Entries Tagged as 'ColdFusion'

Fix the DNS caching in ColdFusion


It has been a well-known fact for many years (to some of us at least) that ColdFusion (or rather the JRE) caches DNS look-ups forever, until the service is next restarted.

The caveat of this is that if any domain name you are connecting to from CFML has had a DNS change such as a change of IP address then code will suddenly stop working until you next restart CF.

 

Areas this will affect include:

  • SMTP servers in the CFADMIN
  • Database Servers in your Datasources
  • CFHTTP calls
  • Web Services
  • CFFTP, CFPOP, CFEXCHANGEMAIL, CFIMAP, CFMAIL

 

Plus any other tag, CFX tag, java class that allows you to connect to a remote server.

 

This has never really caused us any major issues. Occasionally we have had a customer complain that CFHTTP calls have mysteriously stopped working, or that they could no longer connect to their payment gateway after the provider made some updates, but it has been so rare that restarting CF was an acceptable solution.

 

Recently we got a notice from our payment gateway provider (SagePay formerly ProtX) telling us that their IP addresses would change. Knowing this would affect CF and that we have several customers who also used SagePay I knew we would have to restart CF on every server to make sure their ecommerce stores did not break.

This prompted me to look into this problem, find out why the JRE cached DNS look-ups and see if I could change it.

 

After some investigation I learned that the class used to look up host names for HTTP operations is the Java InetAddress class.

If you read the documentation for that class you can see that the result of positive host name resolutions is cached forever. It also advises how to override the default behaviour with the following property.

 

networkaddress.cache.ttl
Indicates the caching policy for successful name lookups from the name service. The value is specified as as integer to indicate the number of seconds to cache the successful lookup. The default setting is to cache for an implementation specific period of time. 

 

In a standard ColdFusion installation you would find this in the following file:-

 

C:\ColdFusion8\runtime\jre\lib\security\java.security

 

If you are using a custom JRE in a J2EE type installation then the path may be something like:-

 

C:\Program Files\Java\jdk1.6.0_12\jre\lib\security\java.security

 

In a CF multi-server installation:-

 

C:\JRun4\jre\lib\security\java.security

 

Find the following line

 

#networkaddress.cache.ttl=-1 

and change it to

 

networkaddress.cache.ttl=14400

 

This sets the TTL to 14400 seconds (4 hours).
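
To confirm that you edited the java.security file your ColdFusion instance actually loads, and that the change is live after a restart, the following added example (not from the original post) compares the value on disk with the value in the running JVM. It assumes the `lib/security` layout of the JRE paths shown above, and that the page is run by an administrator on a server where Java object creation is permitted.

```cfml
<!--- Added example, not from the original post. Assumes the lib/security JRE layout. --->
<cfset javaHome = createObject("java", "java.lang.System").getProperty("java.home")>
<cfset secFile  = javaHome & "/lib/security/java.security">
<cfset key      = "networkaddress.cache.ttl">

<!--- Value the running JVM actually loaded (undefined if the property is not set). --->
<cfset liveTtl = createObject("java", "java.security.Security").getProperty(key)>
<cfif not isDefined("liveTtl")><cfset liveTtl = ""></cfif>

<!--- Last uncommented setting in the file on disk. --->
<cfset fileTtl = "">
<cfif fileExists(secFile)>
    <cfloop file="#secFile#" index="line">
        <cfset line = trim(line)>
        <cfif len(line) and left(line, 1) neq "##" and trim(listFirst(line, "=")) eq key>
            <cfset fileTtl = trim(listRest(line, "="))>
        </cfif>
    </cfloop>
</cfif>

<cfoutput>
    <p>java.security loaded from: #htmlEditFormat(secFile)#</p>
    <p>#key# on disk: #htmlEditFormat(fileTtl)#</p>
    <p>#key# in running JVM: #htmlEditFormat(liveTtl)#</p>
    <cfif not len(fileTtl)>
        <p>The line is still commented out or missing in this file.</p>
    <cfelseif fileTtl neq liveTtl>
        <p>File edited but not live yet: restart ColdFusion.</p>
    <cfelse>
        <p>Setting is live.</p>
    </cfif>
</cfoutput>
```

If the path reported is not the file you edited, the instance is running on a different JRE than the one you changed.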

 

Now you will note that there are various warnings about DNS cache poisoning and the security manager which may scare you. So also note that InetAddress by default resolves against localhost, so if there was a cache poisoning problem then the problem is with your local machine or DNS server. Any application that resolves DNS look-ups against localhost will be affected, which includes ASP, PHP, local services etc., so ColdFusion/Java is really not where your area of concern should be when it comes to DNS, but rather that your local machine is secure and that your DNS server is protected against cache poisoning. Plus the problem would still exist when you restart CF anyway, and this is probably a fairly common occurrence for most people, so I personally would not worry about it and I think this is a pretty daft and pointless reason for this default setting. Some may disagree, but hey that's their prerogative.

Microsoft Access DSN's no longer working after upgrading to ColdFusion 9


 

I upgraded a CF8 server to CF9 the other day and thought everything had gone fine, but today I received an email from a user saying his Microsoft Access DSN was no longer working.

 

The error was:

 

[Macromedia][SequeLink JDBC Driver]TCP/IP error, connection refused

 

My first course of action was to google the error as usual, which turned up nothing useful, so I then started my own investigations using a bit of common sense.

 

I checked the SequeLink ODBC services and they were running, so I tried to restart them and they would not.

It was at this point that I noticed all the CF8 services were still running, which was odd, because while CF9 leaves CF8 intact it should disable and stop all the services. This has been the case since CF7 in fact that the previous version is left intact.

 

Thinking back on my install I remembered CF informing me that it had detected CF8 was installed and had changed a couple of ports for some reason, I thought nothing of it at the time as I presumed it would not cause a problem, but in hindsight I should have known better as whenever CF has ever used alternative ports for anything in the past it has always caused issues.

I also did not stop all the CF8 services prior to installing CF9, as the installer always does this for you anyway, but I guess in this case it did not and thus detected a conflict. So a lesson learned there, always stop all services prior to an upgrade.

 

 

So anyway I was sure the problem was with the ODBC service, so the next step was to hunt for the TCP settings. This actually proved to be quite simple in the end.

I first checked the Windows service to see where the exe file is located, which pointed me to
D:\ColdFusion9\db\slserver54\bin\swagent.exe "ColdFusion 9 ODBC Agent"
Ah, now my memory was starting to clear, this is where the SequeLink drivers are.

 

  1. Look for config files that may contain tcp port settings.
    This led me to the following file
    D:\ColdFusion9\db\slserver54\cfg\swandm.ini
  2. Now look for TCP port references, which led me to the following lines in this file
    ServiceConnectInfo=tcp://LOCALHOST.19999
    ServiceConnectInfo=tcp://LOCALHOST.20000
  3. I then compared this to the CF8 settings, which showed
    ServiceConnectInfo=tcp://LOCALHOST.19997
    ServiceConnectInfo=tcp://LOCALHOST.19998
  4. So clearly CF had indeed changed the ports due to a conflict. So I simply set the ports back to 19997 and 19998 in that order, stopped and disabled all the CF8 services, and started the CF9 ODBC services and voila everything was fixed.

 

So what initially seemed like it was going to be a PITA problem actually only took me less than 1 hour to resolve, and most of that was spent googling for a solution and finding nothing. Once I actually started my own investigation it took less than 30 minutes to diagnose and resolve. Sod's law.

 

If you are having some other type of SequeLink ODBC service errors that are not fixed by my solution then the following TechNote may also help you out.
http://kb2.adobe.com/cps/188/tn_18800.html

Cumulative Hot Fix 1 for Coldfusion 9


Technote here : http://kb2.adobe.com/cps/825/cpsid_82536.html

 

Bizarrely I cannot find any reference to this hotfix or tech note anywhere on the Adobe site. It is not on the below ColdFusion hotfixes or updates pages at the time of writing this, and is not in any of the ColdFusion RSS feeds. So I am not sure how people are supposed to find out about this. Very poor job Adobe, tut tut.

 

http://www.adobe.com/support/coldfusion/downloads_updates.html
http://kb2.adobe.com/cps/402/kb402604.html

Security Alert! Sites hacked via upload scripts


SECURITY ALERT!

 

There has been an increase in the past few days of sites being hacked via file upload scripts, particularly a number of high profile ColdFusion based sites.

The hacker gets in by uploading a CFM, ASP, PHP or other supported file type to the server and executing the file, thus escalating his access.

 

If you have any publicly accessible areas of your site where files can be uploaded then you should make sure you are not vulnerable: make sure that you are validating allowed uploaded file types and not allowing executable files to be uploaded.

 

In particular you should pay attention to things like image uploads on forums or other applications, which people seem to think are safe because they only allow images to be uploaded. Many scripts will actually accept the uploaded file into the final destination folder before validating it, and then delete it if it is not valid, thus giving a window of opportunity for the file to be executed.

 

What happens is that the hacker uses a load testing tool that constantly executes the URL on your site where he knows his file will be uploaded (e.g. mysite.com/files/xyz.cfm), this is done many times a second, so when he then uploads the file it will get executed in those few milliseconds before it is deleted.

To avoid this scenario you should perform checks prior to accepting the upload, or upload the file to a temp location first that the hacker cannot access and then move it to the destination folder once it has been verified.
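
The staged approach described above, as an added CFML example that is not from the original post: the file is received into a folder that has no URL, validated there, and only then moved into the web-served folder under a server-chosen name. The form field name `photo`, the `/files` folder and the extension allowlist are assumptions for illustration.

```cfml
<!--- Added example, not from the original post. Field name, folder and allowlist are assumptions. --->
<cfset stagingDir = getTempDirectory()>             <!--- server temp folder, not reachable by URL --->
<cfset publicDir  = expandPath("/files") & "/">     <!--- hypothetical web-served destination --->
<cfset allowedExt = "jpg,jpeg,png,gif">

<cfif structKeyExists(form, "photo") and len(form.photo)>
    <!--- 1. Receive the upload into the staging folder only. --->
    <cffile action="upload"
            filefield="photo"
            destination="#stagingDir#"
            nameconflict="makeunique"
            result="up">
    <cfset stagedPath = up.serverDirectory & "/" & up.serverFile>
    <cfset ext = lCase(up.serverFileExt)>

    <!--- 2. Validate while the file still cannot be requested:
             extension must be on the allowlist AND the content must parse as an image. --->
    <cfset ok = listFindNoCase(allowedExt, ext) gt 0 and isImageFile(stagedPath)>

    <cfif ok>
        <!--- 3. Publish under a name the uploader did not choose and cannot predict. --->
        <cfset finalName = createUUID() & "." & ext>
        <cffile action="move" source="#stagedPath#" destination="#publicDir##finalName#">
    <cfelse>
        <!--- Rejected files are removed without ever having had a URL. --->
        <cffile action="delete" file="#stagedPath#">
        <cfthrow type="Upload.Rejected" message="File type not allowed.">
    </cfif>
</cfif>
```

Because a rejected file never exists under the web root, repeatedly requesting a guessed URL has nothing to hit, and the renamed file removes the predictable path the race depends on.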

ColdFusion 9 Tutorials and Resources

I was about to start compiling a list of useful links to info and tutorials for CF9 and CFBuilder, but it seems someone has beaten me to it, so rather than re-invent the wheel I will just link to this chap's page and save myself some work :-) If you are looking to find out what is new in CF9 and how to do it, this is worth reading.

 

 

A few of my favourite new features are below, of course I tend to look at things from a hosts perspective these days rather than a developer seeing as I don't do a lot of coding anymore.

Most of these improvements are especially great for me because I actually had a discussion with Adobe some years ago about what improvements needed to be made to ColdFusion to make it more suitable for shared hosting and explained how they needed to work, and these are areas I specifically addressed, so it seems that finally they did listen to me.

 

  • View Undelivered Mail
    This new feature allows you to browse mail sitting in the undelivered folder and then delete or respool them. This is handy for manual checking or on a dev machine. Currently my company has a custom script that automatically respools all undelivered mail for 24 hours, and then deletes them, which is very useful in a shared hosting environment otherwise the undelivered folder regularly fills up. It is a shame Adobe didn't have the foresight to add this kind of automation as well, but at least the viewer allows an easy way to find missing emails.
  • Application Specific Datasources
    This is a real code saver and somewhat of a security benefit as well. With this new "this.datasource" application property you can set an application-wide datasource, thus negating the need to specify the DSN in every query. A full review of this feature can be found on Ben Nadel's blog.
  • Server Manager
    ColdFusion 8 introduced server monitoring for single and multiple servers via a Flex based app which provided access to all sorts of ColdFusion internals, alerts, proactive problem management, and more.
    ColdFusion 9 takes this a big step further with a new tool called "ColdFusion Server Manager". This AIR based application allows you to monitor as many servers as needed (including individual ColdFusion instances on a multi-instance configuration) and even offers pop-up alerts when issues occur, it allows for remote server configuration (define a data source, for example), it also allows for settings to be applied to multiple servers at once, it can clear the template caches, it can upload hot-fixes to one or more servers, and it even allows you to select two ColdFusion servers to compare their configuration settings, highlighting any differences between them.
    Oh, and before you ask, here are answers to the three most commonly asked questions.

    1. No, this is not a separately sold utility, it is part of ColdFusion itself (and installed via a link in the ColdFusion Administrator).
    2. ColdFusion Server Manager uses APIs added to ColdFusion 9, so no, this will not work with ColdFusion 8 or earlier.
    3. Adobe have not made any decisions yet as to product edition, so no decision as to whether this is an Enterprise only feature or not.
  • Server Security
    One of my big issues has always been ColdFusion's security, or rather lack thereof. You need the enterprise edition to get security sandboxes and these only sandbox CFML code, if someone writes some Java code into their CFML pages they can completely bypass the sandbox and do whatever they like, which actually makes ColdFusion one of the most insecure application servers out there in a shared hosting environment as PHP, ASP and .NET do not suffer from this problem.
    This has supposedly now been addressed, with ColdFusion 9 now allowing you to restrict access to certain JAVA functionality. I have not yet looked into this, and as no-one else seems to have written an article on this particular area yet I may as well do so, so a more detailed tutorial on this subject will be coming soon.
  • 64bit ColdFusion for all
    Up till now, 64bit ColdFusion has only been available to ColdFusion Enterprise customers. This will (thankfully) change in ColdFusion 9, and all customers will have access to 32bit or 64bit versions, regardless of edition. Groovy!