(ot) Maillist with API
Hi all,

Apologies for the completely OT posting, but I'm in desperate need of a solution.

Until recently I have been hosting a discussion maillist for one of my customers. Subscription is required for membership of the list and there is also an opt-in option on the member profile. So on a daily basis the subscriber list is recompiled based on subscriptions.

I need to move the mail list off my own mail server and I am looking for a host with an API (or some other interface, could be SOAP) facility to manage the subscriber list.

Any ideas please?

Jenny Gavin-Wear
Fast Track Online
http://www.fasttrackonline.co.uk/

--
I am using the free version of SPAMfighter. We are a community of 7 million users fighting spam. SPAMfighter has removed 20465 of my spam emails to date. Get the free SPAMfighter here: http://www.spamfighter.com/len
The Professional version does not have this message

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350244
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: (ot) Maillist with API
We've looked at both MailChimp and Campaign Monitor, both of whom have mature APIs and offer similar functionality. I'd recommend either.

Will

On 6 March 2012 11:29, Jenny Gavin-Wear jenn...@fasttrackonline.co.uk wrote:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350245
Re: (ot) Maillist with API
+1 for either, but MailChimp is probably the easier option.

On Tue, Mar 6, 2012 at 11:36 AM, Will Swain w...@hothorse.com wrote:
> We've looked at both MailChimp and Campaign Monitor, both of whom have mature APIs and offer similar functionality. I'd recommend either.
>
> Will

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350246
RE: Failed PCI Compliance test on CF9.01
Just out of curiosity, why can't you have the entire session running under SSL? Ever since Firesheep came out it is actually suggested to be all encrypted all the time.

Steve

-----Original Message-----
From: Robert Rhodes [mailto:rrhode...@gmail.com]
Sent: Tuesday, March 06, 2012 2:20 AM
To: cf-talk
Subject: Failed PCI Compliance test on CF9.01

> So a site that I built failed PCI compliance testing because the jsessionid cookie is not set securely. I found this post http://thinkinglemur.com/index.php/2009/02/setting-secure-attribute-of-jsessionid-cookie-in-coldfusion-8/ that shows how to force JRun to always set the session cookies securely, but the user loses their session state when they move between secure and non-secure pages (the jsessionid is different for secure pages). This is obviously a big problem, since we can't have the entire user session running under SSL.
>
> Any ideas on how to get the jsessionid to be the same on secure and non-secure pages? I am a little lost here.
>
> I am running CF 9.01, with the app set to sessionmanagement=yes and setclientcookies=no. In the administrator, I have Cookie set as my default client storage mechanism, and J2EE session variables enabled. I also have "use UUID for cftoken" enabled, but since I have setclientcookies set to no, I don't think that matters.
>
> -RR

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350247
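To make the trade-off in this thread concrete, here is an added example (not code from the thread, from Adobe ColdFusion or from JRun) that reproduces the scanner's Secure-attribute check on Set-Cookie headers and then simulates a browser and a JSESSIONID-issuing server across https:// and http:// pages. The cookie jar, the server and its session ids are a constructed model and the URLs are made up; only the cookie names (JSESSIONID, CFID, CFTOKEN) come from ColdFusion/JRun.

```python
"""Added example (not code from the cf-talk thread, Adobe ColdFusion or JRun).

Models two things the thread turns on:
  1. the scanner check that failed: a session cookie issued on an HTTPS
     response without the Secure attribute;
  2. why forcing Secure onto JSESSIONID makes the session "disappear" on
     http:// pages: a browser withholds Secure cookies from plain-HTTP
     requests, so the server sees no session id and mints a new one.
The jar, server and session ids are a constructed model, not real software.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

SESSION_COOKIE_NAMES = {"JSESSIONID", "CFID", "CFTOKEN"}


def audit_set_cookie_headers(headers, issued_over_https):
    """Scanner-style findings for a list of Set-Cookie header values.

    Mirrors the rule behind the failed scan: a session cookie set on an HTTPS
    response must carry Secure. HttpOnly is reported too, since PCI scanners
    commonly check both attributes on session cookies.
    """
    findings = []
    for raw in headers:
        parsed = SimpleCookie()
        parsed.load(raw)
        for name, morsel in parsed.items():
            if name.upper() not in SESSION_COOKIE_NAMES:
                continue  # e.g. a preferences cookie: not a session token
            if issued_over_https and not morsel["secure"]:
                findings.append(f"{name}: set over HTTPS without Secure")
            if not morsel["httponly"]:
                findings.append(f"{name}: missing HttpOnly")
    return findings


class BrowserJar:
    """Minimal jar (one host, one path): a Secure cookie is only sent on https://
    requests and, as current browsers do, a Secure cookie arriving on an
    http:// response is rejected (2012-era browsers stored it; the effect on
    the http:// pages is the same, they never see the HTTPS session)."""

    def __init__(self):
        self._cookies = {}  # name -> (value, secure flag)

    def store(self, set_cookie_value, response_url):
        parsed = SimpleCookie()
        parsed.load(set_cookie_value)
        for name, morsel in parsed.items():
            secure = bool(morsel["secure"])
            if secure and urlparse(response_url).scheme != "https":
                continue  # strict-secure rule: ignore it
            self._cookies[name] = (morsel.value, secure)

    def cookies_for(self, request_url):
        https = urlparse(request_url).scheme == "https"
        return {name: value for name, (value, secure) in self._cookies.items()
                if https or not secure}


class SessionServer:
    """Model of a servlet container handing out JSESSIONID.

    force_secure=True stands in for the JRun tweak from the linked post (always
    emit the Secure attribute). Ids are a counter so runs are reproducible; a
    real container derives them from a CSPRNG."""

    def __init__(self, force_secure):
        self.force_secure = force_secure
        self.sessions = set()
        self._counter = 0

    def handle(self, request_cookies):
        sid = request_cookies.get("JSESSIONID")
        if sid in self.sessions:
            return sid, None  # known session, no Set-Cookie needed
        self._counter += 1
        sid = f"S{self._counter}"
        self.sessions.add(sid)
        header = f"JSESSIONID={sid}; Path=/; HttpOnly"
        if self.force_secure:
            header += "; Secure"
        return sid, header


def browse(urls, force_secure):
    """Walk the URLs as one user; return the session id the server saw per hit."""
    jar, server = BrowserJar(), SessionServer(force_secure)
    seen = []
    for url in urls:
        sid, set_cookie = server.handle(jar.cookies_for(url))
        if set_cookie:
            jar.store(set_cookie, url)
        seen.append(sid)
    return seen
```

Walking https, http, https, http with force_secure=False yields one session throughout; with force_secure=True every http:// hit starts a fresh session, which is the symptom described above.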
RE: (ot) Maillist with API
Hi Will and Russ,

Many thanks for your replies!

I was looking at Mailchimp, but is it only a broadcast/newsletter service or does it support discussion lists with moderators, etc? I can't find anything about discussion mail lists on their site.

Jenny

-----Original Message-----
From: Will Swain [mailto:w...@hothorse.com]
Sent: 06 March 2012 11:36
To: cf-talk
Subject: Re: (ot) Maillist with API

> We've looked at both MailChimp and Campaign Monitor, both of whom have mature APIs and offer similar functionality. I'd recommend either.
>
> Will

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350248
Re: Failed PCI Compliance test on CF9.01
It's a video streaming site for members. I can't believe my only option is to stream video across SSL. There must be another solution.

-RR

On Tue, Mar 6, 2012 at 7:46 AM, DURETTE, STEVEN J sd1...@att.com wrote:
> Just out of curiosity, why can't you have the entire session running under SSL? Ever since Firesheep came out it is actually suggested to be all encrypted all the time.
>
> Steve

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350249
Re: CF 9 Multi-Server only uses default site
Thanks Russ! I looked through everything you suggested, and I can't see anything wrong. Here's my wsconfig.properties file:

1=IIS,1,false,
1.srv=localhost,cfusion
1.cfmx=true,null
2=IIS,2,false,
2.srv=localhost,Test01
2.cfmx=true,null

So it looks like my #2 site is pointing to the correct Test01 CF instance. The CFM handlers in IIS are pointing to C:\JRun4\lib\wsconfig\jrun_iis6.dll for both of my sites. Is that correct, or should site #2 be pointing somewhere else?

Something else that I noticed is, whenever I spin off a new CF instance none of the datasources seem to be carried over to the new instance. I have to add them manually. I'm not sure if this is related or not.

I've tried deleting and recreating my instances several times, and still no luck. Do you have any other suggestions?

Thanks,
Eric

From: Russ Michaels r...@michaels.me.uk
Sent: Thursday, February 23, 2012 11:49 AM
To: cf-talk cf-talk@houseoffusion.com
Subject: Re: CF 9 Multi-Server only uses default site

> Eric, check the .CFM handlers in IIS and make sure they link to the right connectors. If they do, then check the wsconfig.properties in the wsconfig folder; this should specify which connector is for which site/instance. It should look like this:
>
> 1=IIS,0,false,
> 1.srv=localhost,cfusion
> 1.cfmx=true,C:/Inetpub/wwwroot
> 2=IIS,7605,false,
> 2.srv=localhost,anorak
> 2.cfmx=true,null
> 3=IIS,2714,false,
> 3.srv=localhost,CFMX10120
> 3.cfmx=true,null
> 5=IIS,1851,false,
> 5.srv=localhost,CFMX10158
> 5.cfmx=true,null
>
> The number is the connector in your wsconfig folder, e.g. wsconfig/1, wsconfig/2. The first entry for each number tells you the web server type and site ID, the 2nd entry is the host and instance name, and the 3rd entry specifies that CF handlers are enabled.
>
> --
> Russ Michaels
> www.bluethunderinternet.com : Business hosting services solutions
> www.cfmldeveloper.com : ColdFusion developer community
> www.michaels.me.uk : my blog
> www.cfsearch.com : ColdFusion search engine
> skype me : russmichaels

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350250
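An added example, not code from the thread or from Adobe's wsconfig tool: a parser for the wsconfig.properties layout Russ describes, with a consistency check for the kind of mis-wiring that sends every site to the default instance (a site ID claimed by two connectors, a connector with no instance, or handlers switched off). The third field of the N= line is not explained in the thread and is kept raw rather than interpreted; the embedded sample is Russ's, the duplicate-site case in the test is constructed.

```python
"""Added example, not part of the cf-talk thread or of Adobe's wsconfig tool.

Parses the wsconfig.properties layout described in the thread:
  N=<web server>,<site ID>,<flag>,      N.srv=<host>,<instance>
  N.cfmx=<handlers enabled>,<doc root or null>
and checks the wiring for mistakes that make a site land on the wrong
instance. The third field of the N= line is not explained in the thread and
is kept raw (assumption: it is not needed for the site -> instance mapping).
"""


def parse_wsconfig(text):
    """Return one record per connector, ordered by connector number."""
    connectors = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        num, _, attr = key.partition(".")  # "2.srv" -> ("2", "srv"); "2" -> ("2", "")
        fields = [f.strip() for f in value.split(",")]
        rec = connectors.setdefault(num, {"connector": num})
        if attr == "":
            rec["webserver"], rec["site_id"] = fields[0], fields[1]
            rec["flag"] = fields[2] if len(fields) > 2 else ""  # unexplained, kept raw
        elif attr == "srv":
            rec["host"], rec["instance"] = fields[0], fields[1]
        elif attr == "cfmx":
            rec["handlers_enabled"] = fields[0].lower() == "true"
            rec["docroot"] = None if fields[1] == "null" else fields[1]
    return [connectors[n] for n in sorted(connectors, key=int)]


def check_wsconfig(records):
    """Human-readable issues; an empty list means the wiring is consistent."""
    issues = []
    owners = {}  # (web server, site ID) -> connector that first claimed it
    for rec in records:
        site = (rec.get("webserver"), rec.get("site_id"))
        if site in owners:
            issues.append(f"site {site[1]} on {site[0]} is wired to connectors "
                          f"{owners[site]} and {rec['connector']}")
        else:
            owners[site] = rec["connector"]
        if "instance" not in rec:
            issues.append(f"connector {rec['connector']} has no .srv line (no instance)")
        if not rec.get("handlers_enabled", False):
            issues.append(f"connector {rec['connector']} has CF handlers disabled")
    return issues


def site_to_instance(records):
    """(web server, site ID) -> instance name: the table to compare against IIS."""
    return {(r["webserver"], r["site_id"]): r.get("instance") for r in records}


# Sample from the thread (Russ's wsconfig.properties).
RUSS_SAMPLE = """\
1=IIS,0,false,
1.srv=localhost,cfusion
1.cfmx=true,C:/Inetpub/wwwroot
2=IIS,7605,false,
2.srv=localhost,anorak
2.cfmx=true,null
3=IIS,2714,false,
3.srv=localhost,CFMX10120
3.cfmx=true,null
5=IIS,1851,false,
5.srv=localhost,CFMX10158
5.cfmx=true,null
"""
```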
Re: CF 9 Multi-Server only uses default site
Eric,

This used to happen, on occasion. You can delete your current connectors and establish new ones using the config tool:

C:\JRun4\bin\wsconfig.exe

You might have a deeper issue, but sometimes it really is that simple. It usually was for us. (Reminds me just how much I love Apache...)

Steve 'Cutter' Blades
Adobe Community Professional
Adobe Certified Expert
Advanced Macromedia ColdFusion MX 7 Developer
http://cutterscrossing.com

Co-Author, Learning Ext JS 3.2
Packt Publishing 2010
https://www.packtpub.com/learning-ext-js-3-2-for-building-dynamic-desktop-style-user-interfaces/book

The best way to predict the future is to help create it

On 3/6/2012 8:37 AM, Eric Cobb wrote:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350251
Re: Failed PCI Compliance test on CF9.01
> It's a video streaming site for members. I can't believe my only option is to stream video across ssl. There must be another solution.

There is: take the main site out of scope for compliance. The only parts of a system that have to be PCI compliant are the ones that handle credit card information, usually an online store or subscription system. There is no technical reason I can think of that would require your billing system and video streaming servers to share infrastructure.

Separating the billing system out on to its own infrastructure means the rest of the system goes out of scope, and then you can do whatever you want with your cookies on the main part of the site. Keep the billing system isolated and your headaches will be greatly reduced.

-Justin Sco

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350252
Re: Failed PCI Compliance test on CF9.01
Justin, thanks for the reply, and I get your point, but I can't break out the registration process into a standalone site quickly. There must be a fairly quick solution to this problem. Surely, I can't be the first to deal with this.

On Tue, Mar 6, 2012 at 8:44 AM, Justin Scott leviat...@darktech.org wrote:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350253
RE: Failed PCI Compliance test on CF9.01
Robert, a product like Fuseguard from Pete Freitag or a Web Application Firewall (or a plugin type of filter to your existing firewall) may help. I'm currently going through a similar process and thought these options might help.

Ché

-----Original Message-----
From: Robert Rhodes [mailto:rrhode...@gmail.com]
Sent: Tuesday, March 06, 2012 9:08 AM
To: cf-talk
Subject: Re: Failed PCI Compliance test on CF9.01

> Justin, thanks for the reply, and I get your point, but I can't break out the registration process into a standalone site quickly. There must be a fairly quick solution to this problem. Surely, I can't be the first to deal with this.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350254
Re: Failed PCI Compliance test on CF9.01
Robert,

This is odd that you are losing the session. Are you using CF in multiserver mode or standalone? The article you referenced was for CF8; however, we're currently running CF9 Ent in multiserver mode and we've not had this issue crop up. We are, however, using a DB with client cookies for managing state across CF instances.

Best Regards,
Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer
==
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.

On Tue, Mar 6, 2012 at 2:17 PM, Che Vilnonis ch...@asitv.com wrote:
> Robert, a product like Fuseguard from Pete Freitag or a Web Application Firewall (or a plugin type of filter to your existing firewall) may help. I'm currently going through a similar process and thought these options might help.
>
> Ché

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350255
Re: Failed PCI Compliance test on CF9.01
I'll echo what Donnie said. We're actually running CF 8 with the DB client settings and did not have any issues with the cookies in our PCI audit.

Phil

On Tue, Mar 6, 2012 at 9:24 AM, Donnie Bachan (Gmail) donnie.bac...@gmail.com wrote:
> Robert,
>
> This is odd that you are losing the session. Are you using CF in multiserver mode or standalone? The article you referenced was for CF8; however, we're currently running CF9 Ent in multiserver mode and we've not had this issue crop up. We are, however, using a DB with client cookies for managing state across CF instances.
>
> Best Regards,
> Donnie Bachan
> Nitendo Vinces - By Striving You Shall Conquer

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350256
Re: Failed PCI Compliance test on CF9.01
On Tue, Mar 6, 2012 at 9:07 AM, Robert Rhodes rrhode...@gmail.com wrote:
> Justin, thanks for the reply, and I get your point, but I can't break out the registration process into a standalone site quickly. There must be a fairly quick solution to this problem. Surely, I can't be the first to deal with this.

I think that the quick solution is to put everything under SSL.

-Cameron

--
Cameron Childress
--
p: 678.637.5072
im: cameroncf
facebook http://www.facebook.com/cameroncf | twitter http://twitter.com/cameronc | google+ https://profiles.google.com/u/0/117829379451708140985

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350257
Re: Failed PCI Compliance test on CF9.01
> Justin, thanks for the reply, and I get your point, but I can't break out the registration process into a standalone site quickly. There must be a fairly quick solution to this problem. Surely, I can't be the first to deal with this.

Another option might be to ask your scanning vendor for an exception to that scanning rule. If you can demonstrate to them that no credit card information is accessible through the user's account (e.g. the card number isn't visible anywhere, etc., and it really doesn't matter if the session is hijacked from the standpoint of credit card security) and explain the situation, they are generally willing to work with you on this kind of thing.

Remember, their scanning rules are designed to cover the widest possible threat model. If you have specific needs that don't fit into that model but have compensating controls in place, it shouldn't be a problem (e.g. this used to be an issue with the incremental session IDs which the scanners check for, but paired with the random session token as a compensating control they would always make an exception for this rule when asked).

-Justin Sco

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350258
(ot) Places to post a CF opening
We have an opening for someone with CF experience. We advertised it as a DBA with CF experience and posted on some free sites and Craigslist and have not had any bites locally. The powers that be do not want to nut up to post it to Monster or CareerBuilder. I know that there is the CF-Jobs list, but where else can we post for free that will get us more coverage?

As always, many TIA.

G!

--
Gerald Guido
http://www.myinternetisbroken.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350259
Re: Failed PCI Compliance test on CF9.01
Justin, I don't think that would work though. Depending on the level of compliance and the SAQ being completed, I don't think any vendor will allow that exemption regardless of whether credit card information is visible or not. If an attacker is allowed any access to a user session and can harvest any personally identifiable information, it could affect the security of any credit card entered into the site.

Best Regards,
Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer

On Tue, Mar 6, 2012 at 2:41 PM, Justin Scott leviat...@darktech.org wrote:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350260
Re: (ot) Places to post a CF opening
Go to houseoffusion.com.

On Tue, Mar 6, 2012 at 10:11 AM, Gerald Guido gerald.gu...@gmail.com wrote:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350261
Re: Failed PCI Compliance test on CF9.01
> Justin, I don't think that would work though. Depending on the level of compliance and the SAQ being completed, I don't think any vendor will allow that exemption regardless of whether credit card information is visible or not. If an attacker is allowed any access to a user session and can harvest any personally identifiable information, it could affect the security of any credit card entered into the site.

Perhaps, though you'd be surprised what they will sign off on with proper compensating controls in place. It can't hurt to ask, in any case.

Ultimately, my advice in this situation is to isolate the billing system so that the rest of the system isn't in scope for compliance. Trying to find a quick fix when it comes to PCI compliance is just asking for problems.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350262
Re: (ot) Places to post a CF opening
> I know that there is the CF-Jobs list but where else can we post for free that will get us more coverage?

There is the HoF CF-Jobs mailing list, as mentioned. I would also recommend contacting Ricardo Parente at http://cfdevelopers.net/ as he runs a ColdFusion job site/blog that gets pretty good coverage.

-Justin Scott

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350263
Re: (ot) Places to post a CF opening
Gerald Guido gerald.gu...@gmail.com wrote:
> We have an opening for someone with CF experience. We advertised it as a DBA with CF experience and posted on some free sites and Craigslist and have not had any bites locally. The powers that be do not want to nut up to post it to Monster or CareerBuilder. I know that there is the CF-Jobs list, but where else can we post for free that will get us more coverage?
>
> As always, many TIA.
>
> G!

You might put it on the LinkedIn CF groups under Jobs.

--
LinkedIn: http://www.linkedin.com/pub/roger-austin/8/a4/60
Twitter: http://twitter.com/RogerTheGeek
Google+: https://plus.google.com/117357905892731200369

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350264
Re: Failed PCI Compliance test on CF9.01
For both Phillip and Donnie -- I just set the site up for database storage for the client session in the CF admin (Server Settings - Client Variables), and I see data going into those two tables, but I am still losing the session state when moving from https to http.

I have this set in my application.cfm:

    clientmanagement=Yes
    sessionmanagement=Yes
    setclientcookies=No
    clientstorage=MyDSN

What am I doing wrong? I did remove the change I made to JRun to force session cookies to be set securely, but I doubt that matters now, because setclientcookies is set to No. I am running CF 9.01 Standard.

-RR

On Tue, Mar 6, 2012 at 9:24 AM, Donnie Bachan (Gmail) donnie.bac...@gmail.com wrote:

> Robert,
>
> This is odd that you are losing the session. Are you using CF in multiserver mode or standalone? The article you referenced was for CF8; however, we're currently running CF9 Ent in multiserver mode and we've not had this issue crop up. We are, however, using a DB with client cookies for managing state across CF instances.
>
> Best Regards,
> Donnie Bachan
> Nitendo Vinces - By Striving You Shall Conquer
> ==
> The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.
>
> On Tue, Mar 6, 2012 at 2:17 PM, Che Vilnonis ch...@asitv.com wrote:
>
>> Robert, a product like FuseGuard from Pete Freitag or a Web Application Firewall (or a plugin type of filter to your existing firewall) may help. I'm currently going through a similar process and thought these options might help.
>>
>> Ché
>>
>> -----Original Message-----
>> From: Robert Rhodes [mailto:rrhode...@gmail.com]
>> Sent: Tuesday, March 06, 2012 9:08 AM
>> To: cf-talk
>> Subject: Re: Failed PCI Compliance test on CF9.01
>>
>>> Justin, thanks for the reply, and I get your point, but I can't break out the registration process into a standalone site quickly. There must be a fairly quick solution to this problem. Surely, I can't be the first to deal with this.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350265
Re: Failed PCI Compliance test on CF9.01
Are all your sites running under CF, or do you have another Java-based app server, like Tomcat/JBoss, running portions of your site as well? That happened to me. Someone turned on sessions for a Tomcat app that didn't need it, and users would drop sessions as they moved around the site from the CF side to the Tomcat side.

Phil

On Tue, Mar 6, 2012 at 10:33 AM, Robert Rhodes rrhode...@gmail.com wrote:

> For both Phillip and Donnie -- I just set the site up for database storage for the client session in the CF admin (Server Settings - Client Variables), and I see data going into those two tables, but I am still losing the session state when moving from https to http. [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350266
Re: Failed PCI Compliance test on CF9.01
Nope. Just CF on this server, and just this one site running.

On Tue, Mar 6, 2012 at 10:37 AM, Phillip Duba phild...@gmail.com wrote:

> Are all your sites running under CF, or do you have another Java-based app server, like Tomcat/JBoss, running portions of your site as well? That happened to me. Someone turned on sessions for a Tomcat app that didn't need it, and users would drop sessions as they moved around the site from the CF side to the Tomcat side. [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350267
Re: Failed PCI Compliance test on CF9.01
Hi Robert,

I'm not sure if I'm missing something, but shouldn't you have setClientCookies set to Yes? Otherwise you'd have to pass the JSESSIONID in the URL on each request.

Best Regards,
Donnie Bachan
Nitendo Vinces - By Striving You Shall Conquer

On Tue, Mar 6, 2012 at 3:33 PM, Robert Rhodes rrhode...@gmail.com wrote:

> For both Phillip and Donnie -- I just set the site up for database storage for the client session in the CF admin (Server Settings - Client Variables), and I see data going into those two tables, but I am still losing the session state when moving from https to http.
>
> I have this set in my application.cfm:
>
>     clientmanagement=Yes
>     sessionmanagement=Yes
>     setclientcookies=No
>     clientstorage=MyDSN
>
> What am I doing wrong?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350268
Re: Failed PCI Compliance test on CF9.01
I just put back the JRun setting to pass cookies securely, and am sending the jsessionid securely again. And I am set up to use the database for client storage. It's still losing the session when I switch between http and https.

I do have setclientcookies set to No, because that sets CFID and CFTOKEN insecurely, which is what caused the PCI test failure.

This really should not be this hard. I can't be the only person dealing with this issue. :(

On Tue, Mar 6, 2012 at 10:44 AM, Donnie Bachan (Gmail) donnie.bac...@gmail.com wrote:

> Hi Robert,
>
> I'm not sure if I'm missing something, but shouldn't you have setClientCookies set to Yes? Otherwise you'd have to pass the JSESSIONID in the URL on each request. [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350269
Re: (ot) Places to post a CF opening
http://cfdevelopers.net/page.cfm/job-offers is where you post it.

On Tue, Mar 6, 2012 at 10:26 AM, Justin Scott leviat...@darktech.org wrote:

> There is the HoF CF-Jobs mailing list, as mentioned. I would also recommend contacting Ricardo Parente at http://cfdevelopers.net/ as he runs a ColdFusion job site/blog that gets pretty good coverage. [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350270
Re: Failed PCI Compliance test on CF9.01
On Tue, Mar 6, 2012 at 11:13 AM, Robert Rhodes rrhode...@gmail.com wrote:

> I just put back the JRun setting to pass cookies securely, and am sending the jsessionid securely again. And I am set up to use the database for client storage. It's still losing the session when I switch between http and https.

Sending securely means sending over HTTPS. That is why non-SSL is losing session.

-Cameron

--
Cameron Childress
p: 678.637.5072
im: cameroncf
facebook http://www.facebook.com/cameroncf | twitter http://twitter.com/cameronc | google+ https://profiles.google.com/u/0/117829379451708140985

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350271
Re: CF9/Win2008 CFDocument/PDF Chinese characters not showing if wrapped with an HTML tag
> I believe you should wrap your data with cfprocessingdirective tag.

I tried cfprocessingdirective with the following pageencodings with no change in behavior: windows-1252, windows-950, windows-936, big5, utf-8. Same thing happens: if I put any sort of HTML tag around the Chinese characters, they don't display in cfdocument's PDF output. If I leave the characters unwrapped, they show in the PDF just fine.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350272
RE: Failed PCI Compliance test on CF9.01
Your issue is more likely the fact that you are switching between https and http. I don't believe that the cookies can cross that barrier.

However, as to your cookies not being secure, check out the article by Pete Freitag: Adobe Developer Connection / ColdFusion Developer Center / "Securing your applications using HttpOnly cookies with ColdFusion" (sorry, I don't have the URL). It has a section on using secure cookies with https/SSL.

Steve

-----Original Message-----
From: Robert Rhodes [mailto:rrhode...@gmail.com]
Sent: Tuesday, March 06, 2012 11:13 AM
To: cf-talk
Subject: Re: Failed PCI Compliance test on CF9.01

> I just put back the JRun setting to pass cookies securely, and am sending the jsessionid securely again. And I am set up to use the database for client storage. It's still losing the session when I switch between http and https. I do have setclientcookies set to No, because that sets CFID and CFTOKEN insecurely, which is what caused the PCI test failure. [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350273
Re: Failed PCI Compliance test on CF9.01
Hi Robert,

You are caught in a bit of a Catch-22 here. If you want to set the secure attribute on session cookies delivered over SSL, but also have it use the same cookie values over non-SSL, then that defeats the purpose of adding the secure attribute. If you want to do that, you can't use the secure attribute on the cookies. The secure attribute says "only send this cookie over SSL", so when you make a request to a non-SSL URL the browser will not send the cookie; this causes ColdFusion to issue a new session.

The best solution is to run all on SSL as Cameron suggested. Here's a good read on the performance of SSL and TLS: http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html - the main point being that SSL is not as computationally expensive as you may think.

If that's not going to fly, then you need to build something to share data between the sessions, while making sure that the non-SSL data is not privileged. It can get complicated to ensure that you're not opening yourself up to security issues over non-SSL.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Tue, Mar 6, 2012 at 2:19 AM, Robert Rhodes rrhode...@gmail.com wrote:

> So a site that I built failed PCI compliance testing because the jsessionid cookie is not set securely. I found this post http://thinkinglemur.com/index.php/2009/02/setting-secure-attribute-of-jsessionid-cookie-in-coldfusion-8/ that shows how to force JRun to always set the session cookies securely, but the user loses their session state when they move between secure and non-secure pages (the jsessionid is different for secure pages). This is obviously a big problem, since we can't have the entire user session running under SSL. Any ideas on how to get the jsessionid to be the same on secure and non-secure pages? I am a little lost here.
>
> I am running CF 9.01, with the app set to sessionmanagement=yes and setclientcookies=no. In the administrator, I have Cookie set as my default client storage mechanism, and J2EE session variables enabled. I also have "Use UUID for cftoken" enabled, but since I have setclientcookies set to no, I don't think that matters.
>
> -RR

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350275
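To make the failure mode Pete describes concrete, here is an added example (not from the thread and not ColdFusion or JRun code) that models the two halves of the problem: the check a PCI scanner effectively makes on a Set-Cookie header, and a browser cookie jar that follows the RFC 6265 Secure rule talking to a server that issues a fresh session id whenever none is presented. All class and function names are this example's own, and the request walks are constructed.

```python
"""Added example, not from the cf-talk thread or ColdFusion: why a Secure-flagged
JSESSIONID cannot follow a user from https:// to http:// pages.

The jar models only the RFC 6265 section 5.4 send rule (a Secure cookie is not
sent on a non-secure request); the server models "no known session id presented,
so issue a new session", which is what ColdFusion does on the non-SSL request.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value, keeping name/value and the two flags we care about."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.lower() for p in parts[1:]}
    return Cookie(name.strip(), value, "secure" in attrs, "httponly" in attrs)


def audit_session_cookie(header: str) -> List[str]:
    """The check a compliance scan boils down to: which protective flags are missing."""
    c = parse_set_cookie(header)
    findings = []
    if not c.secure:
        findings.append(f"{c.name}: missing Secure attribute")
    if not c.http_only:
        findings.append(f"{c.name}: missing HttpOnly attribute")
    return findings


class BrowserJar:
    """Cookie jar that withholds Secure cookies from plain http:// requests."""

    def __init__(self) -> None:
        self.cookies: Dict[str, Cookie] = {}

    def store(self, header: str) -> None:
        c = parse_set_cookie(header)
        self.cookies[c.name] = c  # same name replaces the earlier cookie

    def cookies_for(self, scheme: str) -> Dict[str, str]:
        return {c.name: c.value for c in self.cookies.values()
                if not c.secure or scheme == "https"}


class SessionServer:
    """Issues a new session id for any request that carries no known id."""

    def __init__(self, secure_flag: bool) -> None:
        self.secure_flag = secure_flag  # the JRun "always set Secure" switch
        self.sessions: set = set()

    def handle(self, request_cookies: Dict[str, str]) -> Tuple[str, Optional[str]]:
        sid = request_cookies.get("JSESSIONID")
        if sid in self.sessions:
            return sid, None  # existing session, nothing to set
        sid = secrets.token_hex(16)
        self.sessions.add(sid)
        header = f"JSESSIONID={sid}; Path=/; HttpOnly"
        if self.secure_flag:
            header += "; Secure"
        return sid, header


def simulate(secure_flag: bool, schemes: List[str]) -> List[str]:
    """Walk one browser through pages with the given schemes; return the session id seen each time."""
    server = SessionServer(secure_flag)
    jar = BrowserJar()
    seen = []
    for scheme in schemes:
        sid, set_cookie = server.handle(jar.cookies_for(scheme))
        if set_cookie:
            jar.store(set_cookie)
        seen.append(sid)
    return seen


def session_survives(secure_flag: bool, schemes: List[str]) -> bool:
    """True when every request in the walk lands in the same session."""
    return len(set(simulate(secure_flag, schemes))) == 1


if __name__ == "__main__":
    # Constructed walks: a login page over https, then a content page over http, then back.
    print("without Secure:", session_survives(False, ["https", "http", "https"]))  # True
    print("with Secure:   ", session_survives(True, ["https", "http", "https"]))   # False
    print("all https:     ", session_survives(True, ["https", "https", "https"]))  # True
```

The last walk is the point of the thread: with the Secure attribute on, the session only holds together when every page is served over https.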
Re: (ot) Maillist with API
Sorry, must have misread. If you're looking for discussion lists, then there is always Google Apps, which gives you Google Groups using your own domain.

On Tue, Mar 6, 2012 at 12:51 PM, Jenny Gavin-Wear jenn...@fasttrackonline.co.uk wrote:

> Hi Will and Russ,
>
> Many thanks for your replies! I was looking at MailChimp, but is it only a broadcast/newsletter service or does it support discussion lists with moderators, etc? I can't find anything about discussion mail lists on their site.
>
> Jenny
>
> -----Original Message-----
> From: Will Swain [mailto:w...@hothorse.com]
> Sent: 06 March 2012 11:36
> To: cf-talk
> Subject: Re: (ot) Maillist with API
>
>> We've looked at both MailChimp and Campaign Monitor, both of whom have mature APIs and offer similar functionality. I'd recommend either. [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350276
Re: Failed PCI Compliance test on CF9.01
I hear you, but there are issues preventing me from going all https. It's a long story. Is there a way to copy, with some code in the application.cfm, the jsessionid between http and https so we don't lose the session state?

-rr

On Tue, Mar 6, 2012 at 11:24 AM, Pete Freitag p...@foundeo.com wrote:

> Hi Robert,
>
> You are caught in a bit of a Catch-22 here. If you want to set the secure attribute on session cookies delivered over SSL, but also have it use the same cookie values over non-SSL, then that defeats the purpose of adding the secure attribute. [...]
>
> The best solution is to run all on SSL as Cameron suggested. [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350277
Re: (ot) Places to post a CF opening
Make certain that the job is posted on indeed.com. If you're not familiar with the site, they scan all the major job sites and listings on major corporate sites, but they've added the ability for employers to directly post jobs on the site.

Concerning your opening: are they open to telecommuting? If not, why not?

Rick

On Tue, Mar 6, 2012 at 10:11 AM, Gerald Guido gerald.gu...@gmail.com wrote:

> We have an opening for someone with CF experience. We advertised it as a DBA with CF experience and posted on some free sites and Craigslist and have not had any bites locally. [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350278
Re: Failed PCI Compliance test on CF9.01
On Tue, Mar 6, 2012 at 11:55 AM, Robert Rhodes rrhode...@gmail.com wrote:

> I hear you, but there are issues preventing me from going all https. It's a long story. Is there a way to copy, with some code in the application.cfm, the jsessionid between http and https so we don't lose the session state?

You could make this work, but then you would be exactly where you currently are, and would again fail the PCI audit.

I know you are looking for a quick answer, but there isn't really a great easy option here. Many shops spend literally months getting compliant, so this code change really doesn't seem so huge in comparison, even though I know it feels like it is. Your best solution, in the long term as well as the short run, is to make the code changes and just spend the time and money on it so it's right.

-Cameron

--
Cameron Childress
p: 678.637.5072
im: cameroncf
facebook http://www.facebook.com/cameroncf | twitter http://twitter.com/cameronc | google+ https://profiles.google.com/u/0/117829379451708140985

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350279
Re: CF 9 Multi-Server only uses default site
The regular CF handlers that point to jrun_iis6.dll actually do nothing; they don't even work. The wildcard handler jrun_iis_wildcard.dll is the only one you actually need and which works, so this is the one you need to check is pointing to the right connector.

If you still can't get it working, contact me off-list with remote desktop access details and I will log in and take a look for you.

On 3/6/2012 8:37 AM, Eric Cobb wrote:

> Thanks Russ!
>
> I looked through everything you suggested, and I can't see anything wrong. Here's my wsconfig.properties file:
>
>     1=IIS,1,false,
>     1.srv=localhost,cfusion
>     1.cfmx=true,null
>     2=IIS,2,false,
>     2.srv=localhost,Test01
>     2.cfmx=true,null
>
> So it looks like my #2 site is pointing to the correct Test01 CF instance. The CFM handlers in IIS are pointing to C:\JRun4\lib\wsconfig\jrun_iis6.dll for both of my sites. Is that correct, or should site #2 be pointing somewhere else?
>
> Something else that I noticed is, whenever I spin off a new CF instance, none of the datasources seem to be carried over to the new instance. I have to add them manually. I'm not sure if this is related or not.
>
> I've tried deleting and recreating my instances several times, and still no luck. Do you have any other suggestions?
>
> Thanks,
> Eric
>
> From: Russ Michaels r...@michaels.me.uk
> Sent: Thursday, February 23, 2012 11:49 AM
> To: cf-talk cf-talk@houseoffusion.com
> Subject: Re: CF 9 Multi-Server only uses default site
>
>> Eric,
>> Check the .CFM handlers in IIS and make sure they link to the right connectors. If they do, then check the wsconfig.properties in the wsconfig folder; this should specify which connector is for which site/instance. It should look like this:
>>
>>     1=IIS,0,false,
>>     1.srv=localhost,cfusion
>>     1.cfmx=true,C:/Inetpub/wwwroot
>>     2=IIS,7605,false,
>>     2.srv=localhost,anorak
>>     2.cfmx=true,null
>>     3=IIS,2714,false,
>>     3.srv=localhost,CFMX10120
>>     3.cfmx=true,null
>>     5=IIS,1851,false,
>>     5.srv=localhost,CFMX10158
>>     5.cfmx=true,null
>>
>> The number is the connector in your wsconfig folder, e.g. wsconfig/1, wsconfig/2.
>> The first entry for each number tells you the web server type and site ID.
>> The 2nd entry is the host and instance name.
>> The 3rd entry specifies that CF handlers are enabled.
>>
>> --
>> Russ Michaels
>> www.bluethunderinternet.com : Business hosting services solutions
>> www.cfmldeveloper.com : ColdFusion developer community
>> www.michaels.me.uk : my blog
>> www.cfsearch.com : ColdFusion search engine
>> skype me : russmichaels

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350280
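As an added example (not from the thread and not part of Adobe's wsconfig tooling), here is a parser for the wsconfig.properties layout Russ describes, plus a lookup that answers Eric's question of which wsconfig/N connector directory a given IIS site's handler should come from, and a sanity check for the mistakes that make a site land on the wrong instance. The sample text is constructed from the listing quoted above; the field meanings follow Russ's explanation, and all names are this example's own.

```python
"""Added example, not from the cf-talk thread: parse wsconfig.properties as Russ
describes it and map each IIS site ID to its connector directory and CF instance.

Layout (per Russ):  N=<webserver>,<siteID>,false,   N.srv=<host>,<instance>
                    N.cfmx=<handlers enabled>,<docroot or null>
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the second listing quoted in the thread.
SAMPLE = """\
1=IIS,0,false,
1.srv=localhost,cfusion
1.cfmx=true,C:/Inetpub/wwwroot
2=IIS,7605,false,
2.srv=localhost,anorak
2.cfmx=true,null
3=IIS,2714,false,
3.srv=localhost,CFMX10120
3.cfmx=true,null
5=IIS,1851,false,
5.srv=localhost,CFMX10158
5.cfmx=true,null
"""


@dataclass
class Connector:
    number: int                      # wsconfig/<number> holds this connector's DLLs
    web_server: str = ""             # first entry: web server type
    site_id: str = ""                # first entry: IIS site ID bound to the connector
    host: str = ""                   # .srv entry: JRun host
    instance: str = ""               # .srv entry: CF instance name
    cf_handlers: bool = False        # .cfmx entry: CF handlers enabled
    doc_root: Optional[str] = None   # .cfmx entry: web root, None when "null"


def parse_wsconfig(text: str) -> Dict[int, Connector]:
    """Group the N=, N.srv= and N.cfmx= lines into one Connector per number."""
    connectors: Dict[int, Connector] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        number_str, _, suffix = key.partition(".")
        if not number_str.isdigit():
            continue  # not a connector entry
        number = int(number_str)
        conn = connectors.setdefault(number, Connector(number))
        fields = [f.strip() for f in value.split(",")]
        if len(fields) < 2:
            continue  # malformed line; leave the connector as is
        if suffix == "":
            conn.web_server, conn.site_id = fields[0], fields[1]
        elif suffix == "srv":
            conn.host, conn.instance = fields[0], fields[1]
        elif suffix == "cfmx":
            conn.cf_handlers = fields[0].lower() == "true"
            conn.doc_root = None if fields[1].lower() == "null" else fields[1]
    return connectors


def connector_dir_for_site(connectors: Dict[int, Connector], site_id: str) -> Optional[str]:
    """The wsconfig/<N> directory whose connector is bound to this IIS site ID."""
    for conn in connectors.values():
        if conn.site_id == site_id:
            return f"wsconfig/{conn.number}"
    return None


def find_problems(connectors: Dict[int, Connector]) -> List[str]:
    """Configurations that make a site serve from the wrong place or not at all."""
    problems: List[str] = []
    seen_sites: Dict[str, int] = {}
    for number, conn in sorted(connectors.items()):
        if not conn.instance:
            problems.append(f"connector {number}: no .srv line, so no CF instance is bound")
        if not conn.cf_handlers:
            problems.append(f"connector {number}: CF handlers disabled (.cfmx not true)")
        if conn.site_id in seen_sites:
            problems.append(f"connector {number}: site ID {conn.site_id} already used by "
                            f"connector {seen_sites[conn.site_id]}")
        else:
            seen_sites[conn.site_id] = number
    return problems


if __name__ == "__main__":
    conns = parse_wsconfig(SAMPLE)
    for n, c in sorted(conns.items()):
        print(f"wsconfig/{n}: IIS site {c.site_id} -> instance {c.instance}")
    print(connector_dir_for_site(conns, "7605"))  # wsconfig/2
    print(find_problems(conns))                    # []
```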
Re: (ot) Places to post a CF opening
you could also try www.odesk.com www.freelancers.com

On Tue, Mar 6, 2012 at 5:30 PM, Rick Mason rhma...@gmail.com wrote:
> Make certain that the job is posted on indeed.com. If you're not familiar with the site, they scan all the major job sites and listings on major corp sites. But they've added the ability for employers to directly post jobs on the site.
>
> Concerning your opening, are they open to telecommuting? If not, why not?
>
> Rick
>
> On Tue, Mar 6, 2012 at 10:11 AM, Gerald Guido gerald.gu...@gmail.com wrote:
> > We have an opening for someone with CF Experience. We advertised it as a DBA with CF Experience and posted on some free sites and Craig's list and have not had any bites locally. The powers that be do not want to nut up to post it to Monster or career builder. I know that there is the CF-Jobs list but where else can we post for free that will get us more coverage?
> >
> > As always many TIA.
> >
> > G!
> >
> > --
> > Gerald Guido
> > http://www.myinternetisbroken.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350281
Re: Failed PCI Compliance test on CF9.01
Ok, I am going to try to make the site work all SSL. I am concerned about the video streaming over SSL, but I guess we will see how it goes.

On a related subject: is there a way to make the jsessionid cookie secure without making the jrun change? I ask because doing so affects all sites on the server, and I had planned to run other sites on this particular server.

On Tue, Mar 6, 2012 at 12:59 PM, Cameron Childress camer...@gmail.com wrote:
> On Tue, Mar 6, 2012 at 11:55 AM, Robert Rhodes rrhode...@gmail.com wrote:
> > I hear you, but there are issues preventing me from going all https. It's a long story. Is there a way to copy, with some code in the application.cfm, the jsessionid between http and https so we don't lose the session state?
>
> You could make this work, but then you would be exactly where you currently are, and would again fail the PCI audit.
>
> I know you are looking for a quick answer, but there isn't really a great easy option here. Many shops spend literally months getting compliant, so this code change really doesn't seem so huge in comparison, even though I know it feels like it is. Your best solution, in the long term as well as the short run, is to make the code changes and just spend the time and money on it so it's right.
>
> -Cameron
>
> --
> Cameron Childress
> p: 678.637.5072
> im: cameroncf
> facebook http://www.facebook.com/cameroncf | twitter http://twitter.com/cameronc | google+ https://profiles.google.com/u/0/117829379451708140985

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350282
Re: Failed PCI Compliance test on CF9.01
Yes. If it were me, I would turn setClientCookies=false in the Application.cfc|cfm and then set them manually using:

<cfcookie name="cfid" value="#session.cfid#" secure="true" />
<cfcookie name="cftoken" value="#session.cftoken#" secure="true" />

If you google around a bit you can probably find some sample code for doing this.

If you are using JSessionIDs (not cfid/cftoken) you'll be just setting that cookie, but I would expect it to work in that case as well.

While you're at it you might also pop open Chrome debugging or the like and verify that those are the only cookies being sent, just to make sure you don't have something else that trips you up.

-Cameron

On Tue, Mar 6, 2012 at 1:47 PM, Robert Rhodes rrhode...@gmail.com wrote:
> Ok, I am going to try to make the site work all ssl. [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350283
Re: (ot) Maillist with API
> sorry must have misread, if you're looking for discussion lists then there is always google apps which gives you google groups using your own domain.

Yes, and Apps does have an API that lets you do quite a bit.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350284
Re: Failed PCI Compliance test on CF9.01
That works for cfid and cftoken, thanks. But it won't work for jsessionid, because once that is selected in the administrator, it shows up as an unsecure cookie, even if you have setclientcookies turned off. That's a bummer, I wanted to use jsessionids.

On Tue, Mar 6, 2012 at 1:59 PM, Cameron Childress camer...@gmail.com wrote:
> Yes. If it were me, I would turn setClientCookies=false in the Application.cfc|cfm and then set them manually using: [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350285
Re: Failed PCI Compliance test on CF9.01
Try this:

http://www.12robots.com/index.cfm/2009/5/6/Making-the-JSESSIONID-Session-Token-Cookie-SECURE-and-HTTPOnly-and-settings-its-PATH

-Cameron

On Tue, Mar 6, 2012 at 2:39 PM, Robert Rhodes rrhode...@gmail.com wrote:
> That works for cfid and cftoken, thanks. But it won't work for jsessionid, [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350286
Re: Failed PCI Compliance test on CF9.01
...also - make sure you've cleared out cookies in your browser after you've made CF code changes. Old cookies could be hanging out and screwing up your testing.

-Cameron

On Tue, Mar 6, 2012 at 2:39 PM, Robert Rhodes rrhode...@gmail.com wrote:
> That works for cfid and cftoken, thanks. But it won't work for jsessionid, [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350287
Re: Failed PCI Compliance test on CF9.01
> On a related subject: is there a way to make the jsessionid cookie secure without making the jrun change? I ask because doing so affects all sites on the server, and I had planned to run other sites on this particular server.

Be careful with this... if your billing system is on this server and other sites share the same server and aren't properly sandboxed, they are technically in-scope for compliance as well, as they offer other roads into the server which could lead to the compromise of your billing system. All the more reason to isolate it now while you still can. :)

-Just

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350288
Re: Failed PCI Compliance test on CF9.01
Yes, I saw that. But he does not say how he made the new jsession id string. I am sure it is not some random string he programmatically generated. So, there must be a way to get at the jsessionid even if you don't have jsessionidenabled in the administrator.

On Tue, Mar 6, 2012 at 2:44 PM, Cameron Childress camer...@gmail.com wrote:
> Try this:
>
> http://www.12robots.com/index.cfm/2009/5/6/Making-the-JSESSIONID-Session-Token-Cookie-SECURE-and-HTTPOnly-and-settings-its-PATH
>
> -Cameron
>
> On Tue, Mar 6, 2012 at 2:39 PM, Robert Rhodes rrhode...@gmail.com wrote:
> > That works for cfid and cftoken, thanks. But it won't work for jsessionid, [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350289
Re: Failed PCI Compliance test on CF9.01
On Tue, Mar 6, 2012 at 2:56 PM, Robert Rhodes rrhode...@gmail.com wrote:
> Yes, I saw that. But he does not say how he made the new jsession id string. I am sure it is not some random string he programmatically generated. So, there must be a way to get at the jsessionid even if you don't have jsessionidenabled in the administrator.

I'd say, enable it in the CFAdmin, tell CF not to set cookies automatically (via code), then set it yourself.

Are you sure it's getting set as nonsecure? That is very surprising to me.

-Cameron

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350290
Re: Failed PCI Compliance test on CF9.01
If jsessionids are enabled, CF appears to set that cookie, no matter what. I know of no way to prevent that from happening. And yes, even though the site is being loaded by https, the jsessionid cookie is still being set insecurely.

As I said before, this should be easier than it is. Or maybe it's just because I am missing something obvious.

-RR

On Tue, Mar 6, 2012 at 3:00 PM, Cameron Childress camer...@gmail.com wrote:
> On Tue, Mar 6, 2012 at 2:56 PM, Robert Rhodes rrhode...@gmail.com wrote:
> > Yes, I saw that. But he does not say how he made the new jsession id string. [...]
>
> I'd say, enable it in the CFAdmin, tell CF not to set cookies automatically (via code), then set it yourself.
>
> Are you sure it's getting set as nonsecure? That is very surprising to me.
>
> -Cameron

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350291
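The check this sub-thread keeps coming back to (Cameron's advice to open the browser's debugging tools and verify which cookies are sent with which flags, and Robert's finding that JSESSIONID still arrives without Secure even on https) can be done offline against captured response headers. The Python below is an added example and is not code from the list or from ColdFusion: it parses constructed Set-Cookie header lines and reports any session cookie (CFID, CFTOKEN, JSESSIONID) that lacks the Secure or HttpOnly attribute, which is exactly what a PCI scanner flags as an insecure session token. Cookie values, header samples and function names are my own.

```python
"""Audit Set-Cookie headers for session cookies missing Secure / HttpOnly.

Added example, not code from the cf-talk thread. Feed it the Set-Cookie
headers of an HTTPS response (copied from the browser's network panel or a
proxy) and it lists the session cookies a PCI scan would flag.
"""

# Session identifiers worth checking: ColdFusion's own pair and the
# servlet-container token that JRun sets when J2EE sessions are enabled.
SESSION_COOKIE_NAMES = {"CFID", "CFTOKEN", "JSESSIONID"}

# Constructed sample: CFID/CFTOKEN set manually with secure="true" as Cameron
# suggests, while the container still emits JSESSIONID without Secure (the
# situation Robert describes). The values are made up.
SAMPLE_HEADERS = [
    "Set-Cookie: CFID=12345; Path=/; Secure; HttpOnly",
    "Set-Cookie: CFTOKEN=67890; Path=/; Secure; HttpOnly",
    "Set-Cookie: JSESSIONID=abc123def456; Path=/",
    "Set-Cookie: lang=en; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr_lower: attr_value}).

    Flag attributes such as Secure and HttpOnly have no value and map to "".
    The "Set-Cookie:" prefix is optional so raw header values work too.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookies(headers, require_httponly=True):
    """Return [(cookie_name, [missing attributes]), ...] for session cookies.

    Non-session cookies are ignored so the report shows only what matters for
    the session-token finding; set require_httponly=False to check Secure only.
    """
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name.upper() not in SESSION_COOKIE_NAMES:
            continue
        missing = []
        if "secure" not in attrs:
            missing.append("Secure")
        if require_httponly and "httponly" not in attrs:
            missing.append("HttpOnly")
        if missing:
            findings.append((name, missing))
    return findings


if __name__ == "__main__":
    for name, missing in audit_session_cookies(SAMPLE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
```

On the constructed sample the report names only JSESSIONID, which is the cookie the container sets on its own; CFID and CFTOKEN pass because the application set them itself with the Secure flag. Running the same audit after each code change, with the browser's old cookies cleared as Cameron notes, shows whether the fix actually reached the wire.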
RE: (ot) Maillist with API
Hi Dave,

I had a look at Google Groups hoping for an API. It seems they are revamping it and there is currently no API. There is an option to use the all new and sparkling Google Groups, but much of the interface is still in development.

Jenny

-----Original Message-----
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: 06 March 2012 19:14
To: cf-talk
Subject: Re: (ot) Maillist with API

> > sorry must have misread, if you're looking for discussion lists then there is always google apps which gives you google groups using your own domain.
>
> Yes, and Apps does have an API that lets you do quite a bit.
>
> Dave Watts, CTO, Fig Leaf Software

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350292
Re: (ot) Maillist with API
I used Topica for many clients... Pricing and whitelisting is about the same as mailchimp or api.jangomail.com

On Tue, Mar 6, 2012 at 7:35 PM, Jenny Gavin-Wear jenn...@fasttrackonline.co.uk wrote:
> Hi Dave,
>
> I had a look at Google Groups hoping for an API. [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350293
RE: (ot) Maillist with API
Hi Brian,

I looked at Topica, but it appears to be a marketing mail list service, not a discussion mail list, or am I wrong? Also, I couldn't see any evidence of an API?

Many thanks,
Jenny

-----Original Message-----
From: Brian Thornton [mailto:br...@cfdeveloper.com]
Sent: 07 March 2012 00:38
To: cf-talk
Subject: Re: (ot) Maillist with API

> I used Topica for many clients... Pricing and whitelisting is about the same as mailchimp or api.jangomail.com [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350294
RE: (ot) Places to post a CF opening
You can pay a small fee to post it on Ben Nadel's job board. I believe he donates the money to charity.

andy

-----Original Message-----
From: Gerald Guido [mailto:gerald.gu...@gmail.com]
Sent: Tuesday, March 06, 2012 9:12 AM
To: cf-talk
Subject: (ot) Places to post a CF opening

> We have an opening for someone with CF Experience. We advertised it as a DBA with CF Experience and posted on some free sites and Craig's list and have not had any bites locally. [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350295
Re: (ot) Maillist with API
this is probably the most widely used open source solution.

http://www.gnu.org/software/mailman/index.html

On Wed, Mar 7, 2012 at 1:03 AM, Jenny Gavin-Wear jenn...@fasttrackonline.co.uk wrote:
> Hi Brian,
>
> I looked at Topica, but it appears to be a marketing mail list service, not a discussion mail list, or am I wrong? [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350296
Hibernate with other frameworks
Can I ask what were the pros and cons of Hibernate with CF9 compared to other frameworks? I get that, for instance, ColdBox integrates with Hibernate, but I wanted to hear some feedback on how the framework architecture, deployment and development time were handled.

BT

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350297
Re: (ot) Places to post a CF opening
Thank you all for your responses. To answer some inquiries, we are located in Tallahassee, FL.

The skinny: It is a decent gig. Great bosses that look out for you. Good bennies. Very pleasant professional work environment. Good peeps all around. Mostly Intranet type development with enough new development to keep it interesting and challenging. Some maintenance programming but not all that much.

Thanx again
G!

On Tue, Mar 6, 2012 at 9:00 PM, andy matthews li...@commadelimited.com wrote:
> You can pay a small fee to post it on Ben Nadel's job board. I believe he donates the money to charity. [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350298
Re: (ot) Maillist with API
> I had a look at Google Groups hoping for an API. It seems they are revamping it and there is currently no API. There is an option to use the all new and sparkling Google Groups, but much of the interface is still in development.

https://code.google.com/googleapps/domain/group_settings/v1/getting_started.html

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350299
Re: Hibernate with other frameworks
I assume the other frameworks you're talking about are the MVC frameworks (ColdBox, Model-Glue, FW/1, Mach-II, etc.)? If so, they really have nothing to do with each other. Some of them (like ColdBox) have optional features that work with Hibernate, but any of the MVC frameworks will work fine with Hibernate since they deal with different application layers.

On Tue, Mar 6, 2012 at 9:32 PM, Brian Thornton br...@cfdeveloper.com wrote:
> Can I ask what were the pros and cons of hibernate with CF9 compared to other frameworks? [...]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350300