card information is visible or
 not. If an attacker is allowed any access to a user session and can
 harvest any personally identifiable information it could affect security
 of any credit card entered into the site.

Perhaps, though you'd be surprised what they will sign off on with
proper compensating controls in place.  It can't hurt to ask, in any
case.  Ultimately, my advice in this situation is to isolate the
billing system so that the rest of the system isn't in scope for
compliance.  Trying to find a quick fix when it comes to PCI
compliance is just asking for problems.


-Justin

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350262
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: (ot) Places to post a CF opening


 I know that there is the CF-Jobs list but where else can we post for
 free that will get us more coverage?

There is the HoF CF-Jobs mailing list, as mentioned.  I would also
recommend contacting Ricardo Parente at http://cfdevelopers.net/ as he
runs a ColdFusion job site/blog that gets pretty good coverage.


-Justin Scott

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350263
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: (ot) Places to post a CF opening

2012-03-06 Thread Roger Austin


 Gerald Guido gerald.gu...@gmail.com wrote: 
 
 We have an opening for someone with CF Experience. We advertised it as a
 DBA with CF Experience and posted on some free sites and Craig's list and
 have not had any bites locally. The powers that be do not want to nut up to
 post it to Monster or career builder.
 
 I know that there is the CF-Jobs list but where else can we post for free
 that will get us more coverage?
 
 As always many TIA.
 
 G!
 
 -- 
 Gerald Guido
 http://www.myinternetisbroken.com

You might put it on the LinkedIn CF groups under Jobs.
--
LinkedIn: http://www.linkedin.com/pub/roger-austin/8/a4/60
Twitter:  http://twitter.com/RogerTheGeek
Google+:  https://plus.google.com/117357905892731200369


~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350264
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01


For both Phillip and Donnie -- I just set the site up for database storage
for the client session in the cf admin (server settings - client
variables), and I see data going in those two tables, but I am still losing
the session state when moving from https to http.  I have this set in my
application.cfm:

clientmanagement=Yes
sessionmanagement=Yes
setclientcookies=No
clientstorage=MyDSN

What am I doing wrong?

I did remove the change I made to jrun to force session cookies to be set
securely, but I doubt that matters now, because set client cookies is set
to no.

I am running cf 9.01 standard.

-RR

On Tue, Mar 6, 2012 at 9:24 AM, Donnie Bachan (Gmail) 
donnie.bac...@gmail.com wrote:


 Robert,

 This is odd that you are losing the session, are you using CF in
 multiserver mode or standalone? The article you referenced was for CF8,
 however, we're currently running CF9 Ent in multiserver mode and we've not
 had this issue crop up. We are however using a DB with client cookies for
 managing state across CF instances.

 Best Regards,
 Donnie Bachan
 Nitendo Vinces - By Striving You Shall Conquer
 ==
 The information transmitted is intended only for the person or entity to
 which it is addressed and may contain confidential and/or privileged
 material. Any review, retransmission, dissemination or other use of, or
 taking of any action in reliance upon, this information by persons or
 entities other than the intended recipient is prohibited. If you received
 this in error, please contact the sender and delete the material from any
 computer.


 On Tue, Mar 6, 2012 at 2:17 PM, Che Vilnonis ch...@asitv.com wrote:

 
  Robert, a product like Fuseguard from Pete Freitag or a Web Application
  Firewall (or a plugin type of filter to your existing firewall) may
 help.
  I'm currently going through a similar process and thought these options
  might help.
 
  Ché
 
  -Original Message-
  From: Robert Rhodes [mailto:rrhode...@gmail.com]
  Sent: Tuesday, March 06, 2012 9:08 AM
  To: cf-talk
  Subject: Re: Failed PCI Compliance test on CF9.01
 
 
  Justin, thanks for the reply, and I get your point, but I can't break out
  the registration process into a standalone site quickly.  There must be a
  fairly quick solution to this problem.  Surely, I can't be the first to
  deal
  with this.
 
 
 
 

 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350265
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Phillip Duba


Are all your sites running under CF or do you have another Java-based app
server, like Tomcat/JBoss, running portions of your site as well? That
happened to me. Someone turned on sessions for a Tomcat app that didn't
need it and users would drop sessions as they moved around the site from
the CF side to the Tomcat side,

Phil

On Tue, Mar 6, 2012 at 10:33 AM, Robert Rhodes rrhode...@gmail.com wrote:


 For both Phillip and Donnie -- I just set the site up for database storage
 for the client session in the cf admin (server settings - client
 variables), and I see data going in those two tables, but I am still losing
 the session state when moving from https to http.  I have this set in my
 application.cfm:

 clientmanagement=Yes
 sessionmanagement=Yes
 setclientcookies=No
 clientstorage=MyDSN

 What am I doing wrong?

 I did remove the change I made to jrun to force session cookies to be set
 securely, but I doubt that matters now, because set client cookies is set
 to no.

 I am running cf 9.01 standard.

 -RR

 On Tue, Mar 6, 2012 at 9:24 AM, Donnie Bachan (Gmail) 
 donnie.bac...@gmail.com wrote:

 
  Robert,
 
  This is odd that you are losing the session, are you using CF in
  multiserver mode or standalone? The article you referenced was for CF8,
  however, we're currently running CF9 Ent in multiserver mode and we've
 not
  had this issue crop up. We are however using a DB with client cookies for
  managing state across CF instances.
 
  Best Regards,
  Donnie Bachan
  Nitendo Vinces - By Striving You Shall Conquer
  ==
  The information transmitted is intended only for the person or entity to
  which it is addressed and may contain confidential and/or privileged
  material. Any review, retransmission, dissemination or other use of, or
  taking of any action in reliance upon, this information by persons or
  entities other than the intended recipient is prohibited. If you received
  this in error, please contact the sender and delete the material from any
  computer.
 
 
  On Tue, Mar 6, 2012 at 2:17 PM, Che Vilnonis ch...@asitv.com wrote:
 
  
   Robert, a product like Fuseguard from Pete Freitag or a Web Application
   Firewall (or a plugin type of filter to your existing firewall) may
  help.
   I'm currently going through a similar process and thought these options
   might help.
  
