Re: how to diagnose a potential bottleneck
Russ Michaels wrote: doing debugging and load testing on a live production server is generally a bad idea. On general principles, sure... although I'd say that a diagnostic reporter like F-R belongs first and foremost on a production box. To the OP... it sounds like you are stuck, so how good is your error reporting? Assuming errors are being thrown at all (you said the server slowed which doesn't necessarily mean its erroring) are you capturing them for review? If not you should put something in to troll and see what comes up. Maybe something unexpected is hanging up threads? If error trapping is out, what about timing the execution of pages and seeing who the hogs are? variables.CFMstart=gettickcount(); ... stuff ... variables.CFMTook=int(gettickcount()-variables.CFMstart); Put start in Application, stop in OnRequestEnd and output to a very small db record that also includes, say, cgi.script_name and cgi.query_string. Leave it up for an hour or three and see what it finds. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359742 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: how to diagnose a potential bottleneck
If you want code samples on the error dumping stuff let me know. I worked something up for an article years ago but its grown up since. A breadcrumb array kept in the session scope has been key. Stores everything the user does and gets dumped to the error file. --m@-- ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359744 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: how to diagnose a potential bottleneck
Russ Michaels wrote: I think you are incorrectly assuming that FusionReactor is a debugging and load testing tool, No not at all. Thats why I called it a 'diagnostic reporter' earlier on. Something I don't need at all for the most part but need desperately when things aren't going right and I haven't figured out why yet. Thx by the way for the load testing tools link. Don (Dan?) wrote Am curious as to what you did there. Would you mind sharing how you did that? ( I dont need code ) just your idea(s) explained with some more detail. Sure, but dumping out the code is probably faster than explaining it :-) in Application.cfm I define a 2D session-scope array if not isdefined. Next I build a variables-scope struct that contains the following cgi scope info: cgi.https, cgi.http_referer, cgi.remote_addr, cgi.request_method, cgi.server_name. You can skip the last one if you are tracking only one domain. Next I define a variables-scope struct containing all form scope fieldnames and their contents, if any exist. After that I define a variables-scope 1D array that contains 5 items in this order: 1. date/time to the second 2. cfid+_+cftoken values 3. The complete url including query string (built for another purpose and re-used here). 4. the form variables struct created above 5. The cgi variables struct created above. Lastly I arrayAppend the 1D array created above to the 2d session-scoped array, which is the actual breadcrumb trail. What you get in the end is a visually compact, chronological display of what the user did, complete with how long they paused between moves, form inputs made etc. There is enough info in this to re-create a genuine user session manually yourself to watch what goes wrong, or just spot a bot up to no good. This is delivered to me in an error report that holds a dump of all desired scopes so this is part of a more comprehensive reference that I can look up as needed. Looking at this I can see a couple of things I could do better. No need to store the cfid/cftoken on every step. Should be at 1st item only and thats it. Also the cgi.server_name is redundant since I am outputting the entire url. Its created in pieces and assembled at the end to minimize need for cflocks, which are named and not session scoped. Execution time is only a few ms, using the timer I noted in the previous post. Forget what it comes out to exactly as its been some time since i put this into play. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359753 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: how to diagnose a potential bottleneck
No I don't. It all sits in memory unused. But if an error occurs this info gets dumped out via my error handler where it can be used post-mortem. Generally my error handler loops over a pre-defined list of scopes and dumps them all out. Depending on the setting I've made, the dump is either to a db record (Access memo fields aren't large enough for this) or to a disk file. I prefer a browser-readable disk file - a large query or similar sitting in the variables scope can make these files very large. 500k to 1mb files are common. Dumping out scopes like this has security implications so you need to address that when storing/viewing this info. --m@-- ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359755 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: how to diagnose a potential bottleneck
I run a financial service site that has very complex pathways running
through it. This has saved me an enormous amount of time trying to figure
out how a series of user actions could uncover some sort of hole in the
code.
This thread got me tinkering and I did some tweaking. For starters when I
wrote it I had not yet switched to jsessionIDs. I think this is all of it
here:
// initialize. reqUID is a UUID that lives as long as each page request.
lock name=#request.reqUID# type=exclusive timeout=10 {
if (not isDefined (session.crumbs)) {
session.crumbs=arrayNew(2);
variables.SessionIDs=arrayNew(1);
variables.SessionIDs[1]=client.cfid;
variables.SessionIDs[2]=client.cftoken;
variables.SessionIDs[3]=session.sessionID;
temp=arrayAppend(session.crumbs,variables.SessionIDs);
}
}
variables.cgiBits=structNew();
structInsert(variables.cgiBits,https,cgi.https);
structInsert(variables.cgiBits,http_referer,cgi.http_referer);
structInsert(variables.cgiBits,remote_addr,cgi.remote_addr);
structInsert(variables.cgiBits,request_method,cgi.request_method);
variables.formBits=;
if (isdefined (form.fieldnames)) {
variables.formBits=structNew();
for (i=1; i lte listlen(form.fieldnames); i=i+1) {
fieldName=listGetAt(form.fieldnames,i);
structInsert(variables.formBits,fieldName,form[fieldname]);
}
}
// zoneNow is now() where time value is corrected to the time zone the site
owner prefers.
// variables.currPage is full current url with query string, built
elsewhere.
variables.crumb=arrayNew(1);
variables.crumb[1]=DateFormat(CreateODBCDate(request.zoneNow),-mm-dd)
TimeFormat(CreateODBCTime(request.zoneNow),HH:mm:ss);
variables.crumb[2]=variables.currPage;
variables.crumb[3]=variables.formBits;
variables.crumb[4]=variables.cgiBits;
lock name=#request.reqUID# type=exclusive timeout=10 {
temp=arrayAppend(session.crumbs,variables.crumb);
}
~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359757
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Is time for a change?
Could not agree more with Russ' comments on CF hosting in his blog. I'll never go back to shared hosting. I've got a couple of Viviotech VPS' that I'm pretty happy with. One runs my personal stuff and old web site from when I was a developer. Another runs about 30 low-traffic sites that work with my business. A VPS is a great step up if you aren't ready to take the plunge and pay for a full-on server. Insofar as full-on servers are concerned, nothing can match the hardware that you get at Cybercon, but then again you are also expected to pretty much be self-sufficient, there. Think about doing a VPS instead of shared hosting. Just for starters you get to keep all the hosting fees. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359575 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF10 creating extra CFID/CFTOKEN cookies at the domain level
I went thru this special brand of misery back in March of this year. Here is the thread: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:64982 There's a lot more in that thread than here as to potential causes of this problem. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359511 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CFTRY / CFCATCH not working
Any particular reason you are not using cfscript versions of try/catch?
Old version of CF?
try {
code goes here
}
catch(Any excpt) {
code goes here
}
Given any thought to a different image processor to see if you get a
different result? I'm thinking cfimage, assuming you are using at least
CF8.
