<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Thinking Lemur &#187; ColdFusion</title>
	<atom:link href="http://thinkinglemur.com/index.php/category/thinking/programming/coldfusion/feed/" rel="self" type="application/rss+xml" />
	<link>http://thinkinglemur.com</link>
	<description>from the mind of Donnie Bachan</description>
	<lastBuildDate>Sun, 11 Jul 2010 01:36:05 +0000</lastBuildDate>
	
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>IE 7/8 PNG-24 transparency issue</title>
		<link>http://thinkinglemur.com/index.php/2010/06/ie-78-png-24-transparency-issue/</link>
		<comments>http://thinkinglemur.com/index.php/2010/06/ie-78-png-24-transparency-issue/#comments</comments>
		<pubDate>Wed, 09 Jun 2010 11:12:47 +0000</pubDate>
		<dc:creator>Donnie Bachan</dc:creator>
				<category><![CDATA[Browsers]]></category>
		<category><![CDATA[ColdFusion]]></category>
		<category><![CDATA[Design]]></category>
		<category><![CDATA[Javascript]]></category>
		<category><![CDATA[Programming]]></category>
		<category><![CDATA[CSS]]></category>
		<category><![CDATA[Development]]></category>
		<category><![CDATA[jQuery]]></category>

		<guid isPermaLink="false">http://thinkinglemur.com/?p=384</guid>
		<description><![CDATA[We came across an error today with our drop down menu system that uses a PNG-24 semi transparent drop shadow image around the border where the transparency would appear black in IE 7 and IE 8. After searching and trying all possible fixes we found the solution to the problem and it was quite simple.
Our menu [...]]]></description>
			<content:encoded><![CDATA[<p>We came across an error today with our drop down menu system that uses a PNG-24 semi transparent drop shadow image around the border where the transparency would appear black in IE 7 and IE 8. After searching and trying all possible fixes we found the solution to the problem and it was quite simple.</p>
<p>Our menu system uses jQuery (doesn&#8217;t everything these days?), and had a nice fade in and fade out transition. jQuery handles the fade transitions by setting the opacity which IE does not like very much. So using the fadeTo() functions in jQuery is a no-no in IE. The solution, use hide() and show() instead. It&#8217;s not as elegant but the transparency issue was fixed on all modern browsers.</p>
<p>Other solutions to the problem include:</p>
<p>1. Using a background colour instead of transparent on the style so you would do:</p>
<blockquote><p>.my-transparent-stuff{background: #fff url('image.png') repeat-y scroll left top;}</p>
<p>instead of</p>
<p>.my-transparent-stuff{background: transparent url('image.png') repeat-y scroll left top;}</p></blockquote>
<p>2. Using PNG-8/transparent gifs (hey, it&#8217;s a solution)</p>
<p>3. Forcing IE8 into IE7 mode by adding the following meta tag:</p>
<blockquote><p>&lt;meta http-equiv="X-UA-Compatible" content="IE=7" /&gt;</p></blockquote>
<p>I still can&#8217;t understand what Microsoft is doing!</p>
]]></content:encoded>
			<wfw:commentRss>http://thinkinglemur.com/index.php/2010/06/ie-78-png-24-transparency-issue/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Memory leaks with Coldfusion 8</title>
		<link>http://thinkinglemur.com/index.php/2010/02/memory-leaks-with-coldfusion-8/</link>
		<comments>http://thinkinglemur.com/index.php/2010/02/memory-leaks-with-coldfusion-8/#comments</comments>
		<pubDate>Tue, 23 Feb 2010 14:58:44 +0000</pubDate>
		<dc:creator>Donnie Bachan</dc:creator>
				<category><![CDATA[ColdFusion]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Programming]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[ColdFusion 8]]></category>
		<category><![CDATA[Java]]></category>
		<category><![CDATA[jvm]]></category>
		<category><![CDATA[memory leaks]]></category>

		<guid isPermaLink="false">http://thinkinglemur.com/?p=368</guid>
		<description><![CDATA[For the past few weeks I&#8217;ve been incognito due to some memory leak issues we&#8217;ve been having with our new app. It is essentially a rewrite of our existing web application using Object Oriented techniques and embraces the Model-View-Controller paradigm. It really is a pretty little thing but unfortunately she crumbled under the weight of [...]]]></description>
			<content:encoded><![CDATA[<p>For the past few weeks I&#8217;ve been incognito due to some memory leak issues we&#8217;ve been having with our new app. It is essentially a rewrite of our existing web application using Object Oriented techniques and embraces the Model-View-Controller paradigm. It really is a pretty little thing but unfortunately she crumbled under the weight of the world wide web. Anyone who has faced the memory leak problem will know that it is not an easy one to crack and it takes time to determine the exact issue. There are a lot of articles around that have excellent information which were all very helpful in my quest for a solution.</p>