   Ché
  
   -Original Message-
   From: Robert Rhodes [mailto:rrhode...@gmail.com]
   Sent: Tuesday, March 06, 2012 9:08 AM
   To: cf-talk
   Subject: Re: Failed PCI Compliance test on CF9.01
  
  
   Justin, thanks for the reply, and I get your point, but I can't break
 out
   the registration process into a standalone site quickly.  There must
 be a
   fairly quick solution to this problem.  Surely, I can't be the first to
   deal
   with this.
  
  
  
  
 
 

 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350266
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01


Nope.  Just CF on this sever, and just this one site running.

On Tue, Mar 6, 2012 at 10:37 AM, Phillip Duba phild...@gmail.com wrote:


 Are all your sites running under CF or do you have another Java-based app
 server, like Tomcat/JBoss, running portions of your site as well? That
 happened to me. Someone turned on sessions for a Tomcat app that didn't
 need it and users would drop sessions as they moved around the site from
 the CF side to the Tomcat side,

 Phil

 On Tue, Mar 6, 2012 at 10:33 AM, Robert Rhodes rrhode...@gmail.com
 wrote:

 
  For both Phillip and Donnie -- I just set the site up for database
 storage
  for the client session in the cf admin (server settings - client
  variables), and I see data going in those two tables, but I am still
 losing
  the session state when moving from https to http.  I have this set in my
  application.cfm:
 
  clientmanagement=Yes
  sessionmanagement=Yes
  setclientcookies=No
  clientstorage=MyDSN
 
  What am I doing wrong?
 
  I did remove the change I made to jrun to force session cookies to be set
  securely, but I doubt that matters now, because set client cookies is set
  to no.
 
  I am running cf 9.01 standard.
 
  -RR
 
  On Tue, Mar 6, 2012 at 9:24 AM, Donnie Bachan (Gmail) 
  donnie.bac...@gmail.com wrote:
 
  
   Robert,
  
   This is odd that you are losing the session, are you using CF in
   multiserver mode or standalone? The article you referenced was for CF8,
   however, we're currently running CF9 Ent in multiserver mode and we've
  not
   had this issue crop up. We are however using a DB with client cookies
 for
   managing state across CF instances.
  
   Best Regards,
   Donnie Bachan
   Nitendo Vinces - By Striving You Shall Conquer
   ==
   The information transmitted is intended only for the person or entity
 to
   which it is addressed and may contain confidential and/or privileged
   material. Any review, retransmission, dissemination or other use of, or
   taking of any action in reliance upon, this information by persons or
   entities other than the intended recipient is prohibited. If you
 received
   this in error, please contact the sender and delete the material from
 any
   computer.
  
  
   On Tue, Mar 6, 2012 at 2:17 PM, Che Vilnonis ch...@asitv.com wrote:
  
   
Robert, a product like Fuseguard from Pete Freitag or a Web
 Application
Firewall (or a plugin type of filter to your existing firewall) may
   help.
I'm currently going through a similar process and thought these
 options
might help.
   
Ché
   
-Original Message-
From: Robert Rhodes [mailto:rrhode...@gmail.com]
Sent: Tuesday, March 06, 2012 9:08 AM
To: cf-talk
Subject: Re: Failed PCI Compliance test on CF9.01
   
   
Justin, thanks for the reply, and I get your point, but I can't break
  out
the registration process into a standalone site quickly.  There must
  be a
fairly quick solution to this problem.  Surely, I can't be the first
 to
deal
with this.
   
   
   
   
  
  
 
 

 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350267
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Donnie Bachan (Gmail)


Hi Robert,

I'm not sure if I'm missing something but shouldn't you have
setClientCookies to Yes? Otherwise you'd have to pass the JSESSIONID in the
url on each request.

Best Regards,
Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer
==
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from any
computer.


On Tue, Mar 6, 2012 at 3:33 PM, Robert Rhodes rrhode...@gmail.com wrote:


 For both Phillip and Donnie -- I just set the site up for database storage
 for the client session in the cf admin (server settings - client
 variables), and I see data going in those two tables, but I am still losing
 the session state when moving from https to http.  I have this set in my
 application.cfm:

 clientmanagement=Yes
 sessionmanagement=Yes
 setclientcookies=No
 clientstorage=MyDSN

 What am I doing wrong?




~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350268
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01


I just put back the jrun setting to pass cookies securely, and am sending
the jsessionid securely again.  And I am set up to use the database for
client storage.

It's still losing the session when I switch between http and https.

I do have setclientcookies to no, because that sets cfid and cftoken
insecurely which is what caused the PCI test failure.

This really should not be this hard.  I an't be the only person dealing
with this issue.  :(


On Tue, Mar 6, 2012 at 10:44 AM, Donnie Bachan (Gmail) 
donnie.bac...@gmail.com wrote:


 Hi Robert,

 I'm not sure if I'm missing something but shouldn't you have
 setClientCookies to Yes? Otherwise you'd have to pass the JSESSIONID in the
 url on each request.

 Best Regards,
 Donnie Bachan
 Nitendo Vinces - By Striving You Shall Conquer
 ==
 The information transmitted is intended only for the person or entity to
 which it is addressed and may contain confidential and/or privileged
 material. Any review, retransmission, dissemination or other use of, or
 taking of any action in reliance upon, this information by persons or
 entities other than the intended recipient is prohibited. If you received
 this in error, please contact the sender and delete the material from any
 computer.


 On Tue, Mar 6, 2012 at 3:33 PM, Robert Rhodes rrhode...@gmail.com wrote:

 
  For both Phillip and Donnie -- I just set the site up for database
 storage
  for the client session in the cf admin (server settings - client
  variables), and I see data going in those two tables, but I am still
 losing
  the session state when moving from https to http.  I have this set in my
  application.cfm:
 
  clientmanagement=Yes
  sessionmanagement=Yes
  setclientcookies=No
  clientstorage=MyDSN
 
  What am I doing wrong?
 