--
--m@Robertson--
Janitor, The Robertson Team
mysecretbase.com
~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359257
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CFTRY / CFCATCH not working
Looks like the code you are using is bhImgInfo() from cflib, with only very slight changes. There's more than one way to skin that cat: https://gist.github.com/vikaskanani/6256084 looks more robust in the catch department. Maybe a little too robust, but it also separates out the file read from the createObject statement. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359261 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: EMail Injection Attack
Do you have admin control of this server or is it a shared host? If its a server you control then its a simple matter to lock down the mail server, right? Require smtp auth for all senders and then use smtp auth in your cfmail statements in your code. That would be just step 1 of a hardening process that should have more than this layer to it. I realize this doesn't bear on your discovery question but if this is happening at all it points to a hole in security in at least one place. And if its a shared host then the situation may not be in your control in the first place. On Mon, Aug 18, 2014 at 1:12 PM, G T tran.ga...@gmail.com wrote: Hi Robert - Thanks for the reply, yes of course let me explain a bit more. While checking our sent mail logs, logged by coldfusion, we noticed emails were being sent out that was not directly sent through our own pages. Spam emails that were sent to different outside emails. So we can see that spam emails were sent outbound, but as of yet, we have no source of where they're coming from (ie. which pages are compromised). From what I've been researching, one way this is done by email inject - where they use form submissions to inject their own coldfusion code to form their own 'cfmail' sends. http://www.asadesigner.com/13-coldfusion/07d6a249de5791e6.htm Please let me know if you need additional info Can you explain a bit more what you mean by email injection attack? Do you mean someone is spamming forms that generate forms email, or is someone using some application you have to generate spam? Can you provide a slightly better explanation of what's happening? Robert Harrison Director of Interactive Services Austin Williams Advertising I Branding I Digital I Direct 125 Kennedy Drive, Suite 100 I Hauppauge, NY 11788 T 631.231.6600 X 119 F 631.434.7022 http://www.austin-williams.com Blog: http://www.austin-williams.com/blog Twitter: http://www.twitter. com/austin_ ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359133 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: EMail Injection Attack
To try and directly answer your question: I don't believe there are any logs that nail down what template a bit of mail is sent from. mailsent.log only says, for example: Information,scheduler-3,01/03/14,18:32:18,,Mail: 'Subject Goes Here' From:'whoe...@wherever.com' To:'vic...@spamworld.com' was successfully sent using mail.openrelay.com If you are a glutton for punishment you can still do it: Synch the mail sent time in mailsent.log with your web server log's template execution times and you should probably find a correlation that way. However, if it were me, I'd concentrate on solving the root problem and forget about where it might be happening. Do a global search for every instance of /cfmail will show you every template that sends mail. Start cleaning up your code from there. Although the mail server itself is probably the first place you should start. On Mon, Aug 18, 2014 at 1:16 PM, Byron Mann byronos...@gmail.com wrote: Make sure the cfmail option for logging sent mail is enabled via the CFAdmin. This will tell you if CF is actually sending the mail. The log file will be in your CF root under logs. I think it's mailsent.log. Most likely one of two things. You have a web form that sends through another template using the cfmail tag which does no human checking, like a Captcha or checking the delay between page load and send request. Or you have an open relay with the mail server that is being used by CF to send mail, and CF is not actually the issue. Your mail server logs can log this, log location will vary based on the server used. There are several online tools to check if your mail server has an open relay. http://mxtoolbox.com/diagnostic.aspx ~Byron On Mon, Aug 18, 2014 at 3:56 PM, Garry Tran tran.ga...@gmail.com wrote: Hi All - Recently we've been under a email injection attack where we have unauthorized emails being sent through our coldfusion application. At this point we are unsure if it is through an email injection attack or not but if anybody has any advice on how to figure out where the attack is coming from it would be very helpful. My first question is - is there a way to trace back to which page cfmail is being called from? Are there any logs that I can view that would allow us to track down what pages are being hijacked? Much appreciated, thanks! ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359136 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: EMail Injection Attack
Regarding the 'h.cfm' issue, go to the bathroom first (your upholstery will thank me) and THEN sit down and read this. http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat and the two follow-on blog entries linked at page bottom. This did quite a job of rocking many worlds and if you are just hearing about it, pray you aren't vulnerable or infected. As for email, here's one of mine: cfmail to=#variables.scrubbedEmail# from=#server.AdminEmail# BCC=#server.developerEmail# subject=#variables.scrubbedSubject# username=#server.adminUsername# password=#server.adminPassword# server=#server.emailServer# port=#server.emailServerPort# type=HTML If users are inputting data into your mail headers (i.e. a your Email field and you are taking their input) then you need to scrub that input before its put into a cfmail parameter. Something like an isEmail() function for the 'to' if it is an address that is user-submitted. If for example its the email subject then strip out things like linefeeds and breaks. I don't like putting in auth info into the CF administrator (I put dummy info there, in fact). I prefer to put it in via the CF template, but I keep the actual account info in a cf template that is actually not on the web root, and cfincluded into the application via a relative path in Application.cfm. The point of doing that is the file and its sensitive contents is a lot harder to find a way to read if its not web-accessible. I also send mail from CF via a nonstandard port. My mail server is config'd to listen for incoming mail on that additional port and only accept from the CF server's IP. IP-specific holes are poked in firewalls accordingly. This step may not be available with your MS 365 mail server. If MS 365 has frequency filters that spot mail in quantity being sent from User X and takes action if it exceeds a certain threshold, then you want to fire that layer of protection up. All of this is imperfect but as a package its pretty solid. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359142 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: EMail Injection Attack
if sending by CF but not using your code that could mean they are running cf code you didn't write. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359145 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Emails MIA
I think the failto address is not used by CF to bounce messages, only to provide a Return-Path: address in the message header, and the bounce is generated by the destinee server, not CF. Thats how I use it as well. Failto is used by the recipient to send back a failure. I add in plus addressing to include a variable CF can parse and use. To the OP: You say email arrives to the client OK and the BCC arrives to you OK... Is the sending mail server the same server that your respective mail clients pick up the mail from? i.e. is mail sent from cfsen...@domain.com and you are picking up mail via your account on that same server? develo...@domain.com? If thats the case nothing is actually leaving the building, so to speak. Without SMTP logs you are going to be chasing your tail forever. Figure out a way to get logs. You could set up a Viviotech virtual host for $35 and install Smartermail's free version for $0. An hour of your time to configure it and the client's domain records so the server is allowed to send mail for that domain will get you a sanitized mail server that you can use to debug your problem in detail. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359115 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Does Not Contain Number
Speaking of learning regexes, Ben Forta's book comes to mind. I used it myself to get started, and not so long ago bought one for an employee who needed a Square 1 intro to them. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358384 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Heap and RAM
Along the lines of Dave's original recommendation, here is a big leg up on using StAX (not a spelling error... StAX = same idea as SAX to make long story short) http://jochem.vandieten.net/tag/stax/ The thread Jochem is referring to in his post was mine, and I used his code and example to give me the ability to quickly and simply process a large daily xml file roughly 295 mb in size, among others. If you are accustomed to the processing times that go with large xml files, you can knock that down by perhaps an order of magnitude or more. This a vastly superior method on many fronts. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358331 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Moving part of my hosting business - thoughts about my plan please ...
