ColdFusion Vs Everyone?

This morning I was shocked to hear that ColdFusion is dead. Oh no, wait, again? So here’s the deal. I heard from two completely unrelated sources “this morning” that CF was dead. Hey folks... it’s still not dead, so why not just cut the crap and accept that it’s alive and well.

ColdFusion is primarily used behind firewalls. For example, a majority of the larger companies have instances of ColdFusion running their intranet applications.

ColdFusion’s many strengths include:

  • data transformation applications
  • rapid development
  • data aggregation
  • report building
  • systems integration
  • translation layer between multiple platforms and languages
  • And SOOOO many more

ColdFusion shows up as having low usage on external reporting services because it’s tucked away behind firewalls where external reporting services can’t see it. Also, the analysis of external ColdFusion instances should include all CFML engines, including Blue Dragon, Railo and Adobe ColdFusion. Railo is rapidly becoming the chosen solution for ColdFusion developers due to its open source roots and Adobe’s neglect to market ColdFusion.

Keep in mind that if we removed WordPress, Drupal and Joomla from the statistics, PHP would most likely be down by 75%, to less than the number of .NET sites.

Everyone jabbers about Groovy, Grails, Ruby on Rails etc, but they are all a smaller market than ColdFusion.

I’m not afraid to learn other languages, but I always laugh at people who baulk at CF. They just can’t afford the hosting, so they learn what they can afford or what they were taught in college. With the introduction of Railo I am hoping for a resurgence of ColdFusion development.

I really like this article written by Ray Camden, CF extraordinaire.

http://www.raymondcamden.com/index.cfm/2011/3/21/Quick-advice-for-handling-the-ColdFusion-haters

Keep in mind, folks, that there are currently at least 211,947 active sites using Adobe ColdFusion. That does not include intranets and custom internal applications, which are most likely the majority. Does that sound dead to you?

If you love CF, get out there and tell people. Let your managers know why. Show them the product, the results and the cost analysis of something done using CF versus something done in another language.

Find a creative way to show people that you love ColdFusion. Post your ideas here (even though I get very little traffic). Scream to the world “I LOVE COLDFUSION!!!!!”


Escape an iFrame after a session logs out

Here is an example of how I escape an iFrame when my log in page is loaded.

So let me set the stage first.

I have an app that uses iFrames (a very old app that I didn’t build). In my ColdFusion Application.cfc I tell the app to force the log in screen once a session has expired. So to stop the iFrame from loading the log in screen, my task is to tell the log in screen to check if it’s within an iFrame. If the page is within an iFrame, I want the parent page to reload. By default my iFrames will be gone and the parent page will fail the session check, hence forcing the parent page to display the log in as anticipated.

Place the following code on your log in screen or whatever screen you wish to have escape the iFrame.

<script>
    // true when this document is not the top-level document but has been loaded inside a frame
    var iFramed = (window.location != window.parent.location);
    if (iFramed) {
        alert('Your session has expired. Please log in again.');
        // navigate the parent (framing) window to the log in target, which drops the frames
        window.parent.location.href = "index.cfm";
    }
</script>

The target file to load into the parent window is in my case index.cfm. You can of course point to any target you wish. Perhaps login.cfm or whatever suits.

Prevent brute force attacks

Check to see if the login was successful. You can apply your own variable here. Obviously all variable names

<cfif [login successful...]>
	<!--- Do something since you've successfully logged in. --->
	<!--- Reset the counter on success so a legitimate user is not throttled on the next attempt. --->
	<cfset session.FailedLogin = 0>
<cfelse>
	<!--- The counter lives in the visitor's session, so it throttles one client, not one account. --->
	<cfparam name="session.FailedLogin" default="0">
	<cfset session.FailedLogin = session.FailedLogin + 1>
	<!--- After 10 failures in this session stop processing the request altogether. --->
	<cfif session.FailedLogin gt 10>
		<cfabort>
	</cfif>
	<!--- Otherwise make each failed attempt slower than the last: 0.5 s, 1 s, 1.5 s ... --->
	<cfset createObject("java", "java.lang.Thread").sleep(JavaCast("int", session.FailedLogin * 500))>
</cfif>

Send an Email using CFScript

<cfscript>
	savecontent variable="mailBody" {
		writeOutput('<h1>Hello!</h1><p>Tada it works.</p>');
	}
	/* addresses and subject, kept in variables so the confirmation below can reuse them */
	mailTo      = 'TO@somedomain.com';
	mailFrom    = 'FROM@somedomain.com';
	mailSubject = 'YOUR SUBJECT';
	/* create mailer service */
	mailerService = new mail();
	/* set mail attributes using implicit setters provided */
	mailerService.setTo(mailTo);
	mailerService.setFrom(mailFrom);
	mailerService.setSubject(mailSubject);
	mailerService.setType("html");
	/* add mailparams. form.attachment comes straight from the request, so check it against
	   an allow-list of expected file names before handing it to expandPath() */
	mailerService.addParam(file=expandPath(form.attachment), type="text/plain", remove=false);
	/* send mail using send(). Attribute values specified in an end action like "send" will not persist after the action is performed */
	mailerService.send(body=mailBody);
	writeOutput("<h3>Thank you</h3><p>Thank you, " & mailFrom & "<br>Your message, " & mailSubject & ", has been sent to " & mailTo & "</p>");
</cfscript>

XSS Additional Protection

This is a snippet of code from one of my applications. It’s not a stop-all, but it’s a good start.

//XSS protection
whiteListReserved = "!|*|'|(|)|;|:|@|&|=|+|$|,|/|?|%|##|[|]";
whiteListUnreserved = "A|B|C|D|E|F|G|H|I|J|K|L|M|N|O|P|Q|R|S|T|U|V|W|X|Y|Z|a|b|c|d|e|f|g|h|i|j|k|l|m|n|o|p|q|r|s|t|u|v|w|x|y|z|0|1|2|3|4|5|6|7|8|9|-|_|.|~";
whiteList = listAppend(whiteListReserved, whiteListUnreserved, "|");
// URLDecode() turns %xx escapes and '+' back into the characters they stand for,
// so an encoded '<' is inspected as '<'. A plain space is not on the list, so a
// decoded "John+Doe" is flagged too.
qString = URLDecode(cgi.query_string);

for (i = 1; i lte Len(qString); i++) {
    /*
    Get the character at the given index. The ColdFusion Mid() function takes the string, the starting index
    and the number of characters to return. In this case, we only want one character, so the length is one.
    */
    strChar = Mid(qString, i, 1);
    if (listFind(whiteList, strChar, "|") eq 0) {
        // JSStringFormat() escapes quotes and backslashes, so the offending character
        // cannot break out of the alert() string literal it is echoed into.
        writeOutput("<script type='text/javascript'>alert('#JSStringFormat(strChar)# is in violation of xss rules.');</script>");
        //Here I have a session variable that I toggle based on a user being authenticated. not super relevant to this posting.
        Session.isAuthenticated = 0;
        url.msg = "There is a security violation within your request. Your session has been reset. Please log back in.";
        // one violation is enough; stop scanning instead of emitting an alert per character
        break;
    }
}
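The same character allow-list check, rebuilt in Python as an added example (not code from the original post) so the behaviour can be tried on sample query strings: it shows what the snippet catches, the space false positive, and that a single decode pass does not see double-encoded input. The allow-list is assumed to match the ColdFusion lists above character for character.

```python
from urllib.parse import unquote_plus

# Allow-list rebuilt from the ColdFusion snippet above (assumed to match it
# character for character): RFC 3986 reserved characters plus the unreserved set.
RESERVED = set("!*'();:@&=+$,/?%#[]")
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                 "abcdefghijklmnopqrstuvwxyz"
                 "0123456789-_.~")
ALLOWED = RESERVED | UNRESERVED


def decode_query(query_string):
    """Same first step as the snippet (ColdFusion's URLDecode): %xx escapes and
    '+' are turned back into the characters they stand for before inspection."""
    return unquote_plus(query_string)


def violations(query_string):
    """Every character (in order of first appearance) of the decoded query
    string that is not on the allow-list; an empty list means the check passes."""
    found = []
    for ch in decode_query(query_string):
        if ch not in ALLOWED and ch not in found:
            found.append(ch)
    return found


def passes(query_string):
    return not violations(query_string)


# Constructed sample query strings (not from the original post) with the
# result the check gives for each.
SAMPLES = {
    "id=42&sort=name.asc": [],                  # ordinary request: passes
    "q=%3Cscript%3E": ["<", ">"],               # encoded tags decode to '<' '>' and are caught
    "name=John+Doe": [" "],                     # '+' decodes to a space, which the list omits (false positive)
    "msg=%22%3E%3Cimg%20src%3Dx%3E": ['"', ">", "<", " "],
    "q=%253Cscript%253E": [],                   # double-encoded: one decode pass sees only %, 3, C, so it
}                                               # passes; output encoding downstream is still required


def run_samples():
    """Run the check over every sample; the result should equal SAMPLES."""
    return {qs: violations(qs) for qs in SAMPLES}
```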