<p>The system made a lot of use of the session and application scope for caching objects, which was the first issue that we had to overcome. It seemed like a good idea: you&#8217;ve got loads of memory, you have a finite amount of objects that can be called for each session, so why not persist them? The problem is that ColdFusion 8 seems to have an issue with complex objects (i.e. CFCs) stored in the session and application scopes. The reason I say this is that we were seeing a very, very strange thing happening to the memory on our server. When load testing was run, the server was fine, the memory steadily increased until the initial sessions began expiring and then the average of memory usage plateaued, which is what you like to see. However, once the load test ended the memory steadily increased until it crashed the CF instance. Weird, right? And so the search for a solution began. I came across a few helpful articles:</p>
<p><a href="http://www.ghidinelli.com/2009/07/16/finding-memory-leaks-coldfusion-jvm">http://www.ghidinelli.com/2009/07/16/finding-memory-leaks-coldfusion-jvm</a></p>
<p><a href="http://www.schierberl.com/cfblog/index.cfm/2006/10/12/ColdFusion_memoryLeak_profiler">http://www.schierberl.com/cfblog/index.cfm/2006/10/12/ColdFusion_memoryLeak_profiler</a></p>
<p><a href="http://www.alagad.com/blog/post.cfm/troubleshooting-coldfusion-performance-analysis-part-ii">http://www.alagad.com/blog/post.cfm/troubleshooting-coldfusion-performance-analysis-part-ii</a></p>
<p>These were tremendously helpful in assisting me in finding the solution. The last post from Alagad was the one that helped cure my issue in the end. You need to ensure that when making copies of persistent scoped variables that they are deep copied or used in a local scope within CFC functions. However, bear in mind that there are many causes for memory leaks and you should spend the time in figuring out the exact cause of your problem. I found the <a href="http://www.eclipse.org/mat/" target="_blank">MAT</a> tool supremely useful.</p>
<p>Here are some tips for curing memory issues:</p>
<ol>
<li>Install cumulative hotfix 4 for ColdFusion 8.0.1 (Get it <a href="http://kb2.adobe.com/cps/529/cpsid_52915.html" target="_blank">here</a>)</li>
<li>Update the JVM to the latest provided by Sun, in my case it was JDK 1.6.0_18 (Get it <a href="http://java.sun.com/javase/downloads/index.jsp" target="_self">here</a>)</li>
<li>Add the -XX:+<em>AggressiveHeap</em> option to the JVM configuration (Read about it <a href="http://www.petefreitag.com/item/139.cfm" target="_blank">here</a>)</li>
<li>Set your min and max heap to the same size to reduce the number of garbage collection calls</li>
<li>Run varscoper against your code and ensure all local variables are var scoped (Get it <a href="http://varscoper.riaforge.org/" target="_blank">here</a>)</li>
<li>Limit the use of variables scope within objects, use the THIS reference instead</li>
<li>Limit the number of complex objects (cfcs) being stored in SESSION and APPLICATION scopes</li>
<li>Clear the variables scope onRequestEnd (this doesn&#8217;t really work when using Application.cfc though)</li>
<li>Run load tests! We used WCAT for Windows (Get it <a href="http://www.iis.net/downloads/default.aspx?tabid=34&amp;i=1466&amp;g=6" target="_blank">here</a>)</li>
<li>Turn off CF monitoring; use FusionReactor (or something similar) instead (Get FusionReactor <a href="http://www.fusion-reactor.com/" target="_blank">here</a>)</li>
</ol>
<p>Hopefully these will help someone else going forward.</p>
<p>UPDATE 16/05/2010: Point #6 should be, ensure you scope your variables correctly. The THIS scope has its own set of limitations. Ensure that all variables (including loop indices) have the proper scope to avoid leakage.</p>
]]></content:encoded>
			<wfw:commentRss>http://thinkinglemur.com/index.php/2010/02/memory-leaks-with-coldfusion-8/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>JSON format and serializing ColdFusion query objects</title>
		<link>http://thinkinglemur.com/index.php/2010/01/json-serialize-coldfusion-quer/</link>
		<comments>http://thinkinglemur.com/index.php/2010/01/json-serialize-coldfusion-quer/#comments</comments>
		<pubDate>Wed, 13 Jan 2010 20:25:52 +0000</pubDate>
		<dc:creator>Donnie Bachan</dc:creator>
				<category><![CDATA[ColdFusion]]></category>