Having been there/done that myself, I would follow Cameron's described route. You don't want to be debugging so many different issues at once on an OS you aren't intimately familiar with (and maybe not familiar at all). You mentioned you are on Win2003. Have you by chance missed out on running CF on a 64-bit Win OS? That was like manna from heaven when I first switched. Consider a Windows VPS from Viviotech. They can license you a copy of CF Enterprise *very* inexpensively. They are surprisingly robust for the prices charged, they are CF-literate and an excellent firm on general principles. From there consider leasing another Windows VPS and put Railo on it (Viviotech will do this for you for a small setup fee or for free IIRC). Then tinker away, migrate a low-profile site over when you're ready etc. This is what I did with my personal sites. You could take it a step further and after mastering Railo, retire the Windows/Railo VPS, fire up one with linux and start over again on the tinkering so you limit your issues to that part of the change. If you need more horsepower and have the budget for a CF license, look at the blade servers at Cybercon; check out their hardware configs. I don't see how you can beat those prices. My servers there have been absolutely reliable. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358179 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: The long tail of ColdFusion fail
If you let your nephew install a server and don't bother to double check his work, that is *your* fault, no one else. What does this matter when the bad juju blows back publicly on the product itself? Blaming the customer for problems in other channels typically doesn't tend to end well for the seller. Thats what I am seeing here. I know you're right... but is that relevant to long term sales growth? I'm no longer a full-time CF developer. I run a company whose focus has to be on customer service. I cannot imagine an approach like that surviving in my marketplace for long. So I'm not looking at this from a technical perspective. At its root this is not a tech problem at all. Its a problem with consumer perception of the product. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358178 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: The long tail of ColdFusion fail
Dave wrote But I think there's an important difference in expectations between providing services and selling tools. My customers expect me to know how to do things right - to understand how my tools work. When you buy a tool, you are expected to know how to use the tool, and there is only so much the tool vendor can do to prevent you from misusing the tool. Dave as usual you are right ;-). BUT my counterpoint is your rightness in this point doesn't matter to the overall outcome: CF is still getting sucker-punched. And you cannot stop it from happening by pointing out - to the media who is delivering the blows - that someone else deserves that fist to the face. You further cannot stop it by insisting that only grownups buy and use the product. I had a retail product that needed a default url and a default path hand-input into Application.cfm, along with a couple other settings that decided how the app behaved. How tough can it be to type in a path on your own server? That you know already? And I wrote tons of comments into the file's code so it had a complete instruction manual inside, with examples, options... the works. All the 'developer' had to do was spend two minutes in that file and poof they had a fully working app. 3 how that went... I have to type whut? Where? Why? A path you say? What line is that on? The fact is to BE a developer in the first place they needed the skill to edit a CF file. It didn't matter. I sucked it up, acknowledged reality, wrote the installer and ... problem solved.. CF is in that boat now. --m@-- ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358184 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF session management suddenly not sticking ...
I recently found the reason we were seeing two sets of cfid and cftoken cookies. We had code similar to this running: cfif myvars.KillSessionOnClose and IsDefined(cookie.CFID) cfset variables.LocalCFID=cookie.CFID cfset variables.LocalCFToken=cookie.CFToken cfcookie name=CFID value=#variables.LocalCFID# cfcookie name=CFToken value=#variables.LocalCFToken# /cfif Should be a familiar bit of code to everyone - it converts the browser cookies to session cookies so closing the browser kills the session. Once I flipped the setting to shut this off I stopped seeing the second set of cfid/cftokens (If I had named the domain in the cfcookie statement this may also have served the same purpose). However, overall the 'rotating' sessions no longer seem to be occurring based on user reports etc. so this was causing no problems currently, and it certainly never caused problems for many years before the rollover described earlier in this thread. On Wed, Mar 19, 2014 at 1:58 PM, Nick Gleason n.glea...@citysoft.comwrote: We finally resolved this issue. First, a big thanks as always to everyone who commented and helped us along on this thread. Second, here is the resolution. In our case, the problem was some enhanced security filters that we put place recently. One of the scopes being scanned was the cookie scope. This was working for the most part but would result in these sporadic failures which were hard to pinpoint. The key clue was that we realized that the cookie.jsessionid was remaining persistent but the session.sessionid variable was not sticking - those two should be the same. Once we started focusing more on the cookies, we eventually realized what the problem was. This issue may not be applicable to others, but if your sessions are resetting with every request, you may want to take a closer look at your cookies and how they are tied to your sessionid. I still don't truly understand how a sessionid could change without a change to the underlying cookie, but that appears to be what happened. Nick ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358136 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: The long tail of ColdFusion fail
I won't try to re-hash the entirely valid points Dave, Ben and others make regarding the needed skill set that a server admin should have, nor where the blame lies if a server is left unprotected/unpatched etc. Consider this counterpoint: When a situation like the current one arises... what do the headlines read? is it along the lines of Idiots Get What They Deserve or is it Big Company Screws Up Like it or not, ColdFusion's reputation and marketability suffers when such easy targets of opportunity exist. The media will never pin the blame where it belongs, and that oh-so-public blame will hound CF and Adobe for a long time to come. Wil's post above looks like a good start with respect to a feature set. And I would further add that a good feature that may help sales would be an upgrade installer that tries to harden an existing site along the lines of the lockdown guide. Imagine all of the server admins out there that would buy a CF upgrade they otherwise wouldn't if it let them click 'Continue' to secure their servers. --m@Robertson-- Janitor, The Robertson Team ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358137 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: The long tail of ColdFusion fail
Someone has to say it: I came across my first ColdFusion is dying thread when I was considering upgrading my server to ... CF 3.1. That was here I think. Maybe it was the Allaire forum. Too many dead brain cells between then and now to be sure. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358051 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF session management suddenly not sticking ...
On Tue, Mar 11, 2014 at 11:52 AM, Dave Watts wrote: No, I think you should only have the one cookie for jsessionid. I'm not sure why you have the other two. As you can imagine I did some reading on jsession vars after I opened up this thread. Look at the comparison table here: http://goo.gl/Hsxvaa also referenced in the table here http://goo.gl/GFJfx3 If you use one of the urltokens you are going to still see CFID and CFToken. Sounds like Nick is describing my exact problem, inconsistencies and all. I frankly wound up throwing everything against the wall I could think of. Rolling the site back was not an option given SEO issues that had already gone into motion. I'm about to call the site functional based on a few days of solidity, at which point I'll begin removing a piece at a time to try and see when the behavior reverts again (which is maddeningly difficult given the inconsistent client behavior). Steps taken: - Adjusted the JVM to remove session fixation protection - Switched on J2EE sessions - For the area where session must be maintained, client.urltoken passed via the url (!) - setdomaincookies=yes in cfapplication statement - cookies wiped per code similar to the 3rd post in this thread, in OnRequestEnd.cfm. I'm going after (expires=now) domain cookies expressly in that code. I am naturally not happy with the use of client.urltoken in the url but those pages are behind a form post. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357971 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF session management suddenly not sticking ...
I think it was pretty clear that code he listed was being used solely to diagnose a problem Precisely. Its the production environment but not the production site. I'm testing with some old in-office desktops that mimic the problem reported to us by users when this site was live for roughly 24 hrs before I pulled it. The best solution, in my opinion, is to switch to J2EE sessions, assuming you can invest the time and effort to do that. Seeing as my efforts on this seem to be going nowhere (old browsers will occasionally start working but always revert after a TBD period of inactivity) that sounds like good advice. Working on that now. And its all happening on a CF-based site that has been humming along in its present form since 2006... all we did was make it prettier... re-skinned it with a different front end. And it still works fine for the majority of visitors. Any chance you are using Chrome in Incognito mode? Nope. The only place I can replicate the issue is on IE8 running on XP. Or maybe you have an add on that is killing cookies. That was my very first thought and I went straight to the design team who swore that we weren't doing anything genuinely different. Nonetheless we pulled a bunch of stuff out with no success. To finally clear that I wrote up the bare bones page (previous post) and it too is evidencing the problem. I'm in full control of the server and there's nothing server-side changed at the server level. BTW it is CF9 with all patches. On Fri, Mar 7, 2014 at 11:44 AM, Carl Von Stetten vonner.li...@vonner.netwrote: I forgot about the persistence issue. Personally, I consider the lack of session persistence to be a security benefit. But not everyone will agree. -Carl V. On 3/7/2014 11:17 AM, Dave Watts wrote: If you're not directly referencing CFID and CFTOKEN in your code, and you're not relying on the default persistence of CF session cookies, you should be able to just enable that option. By the default persistence of CF session cookies, I mean that CF's session cookies by default don't get deleted when the browser is closed. J2EE session cookies do. So, if a user logs into your app, closes the browser, then opens it back up, the user will have to log in again if you're using J2EE sessions even if the session would not have expired otherwise. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357887 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF session management suddenly not sticking ...
