Wednesday, August 18, 2010

Installing ColdFusion 9 Error

If you have been running into the error while installing CF9 on IIS7 64bit:

The page you are requesting cannot be served because of the extension configuration. If the page is a script, add a handler. If the file should be downloaded, add a MIME map.

Then head over to Codecurry: Installing ColdFusion on IIS 7 + Configure IIS for ColdFusion in Windows Vista and Windows Server 2008 for the solution. Its just a matter of enabling/ installing a few IIS options.

Friday, August 13, 2010

ColdFusion Tools & Resources

Charlie Arehart (whos an independent CF consultant) has a great  list of resources for ColdFusion developers that can be accessed from:

ColdFusion 8 performance tuning

Kunal Saini of Adobe has posted a very good article on performance tuning ColdFusion 8. The article covers foll: aspects:
  • Performance tuning with Java Virtual Machine parameters
  • Performance tuning with ColdFusion Administrator
  • Coding best practices for ColdFusion performance
The article ends with a case study of BlogCFC. The article can be accessed from

Tuesday, May 04, 2010

ColdFusion .NET Integration Service on Multi-Server configuration

If you try to use the coldfusion dotnet integration that comes with CF8 and up on a multi-server instance of ColdFusion, you may encounter a java.lang.ClassNotFoundException error.

This is especially true when you run your app under the non-admin instance (ie you create a new instance and run the app under this new instance of CF).

The cause becomes obvious when you look at the error.log file in the "ColfFusion8DotNetservice" folder.

.NET exception = System.IO.FileNotFoundException

.NET exception message = Could not find file 'C:\JRun4\servers\MM2\cfusion.ear\cfusion.war\WEB-INF\cfusion\lib\dotnet_coreproxy.config'.

.NET-side stack trace = at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)

at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)

at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)

at com.jnbridge.jnbproxy.JNBProxy.Main(String[] args)

The missing dotnet_coreproxy.config file can be found in the default install of CF. which would typically be C:\JRun4\servers\cfusion\cfusion.ear\cfusion.war\WEB-INF\cfusion\lib\dotnet_coreproxy.config

Just locate the file and copy it over to the new location. This should resolve the issue.
Web technology solutions for small and medium enterprises.

Tuesday, January 19, 2010

Session Fixation issue in ColdFusion

Most web applications that use cookies to persist sessions are prone to session fixation security flaw.
The Open Web Application Security Project (OWASP) defines session fixation as:

Authenticating a user without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Session fixation vulnerabilities occur when:
  1. A web application authenticates a user without first invalidating the existing session ID, thereby continuing to use the session ID already associated with the user.
  2. An attacker is able to force a known session ID on a user so that, once the user authenticates, the attacker has access to the authenticated session. 

To resolve this in ColdFusion, you could take the foll. steps:

index.cfm posts login credentials to checkLogin.cfm. I expire the exisitng jsessionid cookie on this page. And then make a cfhttp call to verify.cfm; I also pass the login crediantials to verify.cfm. Verify.cfm authenticates the user and sets session variables for the user. Once checkLogin.cfm gets the return back;
I parse out the jsessionid from the cookie header and set a new jsessionid cookie on checkLogin.cfm page.

We can also wrap the logic in onSessionStart().

Also see this post by Jason Dean on the same issue.

If anyone has had any other approach to this, I would love to hear from you.