 


 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350269
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: (ot) Places to post a CF opening


http://cfdevelopers.net/page.cfm/job-offers is where you post it.

On Tue, Mar 6, 2012 at 10:26 AM, Justin Scott leviat...@darktech.org wrote:

 I know that there is the CF-Jobs list but where else can we post for
 free that will get us more coverage?

 There is the HoF CF-Jobs mailing list, as mentioned.  I would also
 recommend contacting Ricardo Parente at http://cfdevelopers.net/ as he
 runs a ColdFusion job site/blog that gets pretty good coverage.


 -Justin Scott

 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350270
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01


On Tue, Mar 6, 2012 at 11:13 AM, Robert Rhodes rrhode...@gmail.com wrote:

 I just put back the jrun setting to pass cookies securely, and am sending
 the jsessionid securely again.  And I am set up to use the database for
 client storage.

 It's still losing the session when I switch between http and https.


sending securely means sending over HTTPS.  That is why non-SSL is losing
session.

-Cameron

-- 
Cameron Childress
--
p:   678.637.5072
im: cameroncf
facebook http://www.facebook.com/cameroncf |
twitterhttp://twitter.com/cameronc |
google+ https://profiles.google.com/u/0/117829379451708140985


~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350271
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: CF9/Win2008 CFDocument/PDF Chinese characters not showing if wrapped with an HTML tag

2012-03-06 Thread James Dodge


 I believe you should wrap your data with cfprocessingdirective tag.

I tried cfprocessingdirective with the following pageencodings with no change 
in behavior: windows-1252, windows-950, windows-936, big5, utf-8.  Same thing 
happens - if I put any sort of html tag around the Chinese characters, they 
don't display in cfdocument's PDF output.  If I leave the characters unwrapped, 
they show in the PDF just fine.

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350272
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

RE: Failed PCI Compliance test on CF9.01

2012-03-06 Thread DURETTE, STEVEN J


Your issue is more likely the fact that you are switching between https and 
http. I don't believe that the cookies can cross that barrier.

However as to your cookies not being secure check out the article by Pete 
Freitag : Adobe developer connection / ColdFusion Developer center / Securing 
your applications using HttpOnly cookies with ColdFusion.  (sorry I don't have 
the url) It has a section on using secure cookies with https/ssl.

Steve


-Original Message-
From: Robert Rhodes [mailto:rrhode...@gmail.com] 
Sent: Tuesday, March 06, 2012 11:13 AM
To: cf-talk
Subject: Re: Failed PCI Compliance test on CF9.01


I just put back the jrun setting to pass cookies securely, and am sending
the jsessionid securely again.  And I am set up to use the database for
client storage.

It's still losing the session when I switch between http and https.

I do have setclientcookies to no, because that sets cfid and cftoken
insecurely which is what caused the PCI test failure.

This really should not be this hard.  I an't be the only person dealing
with this issue.  :(


On Tue, Mar 6, 2012 at 10:44 AM, Donnie Bachan (Gmail) 
donnie.bac...@gmail.com wrote:


 Hi Robert,

 I'm not sure if I'm missing something but shouldn't you have
 setClientCookies to Yes? Otherwise you'd have to pass the JSESSIONID in the
 url on each request.

 Best Regards,
 Donnie Bachan
 Nitendo Vinces - By Striving You Shall Conquer
 ==
 The information transmitted is intended only for the person or entity to
 which it is addressed and may contain confidential and/or privileged
 material. Any review, retransmission, dissemination or other use of, or
 taking of any action in reliance upon, this information by persons or
 entities other than the intended recipient is prohibited. If you received
 this in error, please contact the sender and delete the material from any
 computer.


 On Tue, Mar 6, 2012 at 3:33 PM, Robert Rhodes rrhode...@gmail.com wrote:

 
  For both Phillip and Donnie -- I just set the site up for database
 storage
  for the client session in the cf admin (server settings - client
  variables), and I see data going in those two tables, but I am still
 losing
  the session state when moving from https to http.  I have this set in my
  application.cfm:
 
  clientmanagement=Yes
  sessionmanagement=Yes
  setclientcookies=No
  clientstorage=MyDSN
 
  What am I doing wrong?
 
 


 



~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350273
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: CF9/Win2008 CFDocument/PDF Chinese characters not showing if wrapped with an HTML tag

2012-03-06 Thread James Dodge


 I believe you should wrap your data with cfprocessingdirective tag.

I tried cfprocessingdirective with the following pageencodings with no change 
in behavior: windows-1252, windows-950, windows-936, big5, utf-8.  Same thing 
happens - if I put any sort of html tag around the Chinese characters, they 
don't display in cfdocument's PDF output.  If I leave the characters unwrapped, 
they show in the PDF just fine. 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350274
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01

2012-03-06 Thread Pete Freitag

Hi Robert,

You are caught in a bit of a catch 22 here. If you want to set the secure
attribute on session cookies delivered over SSL, but also have it use the
same cookie values over non-ssl - then that defeats the purpose of adding
the secure attribute. If you want to do that you can't use the secure
attribute on the cookies.

The secure attribute says only send this cookie over SSL, so when you make
a request to a non-ssl url the browser will not send the cookie, this
causes ColdFusion to issue a new session.

The best solution is to run all on SSL as Cameron suggested, here's a good
read on the performance of SSL and TLS:
http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html the main
point being that SSL is not as computationally expensive as you may think.

If that's not going to fly then you need to build something to share data
between the sessions, while making sure that the non-ssl data is not
privileged - it can get complicated to ensure that your not opening
yourself up to security issues over non-ssl.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Tue, Mar 6, 2012 at 2:19 AM, Robert Rhodes rrhode...@gmail.com wrote:

So a site that I built failed PCI compliance testing because the jsessionid
cookie is not set securely.

*-RR*

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350275
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: (ot) Maillist with API


sorry must have misread, if your looking for discussion lists then there is
always google apps which gives you google groups using your own domain.