I was thinking html code but yes thats a possibility as well. However a) my test units are plain vanilla XP/IE8 wkstns and b) the CF code in question has been running fine for years on these same desktops. We use the web site in-house on a daily basis. Worth noting: The demo code you were seeing was on a 'new.' subdomain. But the problem evidenced itself on the 'www.'... We just moved it offline to the 'new.' subdomain when the problem and its severity was identified. On Fri, Mar 7, 2014 at 12:43 PM, Carl Von Stetten vonner.li...@vonner.netwrote: I think by add on he might have been referring to a browser add-on or plugin that the users have installed into Internet Explorer. -Carl V. Or maybe you have an add on that is killing cookies. That was my very first thought and I went straight to the design team who swore that we weren't doing anything genuinely different. Nonetheless we pulled a bunch of stuff out with no success. To finally clear that I wrote up the bare bones page (previous post) and it too is evidencing the problem. I'm in full control of the server and there's nothing server-side changed at the server level. BTW it is CF9 with all patches. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357890 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF session management suddenly not sticking ...
Are you sure no cfpatches have been installed, specifically the one in the link I sent earlier. Well earlier I said ...it is CF9 with all patches. But I should have said it is *9.01* with all patches. So yes APSB11-04 was definitely one of them. I subscribe to Foundeo's monthly (?) security probe and double checked. --M@-- ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357892 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF session management suddenly not sticking ...
Speaking of that linked article, I disabled the session fixation patch via Pete's instructions (-Dcoldfusion.session.protectfixation=false in the JVM) and so far I've got proper functionality. I've had inconsistent results before this so I'm not declaring temporary victory just yet but this is promising. Even if this is the solution I need to move to J2EE sessions methinks. --M@-- ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357893 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
CF session management suddenly not sticking ...
New site version running at http://new.lelandwest.com On some older browsers (XP wkstns w/IE8 are definitely vulnerable) the site will not maintain state - i.e. cfid and cftoken get new values on every page visit (they're displayed on screen right now). It doesn't always happen, even on the same workstation... if I get a value to stick it will stay for the session, but I came back to one workstation this afternoon it was back to cycling cfid's again. Opening a private browser window will always solve the problem. With that in mind, whats the best way to reset cookies on session start? I am using application.cfm. What could cause this? Underlying CF code from the current site has barely changed. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357868 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF session management suddenly not sticking ...
Well you were right I had multiple values, but problem persists. Ran code below in OnRequestEnd.cfm and verified it was doing its job as expected (deleting existing cookies, page reloads with new cfid and cftoken, and the cReset cookie keeps it from happening all over again). The code didn't hurt desktops that didn't have a problem, but it didn't help the ones that did, unfortunately. never seen anything like this... I usually don't mess with cookies. cfif not isdefined(cookie.cReset) cfloop item=name collection=#cookie# cfcookie name=#name# value= expires=now /cfloop cfcookie name=cReset value=1 cflocation url=#variables.CleanURL# addtoken=No On Thu, Mar 6, 2014 at 2:22 PM, Russ Michaels r...@michaels.me.uk wrote: check the cookies that have been set in the browser, there are addons that will show you this. see if there are multiple cfid/cftoken cookies set. if so, that is likely the issues, and deleting all cookies should solve it. On Thu, Mar 6, 2014 at 10:09 PM, Money Pit websitema...@gmail.com wrote: New site version running at http://new.lelandwest.com On some older browsers (XP wkstns w/IE8 are definitely vulnerable) the site will not maintain state - i.e. cfid and cftoken get new values on every page visit (they're displayed on screen right now). It doesn't always happen, even on the same workstation... if I get a value to stick it will stay for the session, but I came back to one workstation this afternoon it was back to cycling cfid's again. Opening a private browser window will always solve the problem. With that in mind, whats the best way to reset cookies on session start? I am using application.cfm. What could cause this? Underlying CF code from the current site has barely changed. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357870 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF session management suddenly not sticking ...
Nope I was down to one pair, and it was the pair just generated via the cflocation. The code was doing its job. Another repeatable mystery: If I turn down IE8's security from the default of Medium-High to Medium it will always fix the problem. Same as with Private Browsing. On Thu, Mar 6, 2014 at 4:19 PM, Russ Michaels r...@michaels.me.uk wrote: so if you check the cookies after running your code, is there only one cfid and cftoken, or is there still 2 On Fri, Mar 7, 2014 at 12:17 AM, Money Pit websitema...@gmail.com wrote: Well you were right I had multiple values, but problem persists. Ran code below in OnRequestEnd.cfm and verified it was doing its job as expected (deleting existing cookies, page reloads with new cfid and cftoken, and the cReset cookie keeps it from happening all over again). The code didn't hurt desktops that didn't have a problem, but it didn't help the ones that did, unfortunately. never seen anything like this... I usually don't mess with cookies. cfif not isdefined(cookie.cReset) cfloop item=name collection=#cookie# cfcookie name=#name# value= expires=now /cfloop cfcookie name=cReset value=1 cflocation url=#variables.CleanURL# addtoken=No On Thu, Mar 6, 2014 at 2:22 PM, Russ Michaels r...@michaels.me.uk wrote: check the cookies that have been set in the browser, there are addons that will show you this. see if there are multiple cfid/cftoken cookies set. if so, that is likely the issues, and deleting all cookies should solve it. On Thu, Mar 6, 2014 at 10:09 PM, Money Pit websitema...@gmail.com wrote: New site version running at http://new.lelandwest.com On some older browsers (XP wkstns w/IE8 are definitely vulnerable) the site will not maintain state - i.e. cfid and cftoken get new values on every page visit (they're displayed on screen right now). It doesn't always happen, even on the same workstation... if I get a value to stick it will stay for the session, but I came back to one workstation this afternoon it was back to cycling cfid's again. Opening a private browser window will always solve the problem. With that in mind, whats the best way to reset cookies on session start? I am using application.cfm. What could cause this? Underlying CF code from the current site has barely changed. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357872 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF session management suddenly not sticking ...
Yup I'm doing that. Put together a test page so as to take all of my code out of the picture... although that back end has been fine for years... The redesign was just a re-skin. But to be thorough I made this: cfapplication name=test_0915 sessionmanagement=Yes clientmanagement=Yes sessiontimeout=#CreateTimeSpan(0,0,5,0)# applicationtimeout=#CreateTimeSpan(0,2,0,0)# setclientcookies=Yes setdomaincookies=No cfif isdefined(url.cReset) cfloop item=name collection=#cookie# cfcookie name=#name# value= expires=now /cfloop /cfif htmlheadtitlenew.lelandwest.com/test/hello.cfm /title/headbody cfoutput p#now()#/p a href=#cgi.script_name#?creset=1Clear cookie scope reload page/a p client:br#client.CFID# #client.cftoken#br cflock scope=SESSION type=readonly timeout=10 session:br#session.CFID# #session.cftoken#br /cflock cookie:br#cookie.CFID# #cookie.cftoken# /cfoutput /p cfdump var=#cookie# /body/html From the above I have learned that no matter what cfdump gives me two cfid's and two cftokens. but only for the old workstations running XP/IE8. Don't have good diagnostics installed yet to see complete cookie data. After some tinkering (i.e. getting desperate) I put in the setclientcookies and setdomaincookies entries and things now seem to be working across all test machines (4 of them). But I have had this turn around on me before so I'll revisit tomorrow when I get back in. :-| Thanks for your help! ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357874 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Best practices for xss security in CMS? - Related Question
Nick you are correct, strictly speaking. That simple example is harmless, it runs only one time and is 'visible' only to the single client. Consider what happens if the payload that is executed is nowhere nearly as benign. At that point, code of some kind is being executed on your server that does something you don't intend, and regardless of the fact it only executes once, it could make all sorts of mischief depending on its level of sophistication. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357816 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Best practices for xss security in CMS? - Related Question
To clarify, I was oversimplifying above when I said 'code is being executed on your server'. Pete's script example would of course need to link up with some other vulnerability for that to happen (i.e. an unpatched exploit of some kind). Since you can't predict such things, you minimize the number of liberties someone can take with your server's tender innocence. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357817 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Viviotech?