		<category><![CDATA[Programming]]></category>
		<category><![CDATA[Thinking]]></category>
		<category><![CDATA[json]]></category>

		<guid isPermaLink="false">http://thinkinglemur.com/?p=343</guid>
		<description><![CDATA[Every so often there is a tiny problem that has you scratching your head until you RTFM. I love JSON, it&#8217;s totally awesome and the fact that you can now convert CF objects natively is even better! I ran into a small issue where I was using serializeJSON on a structure that contained a query [...]]]></description>
			<content:encoded><![CDATA[<p>Every so often there is a tiny problem that has you scratching your head until you RTFM. I love <a href="http://bit.ly/wRcjs" target="_blank">JSON</a>, it&#8217;s totally awesome and the fact that you can now convert CF objects natively is even better! I ran into a small issue where I was using serializeJSON on a structure that contained a query object (don&#8217;t ask!). The problem was when the serialized string was deserialized using deserializeJSON the query was no longer a query, it was now a structure! It turns out that the serializeJSON function takes <strong>two</strong> parameters!</p>
<blockquote><p>SerializeJSON(var[, serializeQueryByColumns])</p></blockquote>
<p>The second optional parameter <em>serializeQueryByColumns </em>tells CF to handle queries in a special way. Now the trick is to remember to use the <strong>second</strong> parameter of the DeserializeJSON function which performs the reverse operation. The second parameter must be set to <strong>false</strong> for the query object to be recreated during deserialization.</p>
<p>Here are links to the <a href="http://bit.ly/8IYMN5" target="_blank">serializeJSON</a> and <a href="http://bit.ly/8IYMN5" target="_blank">deserializeJSON</a> in LiveDocs.</p>
]]></content:encoded>
			<wfw:commentRss>http://thinkinglemur.com/index.php/2010/01/json-serialize-coldfusion-quer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>It&#8217;s been a while</title>
		<link>http://thinkinglemur.com/index.php/2009/12/its-been-a-while/</link>
		<comments>http://thinkinglemur.com/index.php/2009/12/its-been-a-while/#comments</comments>
		<pubDate>Tue, 08 Dec 2009 10:11:48 +0000</pubDate>
		<dc:creator>Donnie Bachan</dc:creator>
				<category><![CDATA[ColdFusion]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[blog]]></category>

		<guid isPermaLink="false">http://thinkinglemur.com/?p=243</guid>
		<description><![CDATA[I&#8217;ve not posted anything on my blog for a while, it always amazes me how the top bloggers in the ColdFusion world find the time to post almost daily about tips, tricks, resources and I hardly ever find the time to write a note to myself. My posts don&#8217;t seem as interesting or as insightful [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve not posted anything on my blog for a while, it always amazes me how the top bloggers in the ColdFusion world find the time to post almost daily about tips, tricks, resources and I hardly ever find the time to write a note to myself. My posts don&#8217;t seem as interesting or as insightful as some of the ones posted by the CF elite. I do thank them for their great posts and continued support of the ColdFusion community.</p>
<p>I&#8217;ve been working on a website recently that has soaked up all of my time. I&#8217;ve been having some problems with memory leaks and JVM tuning but I think I&#8217;ve finally found solutions to my problems and will be posting them in a separate article shortly which will hopefully help someone out there.</p>
]]></content:encoded>
			<wfw:commentRss>http://thinkinglemur.com/index.php/2009/12/its-been-a-while/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fix/Int (Floor) function oddity in ColdFusion 8</title>
		<link>http://thinkinglemur.com/index.php/2009/07/fixint-floor-function-oddity-in-coldfusion-8/</link>
		<comments>http://thinkinglemur.com/index.php/2009/07/fixint-floor-function-oddity-in-coldfusion-8/#comments</comments>
		<pubDate>Tue, 28 Jul 2009 14:10:51 +0000</pubDate>
		<dc:creator>Donnie Bachan</dc:creator>
				<category><![CDATA[ColdFusion]]></category>
		<category><![CDATA[Programming]]></category>
		<category><![CDATA[ColdFusion 8]]></category>

		<guid isPermaLink="false">http://thinkinglemur.com/?p=238</guid>
		<description><![CDATA[I&#8217;ve discovered an odd little &#8220;bug&#8221; in the Fix and Int functions in ColdFusion 8. The Fix/Int functions work similarly to the Floor function in other languages:
According to the ColdFusion 8 LiveDocs
