[Looking for Charlie's main web site?]

New whitepapers from Adobe on ColdFusion 2016: lockdown, migration, and performance

Continuing my series of posts on new things in CF2016 which some may miss,there are some new resources from Adobe about CF 2016, posted in recent days. (I suppose we may see a post from Adobe on their blog at some point, but I wanted to share it in the meantime.)

You can find them listed as "whitepapers" at the bottom of ColdFusion.com (as I view it today, at least), so keep an eye there to see if perhaps any others may ever be added.

Here are the docs, with some observations also about their size and version, if available:

  • Lockdown Guide (85 pages, currently version 1.0, released Feb 2) - An update to the classic document that Pete Freitag has been doing for CF for a few releases. Everyone should read this, and heed its recommendations. I'll have more to say on that in another post.
  • Migration Guide (22 pages, currently version 2.0, no date offered) - Focuses on a few things: how installation on a current server running CF already offers to migrate admin settings; how one can do that with the CF Archive (CAR) feature (available for CF Standard since CF11); using the Code Analyzer, and how to troubleshoot some server-level migration issues. For more on "what's new" in 2016, see the docs page on What's New in CF2016. For more on what's deprecated, see the docs or my other post discussing what's deprecated in 2016
  • Server Performance White Paper (9 pages, version 2.0, no version or date info offered) - Discusses specific performance improvements in CF 2016 (not performance of CF in general, nor performance-related changes in previous releases, nor all available optimizations in code or config). It's focused solely on changes in CF 2016 (or could be a huge document), whether regarding existing code/configuration as migrated or as impacted via new config/coding options available. Includes an appendix indicating the server and CF admin configuration for the testing they did.
  • API Manager Performance White Paper (18 pages, no version or date info offered) - Discusses load testing done against the new API Manager, and the rate of traffic sustained (very important as an aspect of the API Manager is to act as a gateway for performing, managing, monitoring, caching, and even throttling API calls, whether against CF or any server in your infrastructure). Since the API Manager is a new product, it's a larger document than that on CF, focused as it is only on changes in 2016 (in case anyone may comment that the CF Performance guide is only half its size)

There is also now a single page from Adobe listing all the CF2016 whitepapers (and datasheets).

Hope that's helpful. Check 'em out.

The ColdFusion 'metrics log', an oft-missed or misunderstood feature, 'new' since CF10 (Part 1)

I'd like to take a diversion from my recent posts focused on CF2016 and talk about something that applies (and should interest) anyone using CF 10, 11, or 2016.

Have you heard of the new "metrics log" option that was enabled in CF10? If you have not, it's worth knowing about (there's precious little documentation, and I'll point to it, and give you still more info to help you use it). It's a useful, low-impact mechanism to get some high-level metrics logged by CF every 60 seconds (by default), and stored along with other CF logs.

If you did know about it, you've probably had some problems with it. Why does it show "nulls"? What do reported metrics really mean? Why do they not jive with what I'd expect to be the numbers reported?

In this post, and a Part 2 to come, I will introduce the metrics log, pointing out some key things you need to know to have it setup to work at all, and then I'll share my observations of things I've come to understand about the reported metrics.

[....Continue Reading....]

More on Tomcat 'Status Worker', as discussed recently by Adobe

If you're running CF 10 or 11, there's a very interesting post on the Adobe CF blog, from July 19, entitled, Configuring Status Worker in Connectors. The Adobe blog post title may not have caught your attention, but it's about setting up a lightweight and built-in Tomcat monitoring feature for observing the status of the Tomcat web server connector.

You may want to consider enabling it, but I would add some caveats and observations that I share below. Note that it's really quite easy to enable, and DOES NOT require a restart of CF (only of your web server, or technically in IIS, the application pool/s) to take effect.

If you've not yet read their blog entry, go check it out and then come back here for several observations I have to share, some of which I think you'll agree could be very important. (BTW, if you don't follow that Adobe CF blog regularly, you really should. Often great content, and very little "noise".)

[....Continue Reading....]

Free, simple code to find out what SQL statements are running slow in SQL Server right now

Often when people are trying to troubleshoot seeming problems in ColdFusion (or whatever app server you use), they may wonder if (or have tools which suggest that) their CF requests are being held up waiting for some long-running query to run in the database.

Wouldn't it be nice to know, at any moment (such as when things are going badly), just what queries (or stored procedures or commands) were running in the database at that point in time?

Well here's good news: if you're running SQL Server, the following SQL query will show you just that: the currently running SQL statement(s) and some additional details about each query including their duration, their database name, the program executing the SQL, the session id, and much more.

(If you're running MYSQL, you may know that you can get pretty much the same info with SHOW PROCESSLIST. Or if you want to do it as SQL, you can use SELECT * FROM INFORMATION_SCHEMA.PROCESSLIST WHERE COMMAND != 'Sleep'. Sadly, it's just not that simple in SQL Server, it seems, thus the need for this entry.)

The code for SQL Server

Following is the code, and then some discussion of it:

[....Continue Reading....]

My presentations at ColdFusion Summit, CFCamp, etc.