Jordan, Thanks for chiming in. I'll pass along the above to my colleague. If either of us Twitter'd (or chirped or whatever the term is) we'd have known the score :-). Do want to mention for your own info that I was logged into my VPS and saw it go down within a couple of minutes of the shutdown. Called and got the busy signal. No surprise that people would be flooding in with questions. But tried some time later and it was a *fast* busy. Implying a service interruption. Thats when I posted here. Cheers, --Matt-- -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357520 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Viviotech?
Anyone hear anything from them? They've been completely off the air for about an hour. Fast busy signal on the phone. Was originally just 'busy' so I'm wondering if someone got thru to them before the phone went down. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357506 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Viviotech?
Yup sure enough mine just came back up too. I've noticed the same thing over the years, re: the phones go down when they do as they're all on some sort of shared platform. I have two VPN's with them and talked to a colleague; we were all down so whatever it was it was widespread. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357508 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Hosting... Again
I've got both Viviotech VPS' and another alternative you should consider - Cybercon.com - for dedicated hosting. Cybercon was actually my first dedicated host years ago but - while their uptime and hardware specs were absolutely top-drawer... so was their pricing. They were very expensive. Several months ago checked their pricing on a whim and was shocked to see they now have blade servers - with really really beefy specs - at prices that worked out to be less than my Viviotech VPS accounts (which I had beefed up to hold quite a few sites, which in turn raised my costs). I still recommend Viviotech as a great company with great people working there. Their VPS' with CF Enterprise are an excellent deal. But if you are comfortable managing a dedicated server yourself I'd consider Cybercon. Prices are amazing now. On Mon, Jan 13, 2014 at 9:47 AM, Bryan Stevenson br...@electricedgesystems.com wrote: +1 for Viviotech as well for the same reasons - and they have a good sense of humor too! ;-) *Bryan Stevenson*B.Comm. President CEO Electric Edge Systems Group Inc. - makers of FACTS^(TM) phone: 250.480.0642 cell: 250.920.8830 e-mail: br...@electricedgesystems.com mailto: br...@electricedgesystems.com web: www.electricedgesystems.com http://www.electricedgesystems.com and www.fisheryfacts.com http://www.fisheryfacts.com Please consider the environment before printing this e-mail -CONFIDENTIALITY-- This message, including any attachments, is confidential and may contain information that is privileged or exempt from disclosure. It is intended only for the person to whom it is addressed unless expressly authorized otherwise by the sender. If you are not an authorized recipient, please notify the sender immediately and permanently destroy all copies of this message and attachments. On 14-01-13 07:02 AM, Jon Clausen wrote: +1 for Viviotech. I've never had anything but excellent support and turnaround times from them. I've heard some great things about Edge Web Hosting, too, but never had a reason to switch from Viviotech. On Jan 10, 2014, at 8:22 AM, Robert Harrison rob...@austin-williams.com wrote: Hi All, I've got a lot of large CF sites I have to move because my host is not up to what we've grown to be. Love the guy and been with him for years, but now I have to go. I've asked this before (in October), but now that I'm no longer in denial I'm looking for CF hosting recommendations again. I have the previous recommendations which I'm listing below. If anyone has comments about any of the hosts below, or better recommendations, please provide your feedback. I'm about to move a boatload of serous sites. So far, I've gotten recommendations for: Hostek Viviotech CrystalTech http://www.kickassvps.com/ Please let me know if you have additional recommendations or feedback on these hosts. Thanks, Robert ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357418 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Problem with data formatting in CFINSERT
IMO the worst problem with CFINSERT or CFUPDATE is that you have to supply the list of all form fields I'm afraid you can add to that chasing your tail for no reason thanks to creating a semi-opaque layer between yourself and JDBC/SQL If you use CFINSERT/CFUPDATE the above seems, sooner or later, to put you over the edge so you swear the tool off and write SQL by hand. I have robot updaters and inserters too (made all the more robotic with the help of cfdbinfo figuring out the field types), but I keep them on a short leash for the identical reason. Debugging is miserable with a layer of code in the middle and straightforward without. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357028 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Problem with data formatting in CFINSERT
Perhaps. Every time I flirt with cfinsert/cfupdate I learn to love them all over again and then some stupid thing like what the OP is experiencing ruins my afternoon and I remember why I swore them off in the first place. When I write straight SQL I experience extra wear on my fingertips but my blood pressure stays lower. So I take the lesser of two evils. I'll try and actually make a useful suggestion insofar as debugging the OP's actual problem is concerned: When faced with these types of errors I have found that by writing SQL I can oftentimes find what I typed wrong in the cfinsert statement, assuming the error was my own (for gigantic inserts I may write code a field at a time and test at each field addition until the code either breaks in the middle or is completed). If not, by the time I am done I have a replacement for the code thats throwing me off and I can move on. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357030 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Hosting
Years ago I used Cybercon for full on dedicated servers. Then I moved to CrystalTech for lower cost. THEN I moved to Viviotech and took advantage of their killer-deal CF Enterprise VPS' (or they'll install Railo if you ask for $0 monthly). Recently I went back to Cybercon for some of my big stuff as they now have blade servers at amazing prices. 16gb RAM, RAID1 SAS drives, 30mbps pipe, 8 IPs for about $200/month. A version with 4GB and a single SAS drive is half that. On Mon, Oct 21, 2013 at 11:13 AM, Rick Faircloth r...@whitestonemedia.comwrote: Ditto... I had a VPS with them for a few years, then moved to a VDS (Virtual Dedicated Server) about a year ago. Support couldn't be better and they're a great group. I've had almost no problems with the service for the entire time I've been with them. And any issues were promptly addressed. And, no, I make no money for my promotion. Rick -Original Message- From: Rob Voyle [mailto:robvo...@voyle.com] Sent: Monday, October 21, 2013 1:42 PM To: cf-talk Subject: Re: Hosting Ive been truly blessed by Kickassvps http://www.kickassvps.com/ Rob Robert J. Voyle, Psy.D. Director, Clergy Leadership Institute For Coaching and Training in Appreciative Inquiry Author: Restoring Hope: Appreciative Strategies to Resolve Grief and Resentment http://www.appreciativeway.com/ 503-647-2378 or 503-647-2382 On 21 Oct 2013 at 9:04, Robert Harrison wrote: I know this has been asked 100 times before, but it looks like I need a new cf hosts that can host enterprise level sites. Any recommendations? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356958 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: best portable db for ColdFusion
If you are OK with not building it yourself, I'll put in another vote for Evernote. I put it on every device I have (home desktop, office desktop, laptop, phone and tablet). I can update my grocery list on my tablet while sitting on the couch and when I get to the store, my shopping list is right there on my phone as I walk the aisles. One nice feature is marking items as 'offline' so they are stored locally on each device. Handy if I have no connectivity; I don't lose my ability to view or edit my notes. HtH, -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356830 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF10 404 issues - a new kind of problem?
Solved. http://stackoverflow.com/a/18927484/2788098 Once a custom template is specified in IIS, it uses that template exclusively and the CFAdmin-set global template is completely ignored by IIS. However the local template is fullyi functional so, while its a royal pain to have to do a template per site, at least the functionality remains. On Thu, Sep 19, 2013 at 1:55 PM, Money Pit websitema...@gmail.com wrote: installed to another server (VPS) with identical OS - fresh install of CF but same win2k8R2/64 and config and identical problem. At this point I'm at a loss to do anything but downgrade to CF9 and wait for CF11. I hate to throw away all that work but at some point you just have to cut your losses. I've found one developer online with the same issue but so far its as if nobody else has the problem. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356815 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF10 404 issues - a new kind of problem?
installed to another server (VPS) with identical OS - fresh install of CF but same win2k8R2/64 and config and identical problem. At this point I'm at a loss to do anything but downgrade to CF9 and wait for CF11. I hate to throw away all that work but at some point you just have to cut your losses. I've found one developer online with the same issue but so far its as if nobody else has the problem. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356814 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF10 404 issues - a new kind of problem?