Int - Calculates the closest integer that is smaller than number. For example, it returns 3 for Int(3.3) and for Int(3.7); it returns -4 for [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve discovered an odd little &#8220;bug&#8221; in the Fix and Int functions in ColdFusion 8. The Fix/Int functions work similarly to the Floor function in other languages:</p>
<p>According to the ColdFusion 8 LiveDocs</p>
<p>Int - Calculates the closest integer that is smaller than number. For example, it returns 3 for Int(3.3) and for Int(3.7); it returns -4 for Int(-3.3) and for Int(-3.7)</p>
<p>Fix &#8211; Converts a real number to an integer. If number is greater than or equal to 0, the closest integer less than or equal to number. If number is less than 0, the closest integer greater than or equal to number.</p>
<p>Now, if you do #Fix(15)# or #Int(15)# the functions return the correct value of 15. However if you do #Fix((6.84/45.60) * 100)# or #Int((6.84/45.60) * 100)# the functions return 14 which is incorrect since the equation equates to 15.</p>
<p>Bug or Feature?</p>
]]></content:encoded>
			<wfw:commentRss>http://thinkinglemur.com/index.php/2009/07/fixint-floor-function-oddity-in-coldfusion-8/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CFPOP and SSL</title>
		<link>http://thinkinglemur.com/index.php/2009/04/cfpop-and-ssl/</link>
		<comments>http://thinkinglemur.com/index.php/2009/04/cfpop-and-ssl/#comments</comments>
		<pubDate>Tue, 07 Apr 2009 11:05:40 +0000</pubDate>
		<dc:creator>Donnie Bachan</dc:creator>
				<category><![CDATA[ColdFusion]]></category>
		<category><![CDATA[Java]]></category>
		<category><![CDATA[Programming]]></category>
		<category><![CDATA[CFPOP]]></category>
		<category><![CDATA[SSL]]></category>

		<guid isPermaLink="false">http://thinkinglemur.com/?p=220</guid>
		<description><![CDATA[One of the reasons I love Adobe&#8217;s ColdFusion so much is the fact that it is built on a Java engine and you are able to use a lot of the powerful features of Java from CF. I however don&#8217;t get to use this feature often enough, mainly because most of the things I work [...]]]></description>
			<content:encoded><![CDATA[<p>One of the reasons I love Adobe&#8217;s ColdFusion so much is the fact that it is built on a Java engine and you are able to use a lot of the powerful features of Java from CF. I however don&#8217;t get to use this feature often enough, mainly because most of the things I work on daily don&#8217;t really need anything other than what is provided by CF natively. And, well, as with anything without practice your skills get dull, so when I had to access a mailbox that is hosted by Gmail using CFPOP I was forced to turn to Google to find a solution.</p>
<p>CFPOP does not support SSL/TLS connections as of version 8, which is quite a big limitation since so many services now support SSL for POP connections. There are quite a few options for workarounds for this but the simplest and quite elegant solution is the one provided by <a href="http://www.anujgakhar.com/2008/05/18/cfpop-and-gmail/">Anuj Gakhar</a>. This solution uses the underlying Java POP service which does support SSL.</p>
<blockquote><p>&lt;!--- Route POP3 connections through an SSL socket factory on the chosen port ---&gt;</p>
<p>&lt;cfset javaSystem = createObject("java", "java.lang.System") /&gt;</p>
<p>&lt;cfset jProps = javaSystem.getProperties() /&gt;</p>
<p>&lt;cfset jProps.setProperty("mail.pop3.socketFactory.class", "javax.net.ssl.SSLSocketFactory") /&gt;</p>
<p>&lt;cfset jProps.setProperty("mail.pop3.port", variables.popPort) /&gt;</p>
<p>&lt;cfset jProps.setProperty("mail.pop3.socketFactory.port", variables.popPort) /&gt;</p></blockquote>
<p>Set variables.popPort to the port on which your POP server is accessed. You then call the CFPOP tag as you would normally:</p>
<blockquote><p>&lt;cfpop action="getHeaderOnly"</p>
<p>            server="#variables.popServer#"</p>
<p>            port="#variables.popPort#"</p>
<p>            username="#variables.popUsername#"</p>
<p>            password="#variables.popPassword#"</p>
<p>            maxrows="5"</p>
<p>            timeout="60"</p>
<p>            name="variables.popRecords" /&gt;</p></blockquote>
<p>The underlying Java platform can allow you to perform many tasks that may not be available in ColdFusion, so why not do some experiments?</p>
]]></content:encoded>
			<wfw:commentRss>http://thinkinglemur.com/index.php/2009/04/cfpop-and-ssl/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PayPal Annoyances</title>
		<link>http://thinkinglemur.com/index.php/2009/03/paypal-annoyances/</link>
		<comments>http://thinkinglemur.com/index.php/2009/03/paypal-annoyances/#comments</comments>