I wanted to share word here of the presentations I'll be offering at the upcoming Adobe ColdFusion Summit 2014 in Vegas on Oct 16-17, as well as CFCamp 2014 in Munich on Oct 20-21.

Also, sorry for the long delay in blogging. Just been so busy doing my CF server troubleshooting consulting.

As for my sessions at CFSummit (next week), I'll be doing the following (and you can follow the links to learn more about the talks, their dates and times, etc.):

At CFCamp, the following week, I'll be offering:

I had also presented the Hidden Gems talk at NCDevCon 2014.

These are all great conferences, and, in addition to cf.Objective 2014 (where I spoke also, on different topics), they are each great ways to keep up on what's going on in the world of ColdFusion and related technologies.

Finally, if someday you're visiting this blog entry and find that one of the conference links no longer work, you can find my own link to all my presentations, at all conferences the past 15+ years (as well as to any recordings made available) at my presentations page.

Come say hello if you're at any of these events.

CF911: High CPU in ColdFusion? Some common but perhaps unexpected causes

I often help people who are reporting that CF is "running hot on the CPU", maybe reaching 80 or even 100% of the CPU, whether in spikes or for extended periods. What might you propose people look at, when you've heard that? I've heard all kinds of things over the years, often focused on coding, or perhaps jvm tuning.

But as is often the case in a lot of the CF server troubleshooting consulting I do, I find the causes to be far less often what most people seem to suspect. So what would I look for when someone reported high CPU in ColdFusion (or Railo)? Read on.

[....Continue Reading....]

CF911: Want to monitor ColdFusion "out of process" (from outside the instance itself)? Many ways.

I just blogged about how the hidden gem "enable monitoring server" option in CF 9.0.1 does NOT cause the CF Server Monitor to somehow magically run "out of process". See more on that.

Yet people will reasonably want to be able to have some mechanism that "watches" CF "from the outside", to know when it's gone down. How can you do that? That's what I'll point out in this entry.

And beyond talking about what goes along with the CF Enterprise Server Monitor, I'll also point out options for those who are NOT running CF 8, 9, or 10 Enterprise and therefore do not have the Enterprise Server Monitor. This also includes those CF 6 or 7. There are solutions for you, and also for those running Railo, BD, or indeed any Java server. More on all that in a moment.

This is part 4 of an unexpected series of entries today on the CF Enterprise Server Monitor. :-) I got on a roll, and each seemed deserving of its own topic. See the "Related Blog Entries" below this entry for links to those.

What the CF Server Monitor is, and is not

[....Continue Reading....]

CF911: "Enable Monitoring Server" option (new in ColdFusion 9.01) DOES NOT monitor "out of process"

Have you been led to believe that the "Enable Monitoring Server" option (new in the CF 9.0.1 Admin) somehow magically runs the CF Enterprise Server Monitor "out of process". Sadly, even some folks from Adobe have and still may assert that. It's just not true. So what is this option about, then? I'm not denying its value. I just want to clarify it.

BTW, today is "more about the CF Server Monitor" day today here at carehart.org. :-) In my last two entries today, I talked about related matters, regarding the impact of the 3 "start" buttons (monitoring, profiling, and memory tracking), as a followup to an older entry I did on them when the monitor came out with CF 8 in 2007. See the "related blog entries" below for more.

In the last entry, I mentioned that in 9.0.1, Adobe added a new "Monitoring Settings" page to the CF Admin, and one of the features is that ability I discussed to turn off the 3 start buttons from within the Admin.

Below that is this other feature, labeled "Enable Monitoring Server". Let me say first that has really have nothing to do with all the discussion of the "start" buttons in the previous entries.

So what does "Enabling Monitor Server" do?

[....Continue Reading....]

CF911: Disabling the ColdFusion Server Monitor "start" buttons, when you can't get into the Monitor

Many know I'm a big fan of CF monitoring, whether with CF Server Monitor, FusionReactor, or SeeFusion. I've written plenty on each (see the categories to the right here).

But the CF Server Monitor does have an Achilles Heel: you may turn on one of its "start" buttons, especially "memory tracking", and find that it's crippling your server. You may not be able to then turn off the feature.

I talked about this potential issue in an entry when CF 8 was released back in 2007, CF Server Monitor: what's the impact on production? you may be surprised. I clarify there that the monitor will not, as some assert, "always kill your server". See that for more details.

And I discussed in an entry earlier today that you can't just "close the monitor" or even restart CF to make the problem go away, because that won't stop the functionality. See CF911: Using the #ColdFusion Server Monitor? Be aware that the "Start" buttons remain enabled.

So what if you are in a situation where using one of the features, especially typically "memory tracking", has in fact sent your server into a tizzy. If you can't even get into the monitor to turn it off, you're going to be in quite a pickle, and understandably panicked.

Easy solution if you're on CF 9.0.1

[....Continue Reading....]

CF911: Using the ColdFusion Server Monitor? Be aware that the "Start" buttons remain enabled

If you use the CF Enterprise Server Monitor (in CF 8, 9, or 10), it's vital that you understand that if you turn on any of the Start buttons at the top ("Start Monitoring", "Start Profiling", or "Start Memory Tracking"), the settings they enable in CF STAY TURNED ON, even if you close the monitor, and EVEN IF YOU RESTART CF.