Steve 'Cutter' Blades said And, as a side, you can use an application level CF request 404 handler by using the onMissingTemplate() method in Application.cfc. Unfortunately this is a legacy site with an Application.cfm. I've looked at converting it to a .cfc specifically to take advantage of that handler but its a bit of a monster. I'd probably spend more time doing that than I would removing CF10 and going back to CF9 (I have a license I can use if I must). All of this has been working fine in CF9. Same OS and version. Only change is CF version and cf9 lockdown vs. cf10 lockdown. Russ Michaels said In the cfadmin youbyou set the missing and error templates as /filename.cfm and put it in the root of the site. The root of the SITE? Interesting as I have always kept the sitewide error handler and the missing template handler in the coldfusion root: c:\coldfusion9\wwwroot. I would then specify /missingtemplate.cfm and /sitewideError.cfm in the cf admin. My IIS site roots are in c:\other\place\siteroot. But you reminded me I did it differently on another server with one site on it: In cfadmin I mapped 'c:\other\place\siteroot' to '/siteroot'. Then in the spots for missing template/error handlers, I specified '/siteroot/missingtemplate.cfm' and /siteroot/sitewideError.cfm ... worked great. Tried that here and ... does not work. I also set IIS back to default 404 handling to take that variable out of the picture. The IIS request trace says that the failed 'foo.cfm' url is http://[domain]:80/jakarta/isapi_redirect.dll. If I have a CF missing template handler in place, I would think the IIS failed request trace wouldn't fire at all, since CF handles the 404. I am surmising that since IIS sees a 404 even with default error handling, CF's missing template handler isn't being recognized. Oh also in IIS I have tried setting the cfmhandler to File (as recommended in the Lockdown guide) or 'unspecified', which is supposed to be the analog of unchecking the old IIS6 'check to see that file exists' setting. Same failure in both instances. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356812 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF10 404 issues - a new kind of problem?
debugging marches on... I took IIS 404 behavior back to default to simplify debugging. So ignoring the weirdness I described earlier re: the IIS 404 handler, if I just concentrate on the CF handler, I am saddled with a template that is not firing. I put up a thread on Stack Overflow. One suggestion was to set error page properties to 'detailed error pages' and this did in fact let the CF template run... but it also displays detailed error pages onscreen on all other types of errors. CF9 works fine with IIS set to 'Detailed errors for local requests and custom error pages for remote requests' Another solution offered in the same thread suggested I turn off HTTP status codes in CF Admin. This too solved the problem and the template fired... but when you do that the only code returned by CF is a 200 that you can't redress with a cfheader. Very bad for SEO. A third suggestion was to stick a cfmail statement into the error template to demonstrate the template was in fact firing, but IIS is keeping it from being displayed. Working cfmail code was inserted and ... no mail was sent, which seems to reinforce the impression that the template is not firing at all. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356813 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
CF10 404 issues - a new kind of problem?
I've seen and dealt with plenty of CF10 404 issues since my install yesterday, but this appears to be a new one: This is my first CF10 installation. I am running with Update 11 in place. Win2k8 R2/64bit. 1. CF Admin's missing template handler residing in the cfusion wwwroot is nonfunctional. The site wide template handler in the same location works fine. 2. The err404.cfm 404 handler I have executing via IIS works, but get this... the url is supposed to be relative to *site* root, right? In IIS, on a site that is not the default web site, where CF is using its default web root location and IIS is using an entirely different one (nonstandard on a different folder tree) *the IIS 404 page is executing from the CF web root*. That shouldn't be possible. Took me hours to realize it was happening. I have ensured that I have unique filenames in place and can't see any reason why IIS - in this one case - treats the 'site root' as the default cf webroot location. Here is my missing template handler, kept simple: cfheader statuscode=404 statustext=Not Found h1404/h1pPage not found/p cfoutput#now()#/cfoutput There's more. The IIS missing template handler works fine for non-CF pages. For foo.htm I get display and 404 header as expected. For foo.CFM I get... nothing (with a 200 status code). I have IIS doing failed request traces and for foo.htm I get a failed url of http://[domain]:80/foo.htm but foo.cfm's request trace gives the failed url of http://[domain]:80/jakarta/isapi_redirect.dll Anyone? I have been all over stack overflow and it has helped me through other issues (adding /jakarta virtual directory etc.) but this has me stumped. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356807 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: database driven mail server
I rolled my own solution with CF coupled to Smartermail's support of Plus-addressing. If you aren't familar with it, its pretty powerful. Lets say my email is u...@domain.com. I send mail with CF as usual and set CFMAIL's FailTo parameter to 'failedmail+1...@domain.com', where 1234 is the primary key ID number for the user record. So bounces come back and plus addressing puts every failure into failedm...@domain.com. I use CFPOP with GETHEADERSONLY (!) to read that mailbox periodically and parse thru returned emails, figuring out what happened from the headers and doing stuff accordingly. Sound like what you're after? A quick snippet to illustrate the maintenance process (which I cfschedule): cfpop server=#servername# username=#failUser# password=#failPwd# action=GETHEADERONLY name=GetHeaders cfloop query=getHeaders !--- this header identifies the email --- cfset variables.emailID=getHeaders.UID !--- this pulls out the user ID from the return address. Note if the email itself is stored in a db then this next step is unnecessary and so is plus addressing as you could just log the user id with the email record --- cfset variables.usrID=listLast(listFirst(getHeaders.to,@),+) !--- run tests here, as detailed as you like. For example I keep track of failure counts and scrub emails from my list if they reach three strikes. --- cfif findNoCase(fail,getHeaders.subject,1) blah /cfif cfif findNoCase(error,getHeaders.subject,1) woof /cfif !--- do more clever stuff here as needed. Then delete the failed email from the inbox and continue. --- cfpop server=#servername# username=#failUser# password=#failPwd# action=DELETE uid=#variables.emailID# /cfloop -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356692 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: cfthread execution slowdown
Dave Phelan wrote: What I see is that the server load remains pretty consistent, it's the number of requests completed that is dropping. Precisely, but in marked stages Dave Phelan wrote: This could be an indication that the pages become more complex as the process continues, or it may indicate that the faster running threads are all completed leaving the longer running threads at the end. Its neither I'm afraid. I have two jobs I am doing this in. One builds image pages for for-sale vehicles in a multiple listing service. Each listing can, at random, have one, two or dozens of images and thus dozens of pages needing to be built in its thread. Lots of variability there but I am not measuring thread completion rates. I'm watching the speed of the page requests, which should remain roughly constant over time. Each page is pretty much identical to the next in terms of CF load. All single-record key lookups. More telling: I have a separate job that creates the vehicle listing pages - the parent of the aforementioned image pages. This is always a 1-page thread/request, is always roughly the same job/load, and only 14,000-20,000 pages are made vs. 350,000-400,000. This smaller routine evidences the same staged decline in performance. The completion rates are different as the nature of the pages are different, but FusionReactor shows the same staged decline in output. Dave Phelan wrote: My suggestion would be to do some time monitoring on the loops. I think you'll find that the average completion time for each thread increases as the number of completed requests decreases. I did that, and more on that in a bit, but I must be missing your point on rates. Thread completion time is going to be widely variable as one thread is spawned per vehicle listing, and each can have any number of images (from one to a couple hundred, averaging I believe around 40). What I am measuring however is the rate of page completion and that should - I would think - remain constant across the job unless some resource somewhere is hitting a limit. Loop monitoring: The original test code stored a db record at the start and stop of each loop completed. The 'stop' record gave me a count of how many pages were made and let me calc duration. That much db activity slowed things down so the job was slower than its single-threaded predecessor. In the end all it showed me was that things were slowing down proportionately, in stages, just like FusionReactor pointed out in its request list. Is this apache or IIS? IIS 7.5 On Fri, Jul 26, 2013 at 12:05 PM, Mark A Kruger mkru...