On Tue, Mar 6, 2012 at 12:51 PM, Jenny Gavin-Wear 
jenn...@fasttrackonline.co.uk wrote:


 Hi Will and Russ,

 Many thanks for your replies!

 I was looking at Mailchimp, but is it only a broadcast/newsletter service
 or
 does it support discussion lists with moderators, etc?  I can't find
 anything about discussion mail lists on their site.

 Jenny

 -Original Message-
 From: Will Swain [mailto:w...@hothorse.com]
 Sent: 06 March 2012 11:36
 To: cf-talk
 Subject: Re: (ot) Maillist with API
 
 
 We've looked at both MailChimp and Campaign Monitor, both of whom have
 mature APIs and offer similar functionality. I'd recommend either.
 
 Will
 
 On 6 March 2012 11:29, Jenny Gavin-Wear
 jenn...@fasttrackonline.co.ukwrote:
 
 
  Hi all,
 
  Apologies for the completely OT posting, but I'm in desperate need for
  a solution.
 
  Until recently I have been hosting a discussion maillist for one of my
  customers.  Subscription is required for membership of the list and
  there is also an opt-in option on the member profile.  So on a daily
  basis the subscriber list is recompiled based on subscriptions.
 
  I need to move the mail list off my own mail server and I am looking
  for a host with an API (or some other interface, could be SOAP)
  facility to manage the subscriber list.
 
  Any ideas please?
 
 
  Jenny Gavin-Wear
  Fast Track Online
  http://www.fasttrackonline.co.uk/
 
 
 
  --
  I am using the free version of SPAMfighter.
  We are a community of 7 million users fighting spam.
  SPAMfighter has removed 20465 of my spam emails to date.
  Get the free SPAMfighter here: http://www.spamfighter.com/len
 
  The Professional version does not have this message
 
 
 
 
 