Why is this important? Well, I discussed the impact of these buttons (which can be severe or negligible, depending on certain factors) in a blog entry I wrote back in 2007 when CF8 was released.

And today someone was kind enough to point it out to someone on Twitter, so I took a look at it and tweaked it a bit to give some more context. While doing that, I realized I'd never mentioned this fact about the "start" buttons, and about an important related change in CF 9.01 (and 10), thus this entry.

The buttons remain enabled over CF restart or closing the monitor

[....Continue Reading....]

I'm speaking this evening on the Adobe CF Developer Week webinars: mine on CF Server Monitor

Hey folks, just a heads up (for those who may not have seen all the tweets and list messages) that this week is the Adobe CF Developer Week series of free webinars.

Update, Recording: Note that this session was recorded. You can view it here, but note that you must login with an Adobe ID to see it.

And I'm presenting a session tonight, Tuesday September 13, at 7pm Eastern, on "Understanding and Using the ColdFusion Server Monitor".

As many of you know, I'm pretty much a fanatic about the monitor, especially about truly understanding elements of it that many miss. And so in my talk this will not be just a dog and pony show, but I will talk about practical experiences with it, though presented to either those new to it or experienced with it.

Note that the times for all these devweek sessions is shown (on the Adobe site) as being Pacific time, so again mine is at 7pm, not 4pm, Eastern.

And yes, the sessions are being recorded and seem to be made available the next day.

Finally, beware that there is no one URL you can use to join in on all the Connect sessions, nor can you get the Connect session URL by going to the event page (via the first link above). Instead, you must register for each event (free) from that first page, to get each session's Connect URL--and you'll want to do that at least several minutes in advance of any session to have time to register, get the email, login, etc.

See you then.

PS Hey, while we're talking monitoring, note as well that if you've not heard, FusionReactor has come out with its new release 4, which has lots of great additions, especially FREC (or the FR Extensions for CF) which cause FR to grab and log lots of great info that the CF Server Monitor only shows and never logs. I'll be blogging about FR 4 soon, but plenty to see on their site. and FusionAnalytics is also just about to release, really!

I won't be discussing these at this talk, focused solely on the server monitor, but as I always tell folks, each tool has its use and often a single shop can benefit from having both (like I do, as do many of the clients I help with troubleshooting). You can find more from me about FR here in my blog. And I'll have lots more to say about FA and FR4 more soon.

CF911: Lies, Damned Lies, and CF Request Timeouts...What You May Not Realize

How often have you seen (or seen others complain of getting) a a CF page running longer than it's supposed to (perhaps in the CF server monitor, or FusionReactor or SeeFusion). Maybe you've set the CF Admin "request timeout" to 60 seconds, and you see a request running for 3 minutes, 3 hours, or 3 days! How can that happen?

Or perhaps you've seen this error from ColdFusion, in your logs or on-screen:

The request has exceeded the allowable time limit Tag: cfoutput

Do you know what this means? It's usually not what you think. I've even seen experienced CF developers who get thrown by this challenge. In this entry I'll try to help explain a very common problem and correct some misconceptions. I'll even contend that this info is often useless and indeed misleading (and therefore the feature producing it ought not be relied upon, and should even be turned off). Along the way, I'll share some things that I've not seen documented elsewhere.

Strap on your seatbelts. We're going for a bit of a ride (if it was easy and could be understood in the length of a tweet, then perhaps everyone would already understand it!) As always, I welcome feedback.

[....Continue Reading....]

Some code to throttle rapid requests to your CF server from one IP address

Some time ago I implemented some code on my own site to throttle when any single IP address (bot, spider, hacker, user) made too many requests at once. I've mentioned it occasionally and people have often asked me to share it, which I've happily done by email. Today with another request I decided to post it and of course seek any feedback.

It's a first cut. While there are couple of concerns that will come to mind for some readers, and I try to address those at the end, it does work for me and has helped improve my server's stability and reliability, and it's been used by many others.

Background: do you need to care? Perhaps more than you realize

[....Continue Reading....]

Free tools for SAN monitoring, VM Monitoring and more...and their educational site

Folks know that I like to share news of tools (see my CF411 site), but I want to point out here a couple of free ones in particular that may address problems people are having in new/modern configurations: one is a tool for monitoring a SAN, and the other is for monitoring VMs.

It also gives me a chance to offer some props for the site of the company behind the tools, SolarWinds, which again many may find valuable in educating not only about the tools but the topics that the tools help with.

The free SAN and VM monitoring tools

The two tools (and one more for bonus) are:
  • SolarWinds Free SAN Monitor - keep a close eye on the performance & capacity of your storage arrays and become a storage superhero!
    Note also:
  • VM Monitor - continuously monitor a VMware® ESX Server and its virtual machines with at-a-glance virtualization health statistic
    Note also:
  • WMI Monitor - monitor your Windows® apps and servers in real time, using built-in, community-sourced, and customizable application templates!
    Note also:

I haven't yet used them myself, so this isn't so much a recommendation of the tools but rather a recommendation that you consider them if you are interested in what they have to offer.