		<pubDate>Mon, 16 Mar 2009 09:58:18 +0000</pubDate>
		<dc:creator>Donnie Bachan</dc:creator>
				<category><![CDATA[ColdFusion]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Paypal]]></category>

		<guid isPermaLink="false">http://thinkinglemur.com/?p=195</guid>
		<description><![CDATA[This is a trivial post but Paypal integration has been a headache over the past few years with the manuals having incorrect information, differences between the UK and US APIs and hugely unhelpful error codes. Things have gotten a bit better in recent times but still not as good as it should be given the [...]]]></description>
			<content:encoded><![CDATA[<p>This is a trivial post but Paypal integration has been a headache over the past few years with the manuals having incorrect information, differences between the UK and US APIs and hugely unhelpful error codes. Things have gotten a bit better in recent times but still not as good as it should be given the proliferation of Paypal integration. We recently had a little issue that had me banging my head against my keyboard. Now this <strong>IS</strong> in the API specification but I think this is a bit absurd.</p>
<p>Apparently, you need to specify the amount as a decimal number to two decimal places otherwise the amount is flagged as invalid. So you must give your amount value as xx.xx and not xx.xxx or any other number of decimal places. You will receive an INVALID AMOUNT error and the transaction history in Paypal Manager will show INVALID AMOUNT $0.00 USD, even if you are using another currency.</p>
]]></content:encoded>
			<wfw:commentRss>http://thinkinglemur.com/index.php/2009/03/paypal-annoyances/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Setting secure attribute of JSESSIONID cookie in ColdFusion 8</title>
		<link>http://thinkinglemur.com/index.php/2009/02/setting-secure-attribute-of-jsessionid-cookie-in-coldfusion-8/</link>
		<comments>http://thinkinglemur.com/index.php/2009/02/setting-secure-attribute-of-jsessionid-cookie-in-coldfusion-8/#comments</comments>
		<pubDate>Tue, 24 Feb 2009 10:57:55 +0000</pubDate>
		<dc:creator>Donnie Bachan</dc:creator>
				<category><![CDATA[ColdFusion]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[cookies]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[SSL]]></category>

		<guid isPermaLink="false">http://thinkinglemur.com/?p=177</guid>
		<description><![CDATA[As part of PCI compliance our servers were run through third party security auditing and one warning we received was &#8220;Missing Secure Attribute in an Encrypted Session (SSL) Cookie&#8221;. This warning referred to the JSESSIONID cookie being set in our SSL enabled pages not having the SECURE attribute set. In ColdFusion there is no way [...]]]></description>
			<content:encoded><![CDATA[<p>As part of PCI compliance our servers were run through third party security auditing and one warning we received was &#8220;Missing Secure Attribute in an Encrypted Session (SSL) Cookie&#8221;. This warning referred to the JSESSIONID cookie being set in our SSL enabled pages not having the SECURE attribute set. In ColdFusion there is no way for you to do this programmatically (since you would not explicitly create the JSESSIONID cookie) or even via the administrator. After a lot of searching and reading I found the solution thanks to a comment on this post:</p>
<p><a href="http://www.bennadel.com/blog/785-Ask-Ben-Hiding-Encrypting-ColdFusion-CFID-And-CFTOKEN-Values.htm">http://www.bennadel.com/blog/785-Ask-Ben-Hiding-Encrypting-ColdFusion-CFID-And-CFTOKEN-Values.htm</a></p>
<p>The solution is quite simple, add:</p>
<blockquote><p>&lt;cookie-config&gt;<br />
&lt;cookie-secure&gt;true&lt;/cookie-secure&gt;<br />
&lt;/cookie-config&gt;</p></blockquote>
<p>after the &lt;/persistence-config&gt; element in your jrun-web.xml file which is usually located in C:\JRun4\servers\yourservername\cfusion-ear\cfusion-war\WEB-INF\jrun-web.xml. If you are running in multiserver mode of CF Enterprise and have multiple application instances, you must add this to the jrun-web.xml of every application instance.</p>
]]></content:encoded>
			<wfw:commentRss>http://thinkinglemur.com/index.php/2009/02/setting-secure-attribute-of-jsessionid-cookie-in-coldfusion-8/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Web data security paranoia</title>
		<link>http://thinkinglemur.com/index.php/2009/02/web-data-security-paranoia/</link>
		<comments>http://thinkinglemur.com/index.php/2009/02/web-data-security-paranoia/#comments</comments>
		<pubDate>Mon, 23 Feb 2009 13:41:48 +0000</pubDate>
		<dc:creator>Donnie Bachan</dc:creator>
				<category><![CDATA[ColdFusion]]></category>