 ~~
 ~~~|
 Order the Adobe Coldfusion Anthology now!
 http://www.amazon.com/Adobe-Coldfusion-
 Anthology/dp/1430272155/?tag=houseoffusion
 Archive: http://www.houseoffusion.com/groups/cf-
 talk/message.cfm/messageid:350245
 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
 Unsubscribe: http://www.houseoffusion.com/groups/cf-
 talk/unsubscribe.cfm

 --
 I am using the free version of SPAMfighter.
 We are a community of 7 million users fighting spam.
 SPAMfighter has removed 20465 of my spam emails to date.
 Get the free SPAMfighter here: http://www.spamfighter.com/len

 The Professional version does not have this message



 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350276
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01

I hear you, but there are issues preventing me from going all https. It's
a long story.

Is there a way to copy, with some code in the application.cfm, the
jsessionid between http and https so we don't lose the session state?

-rr

On Tue, Mar 6, 2012 at 11:24 AM, Pete Freitag p...@foundeo.com wrote:

Hi Robert,

The secure attribute says only send this cookie over SSL, so when you make
a request to a non-ssl url the browser will not send the cookie, this
causes ColdFusion to issue a new session.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Tue, Mar 6, 2012 at 2:19 AM, Robert Rhodes rrhode...@gmail.com wrote:

So a site that I built failed PCI compliance testing because the
jsessionid
cookie is not set securely.

I found this post

http://thinkinglemur.com/index.php/2009/02/setting-secure-attribute-of-jsessionid-cookie-in-coldfusion-8/
that
shows how to force jrun to do always set the session cookies securely,
but the user loses their session state when they move between secure and
non-secure pages (the jsessionid is different for secure pages). This is
obviously a big problem, since we can't have the entire user session
running under ssl. Any ideas on how to get the jsessionid to be the same
on secure and non-secure pages? I am a little lost here.

*-RR*

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350277
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: (ot) Places to post a CF opening

2012-03-06 Thread Rick Mason


Make certain that the job is posted on indeed.com .  If you're not familiar
with the site they scan all the major job sites and listings on major corp
sites.  But they've added the ability for employers to directly post
jobs on the site.

Concerning your opening are they open to telecommuting?  If not, why not?



Rick

On Tue, Mar 6, 2012 at 10:11 AM, Gerald Guido gerald.gu...@gmail.comwrote:


 We have an opening for someone with CF Experience. We advertised it as a
 DBA with CF Experience and posted on some free sites and Craig's list and
 have not had any bites locally. The powers that be do not want to nut up to
 post it to Monster or career builder.

 I know that there is the CF-Jobs list but where else can we post for free
 that will get us more coverage?

 As always many TIA.

 G!

 --
 Gerald Guido
 http://www.myinternetisbroken.com


 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350278
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01


On Tue, Mar 6, 2012 at 11:55 AM, Robert Rhodes rrhode...@gmail.com wrote:

 I hear you, but there are issues preventing me from going all https.  It's
 a long story.

 Is there a way to copy, with some code in the application.cfm, the
 jsessionid between http and https so we don't lose the session state?


You could make this work, but then you would be exactly where you currently
are, and would again fail the PCI audit. I know you are looking for a
quick answer, but there isn't really a great easy option here. Many shops
spend literally months getting compliant, so this code change really
doesn't seem so huge in comparison, even though I know if feel like it is.

You best solution, in the long term as well as the short run, is to make
the code changes and just spend the time and money on it so it's right.

-Cameron

-- 
Cameron Childress
--
p:   678.637.5072
im: cameroncf
facebook http://www.facebook.com/cameroncf |
twitterhttp://twitter.com/cameronc |
google+ https://profiles.google.com/u/0/117829379451708140985


~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350279
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: CF 9 Mulit-Sever only uses default site


the regular cf handlers that point to jrun_iis6.dll actually do nothing,
they don't even work.
the Wildcard handler jrun_iis_wildcard.dll is the only one you actually
need and which works, so this is the one you need to check is point to the
right connector.
If you still can't get it working contact me offlist with remote desktop
access details and I will login and take a look for you.





 On 3/6/2012 8:37 AM, Eric Cobb wrote:
  Thanks Russ!
 
  I looked through everything you suggested, and I can't see anything
 wrong.
  Here's my wsconfig.properties file:
 
  1=IIS,1,false,
  1.srv=localhost,cfusion
  1.cfmx=true,null
  2=IIS,2,false,
  2.srv=localhost,Test01
  2.cfmx=true,null
 
  So it looks like my #2 site is pointing to the correct Test01 CF
  instance.
 
  The CFM handlers in IIS are pointing to
 C:\JRun4\lib\wsconfig\jrun_iis6.dll
  for both of my sites.  Is that correct, or should site #2 be pointing
  somewhere else?
 
  Something else that I noticed is, whenever I spin off a new CF instance
  none of the datasources seem to be carried over to the new instance.  I
  have to add them manually.  I'm not sure if this is related or not.
 
  I've tried deleting and recreating my instances several times, and still
 no
  luck.  Do you have any other suggestions?
 
  Thanks,
 
  Eric
 
  
 
  From: Russ Michaelsr...@michaels.me.uk
  Sent: Thursday, February 23, 2012 11:49 AM
  To: cf-talkcf-talk@houseoffusion.com
  Subject: Re: CF 9 Mulit-Sever only uses default site
 
  Eric,
 
  check the .CFM handlers in iis and make sure they link to the right
  connectors.
  if they do, then check the wsconfig.properties in the wsconfig folder
 
  this should specify which connector is for which site/instance
 
  should look like this.
 
  1=IIS,0,false,
  1.srv=localhost,cfusion
  1.cfmx=true,C:/Inetpub/wwwroot
  2=IIS,7605,false,
  2.srv=localhost,anorak
  2.cfmx=true,null
  3=IIS,2714,false,
  3.srv=localhost,CFMX10120
  3.cfmx=true,null
  5=IIS,1851,false,
  5.srv=localhost,CFMX10158
  5.cfmx=true,null
 
  the number is the connector in your wsconfig folder
  e.g
 
  wsconfig/1
  wsconfig/2
 
  the first entry for each number tells you the web server type and siteID
  the 2nd entry is the host and instance name
  the 3rd entry specifies that cf handlers are enabled
 
  --
 
  Russ Michaels
 
  www.bluethunderinternet.com  : Business hosting services  solutions
  www.cfmldeveloper.com: ColdFusion developer community
  www.michaels.me.uk   : my blog
  www.cfsearch.com : ColdFusion search engine
  **
  *skype me* : russmichaels
 
 
 
 

 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350280
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: (ot) Places to post a CF opening


you could also try
www.odesk.com
www.freelancers.com


On Tue, Mar 6, 2012 at 5:30 PM, Rick Mason rhma...@gmail.com wrote:


 Make certain that the job is posted on indeed.com .  If you're not
 familiar
 with the site they scan all the major job sites and listings on major corp
 sites.  But they've added the ability for employers to directly post
 jobs on the site.

 Concerning your opening are they open to telecommuting?  If not, why not?



 Rick

 On Tue, Mar 6, 2012 at 10:11 AM, Gerald Guido gerald.gu...@gmail.com
 wrote:

 
  We have an opening for someone with CF Experience. We advertised it as a
  DBA with CF Experience and posted on some free sites and Craig's list and
  have not had any bites locally. The powers that be do not want to nut up
 to
  post it to Monster or career builder.
 
  I know that there is the CF-Jobs list but where else can we post for free
  that will get us more coverage?
 
  As always many TIA.
 
  G!
 
  --
  Gerald Guido
  http://www.myinternetisbroken.com
 
 
 

 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350281
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01


Ok, I am going to try to make the site work all ssl.  I am concerned about
the video streaming over ssl, but I guess we will see how it goes.

On a related subject:  is there a way to make the jsessionid cookie secure
without making the jrun change?  I ask because doing so affects all sites
on the server, and I had planed to run other sites on this particular
server.

On Tue, Mar 6, 2012 at 12:59 PM, Cameron Childress camer...@gmail.comwrote:


 On Tue, Mar 6, 2012 at 11:55 AM, Robert Rhodes rrhode...@gmail.com
 wrote:

  I hear you, but there are issues preventing me from going all https.
  It's
  a long story.
 
  Is there a way to copy, with some code in the application.cfm, the
  jsessionid between http and https so we don't lose the session state?
 

 You could make this work, but then you would be exactly where you currently
 are, and would again fail the PCI audit. I know you are looking for a
 quick answer, but there isn't really a great easy option here. Many shops
 spend literally months getting compliant, so this code change really
 doesn't seem so huge in comparison, even though I know if feel like it is.

 You best solution, in the long term as well as the short run, is to make
 the code changes and just spend the time and money on it so it's right.

 -Cameron

 --
 Cameron Childress
 --
 p:   678.637.5072
 im: cameroncf
 facebook http://www.facebook.com/cameroncf |
 twitterhttp://twitter.com/cameronc |
 google+ https://profiles.google.com/u/0/117829379451708140985


 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350282
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01


Yes. If it were me, I would turn setClientCookies=false in the
Applciation.cfc|cfm and then set them manually using:

cfcookie name=cfid value=#session.cfid# secure=true/
cfcookie name=cftoken value=#session.cftoken# secure=true/

If you google around a bit you can probably find some sample code for doing
this.  If you are using JSessionIDs (not cfid/cftoken) you'll be just
setting that cookie but I would expect it to work in that case as well.

Whole you're at it you might also pop open Chrome debugging or the like and
verify that those are the only cookies being sent, just to make sure you
don't have something else that trips you up.

-Cameron

On Tue, Mar 6, 2012 at 1:47 PM, Robert Rhodes rrhode...@gmail.com wrote:


 Ok, I am going to try to make the site work all ssl.  I am concerned about
 the video streaming over ssl, but I guess we will see how it goes.

 On a related subject:  is there a way to make the jsessionid cookie secure
 without making the jrun change?  I ask because doing so affects all sites
 on the server, and I had planed to run other sites on this particular
 server.

 On Tue, Mar 6, 2012 at 12:59 PM, Cameron Childress camer...@gmail.com
 wrote:

 
  On Tue, Mar 6, 2012 at 11:55 AM, Robert Rhodes rrhode...@gmail.com
  wrote:
 
   I hear you, but there are issues preventing me from going all https.
   It's
   a long story.
  
   Is there a way to copy, with some code in the application.cfm, the
   jsessionid between http and https so we don't lose the session state?
  
 
  You could make this work, but then you would be exactly where you
 currently
  are, and would again fail the PCI audit. I know you are looking for a
  quick answer, but there isn't really a great easy option here. Many
 shops
  spend literally months getting compliant, so this code change really
  doesn't seem so huge in comparison, even though I know if feel like it
 is.
 
  You best solution, in the long term as well as the short run, is to make
  the code changes and just spend the time and money on it so it's right.
 
  -Cameron
 
  --
  Cameron Childress
  --
  p:   678.637.5072
  im: cameroncf
  facebook http://www.facebook.com/cameroncf |
  twitterhttp://twitter.com/cameronc |
  google+ https://profiles.google.com/u/0/117829379451708140985
 
 
 

 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350283
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: (ot) Maillist with API

2012-03-06 Thread Dave Watts


 sorry must have misread, if your looking for discussion lists then there is
 always google apps which gives you google groups using your own domain.

Yes, and Apps does have an API that lets you do quite a bit.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350284
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01


That works for cfid and cftoken, thanks.  But it won't work for jsessionid,
because once that is selected in the administrator, it shows up as an