The company offers still more free tools, as well commercial ones of course.

A company that gets how to educate you about their products

You may have noticed above that I offered as well links to videos about each product. SolarWinds has really done a great job offering educational resources, especially videos, and organizing them into categories such as tech talks, webcasts, and more.

Indeed, if you may be new to network management (which can be a broad and/or deep subject, appealing variously to generalist IT geeks and hard-core network admins), they offer lots of compelling introductory resources, including their geek guides and even certification training . Of course they also have a helpful blog and twitter feed.

Just as I previously praised the Mura folks as a "company who got it right" in terms of setting up a compelling, informative web site for IT folks, I really have to say the same for the SolarWinds folks. Congrats, and thanks.

I'll be speaking at cf.Objective() on "Stack Tracing CFML Requests to Solve Problems"

Though I got the news a couple of weeks ago that my submission to cf.Objective() 2010 had been accepted, I only tweeted my delight about it and didn't blog it. Here's the description:

"CF911: Stack Tracing CFML Requests to Solve Problems"

Regardless of what CFML server monitoring tool(s) you have, or even if none, did you know that you can use a feature called "stack traces" to be able to pinpoint the exact line of code that a CFML request is running at any time? Did you know how to use that information to troubleshoot performance/stability problems? Do you know how to obtain that information either manually or automatically (such as during a crash while you're not watching)? Do you know how to obtain that information in any of the CFML Server Monitors (FusionReactor, SeeFusion, the CF8/9 Enterprise Server Monitor), or with free command line tools? And how to do this for any CFML engine (CF, Railo, BlueDragon, etc.)? Do you know how to interpret the information once you get it?

In this session, veteran CF troubleshooter Charlie Arehart will help remove the mystery from using stack traces. It really is amazingly simple with the right tools, and it can be incredibly useful to solve otherwise thorny problems, once you understand how to interpret the information.

Of course, I'm thrilled to be heading back to Minneapolis. I spoke there previously in 2008 and 2007 but couldn't attend in 2009. It'll be great to see all the fine folks who run and attend this unique conference.

BTW, I just saw also that CFUnited announced another round of topics accepted today and I see a topic whose title if very similar, "How to Read a Stack Trace", by the inimitable Daryl Banttari. It's hard to tell from his brief description how similar these will be, but Daryl is awesome so I'm sure I'll learn much from his. (I was literally just about to offer mine as another CFUnited submission but now won't of course. :-) Hopefully another of my submissions will be accepted, so I can keep my streak of having spoken at every CFUnited since they started.)

Anyway, the good news is that whichever conference you go to, this important (and often misunderstood) topic will be covered! :-)

Spying on ORM database interactions: Hibernate, Transfer, etc. on any CFML engine

As people use CF9's ORM feature (or other ORMs like Transfer and Reactor, or indeed Hibernate, on any version of CF6+ or indeed any other CFML engine), they may be left wondering what sort of SQL interactions happen "under the covers" between the ORM framework and the database engine (whether in a given request, or perhaps at startup of CF).

Well, there are several ways you can watch them, as this entry will discuss, and some may be better suited to the job than others. It can be very interesting to discover what's going on, especially if you're having any suspected performance problems which you think may be related to ORM processing (or just if you wonder what all it does for you).

As for spying on the SQL, of course ORM support is just a different way that the CFML engine (through the ORM framework) sends SQL to a database via a regular DSN, just like any other request, so there's nothing really "tricky" about this. It's just about realizing that while you don't write the SQL yourself, it's still generated by the CFML engine/ORM framework, and you may not realize/consider the available tools which can spy on it, just like any other DB processing from within CF. Indeed, some people may not even realize how many options exist to spy on JDBC interactions from their CFML engine to the database engine.

The good news is that there are several approaches, some included in CF (some depending on the edition), and some available separately which would work in any edition of CF or the other CFML engines (Open BlueDragon, Railo, etc.), and with any of the ORM frameworks. And again, some may be better than others for certain challenges.

(FWIW, besides the aforementioned Transfer and Reactor, there are still other ORM solutions for CFML, which I mention in my CF411 list as CFML ORM Frameworks. Indeed, note that you can run Hibernate on CF prior to CF9, if you want to. This is a recovery of a blog entry that no longer exists, recovered via archive.org.)

Built-in ORM Logging Option

First, note that for those using CF9+ ORM, there is indeed a built-in option in the CF ORM setup where one can enable logging, settable in the application.cfc: see the this.ormsettings option and its available key/value pair, logSQL="true".

There are several resources where you can learn more on that (and a related log4j property file approach to logging this). Besides the CF9 docs page on the ORM settings, there is also a blog entry by Adobe engineer Rupesh Kumar.

The default is to log this information to the console, but you can manipulate those log4j settings to tell it to use a file (see the links above). Even so, this will result in quite a lot of data being logged, which you will then need to connect back to your specific requests. The following approaches may be preferable.