@cfwebtools.comwrote: Is this apache or IIS? -Original Message- From: Money Pit [mailto:websitema...@gmail.com] Sent: Friday, July 26, 2013 11:41 AM To: cf-talk Subject: cfthread execution slowdown I need another set of eyeballs on this. I can't see what I'm doing wrong. I'm building many thousands of static pages. I turned to cfthread to speed things up. Each thread can output one page or more than one depending on info retrieved. I use an array to manage the number of threads in use at any one time. It works great, but I am seeing CF slow down - in fixed stages - throughout the life of the process. Take a look at this image taken from FusionReactor to see what I mean: http://205.210.189.205/images/screenshot081.jpg Its not a curve but rather three distinct stages of output. Stage 1 is about 2900 pages per minute, Stage 2 is around 2400 and Stage 3 - where the routine stabilizes - is about 1200. On a second server building differently-composed pages, I see exactly the same thing. CF isn't bogging down from load... its flat out not working as hard. Its as if it decided it didn't want to work as hard, so it eases off. Never seen anything like it. Here's the code in a nutshell. Can anyone see something I am doing that is causing this work slowdown? cfset variables.threadArray=arrayNew(1) cfset variables.threadCount=4 cfquery name=getData datasource=#variables.dsn# [sql goes here] /cfquery cfset variables.loopCounter=0 cfloop condition=variables.loopCounter LT getData.recordCount cfset variables.threadsLive=arrayLen(variables.threadArray) cfif variables.threadsLive lt variables.threadCount cfset variables.loopCounter=variables.loopCounter+1 cfset variables.thisThreadID=createUUID() cfset temp=arrayAppend(variables.threadArray,variables.thisThreadID) cfthread name=#variables.thisThreadID# action=run !--- cfhttp pulls local CF pages and stores as html, queries determine if child pages need building etc. --- cfset temp=arrayDeleteAt(variables.threadArray,arrayFindNoCase(variables.threadArr ay,variables.thisThreadID)) /cfthread !--- may or may not do a cfthread join if I want to retrieve
cfthread execution slowdown
I need another set of eyeballs on this. I can't see what I'm doing wrong. I'm building many thousands of static pages. I turned to cfthread to speed things up. Each thread can output one page or more than one depending on info retrieved. I use an array to manage the number of threads in use at any one time. It works great, but I am seeing CF slow down - in fixed stages - throughout the life of the process. Take a look at this image taken from FusionReactor to see what I mean: http://205.210.189.205/images/screenshot081.jpg Its not a curve but rather three distinct stages of output. Stage 1 is about 2900 pages per minute, Stage 2 is around 2400 and Stage 3 - where the routine stabilizes - is about 1200. On a second server building differently-composed pages, I see exactly the same thing. CF isn't bogging down from load... its flat out not working as hard. Its as if it decided it didn't want to work as hard, so it eases off. Never seen anything like it. Here's the code in a nutshell. Can anyone see something I am doing that is causing this work slowdown? cfset variables.threadArray=arrayNew(1) cfset variables.threadCount=4 cfquery name=getData datasource=#variables.dsn# [sql goes here] /cfquery cfset variables.loopCounter=0 cfloop condition=variables.loopCounter LT getData.recordCount cfset variables.threadsLive=arrayLen(variables.threadArray) cfif variables.threadsLive lt variables.threadCount cfset variables.loopCounter=variables.loopCounter+1 cfset variables.thisThreadID=createUUID() cfset temp=arrayAppend(variables.threadArray,variables.thisThreadID) cfthread name=#variables.thisThreadID# action=run !--- cfhttp pulls local CF pages and stores as html, queries determine if child pages need building etc. --- cfset temp=arrayDeleteAt(variables.threadArray,arrayFindNoCase(variables.threadArray,variables.thisThreadID)) /cfthread !--- may or may not do a cfthread join if I want to retrieve variables from inside of the thread --- /cfif /cfloop -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356329 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Safety for image uploads
I would rather keep files out of the web root entirely than risk having an executable make it 'under the wire' so to speak. If I allow that, then some other non-CF hack I haven't been savvy or prompt enough to patch - or which is still unpatched - could let an attacker rename that file and poof... An accessible executable exists whose arrival I helped facilitate. Just last week I found some smartypants trolling my sites looking for fckeditor's upload test page; assumedly to see if I left one of its protocols enabled. On Mon, Jun 17, 2013 at 12:29 AM, Russ Michaels r...@michaels.me.uk wrote: You simply check the extension on the filename, you can do this prior to upload, it doesn't require any special cf specific functionality, its just validating a filename. If you are allowing people to upload files and them change the extension then you would have a security problem. Russ Michaels www.michaels.me.uk On 17 Jun 2013 03:03, Dave Watts dwa...@figleaf.com wrote: if your only dealing with images and are stopping all other file types being uploaded then what is the issue with allowing them to be uploaded to the website ? I'm not sure what you mean by stopping all other file types being uploaded, but CF doesn't include functionality to validate that a file is what its extension says it is. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355957 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF running out of steam
On Wed, Mar 13, 2013 at 9:24 PM, Maureen wrote: I moved 77 sites from Abode CF If CF is dying, I wouldn't think that an engine using CFML is going to be flourishing in its stead. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355014 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Adding Salt and Password Hash to existing acocunts
Torrent Girl wrote: Did you have a problem with timeouts or out of memory errors? I have quite a bit of records A loop like that shouldn't have any issues. Now, with that said I haven't used generateSecretKey() for generating salt. Wouldn't surprise me a bit if it was resource-intensive. Personally I always used createUUID() to salt my records. In fact, I make it a practice on general principles to keep an indexed UUID-containing field in every table and find it often comes in handy for a variety of things. Years ago I wrote up a system called AccessMonger. The Lite version is free and still on the Exchange http://www.adobe.com/cfusion/exchange/index.cfm?event=extensionDetailloc=en_usextid=1002753 It does all the stuff you are talking about. Stores salted, hashed pwds, supports pwd expiry and automated warnings (your pwd will expire in 10 days, change it or perish in flames), has user-driven password reset (not recovery) via hint/answer etc. Its old code but it works and if nothing else will give you a feature set and basis to write up your own system. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354911 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: 32 vs 64 bit CF and DSNs
Don't have an example handy cuz I don't use Access, but what about using dbtype 'Other' and manually specifying the strings? the way we used to have to do when mySQL support was dropped a few years back? 64-bit CF vs. 32-bit is so much more capable I'd do whatever it takes to NOT go back to 32-bit if I were you. p.s. notice how I didn't say anything snotty about using Access? :-) -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354913 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF9 Enterprise. Max heap recommendation?
Got it. Thx! -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353958 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
CF9 Enterprise. Max heap recommendation?
I am running a slew of VPS instances at Viviotech. Each VPS runs CF9 Enterprise. The VPS has 6GB of RAM available, and I have the JVM max heap set to 2GB. Did some research on this some time ago and (right or wrong) the consensus I found was that 2Gb was about the max that you wanted to go. On one of the high traffic instances, I ran out of heap space today. Hosting tech's solution was to increase heap size to 2.5G. Any thoughts on whether this new value is in fact over a line/out of comfort zone? Anyone have a good link to jvm tuning settings? I'm presently using -server -Dsun.io.useCanonCaches=false -XX:MaxPermSize=256m -XX:+UseParallelGC -Xbatch -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353943 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF9 Enterprise. Max heap recommendation?