unsecure cookie, even if you have setclientcookies turned off.  That's a
bummer, I wanted to use jsessionids.

On Tue, Mar 6, 2012 at 1:59 PM, Cameron Childress camer...@gmail.comwrote:


 Yes. If it were me, I would turn setClientCookies=false in the
 Applciation.cfc|cfm and then set them manually using:

 cfcookie name=cfid value=#session.cfid# secure=true/
 cfcookie name=cftoken value=#session.cftoken# secure=true/

 If you google around a bit you can probably find some sample code for doing
 this.  If you are using JSessionIDs (not cfid/cftoken) you'll be just
 setting that cookie but I would expect it to work in that case as well.

 Whole you're at it you might also pop open Chrome debugging or the like and
 verify that those are the only cookies being sent, just to make sure you
 don't have something else that trips you up.

 -Cameron

 On Tue, Mar 6, 2012 at 1:47 PM, Robert Rhodes rrhode...@gmail.com wrote:

 
  Ok, I am going to try to make the site work all ssl.  I am concerned
 about
  the video streaming over ssl, but I guess we will see how it goes.
 
  On a related subject:  is there a way to make the jsessionid cookie
 secure
  without making the jrun change?  I ask because doing so affects all sites
  on the server, and I had planed to run other sites on this particular
  server.
 
  On Tue, Mar 6, 2012 at 12:59 PM, Cameron Childress camer...@gmail.com
  wrote:
 
  
   On Tue, Mar 6, 2012 at 11:55 AM, Robert Rhodes rrhode...@gmail.com
   wrote:
  
I hear you, but there are issues preventing me from going all https.
It's
a long story.
   
Is there a way to copy, with some code in the application.cfm, the
jsessionid between http and https so we don't lose the session state?
   
  
   You could make this work, but then you would be exactly where you
  currently
   are, and would again fail the PCI audit. I know you are looking for a
   quick answer, but there isn't really a great easy option here. Many
  shops
   spend literally months getting compliant, so this code change really
   doesn't seem so huge in comparison, even though I know if feel like it
  is.
  
   You best solution, in the long term as well as the short run, is to
 make
   the code changes and just spend the time and money on it so it's right.
  
   -Cameron
  
   --
   Cameron Childress
   --
   p:   678.637.5072
   im: cameroncf
   facebook http://www.facebook.com/cameroncf |
   twitterhttp://twitter.com/cameronc |
   google+ https://profiles.google.com/u/0/117829379451708140985
  
  
  
 
 

 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350285
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01


Try this:

http://www.12robots.com/index.cfm/2009/5/6/Making-the-JSESSIONID-Session-Token-Cookie-SECURE-and-HTTPOnly-and-settings-its-PATH

-Cameron

On Tue, Mar 6, 2012 at 2:39 PM, Robert Rhodes rrhode...@gmail.com wrote:

 That works for cfid and cftoken, thanks.  But it won't work for jsessionid,
 because once that is selected in the administrator, it shows up as an
 unsecure cookie, even if you have setclientcookies turned off.  That's a
 bummer, I wanted to use jsessionids.



-- 
Cameron Childress
--
p:   678.637.5072
im: cameroncf
facebook http://www.facebook.com/cameroncf |
twitterhttp://twitter.com/cameronc |
google+ https://profiles.google.com/u/0/117829379451708140985


~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350286
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01


...also - make sure you've cleared out cookies in your browser after you've
made CF code changes.  Old cookies could be hanging out and screwing up
your testing.

-Cameron

On Tue, Mar 6, 2012 at 2:39 PM, Robert Rhodes rrhode...@gmail.com wrote:

 That works for cfid and cftoken, thanks.  But it won't work for jsessionid,
 because once that is selected in the administrator, it shows up as an
 unsecure cookie, even if you have setclientcookies turned off.  That's a
 bummer, I wanted to use jsessionids.


-- 
Cameron Childress
--
p:   678.637.5072
im: cameroncf
facebook http://www.facebook.com/cameroncf |
twitterhttp://twitter.com/cameronc |
google+ https://profiles.google.com/u/0/117829379451708140985


~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350287
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01


 On a related subject:  is there a way to make the jsessionid cookie
 secure without making the jrun change?  I ask because doing so
 affects all sites on the server, and I had planed to run other sites
 on this particular server.

Be careful with this... if your billing system is on this server and
other sites share the same server and aren't properly sandboxed, they
are technically in-scope for compliance as well as they offer other
roads into the server which could lead to the compromise of your
billing system.  All the more reason to isolate it now while you still
can. :)


-Just

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350288
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01


Yes, I saw that.  But he does not say how he made the new jsession id
string.  I am sure it is not some random string he pro
grammatically generated.  So, there must be a way to get at the jsessionid
even if you don't have jsessionidenabled in the administrator.

On Tue, Mar 6, 2012 at 2:44 PM, Cameron Childress camer...@gmail.comwrote:


 Try this:


 http://www.12robots.com/index.cfm/2009/5/6/Making-the-JSESSIONID-Session-Token-Cookie-SECURE-and-HTTPOnly-and-settings-its-PATH

 -Cameron

 On Tue, Mar 6, 2012 at 2:39 PM, Robert Rhodes rrhode...@gmail.com wrote:
 
  That works for cfid and cftoken, thanks.  But it won't work for
 jsessionid,
  because once that is selected in the administrator, it shows up as an
  unsecure cookie, even if you have setclientcookies turned off.  That's a
  bummer, I wanted to use jsessionids.



 --
 Cameron Childress
 --
 p:   678.637.5072
 im: cameroncf
 facebook http://www.facebook.com/cameroncf |
 twitterhttp://twitter.com/cameronc |
 google+ https://profiles.google.com/u/0/117829379451708140985


 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350289
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01


On Tue, Mar 6, 2012 at 2:56 PM, Robert Rhodes rrhode...@gmail.com wrote:

 Yes, I saw that.  But he does not say how he made the new jsession id
 string.  I am sure it is not some random string he pro
 grammatically generated.  So, there must be a way to get at the jsessionid
 even if you don't have jsessionidenabled in the administrator.


I'd say, enable it in the CFAdmin, tell CF not to set cookies automatically
(via code), then set it yourself.  Are you sure it's getting set as
nonsecure?  That is very suprising to me.

-Cameron

-- 
Cameron Childress
--
p:   678.637.5072
im: cameroncf
facebook http://www.facebook.com/cameroncf |
twitterhttp://twitter.com/cameronc |
google+ https://profiles.google.com/u/0/117829379451708140985


~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350290
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: Failed PCI Compliance test on CF9.01


If jsessionids are enabled, CF appears to set that cookie, no matter what.
 I know of no way to prevent that from happening.

And yes, even those the site being loaded by https, the jsessionid cookie
is still being set insecurely.

As I said before, this should be easier than it is.  Or maybe it's just
because I am missing something obvious.

-RR

On Tue, Mar 6, 2012 at 3:00 PM, Cameron Childress camer...@gmail.comwrote:


 On Tue, Mar 6, 2012 at 2:56 PM, Robert Rhodes rrhode...@gmail.com wrote:

  Yes, I saw that.  But he does not say how he made the new jsession id
  string.  I am sure it is not some random string he pro
  grammatically generated.  So, there must be a way to get at the
 jsessionid
  even if you don't have jsessionidenabled in the administrator.


 I'd say, enable it in the CFAdmin, tell CF not to set cookies automatically
 (via code), then set it yourself.  Are you sure it's getting set as
 nonsecure?  That is very suprising to me.

 -Cameron

 --
 Cameron Childress
 --
 p:   678.637.5072
 im: cameroncf
 facebook http://www.facebook.com/cameroncf |
 twitterhttp://twitter.com/cameronc |
 google+ https://profiles.google.com/u/0/117829379451708140985


 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350291
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

RE: (ot) Maillist with API


Hi Dave,

I had a look at Google Groups hoping for an API.

It seems they are revamping it and there is currently no API.  There is an
option to use the all new and sparkling Google Groups, but much of the
interface is still in development.

Jenny

-Original Message-
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: 06 March 2012 19:14
To: cf-talk
Subject: Re: (ot) Maillist with API


 sorry must have misread, if your looking for discussion lists then
 there is always google apps which gives you google groups using your own
domain.

Yes, and Apps does have an API that lets you do quite a bit.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA
Schedule, and provides the highest caliber vendor-authorized instruction
at
our training centers, online, or onsite.

~~
~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-
Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-
talk/message.cfm/messageid:350284
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-
talk/unsubscribe.cfm

--
I am using the free version of SPAMfighter.
We are a community of 7 million users fighting spam.
SPAMfighter has removed 22364 of my spam emails to date.
Get the free SPAMfighter here: http://www.spamfighter.com/len

The Professional version does not have this message



~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350292
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: (ot) Maillist with API


I used Topica for many clients... Pricing and whitelisting is about
the same as mailchimp or api.jangomail.com

On Tue, Mar 6, 2012 at 7:35 PM, Jenny Gavin-Wear
jenn...@fasttrackonline.co.uk wrote:

 Hi Dave,

 I had a look at Google Groups hoping for an API.

 It seems they are revamping it and there is currently no API.  There is an
 option to use the all new and sparkling Google Groups, but much of the
 interface is still in development.

 Jenny

-Original Message-
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: 06 March 2012 19:14
To: cf-talk
Subject: Re: (ot) Maillist with API


 sorry must have misread, if your looking for discussion lists then
 there is always google apps which gives you google groups using your own
domain.

Yes, and Apps does have an API that lets you do quite a bit.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA
Schedule, and provides the highest caliber vendor-authorized instruction
 at
our training centers, online, or onsite.

~~
~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-
Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-
talk/message.cfm/messageid:350284
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-
talk/unsubscribe.cfm

 --
 I am using the free version of SPAMfighter.
 We are a community of 7 million users fighting spam.
 SPAMfighter has removed 22364 of my spam emails to date.
 Get the free SPAMfighter here: http://www.spamfighter.com/len

 The Professional version does not have this message



 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350293
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

RE: (ot) Maillist with API


Hi Brian,

I looked at Topica, but it appears to be a marketing mail list service, not
discussion mail list, or am I wrong?

Also, I couldn't see any evidence of an API?

Many thanks,

Jenny

-Original Message-
From: Brian Thornton [mailto:br...@cfdeveloper.com]
Sent: 07 March 2012 00:38
To: cf-talk
Subject: Re: (ot) Maillist with API


I used Topica for many clients... Pricing and whitelisting is about the
same as
mailchimp or api.jangomail.com

On Tue, Mar 6, 2012 at 7:35 PM, Jenny Gavin-Wear
jenn...@fasttrackonline.co.uk wrote:

 Hi Dave,

 I had a look at Google Groups hoping for an API.

 It seems they are revamping it and there is currently no API.  There
 is an option to use the all new and sparkling Google Groups, but much
 of the interface is still in development.

 Jenny

-Original Message-
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: 06 March 2012 19:14
To: cf-talk
Subject: Re: (ot) Maillist with API


 sorry must have misread, if your looking for discussion lists then
 there is always google apps which gives you google groups using
 your own
domain.

Yes, and Apps does have an API that lets you do quite a bit.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA
Schedule, and provides the highest caliber vendor-authorized
instruction
 at
our training centers, online, or onsite.