Using FusionReactor or SeeFusion

Users of any CF edition (6+) or any CFML engine (Railo, OpenBD, or BD 7+) can use tools like SeeFusion and FusionReactor, which have always had the ability to monitor database interactions by "wrapping" the datasource to be monitored. FusionReactor engineer John Hawksley has posted a recent article specifically on monitoring CF9's ORM interaction, in the FR Devnet site, Using FusionReactor's JDBC Driver Wrapper With ColdFusion 9 ORM. Its concepts would apply to any ORM, of course.

Similarly, I've written generically about FusionReactor's database monitoring feature in What is the FusionReactor datasource monitoring feature? Why would I use it? Powerful stuff. As I point out in that article, the concepts discussed apply as well to SeeFusion's ability to monitor queries by wrapping datasources.

That said, it's worth noting that FusionReactor does have a couple of advantages, in that it provides for the display of all queries for a given request (while viewing the details of that request), whereas SeeFusion only lets you see the slowest query in a given request. FusionReactor also provides a separately available display of all the slowest queries (across all requests). It also logs every query (connecting it to a given request as well), while SeeFusion (Enterprise, at least) can also log the slowest queries to a database.

And note that both of these track any requests coming out of CF, not just those associated with a given request. So if there is ORM SQL that is associated with the startup of CF, that's tracked too. (And for those aware of issues with CF's Client Variables, such DB activity is also tracked, even that done by the hourly purge, which takes place on a background, non-jrpp thread.)

CF Enterprise Server Monitor

Those running CF 8 or 9 (Enterprise only) will find that its available Server Monitor does offer built-in monitoring of the SQL executed against CF datasources, at least, as long as you enable "Start Profiling" (which also enables other features, and overhead, as well). In this way, the Enterprise Server Monitor can monitor database interactivity, including ORM interactions.

Unlike FusionReactor (and like SeeFusion), it focuses only on showing queries that exceed certain limits, and at that it shows them only in a "Slowest Queries" interface, tracking the slowest queries among all requests. The CF Enterprise Server Monitor also has no logging ability at all.

Being able to see every single DB interaction for a given request (or across all requests) may be all the more interesting for discovering/observing what's happening with ORM interactivity.

Another alternative CF feature

Still another little-known feature for spying on JDBC interactions in CF is by way of the JDBC "spy" feature, which does in fact allow logging of all JDBC interactions mde from within CF. This feature was first enabled by way of the DataDirect 3.5 driver update which was made available (as an optional upgrade for 6 and 7) in the CF 7.02 timeframe. I wrote about the Spy feature back back in Aug 2006.

Since then, CF 8 (and now 9) offer it instead as a new "log activity" option in the "advanced settings" for a datasource definition in the CF Admin (which is disabled by default). I pointed this out in another entry from 2007 as one of many easily missed changes for the CF 8 Admin.

This "log activity" output is not as easy to interpret as FusionReactor's logs, and can indeed be voluminous (moreso than FR's), so be careful. Anyway, it's one of the several ways you can monitor JDBC interactions between CFML and your DB engine. Again, any of these may be useful for monitoring any of your CFML/database interactions.

Generic DB Monitoring tools

Indeed, it's worth noting finally that while the focus here has been watching the DB interaction from CF (and the ORM framework) to the database (by watching the JDBC traffic going out of CF and returning), you could just as well watch the DB interactivity from the DB's perspective instead (watching it coming and and being returned).

There are many tools that can monitor database processing, available for each of the major databases (free and commercial). I list several such tools in one of my CF411 section, Database/SQL Monitoring Tools.

Hope all that's helpful, whether you use ORM or not.

CF911: Easier thread dumps and stack traces in CF: how and why

You may have heard the value of taking thread dumps or stack traces when trying to understand and resolve problems with CF. They can be valuable to see what's really running on your server at the time it may seem hung or slow to respond. The problem is that they can be challenging to obtain, so here's how to get them even more easily.

(If you're not familiar with the value of thread dumps or stack traces, read on. The resources I point to get help you to appreciate their usefulness.)

[....Continue Reading....]

Tracking number of CF sessions per application easily, and why you should care

Ever wanted to count how many sessions are active on your server, in total and per application, whether on CF 7 or 8? And regardless of whether you're using CF's regular sessions or the "new" J2EE sessions feature introduced in CF 6? Would you be surprised to find you could have a shocking number of active sessions?

Here's a nice simple solution, the free ServerStats tool, that provides that info. It's from Mark Lynch (of Learnosity) and while a couple years old still works just fine. Besides printing out the total count of sessions and the count per application, ServerStats also shows some information about CF memory use, number of processors, and more.

It's totally safe to use (I've helped hundreds of customers use it in my troubleshooting consulting practice), and the CFML source is open for you to review.

Of course, some will want to point out that the CF 8 Server Monitor offers session and memory info, but for those not on CF8 Enterprise, this is a useful alternative. Also, some may want to point out that the solution described here uses internal objects that may be disabled (and are also undocumented and unsupported). I discuss both these points below. There are also some other approaches people take, which I also mention briefly.

Why care about number of sessions?

So why care so much about how many sessions are active on a CF server? If there are 10 or 20, or maybe a 100, does it really make a difference? No, not likely. But what if you find that there are 90,000? I'm not kidding. I was helping someone just last week when we discovered this. It's not as unusual as you may think.

