A recent presentation given at DEFCON 16 exposed a seemingly unsuspected vulnerability common to most SSL-secured websites. Many large and prominent sites such as Gmail, Facebook, Yahoo Mail and others are exposed to this vulnerability simply because they haven't secured their cookies. The presenter dubbed the exploit "HTTPS Cookie Hijacking" and loosely described it as:
"It turns out an adversary able to position themselves in between you and a website is able to inject arbitrary http-based content elements for domains that do not set the 'Encrypted Sessions Only' property of their cookies, and thus cause your client to transmit these cookies via clear text, intercept them, and impersonate you."
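The "Encrypted Sessions Only" property quoted above is the `Secure` attribute of a `Set-Cookie` header: a browser attaches a cookie that lacks it to plain `http://` requests as well as `https://` ones. As an added example (not from the original post or from the DEFCON talk), here is a small Python audit that parses `Set-Cookie` headers, flags cookies without `Secure`, models which cookies a browser would attach to a plaintext request, and shows the corrected header. The header lines are constructed samples, and the list of session-cookie names (`SESSIONID`, plus ColdFusion's `CFID`/`CFTOKEN`) is an assumption used only to rank severity.

```python
import re

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    "Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly",          # session cookie, no Secure
    "Set-Cookie: prefs=dark; Path=/",                           # low-value cookie, no Secure
    "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly",  # correctly flagged
]

# Assumed names of session cookies; CFID/CFTOKEN are ColdFusion's defaults.
SESSION_COOKIE_NAMES = ("sessionid", "cfid", "cftoken", "jsessionid")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def would_send_over_plaintext(attrs):
    """True when a browser would attach this cookie to an http:// request."""
    return "secure" not in attrs


def cookies_sent(headers, scheme):
    """Model the browser rule: Secure cookies travel only on https requests."""
    sent = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if scheme == "https" or would_send_over_plaintext(attrs):
            sent.append(name)
    return sent


def fix_header(header):
    """Return the header with the Secure attribute appended if it is missing."""
    if re.search(r";\s*secure\b", header, re.IGNORECASE):
        return header
    return header.rstrip("; ") + "; Secure"


def audit(headers, session_names=SESSION_COOKIE_NAMES):
    """Report every cookie that would leak over plaintext, ranked by what it protects."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if would_send_over_plaintext(attrs):
            findings.append({
                "cookie": name,
                "issue": "missing Secure attribute",
                "severity": "high" if name.lower() in session_names else "low",
                "fixed_header": fix_header(header),
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(f"[{finding['severity']}] {finding['cookie']}: {finding['issue']}")
        print(f"    fix: {finding['fixed_header']}")
    print("sent on http :", cookies_sent(SAMPLE_HEADERS, "http"))
    print("sent on https:", cookies_sent(SAMPLE_HEADERS, "https"))
```

Running this against a site's real response headers (for example, pasted from a browser's network panel) gives the same check the talk describes, from the defending side: any "high" finding is a session cookie that a plain-http request would carry in the clear. Note that `Secure` only stops the cookie leaving over plaintext; `HttpOnly` is a separate attribute and does not address this issue.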
Just wanted to list out some recent enhancements that I've made to the site.
Photo Gallery
The most notable enhancement I made to this area was including a dynamic watermark on the images that I pull back from Flickr. I didn't do this for the copyright aspect of my photos (although it's an added bonus) read more...
This month's Baltimore Adobe Users Group is getting a special guest speaker, CFML committee member and CEO of Railo, Gert Franz. Railo is an Adobe ColdFusion alternative that, at some level, is free and will soon have an open source edition. If you live in or around the Baltimore Metro you should definitely make your way down for the meeting; there is usually free food and drink, and always great conversation amongst Adobe professionals. read more...
Come Monday I'll be starting the envisioning phase of a 4 month project aimed at enhancing the overall user experience in one of our flagship applications. I'm definitely excited about the project, not only because there will be some really cool components to build but also because the project will be run using an Agile methodology. For the past several years I've been working on high-dollar (long-running), complex business apps that followed the Waterfall approach. Each of these projects adhered to the phases of your standard Software Development Life Cycle (SDLC) and at times seemed to drag on in the least exciting phases.
Agile development is definitely different from your traditional waterfall-based project, not only from a structure point of view (phases and such) but also in its principles, which are:
Individuals and interactions over processes and tools
Last week my work brought in a CF consultant from Universal Mind to help evaluate the performance of our flagship application and offer suggestions for improvement. On Tuesday this consultant was set up to give us a presentation on CFMX performance, and like most learning opportunities I attended the session. To my surprise, the consultant was Brandon Purcell... holy sh*t... I have been reading his blog for a few years now and regard him as being a CF rockstar along with the usual names.
Brandon was really cool and dropped some interesting tips on performance, some of which I had never considered before, like using <cftransaction> with an isolation level of read_uncommitted to speed up SELECT statements. Of course this only applies to queries where the returned results don't have to be 110% accurate, as the lower isolation level bypasses the locks held by in-flight INSERTs and UPDATEs. I never thought of using <cftransaction> for anything other than managing 'atomic' transactions that included writing to the db.
Another interesting tip that he pointed out was logging run time metrics directly to the page, but wrapped in HTML comments to hide them from the users. I think in non-MVC frameworks this would work well. I had never really considered dumping runtimes to the display in a production environment, but I guess it's a quick way to see how well a page is rendering without jumping through hoops to get that info (in a large corporate environment where not everyone is privy to accessing production logs without waiting for someone else to get them for you).
Brandon had a ton of other great performance tuning tips, most of which I already knew about, but it was still cool to hear it from someone who has been around CF as long as he has. I really need to start going to more conferences and getting involved in some type of Users Group.