~~~
~~~
~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-
Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-
talk/message.cfm/messageid:350284
Subscription:
http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-
talk/unsubscribe.cfm

 --
 I am using the free version of SPAMfighter.
 We are a community of 7 million users fighting spam.
 SPAMfighter has removed 22364 of my spam emails to date.
 Get the free SPAMfighter here: http://www.spamfighter.com/len

 The Professional version does not have this message





~~
~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-
Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-
talk/message.cfm/messageid:350293
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-
talk/unsubscribe.cfm

--
I am using the free version of SPAMfighter.
We are a community of 7 million users fighting spam.
SPAMfighter has removed 22364 of my spam emails to date.
Get the free SPAMfighter here: http://www.spamfighter.com/len

The Professional version does not have this message


~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350294
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

RE: (ot) Places to post a CF opening

2012-03-06 Thread andy matthews


You can pay a small fee to post it on Ben Nadel's job board. I believe he
donates the money to charity.


andy 

-Original Message-
From: Gerald Guido [mailto:gerald.gu...@gmail.com] 
Sent: Tuesday, March 06, 2012 9:12 AM
To: cf-talk
Subject: (ot) Places to post a CF opening


We have an opening for someone with CF Experience. We advertised it as a DBA
with CF Experience and posted on some free sites and Craig's list and have
not had any bites locally. The powers that be do not want to nut up to post
it to Monster or career builder.

I know that there is the CF-Jobs list but where else can we post for free
that will get us more coverage?

As always many TIA.

G!

--
Gerald Guido
http://www.myinternetisbroken.com




~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350295
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Re: (ot) Maillist with API


this is probably the most widely used open source solution.
http://www.gnu.org/software/mailman/index.html



On Wed, Mar 7, 2012 at 1:03 AM, Jenny Gavin-Wear 
jenn...@fasttrackonline.co.uk wrote:


 Hi Brian,

 I looked at Topica, but it appears to be a marketing mail list service, not
 discussion mail list, or am I wrong?

 Also, I couldn't see any evidence of an API?

 Many thanks,

 Jenny

 -Original Message-
 From: Brian Thornton [mailto:br...@cfdeveloper.com]
 Sent: 07 March 2012 00:38
 To: cf-talk
 Subject: Re: (ot) Maillist with API
 
 
 I used Topica for many clients... Pricing and whitelisting is about the
 same as
 mailchimp or api.jangomail.com
 
 On Tue, Mar 6, 2012 at 7:35 PM, Jenny Gavin-Wear
 jenn...@fasttrackonline.co.uk wrote:
 
  Hi Dave,
 
  I had a look at Google Groups hoping for an API.
 
  It seems they are revamping it and there is currently no API.  There
  is an option to use the all new and sparkling Google Groups, but much
  of the interface is still in development.
 
  Jenny
 
 -Original Message-
 From: Dave Watts [mailto:dwa...@figleaf.com]
 Sent: 06 March 2012 19:14
 To: cf-talk
 Subject: Re: (ot) Maillist with API
 
 
  sorry must have misread, if your looking for discussion lists then
  there is always google apps which gives you google groups using
  your own
 domain.
 
 Yes, and Apps does have an API that lets you do quite a bit.
 
 Dave Watts, CTO, Fig Leaf Software
 http://www.figleaf.com/
 http://training.figleaf.com/
 
 Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA
 Schedule, and provides the highest caliber vendor-authorized
 instruction
  at
 our training centers, online, or onsite.
 