Often when I'm helping people solve problems with their CF servers, one of the first things I want to help them discover is just how many sessions they have active at any time. With the potential impact of spiders and bots creating huge numbers of sessions, which could have an impact on memory and also on other aspects of performance, it's definitely one of the first things to look into.

So how's Mark's code tracking them?

Mark's blog entry (pointed to above) is a summary of things he'd discussed in a few blog entries about how to leverage internal CF/Java objects to provide the info, and that one entry offers ServerStats as a downloadable zip with a single CFM file and a directory of CFCs and custom tags. You can just extract the zip into a web-accessible directory and run it. No need to create custom tag mappings, etc.

Many folks have known about and blogged about these internal CF/Java objects, coldfusion.runtime.SessionTracker and coldfusion.runtime.ApplicationScopeTracker, over the years. They're undocumented and unsupported, so you use them at your own risk, but again I've confirmed that Mark's code works against CF 7 and 8 (and I'll assume 6 as well.) You can google to learn more from him and others on these.

CF8 Enterprise has other solutions

Of course, those on CF 8 Enterprise (or Developer) have still other approaches to this, whether in the CF8 Server Monitor (see its active sessions page) or the Admin API's servermonitoring.cfc. But if you're not CF8 Enterprise (and even if you are) this solution can help.

Update: FusionReactor Extensions for CF

When I first wrote this entry in 2009, FusionReactor did not offer any session tracking, but does since the introduction in FR4 of FREC (the free FusionReactor Extensions for CF), which added tracking of CF sessions in its realtimestats.log. For more on that, see my blog entry, Tracking #ColdFusion sessions within FusionReactor, by way of FREC logging.

Finally, note that in FusionReactor 5, the FREC functionality is built-in, and besides the logging of session count in realtimestats.log, there is now a chart of sessions offered in the Metrics>Custom Series option on the left. Choose the option for ActiveSessionCount in the drop-down on the top right, if it's not selected by default.

(For any who may wonder, SeeFusion does not offer session tracking info.)

JRun Metrics and other solutions

And yes, there's still another way to get at least a count of all J2EE sessions, using the available JRun Metrics. While it has the benefit of tracking the info over time, it does track the session count only if you've enabled J2EE Sessions in the CF Admin, and even then it tracks only the total of all sessions, not a count per app.

Of course, there have been various solutions offered to solve the problem of session tracking, such as those that track sessions in code (within your application) by storing them in an array in the application or server scope, and so on. The nice thing about using the internal CF/Java objects is that the apps being tracked don't need to be altered at all.

Potential Security Gotcha

Of course, therein lies a potential security risk. Anyone running such code on any CF server can have access to the sort of info that these internal CF/Java objects offer. The example above (Mark Lynch's) doesn't really expose much to worry about (unless the names of apps on a server is sensitive, where one user on the server shouldn't know that another app exists on it, which may be true in a shared hosting environment.) But more important, if one digs deeper into these objects, they do expose more details, including the values of variables in session scopes across all applications. That could be considered very sensitive.

As such, there have long been a couple of solutions that Adobe has provided to enable an administrator to shut down the use of these internal objects.

First, in CF 5 and above, it's been possible to set security for the entire server (or a given app in CF Enterprise) to make it impossible to call any Java objects (yes, you could call Java objects starting in CF 4.51). To learn more about this option, called Resource Security in CF Standard, and Sandbox Security in CF Enterprise, see my 2-part article series for the Adobe Security Developer Center from Sept 2002, "ColdFusion Security, Part One: Understanding Sandbox/Resource Security" and "Part Two: Sandbox/Resource Basics", both available at my articles site.

That approach is a little brute-force though, and throws the baby out with the bathwater if you have legitimate use of java objects.

So in CF8 finally, Adobe added a new feature that permits an Administrator to disable JUST access to the these underlying internal CF/java objects. See the CF Admin "Server Settings" section, "Settings" page, and its "Disable access to internal ColdFusion Java components" checkbox. The option takes effect immediately.

It's certainly more effective if one wants to control to this info, but of course it will make code that relies on it fail, with an error like:

Permission denied for creating Java object: coldfusion.runtime.SessionTracker

I'll point out that since most of the folks I help with run their own servers, they're just not worried about disabling these internal java objects, since they can control what code runs on the servers.

So if you want to quickly find out how many sessions you're running, per application, check out Mark's code. You can also get much more info from these internal objects, if you want to explore. I'm working on a tool to provide some still more powerful information that I started working on years ago based on these objects. But until that's ready, I had occasion today to point out this working alternative to a customer, and thought I'd pass it along here.

CF911: CF 8 Server Monitor reports "ColdFusion Server is unavailable" (solution)

Here's another entry in my CF911 series. If you try to open the CF8 server monitor and get the error "ColdFusion Server is unavailable", the problem may be in your web server configuration. In this entry, I help you confirm if you're getting the problem I refer to here, and of course I show the solution (3 actually), with a caveat.

Here's a screenshot of what you may see:

Note that this is not an error related to logging in. You do need to fill in a username to log into the Server Monitor, even if CF is set to only ask for a password when logging into the Admin. Just use "admin". This and other facets about the CF8 Server Monitor are covered in a 4-part series of articles I did in the Adobe Dev Center, starting here.