		<category><![CDATA[Databases]]></category>
		<category><![CDATA[PHP]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[database]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[SQL Server]]></category>

		<guid isPermaLink="false">http://thinkinglemur.com/?p=174</guid>
		<description><![CDATA[My recent experiences with several hacking attacks have made me think more about application and data security on the web. In today&#8217;s world nothing can be taken for granted and security should be of the highest concern, no matter how simple you think your application or trivial the data you store. Many web applications are [...]]]></description>
			<content:encoded><![CDATA[<p>My recent experiences with several hacking attacks have made me think more about application and data security on the web. In today&#8217;s world nothing can be taken for granted and security should be of the highest concern, no matter how simple you think your application or trivial the data you store. Many web applications are hosted on shared servers or virtual private servers where the first line of defense is often left to the hosting provider. The first line of defense is perimeter security such as hardware firewalls and other network related prevention. You are also at the hands of the hosting provider when it comes to software security, that is, your operating system, web server, application servers and scripting languages and ftp patches.</p>
<p>The first thing that any good security plan should have is a proper review of these basic things. Contact your hosting provider and find out about patch management and other security options that may be their responsibility. If you manage your own server then you need to be aware of firewalls (software or hardware), antivirus, patch management and user security.</p>
<p>Now, on to your web application security. In my previous article on <a href="http://thinkinglemur.com/index.php/2009/02/preventing-sql-injection-attacks-in-coldfusion/">preventing sql injection attacks in coldfusion</a>  there are quite a few tips for securing the applications. One other place developers tend to ignore is the transmission of data to and storage of data in the database. So let&#8217;s look at some of the options for securing data.</p>
<p><strong>Database access:</strong></p>
<p>If your budget supports it, the first thing that should be implemented would be to have your database on a separate physical machine from your application server or public web server. This has two positive effects. Firstly, moving the database server to another machine will take the load off the web server or application server which can only be a good thing. Secondly, your public web server would be the first machine to be attacked, thus if a breach were to occur having the database on another machine would add some level of defense.</p>
<p>Ensure that the web application database user has the bare minimum rights to the database. That is, if the web application has no need to add tables or drop tables then the user should not have CREATE or DROP rights. Under no circumstances should your web application use ROOT, SA or any other master login to access your database. Create a separate user for each application and give it the required rights.</p>
<p>One other thing I like to do is limit remote access to the database; if you can get SSH/RDP access to the server, limit that to specific IP addresses. This causes remote administration to be a pain but the security benefits outweigh the inconvenience.</p>
<p><strong>Data storage:</strong></p>
<p>Now, once you have the correct rights on your database and secured it from web access the next step would be to secure the actual data being stored. You will want to ensure that the forms that submit information are secured with a valid strong SSL certificate. Now, you may not be interested in using SSL encryption for all forms on  your site but it is a good practice to secure forms such as registration, login, shopping carts and checkout forms. Basically, any form that has any user information should be secured.</p>
<p>This same thinking should extend to storing the data in the database. Many developers encrypt passwords and store them in the database, but I think other things like usernames, email addresses and any other information that can potentially be regarded as sensitive information should be encrypted and stored in the database. There are two options for this. Let the database encrypt the data for you or let your application encrypt the data before it is inserted in the database.</p>