 ~~~
 ~~~
 ~~~|
 Order the Adobe Coldfusion Anthology now!
 http://www.amazon.com/Adobe-Coldfusion-
 Anthology/dp/1430272155/?tag=houseoffusion
 Archive: http://www.houseoffusion.com/groups/cf-
 talk/message.cfm/messageid:350284
 Subscription:
 http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
 Unsubscribe: http://www.houseoffusion.com/groups/cf-
 talk/unsubscribe.cfm
 
  --
  I am using the free version of SPAMfighter.
  We are a community of 7 million users fighting spam.
  SPAMfighter has removed 22364 of my spam emails to date.
  Get the free SPAMfighter here: http://www.spamfighter.com/len
 
  The Professional version does not have this message
 
 
 
 
 
 ~~
 ~~~|
 Order the Adobe Coldfusion Anthology now!
 http://www.amazon.com/Adobe-Coldfusion-
 Anthology/dp/1430272155/?tag=houseoffusion
 Archive: http://www.houseoffusion.com/groups/cf-
 talk/message.cfm/messageid:350293
 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
 Unsubscribe: http://www.houseoffusion.com/groups/cf-
 talk/unsubscribe.cfm

 --
 I am using the free version of SPAMfighter.
 We are a community of 7 million users fighting spam.
 SPAMfighter has removed 22364 of my spam emails to date.
 Get the free SPAMfighter here: http://www.spamfighter.com/len

 The Professional version does not have this message


 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350296
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm

Hibernate with other frameworks