Confirming this is the cause of your Monitor challenge

From my observation, this error is related to a problem with the Flex client being able to talk to the server using a URL it needs to use, and the problem is web server related.

You can confirm if what I'm about to describe is your issue by trying to access the URL that the server monitor tries to use to access the Flex Gateway for CF, such as:


Actually, you should use whatever domain name/port you're using to access your CF Admin, which is then used when you ask it to open the CF8 monitor, which may be a URL like this:


Anyway, if that test attempt to open the /flex2gateway/ url comes back with a "file not found" (or 404) error, as opposed to a blank page, then you likely have the problem I'm describing, whereby your web server is mistakenly looking to verify that a file exists for the path you're specifying. You have 2 solutions.

First, let me note that this flex2gateway URL is not a file, nor a directory. It's a value intercepted by a servlet filter defined within CF. You need to tell your web server not to check for any existing file (it's trying to use one of the "default documents" that are used when only a path to the web server is provided.) Before launching into how to fix your web server, you may want to consider one other possibly simpler alternative.

Changing to use the Internal Web Server

Some will note that I've used no port above in the URL. That's why I point out for you to try whatever URL is used to access your Admin. In the case above (and the people who have reported this problem so far that I've seen, they've been trying to access the CF admin using their external web server, IIS.

If instead you were to use the CF internal web server to access the CF Admin, you'd have a port in the URL, like this:


(or it could be 8300, or 8301: whatever is the port for accessing the built-in web server for CF, if you chose to implement that when CF was installed, and you are accessing the Admin that way.)

Well, I'd propose that if you DO use the internal web server, you probably won't get this error at all. The problem seems related to using IIS to access the Admin (and the CF 8 Server Monitor).

That said, I'll suggest that one quick solution folks can try is to see if indeed they can access their CF Admin (and monitor) using the internal web server. (If you can't or won't use it, I have the solution for getting it to work with IIS, in a moment.)

You just need to know what port to use to access the internal web server, if it's enabled.

First, you may find that if (on Windows) you use Start>Programs>Adobe>ColdFusion 8>Administrator that it will open using the built-in web server. If it does, see if using that gets you around this whole problem.

If that opens it with external web server (doesn't use a port like those above), or if you aren't on Windows and have no Start menu, you can also get the web server port (and indeed enabled it, if disabled) by way of the jrun.xml file. Rather than detail it here, I'll point you to a couple of resources:

Configuring the Macromedia ColdFusion MX built-in web server is an old technote, but the info still applies. Where it talks about disabling the internal web server, you'd want to reverse that, of course. There can be more subtleties and challenges to running the CF admin on the internal web server, if you don't configure it that way at the start, such as where are the /CFIDE files? Are they in the [cf]/wwwroot? or in your web server doc root, like inetpub/wwwroot? The built-in web server will look for them in the [cf]/wwwroot, so you may need to copy the CFIDE into this directory, or add a mapping to the built-in web server to point to the path as being located externally.

Making the change in IIS

Or you could just fix IIS to let you access the server monitor via IIS. The problem may be due to a setting in IIS (verify that files exist) that you may have caused to be set. (I don't know if it's set by default when CF is configured to integrate with a site, but I wouldn't think it was, so maybe this affects those who add new sites or configure things manually.)

And since this problem may affect other Flash/Flex apps trying to talk to CF, it may be worth doing for all such users. But this does come with a caveat to be aware of, if you might be using NTLM security to control access to files requested via IIS. More in a moment.

I offer the solution for IIS 6 and 7. I don't know if the same problem can affect Apache. If so, and anyone can offer the solution for there, please do comment.

Making the change in IIS 6

For IIS 6, launch the IIS Manager and select the web site which has the CF Admin you're trying to use. (It may be that you've also configured IIS so that ALL web sites are configured for CF, in which case this setting would be not at the site-level but at the root server-level, so you'd select the server name instead in the left IIS pane.)

From there, right-click and choose properties, and then select the "home directory" tab, then in the "application settings" area click the "configuration" button, and in the "wildcard mappings" section you should see something like "C:\ColdFusion8\runtime\lib\wsconfig\1\jrun_iis6_wildcard.dll" (which will be different, of course, for the JRun4-based Multiserver deployment).

This value is implemented here during the install of CF if you tell it to integrate with IIS, or by your running the CF Web Server Configuration tool after the fact.

Select it, and choose Edit, and if the "Verify that file exists" option is checked, un-check it. This setting can be confusing: you may think it means "verify that the named executable exists", but it doesn't. It refers to whether files requested and passed through this handler should be checked to confirm if THEY exist. Here's a depiction of the setting and how to get there.

Now try the URL above, and it should no longer give a 404. Then try again to login into the Admin. (Actually, you may find that you can just click the "cancel" button and it will login, even if the values for username and password are blank. I find this helpful when the CF server is temporarily unresponsive too, and the Monitor login screen pops up.) Hopefully the server monitor now works for you.

Note that this was NOT about changing the handler mapping for .cfm files, which also offers an option to control the "verify that file exists".

