May 9, 2014

isapi_redirect 500 Internal Server Error

Today I was installing the dev version of ColdFusion Splendor on my machine.
I completed the CF 11 installation successfully, but when I tried to run CFM code I got this strange error.

500 Internal Server Error -

I was not aware of this kind of error in the past, so:
What is the isapi_redirect DLL?
Why is the isapi_redirect DLL needed to run a .cfm page?

Here comes the Answer -

As we know, IIS is an external web server that handles HTML content, while Tomcat/JRun is the built-in web server, which in turn executes Java and JSP applications.

ColdFusion is built on top of Java EE, so we need something to run the Java bytecode, and that is why we need Tomcat/JRun.

So here isapi_redirect is the middleman that sends your request from IIS to Tomcat. In technical terms, it is a plugin that lets IIS forward servlet/JSP requests to Tomcat so that Tomcat can process the client request.

So, now let's solve our main issue - 500 Internal Server Error (see the screenshot above showing the error message)

Steps to follow to solve it -
> Open ISAPI Filters in IIS
> Right-click, or click the action "Add"
> Give any filter name, say "CFIASPI", and in the Executable text box give the path of your isapi_redirect DLL, which is under #root#\config\wsconfig\1\isapi_redirect.dll
> Now restart IIS once
> Load your CFM page; issue solved

If the issue is not solved even after adding the required DLL under ISAPI Filters:
-- Check web.xml under your project folder and see whether any reference to ISAPI is present.
    The above scenario may only happen when you already have CF 10 installed; a mismatch in handler mapping then causes the wrong path of the ISAPI DLL to be read.
-- If found in web.xml, check the config setting for ISAPI and validate its path.

If you are still facing any issue, please share. It is also new to me.
Hope it may help :)

May 8, 2014

May 2, 2014

Securing ColdFusion Server - Seminar Response

Here is the feedback summary of the seminar I gave last week - How to Secure your ColdFusion Server

Quick Look on Seminar Slides:

Thanks all for your useful responses. 
Check Slide here
Check Video here

Hope you all have taken preventive measures to secure your ColdFusion Server.

ColdFusion Security - How to Secure your ColdFusion Server

Recently I gave a seminar at company level on ColdFusion Security - How to Secure your ColdFusion Server

In the seminar I discussed recent CF vulnerabilities, how a CF server can be hacked, how we can prevent such attacks by securing our CF server, etc.

Here are my slides - please take a look.

Video Presentation here
Hope it may help you :)

May 1, 2014

Cookies : setDomainCookies Funda

Everyone knows what setDomainCookies does.
If not, please revisit: "setDomainCookies: Used to set CFID and CFTOKEN cookies for a domain (not just a host)". Generally we always set it to false.

I faced a real-time problem in my application a few days back.
We create multiple websites through a single application, hosted on different domains.

The issue was here:
Let's say we have 2 different websites altogether.
Named as

The problem was when you open and on another tab
the kasleRealty website shows the same content as shamRealty.
Put more simply: you have open in one tab and then opened Facebook in another tab, opens with google page in it.
Weird, right?

I thought this might be some IIS-related issue, but once I cleared my browser cookies/cache, the issue was not reproducible.

I started looking into cookie assignment and found this:
CFID and CFTOKEN were being generated twice in the website
one for (CFID:2313, CFTOKEN:234124)
and one for (CFID:23412 , CFTOKEN:345435)

This gave us a hint as to why a domain-specific CFID/CFTOKEN was being generated.
We started looking into the application-level settings and found that by mistake we had set setDomainCookies to true.

Funda: Don't set setDomainCookies to true unless your application is running in a clustered environment, because if CFID and CFTOKEN variable combinations already exist on each host in the cluster, ColdFusion migrates the host-level variables on each cluster member to the single, common domain-level variable.
source - Adobe

So we turned off setDomainCookies and the issue was solved.
Hope it may help
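
A way to check for the symptom described above from the response headers, as an added example that is not part of the original post: it flags CFID/CFTOKEN cookies that carry a Domain attribute and cookies issued more than once with different values. The sample headers are constructed from the value pairs in the post; the domain `.example.test`, the choice of which pair is domain-scoped, and the function name `audit_set_cookie` are assumptions.

```python
from http.cookies import SimpleCookie

SESSION_COOKIES = {"CFID", "CFTOKEN"}

# Constructed sample: Set-Cookie header values as a browser might receive them
# when both host-level and domain-level session cookies are issued.
SAMPLE_HEADERS = [
    "CFID=2313; Path=/",
    "CFTOKEN=234124; Path=/",
    "CFID=23412; Domain=.example.test; Path=/",     # assumed domain
    "CFTOKEN=345435; Domain=.example.test; Path=/",  # assumed domain
]


def audit_set_cookie(headers):
    """Return a list of findings for ColdFusion session cookies."""
    seen = {}      # cookie name -> list of (value, domain or None)
    findings = []
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            key = name.upper()
            if key not in SESSION_COOKIES:
                continue
            domain = morsel["domain"] or None
            seen.setdefault(key, []).append((morsel.value, domain))
            if domain:
                # A Domain attribute makes the cookie visible to every host
                # under that domain, not just the host that set it.
                findings.append(f"{key} is scoped to domain {domain}")
    for key, entries in seen.items():
        values = {value for value, _ in entries}
        if len(values) > 1:
            findings.append(
                f"{key} issued {len(values)} times with different values"
            )
    return findings


if __name__ == "__main__":
    for line in audit_set_cookie(SAMPLE_HEADERS):
        print(line)
```
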