If you're considering or have already implemented the latest CF updates from June 2024, you might have struggled a bit to understand completely what Adobe was getting at in the update technotes, as they can sometimes be rather terse in covering some points (worse, some folks don't even read the technotes before applying the updates). Briefly, a key aspect of the update changes the default algorithm that CF uses--for code that does not specify one, in several CF functions, related to encryption, hashing, or randomization.

As another case where Adobe is opting to sacrifice compatibility for security, the update changes from using the very old default of CFMX_COMPAT (as the default) to using either of a couple different alternatives, depending on the function. And if you're not careful/paying attention, you could break some critical part of your app by applying this update.

TLDR; In this post, I want to share a bit more to help you understand the impact of this update, whether you're a developer or an administrator--and whether you've applied or not yet applied the update. Even if you HAVE done it and "all seems well" (in test or even in prod), do beware there may be nasty problems waiting to bite you that could take time to crop up. I'll explain the issues, and help you find the code using these functions, then help you determine if that code is or IS NOT affected by this change. I'll also discuss some real-world scenarios and challenges, with solutions.

Finally, I'll explain an available JVM arg that can be used to revert this behavior, for those who may feel they need to sacrifice security for compatibility, so as to get to this June update and take their time to address this change in the encryption default. I also explain how the CFMX_COMPAT algorithm DOES still remain available as an option, despite what some have asserted, which may be an acceptable option to use. Then I wrap up with some thoughts on how it may not be so bad that I'm only getting this post out a few weeks after the June update.

For more, read on.

[....Continue Reading....]

Don't miss that Adobe had added a useful feature (a "patch", made available in Apr 2024) to help in identifying any CFML code you may have which refers "implicitly" to scopes that would no longer searched (for any variables without a scope prefix), which is the new default behavior for CF2021, CF2023 and beyond as of the March 2024 updates (updates 13 and 7, respectively).

TLDR; (more on each of these points, in the rest of this post)

• By following the simple couple of steps, CF will start logging (to a new unscoped.log) whenever code is run that would access an unscoped variable when that would cause CF to implicitly search through scopes (external to the request) which it would no longer search if "searchimplicitscopes" was false. (To be clear, the new logging only works if searchimplicitscopes is true, otherwise such searching would fail if searchimplicitscopes is false, as is the new default as of the March 2024 updates)
• The "patch" is a jar which you must manually obtain and put into place--it is NOT included with the March 2024 CF update, or any others. The steps are very simple, discussed below or in an Adobe technote that was released in the weeks after the March updates, with the title: View unscoped variables in a log file
• Note that this patch is also NOT included in the June 2024 CF updates, CF2021 update 14 and CF2023 update 8
• Further, beware that if you DO apply any update to CF after applying this patch, that update will REMOVE this "patch" (and any jars in the lib/updates folder which is referred to in the technote). Therefore, you would need to put the jar BACK in manually after any such CF update, for it to continue doing its logging
• Finally, FWIW, note that you can even leverage this patch in the CF two updates PRIOR to the March 2024 updates which introduced the change in the default for searchimplicitscopes, so updates 5/6 and 11/12, respectively. That means someone could also use this patch to test BEFORE moving to either the March 2024 updates or later

Again, more on each of these points below. But for some, the news and the link to the technote (and my couple of tips above) may be all they feel they need to hear. For others, I think more perspective may help, so read on for that.

[....Continue Reading....]

I'm delighted to announce that I've been selected to speak again (for the 12th straight year) at the upcoming Adobe CF Summit conference, to be held in Las Vegas Sep 30-Oct 1.

Actually, I've had two of my talks selected. The first will be a repeat of the one I offered at CFCamp in Germany last month (June), while the second is a brand new talk (and one I've been meaning to offer for a long time):

• Using Redis for session storage in ACF and Lucee: why, and how it's easily done
• Understanding cflocks: how they work/how they can help or hurt

[....Continue Reading....]

This is important news for those using CF's feature to store sessions (session variables for all sessions) in Redis.

Some folks, using it with CF2021 or 2023 found CF was somehow heavily impacting their Redis instance. The good news is that I've found an easy fix/workaround (until Adobe fixes it formally).

For more (including why you may or may NOT be impacted by the issue), read on.

[....Continue Reading....]

If you use the ColdFusion Admin to perform CF updates (vs updating via the command line), has it ever confused or annoyed you that the CF admin update page lists the currently installed version as the first value in "available versions"? That's illogical and confusing.

And it seems easily solved: they should just list the installed version on its own line on the page, above the dropdown.

If you agree that this should be addressed, please do add a vote at the tracker ticket I just posted:

https://tracker.adobe.com/#/view/CF-4221716

Sometimes Adobe only implements changes if many ask for it (though sadly, as in this case, some just grumble at an annoyance they may hit only rarely and they move on without ever reporting it. I didn't find anyone else having reported this there, before I created my ticket.)

If you need more info to understand the problem, I'll save you going to look at the ticket by repeating here what I wrote there:

[....Continue Reading....]

I've done a few online presentations in recent weeks, and while I've done a blog post announcing each when it was upcoming, I was torn about also doing a blog post after each, just to mention their recording URL. I don't want people to feel there are "too many" posts. Also, since I use youtube live for the CFMeetup sessions, technically the url for the meeting is indeed the same one to use to view the recording of it: so if you know one, you know both.

But some people seem to notice when news is shared of a recording being made available, so here you go.:-) These are 4 sessions I've done in Jan 2024 and Dec 2023.

[....Continue Reading....]

Do you feel you understand all there is to know about the CF Package Management feature (and cfpm tool), added by Adobe in CF2021? It has far more capabilities than most may realize.

So I'll be presenting a talk on this topic, online this Thursday, at noon US Eastern, on the CFMeetup youtube livestream (which will be recorded). Folks who are members of the Online ColdFusion Meetup will have already gotten email notification about this, including the meeting URL, but for those who are not members here are the details:

[....Continue Reading....]

As most know, ColdFusion runs atop Java (and has since CF6). Did you know that JVM updates come out quarterly (including one just this week)? While some may find the process of doing them to be "old hat", others are often surprised to discover it's their responsibility to keep that Java updated. And on the surface, "installing Java" is easy--but like so many other things, "the devil is in the details".

So I will be presenting presented a talk on this topic, online this Thursday, at noon US Eastern, on the CFMeetup youtube livestream (which will be was recorded). Folks who are members of the Online ColdFusion Meetup will already have gotten notification about this, but for those who are not, here are the details:

[....Continue Reading....]

If you learn there's a new Java update available, it may well be relatively simple for you to apply that update, but if you're running important applications that rely on Java, it's in your interest to give some consideration to various matters related to doing such an update.

And as important, if you may have skipped some Java updates before this one, there are some additional points to consider regarding some potentially important changes in updates you may be skipping.

In this post, I cover several topics in both those areas.

[....Continue Reading....]

Last week I did a talk on MIGRATING to CF2023 (as that's a challenge that many contemplate BEFORE proceeding to install it). This week I will follow-that up with a talk on INSTALLING it, and addressing various challenges in doing that. Some people don't do development and only deal with installing it. (Others don't ever want to install CF, and I address alternatives for them also.)

So I will be presenting presented this talk online this Thursday, at noon US Eastern, on the CFMeetup youtube livestream (which will be was recorded). Folks who are members of the Online ColdFusion Meetup will already have gotten notification about this, but for those who are not, here are the details:

[....Continue Reading....]