A caveat about access via IIS to NTLM secured files, and another alternative

Thanks to Mike Gillespie for the following notice and clarification. If you use NTLM security (windows integrated authentication in IIS) to secure files accessed via IIS, then you DO NOT WANT TO make the above change for your IIS site. I share below what he offered to me.

But I'd point out again that even with that issue, you could still use the built-in web server is a solution. Or, sticking with IIS, you could also create a new IIS site just for accessing the CF admin and monitor, and make the change above for that site only.

Anyway, if you do use NTLM security to control access to sites requested via IIS, consider the following:

The check that file exists option is required if you want to use NTLM perms to secure .cfm files. http://www.adobe.com/go/tn_18516 (Steps 1-4)

If you have a secure folder on your webserver put a .htm file and a .cfm file in it. Do not give your ID access to that folder. In IIS turn on clear text and NTLM auth.

With the "check that File Exists" option unchecked, try this test.

Try to access the .htm file in the browser - access denied

Try to access the .cfm file in the folder, - access GRANTED - so much for NTLM perms

Now check the box and try again (you will need to recycle cf and IIS)

Try to access the .htm file in the browser - access denied

Try to access the .cfm file in the folder, - access denied as it should be - but flash forms and server monitor are dead.

So "fixing" the Server Monitor problem on an authenticated server just broke the security of the server for the sake of monitoring... [frown>]

In a nutshell.

If you implement this so that CF pages can be authenticated against Windows Security http://www.adobe.com/go/tn_18516, then Flash forms break (and the server monitor too). So to get flash forms (and the server monitor) working, you have to implement this, which fixes flash forms (though every user gets their own personal file on disk on the server that has to be cleaned up) but it does not fix the server monitor.

It is the "check that file exists" selection that breaks the Server Monitor (and flash forms).

On a cf webserver that grants anonymous access there is no reason to check the "check that file exists" box. However, on a server that does authenticate users for NTLM file access, that box should be checked.

This section above was added after the entry was first posted.

The change for IIS 7. None needed?

For IIS 7, it's a little different. I actually run IIS 7 (Vista) and am not sure how/where the wildcard mapping equivalent got created (I may have fudged it manually), but it's now listed as a "Handler Mapping" (in the properties for a web site). In my case, it's labeled "AboMapperCustom-32635", but just look at those listed as handling "*" meaning all requests. It's listed with a value of IsapiModule in the Handler column. (If you're looking at a specific site, and the "Entry type" column says "Inherited", then there is another mapping at the server level, so select your server name in the left IIS panel, and repeat.)

Even so, I see no option to control "verify that file exists", so maybe this problem can't happen in IIS 7. I will say, FWIW, that there is indeed a an equivalent to that "verify that file exists" option, at least for specific extension handler mappings. Look a the one for .cfm, for instance. Double-click it to see its properties, and note a new button called "request restrictions". It has an option, "Invoke handler only if request is mapped to", and an option of "file". Again, though, this does not affect requests to non-cfm requests like that for the /flex2gateway/ URL.

About other Flex/Flash apps

As I said, it may be that the info above will help other Flex apps having trouble talking to CF (the CF8 monitor is a Flex app), but I'll note that this problem doesn't affect all Flex apps: only those that connect to CF via IIS.

For instance, on this same server where this problem occurred, there was never any problem using FusionReactor (which is also a Flex app). It was working fine the whole time. But then its default behavior is also to use its own Built-in web server, so requests weren't going through IIS. If I did try to use IIS to access FusionReactor, then it too failed (with a file not found), and the fix above solved that.

A 12-page Intro/Review of FusionReactor 3

If you missed my 12-page introduction and review of FusionReactor 3 in the last issue of the FusionAuthority Quarterly Update, Volume II Issue IV which came out earlier this summer, well, the good folks at the magazine, Michael and Judith, have kindly chosen to post the article online:

FusionReactor: ColdFusion Server Healthcare (and What's New in Version 3) (PDF)

Thanks, folks! I hope it might serve as a useful intro for those who've not seen the tool (whether in its older or newer version), which can be used to monitor CF 6, 7, and 8. That CF8 support is important not only for those running CF8 Standard, which doesn't have the CF8 Server Monitor, and also even for those who can run the CF8 Server Monitor, as there are some useful benefits of using it even on CF8 Enterprise). Note that FR also works with Railo and OpenBlueDragon, as well as BlueDragon/J2EE and indeed any J2EE application (including LiveCycle Data Services) and any J2EE engine (JBoss, Tomcat, WebSphere, etc.)

The article can also serve as a review of features that those already using the tool may have missed, or you can focus on what's new in FR 3 (quite a bit).

Check out the article, and the tool, including the available live demo in addition to the 10 day trial. I'll note that the live demo is running at a lower level of authority (one of the new features of FR 3), so you don't see and can't do all with it that you might as a full admin user.

I'll arrange to do a demo of the tool on an upcoming CF Meetup session, whether on its own or along with other monitoring tools for CF which I've discussed before.

More Entries

BlogCFC was created by Raymond Camden. This blog is running version 5.005. (Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting