Changes to defaults in ColdFusion 10

This post is more than 2 years old.

Along with new features, ColdFusion 10 also offers some good changes to defaults. You may not agree with these changes, so review them carefully to ensure they mesh with your development rules.

  1. One that almost no one should argue about - the default storage method for client variables has switched from the Windows Registry (or the fake version on Unix-based systems) to cookie values.
  2. CFTOKEN cookie values now are set to use UUIDs.
  3. Global script protection is now enabled by default. Now, this is probably a good thing, but, I've found it trips me up and I normally ensure it is disabled. (You can disable it at the application level.) This is the setting that trips up bloggers since it takes their HTML and escapes it automatically. I guess I can accept that it makes more sense to be enabled, just keep this in mind when working on code for a ColdFusion 10 server.
  4. The maximum number of simultaneous template requests changed from 10 to 25. The maximum number of simultaneous CFC function requests went from 10 to 15. Remember - these are defaults. You really want to take the time to configure these for your server and application.
  5. The minimum JVM heap size went from nothing to 256 megs.
  6. This one may impact people too - the maximum size of post data went from 100 megs to 20.
  7. Finally, ColdFusion Event Gateway services will be disabled by default. Probably makes sense with no one using it (which is unfortunate!), but keep it in mind if your code requires it.

There are a few other changes as well. For example, file uploads are now more secure by default since we go far beyond just checking the file extension. Now deeper checking into the file type is performed. You can disable this, but don't.

There may be other changes as well - if you find em - post em!

Raymond Camden's Picture

About Raymond Camden

Raymond is a senior developer evangelist for Adobe. He focuses on document services, JavaScript, and enterprise cat demos. If you like this article, please consider visiting my Amazon Wishlist or donating via PayPal to show your support. You can even buy me a coffee!

Lafayette, LA https://www.raymondcamden.com

Archived Comments

Comment 1 by MikeZ posted on 2/27/2012 at 2:17 AM

Did they finally eliminate that old legacy problem due to automated variable validation for variables which follow a certain pattern?
That's the classic which everyone that ever built a Facebook app in CF probably has run into at least once.

Comment 2 by Raymond Camden posted on 2/27/2012 at 2:25 AM

Are you talking about the automatic form validation? That was 'fixed' in CF9. You can disable it in your app.cfc settings.

Comment 3 by Mark posted on 2/27/2012 at 5:43 AM

That maximum number of simultaneous template requests = 10 really, really worked for me. Unless your hardware suddenly improved I would not change that.

Comment 4 by Kerr posted on 2/27/2012 at 5:49 AM

I believe the maximum number of simultaneous template requests is a very server / app-specific issue. We have a well tuned CF9 application set at 25, and don't run into issues under load.

Comment 5 by Aaron Greenlee posted on 2/27/2012 at 9:00 AM

Really is a shame if people are not using event gateways.

Comment 6 by Raymond Camden posted on 2/27/2012 at 9:39 PM

Aaron: Agreed. I don't think features should be used "just because", but at the same time, I do wish there were more usage out there.

Comment 7 by Kerr posted on 2/27/2012 at 11:36 PM

@Aaron - Out of curiosity, how are you leveraging event gateways in your project(s)?

Comment 8 by Aaron Greenlee posted on 2/28/2012 at 12:09 AM

Anytime I want something to be asynchronous, I use an Event Gateway. This typically means long running operations, logging, app metrics, or processes I want to be triggered by a remote user but that don't need to furnish a result when the processes started. I've found there are lots of areas in my applications where Event Gateways have helped me to accelerate response times.

Comment 9 by Aaron Greenlee posted on 2/28/2012 at 12:10 AM

I should note that I also use threads, but, only if I need parallel operations to re-join (like the furnish data for a request.).

Comment 10 by Raymond Camden posted on 2/28/2012 at 12:11 AM

Any reason why you don't use threads for times when you _don't_ want to join? I use them cfbloggers and it works fine.

Comment 11 by Kerr posted on 2/28/2012 at 12:16 AM

Ahh ok, I've been using threads for some of those operations. That has helped with response times, but then consumes the thread pool. I see how the event gateway would be best if there's no need to re-join the asynchronous process. Thanks for the feedback.

Comment 12 by Wes Byrd posted on 2/28/2012 at 8:17 AM

An interesting change in path issues with CFINCLUDE results in incorrect paths generating a 404 error. Oddly enough, for as long as I can remember, ColdFusion would allow you to have extra "/" marks in a path and still include the page. For example:

include "/path/to//file.txt";

This works in CF9 and earlier versions but not CF10. The usual cause of this kind of path is dynamic path information from a database that might include the "/" mark and then so does your code.

Good news... it makes us do it right. Bad news, errors may arise when you upgrade your CF9 app to CF10 if you include files via dynamic file paths.

Comment 13 by Raymond Camden posted on 2/28/2012 at 8:20 AM

Wes, while I agree that it is good to make us "do it right", this kind smells like something that will bite a _lot_ of people. Can you file a bug report please?

Comment 14 by Wes Byrd posted on 2/29/2012 at 12:04 AM

Added bug to bugbase.adobe.com. Bug #: 3125367

Comment 15 by Wes Byrd posted on 4/3/2012 at 1:43 AM

Looks like they posted a fix to the CFINCLUDE path issue. The cool new built in update tool found and installed that bug fix.

Comment 16 by Raymond Camden posted on 4/3/2012 at 1:46 AM

Nice. Glad to see it being useful already.

Comment 17 by Henry Ho posted on 7/4/2013 at 5:09 AM

Maximum number of simultaneous template requests is "0" in CF10 standard. Any idea what does "0" mean?

Comment 18 by Raymond Camden posted on 7/4/2013 at 5:23 AM

No limit maybe? Check the help (click the ?).

Comment 19 by Henry Ho posted on 7/4/2013 at 5:31 AM

@Raymond There's no (?). No limit doesn't seem to make sense because if I click Submit Changes: Simultaneous Request limit must be numeric and greater than zero.

Comment 20 by Raymond Camden posted on 7/4/2013 at 5:37 AM

Look in the upper right corner. Every CF Admin for a while not has had built in contextual help.

Comment 21 by Steve Fentriss posted on 11/13/2013 at 11:47 AM

Ray, thank you so much for writing so many great articles and being such a ridiculously source of CF knowledge. Like Henry Ho, I'm wondering what the "zero simultaneous requests" in Coldfusion 10 means. I read the help as you suggested here, and did not see anything specifically about the "0" value.

Comment 22 by Steve Fentriss posted on 11/13/2013 at 11:48 AM

* a ridiculously awesome source of CF knowledge

Comment 23 by Raymond Camden posted on 11/13/2013 at 4:10 PM

It almost sounds like a bug - as Henry says he wasn't able to save the page. If you still see this, and if you also can't save the page, best I can suggest is to log a bug, and then obviously change the value - 10 should be fine until you can test for better values.

Comment 24 by Jim posted on 5/6/2014 at 11:38 PM

Hi Ray - I have a web service that gets invoked just fine in CF9. We upgraded to CF10 and now if the size of the data goes above a certain amount (which is not a lot of data), the service call errors and returns:

An existing connection was forcibly closed by the remote host.

Any ideas or thoughts on tuning or where to look? Thank you!

Comment 25 by Raymond Camden posted on 5/6/2014 at 11:42 PM

Check the Admin settings for the max post setting. That could be it.