On Wed, Jan 16, 2013 at 11:56 AM, DURETTE, STEVEN J wrote: I believe that 2 gig limit was 32 bit OS. I run at much higher on 64 bit OS. Ah I failed to mention it but I am running on Win 2k8/64 -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353945 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: New Security Issue with CF
Things must be bad if they are issuing something that ominous-sounding without a solution. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353767 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: New Security Issue with CF
Thanks for posting. I thought I had my stuff locked down pretty well but I screwed up and left a door open. The nature of this is almost unbelievably nasty. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353732 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Anyone having issues with godaddy DNS? I can't even pull up their website.
Also 3rd party monitors detected no traffic telltales that would indicate an attack of that magnitude was in progress. So GD stepped on their own you-know-what and this was due to incompetence rather than incompetence+malice. Not sure I feel that much better about it. On Tue, Sep 11, 2012 at 12:31 PM, Casey Dougall - Uber Website Solutions ca...@uberwebsitesolutions.com wrote: On Tue, Sep 11, 2012 at 4:28 AM, Maureen mamamaur...@gmail.com wrote: Considering the way the hacker described this on twitter and the length of time between his initial taunt and when the sites went down, I suspect more to it than a DDOS. It sounds almost like he had his hand on the rhetorical switch and he turned it off. Well ends up we were all wrong and it was GoDaddy's fault the whole time. LOL http://www.foxnews.com/tech/2012/09/11/godaddy-outage-due-to-corrupt-router-tables-not-hackers/ We have determined the service outage was due to a series of internal network events that corrupted router data tables, Wagner said in a company statement. Once the issues were identified, we took corrective actions to restore services for our customers and GoDaddy.com. We have implemented measures to prevent this from occurring again ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352500 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: SOT: Thoughts on Hostek?
My experience with Viviotech has been nothing short of stellar. I think all told between myself and the people I am still responsible for, I have maybe 8 VPS' running a variety of things over there, including CF. I saved a fortune over my former discrete dedicated servers and paid almost no noticeable performance penalty. They did have one scary outage for a few hours not too long ago, but that was the only one over the last couple of years. In the typical cycle of hosting company growth (with the inevitable accompanying service+quality decay) Viviotech remains in that small-company/high-quality mode. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352415 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: detecting mobile devices
On Tue, Oct 4, 2011 at 2:39 PM, Dave Watts wrote: That looks like it's fun to maintain. Fortunately, there aren't ever any new mobile devices. With any luck its not so bad. That code is the CF version supplied by http://detectmobilebrowsers.com.. Last updated Feb 28 according to the site. The CF version can be had in txt form here http://detectmobilebrowsers.com/download/coldfusion A scheduled cfhttp and a few cfifs, followed by a little replace() magic and a conditional cffile write could keep an include with the latest regex in it updated on a given server. I have to sheepishly admit I have been using the same code for my own corporate site. And yes I compounded the sin by being too lazy to write an auto-updater. Looked into WURFL and at the time it didn't seem accessible enough to me for what I wanted to do in the time I had to do it. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351543 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
CF 10 upgrade from Adobe... Can anyone confirm I am hosed here?
Just spent a fair bit of time getting sent from customer service, to sales, to another sales guy, to customer service and then back to sales. All but the last said the next person would be able to handle this for me: Late March I buy a CF9 std upgr from CF8. Get it around April 1 and off I go. So CF10 comes out and of course I am hoping to get that upgrade. The Adobe web site says upgrading from CF9 is 749; CF8 is 899. You'd think I'd be able to do some sort of differential to get into CF10. i.e. take what I paid and back that off the 899 price. Not expecting a freebie. In the end I'm told no dice. Pay another $749. Really? There was a whole lot of uncertainty - and some I understand. I'm sure we can do that - on the other end of the phone. I would think if there was really no recourse this would be a powerful disincentive to buying a product late in its life cycle. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351356 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CF 10 upgrade from Adobe... Can anyone confirm I am hosed here?
On Tue, May 29, 2012 at 2:43 PM, Brian Thornton wrote: do a charge back and buy it from scratch.. I thought of that. American Express might work with me. I spend a lot with them and they're pretty aggressive for their good customers, but I would rather not use a nuclear weapon on a valued source if I can avoid it. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351358 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Controlling Spiders
There is a robots.txt setting that may be of some use. User-agent: * Crawl-delay: 0.5 Tells all bots to only hit two pages per second. I'm pretty sure Google does not follow this particular command, and I know from sad experience that there are plenty of rogues out there who will either pay lip service to or ignore the setting. Google Webmaster's Tools has a setting inside of it that will allow you ask nicely to please consider throttling down some IIRC ... but the reality I have found is - if you have a lot of pages that are bot-popular... to truly solve the problem, you have to rethink what you are doing. A client of mine had a vehicle multiple listing service consisting of tens of thousands of units up for sale, where each unit generated three pages (a quick view, a full view and a picture page) and the units available changed quite a bit in a given day ... bots knew this and crawled and re-crawled him mercilessly despite all efforts to get them to tone it down. We kept throwing hardware at the problem after increasing efficiency everywhere we could think of, until the next step was a big one: Multiple CF Enterprise licenses and a cluster. We found another solution: Generation of static .html on the back end as pages change instead of gratuitous use of .cfm's to effectively no purpose, since the material only changed when the editor changed it (very infrequent compared to the number of pages views) or the feed from the third party came in overnight. This approach increases the server's capacity to handle concurrent traffic *immensely* but also poses multiple challenges. Maintaining session state is not the least of these, but also when dealing with daily mammoth CSV and XML feeds from third parties, we had tens of thousands of pages to generate or update (solution: use a second server on a cheap VPS dedicated to feed processing and page creation). Its definitely not for everyone. We got away with it and for that particular application it was a solution that allowed better overall performance and low operating cost. A rare win/win. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351032 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Controlling Spiders
On Mon, May 7, 2012 at 4:28 PM, .jonah jonah@creori.com wrote: Even some judicious just of cfcache will get you a long way. Yup. For us, the expensive stuff was unique per page, but also part of the problem that we never seemed to be able to get a handle on was the concurrency demands associated with having bots hit as many pages as they could with as many threads as you set the CF server to allow. For that matter, if there are common queries you can get an enormous amount of mileage out of short query caches of two or three seconds in duration. For example, on one of those listings, say the dealer info is a query. The bot could hit the dealer's listings as a block, so if you cache the dealer's data for lets say ten seconds, you can eliminate a ton of hits to the db... and since the cache is short lived, there's room for all of the other hundreds of dealers whose material is being accessed - and hopefully cached to good effect - at the same time. Turning CF into a backend processor-only is no small task. Its not something you can do without a whole lot of planning and effort, which is a good thing because unless you really need to, you shouldn't. Something else to consider is rel=nofollow and hope you can exert some control over redundant traffic flow. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351034 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Adobe Solution?
I'm inferring from the use of Access 2007 that this is a customer with champagne tastes and a beer budget. One of my favorite - and most effective lines to clients borders on a mantra: Anything is possible given enough time and money. Followed closely by How bad do you want it and what are you willing to pay to get it? Next step: Demonstrate the hurdles for each approach. One is the easiest thing in the world, the other not so much, and is he willing to spring for a specialist to build this monster? Who knows... maybe it *is* possible and you aren't the right guy for the job. Give the client the client the service of laying your cards on the table and letting him decide how to proceed. Deal straight with the guy and oftentimes thats worth something to them. Its certainly worked out in my favor many times. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:346215 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