<p>In SQL Server 2005, you can achieve this using some special functions. You can read more about this method in the following articles:</p>
<blockquote><p><a href="http://www.sql-server-performance.com/articles/dev/encryption_2005_1_p1.aspx">http://www.sql-server-performance.com/articles/dev/encryption_2005_1_p1.aspx</a></p>
<p><a href="http://www.sql-server-performance.com/articles/dev/encryption_2005_2_p1.aspx">http://www.sql-server-performance.com/articles/dev/encryption_2005_2_p1.aspx</a></p></blockquote>
<p>Other popular databases would have similar features.</p>
<p>The other option would be to encrypt the data before storing it in the database and then decrypt it when it needs to be used. In ColdFusion, this can be achieved using the encrypt and decrypt functions. These functions allow you to choose an encryption algorithm (SHA1, Blowfish etc.) and a security key. The major drawback to this method is speed. This would slow down the communication of data between the web application and the user; however, I think this is a fair trade-off for the security conscious.</p>
]]></content:encoded>
			<wfw:commentRss>http://thinkinglemur.com/index.php/2009/02/web-data-security-paranoia/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Preventing SQL Injection attacks in ColdFusion</title>
		<link>http://thinkinglemur.com/index.php/2009/02/preventing-sql-injection-attacks-in-coldfusion/</link>
		<comments>http://thinkinglemur.com/index.php/2009/02/preventing-sql-injection-attacks-in-coldfusion/#comments</comments>
		<pubDate>Tue, 17 Feb 2009 14:17:32 +0000</pubDate>
		<dc:creator>Donnie Bachan</dc:creator>
				<category><![CDATA[ColdFusion]]></category>
		<category><![CDATA[Databases]]></category>
		<category><![CDATA[Programming]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://thinkinglemur.com/?p=143</guid>
		<description><![CDATA[This is an article I came across on Ben Forta&#8217;s blog. This gives some very good tips on preventing SQL injection attacks and provides some excellent best practices.
 http://www.adobe.com/devnet/coldfusion/articles/sql_injection.html
When I took up my current position we had to do a vulnerability scan to become PCI compliant and well we originally failed horribly. After much work we [...]]]></description>
			<content:encoded><![CDATA[<p>This is an article I came across on <a href="http://www.forta.com">Ben Forta&#8217;s blog</a>. This gives some very good tips on preventing SQL injection attacks and provides some excellent best practices.</p>
<blockquote><p> <a href="http://www.adobe.com/devnet/coldfusion/articles/sql_injection.html">http://www.adobe.com/devnet/coldfusion/articles/sql_injection.html</a></p></blockquote>
<p>When I took up my current position we had to do a vulnerability scan to become PCI compliant and, well, we originally failed horribly. After much work we got it compliant and fixed all of the security holes identified. The article above gives some ColdFusion-specific items but also defines some techniques that can be applied to other languages. A few things that are of note are:</p>
<ul>
<li>Database user privileges</li>
<li>Use of stored procedures</li>
<li>Use of dynamic table names</li>
</ul>
<p>These three points are usually overlooked by the average developer and should really be implemented. </p>
<p> </p>
<p>Database User Access:</p>
<p>Only give the user the minimum rights required to perform the task. So if your user only needs to perform select and update operations they should not have delete, create or other rights.</p>
<p> </p>
<p>Stored Procedures:</p>
<p>Stored procedures provide a very good way to abstract and hide database logic from your code. This is a problem with many of the frameworks that use Active Record patterns, like Rails and CakePHP, or ORM systems like Reactor in ColdFusion, but stored procedures can provide significant performance improvements as well as security benefits.</p>
<p> </p>
<p>Dynamic Table Names:</p>
<p>By prefixing your database tables with a custom string, you can build queries that use a dynamic string for accessing the table information instead of hardcoding the table name. This is another good idea, since many systems use generic table names like users, categories, groups etc., which can be easily guessed.</p>
<p> </p>
<p>It is very important to analyse every section of code and perform a security audit, ensuring that all forms are protected, since forms are the first place that attackers target.</p>
]]></content:encoded>
			<wfw:commentRss>http://thinkinglemur.com/index.php/2009/02/preventing-sql-injection-attacks-in-coldfusion/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
