CF 2023 update 15 Variable HTTP_REFERER is undefined

Report · Jul 16, 2025

I just updated CF 2023 from 6 to 15, and applicaton is not working with below error:

any idea what's missing?

Thanks.

Variable HTTP_REFERER is undefined

coldfusion.runtime.UndefinedVariableException: Variable HTTP_REFERER is undefined.
	at coldfusion.runtime.CfJspPage._get(CfJspPage.java:456)
	at coldfusion.runtime.CfJspPage._get(CfJspPage.java:411)
	at coldfusion.runtime.CfJspPage._get(CfJspPage.java:390)
	at coldfusion.runtime.CfJspPage._autoscalarize(CfJspPage.java:2364)

 <CFIF (ReFindNoCase("login/login.cfm",HTTP_REFERER) EQ 0 AND ReFindNoCase("login/login.cfm",SCRIPT_NAME) EQ 0 AND ReFindNoCase("login/action_login.cfm",SCRIPT_NAME) EQ 0)>
<CFIF IsDefined("SESSION.LOGGEDIN") and SESSION.LOGGEDIN EQ "TRUE">
<CFELSE>

Report · Jul 16, 2025

Yes, this was a change in update 7 of your cf2023, which came out in March 2024. It's not about a change in THAT one variable, but a change about referring to variables like that in the CGI scope (and other scopes). CF no longer searches through several scopes implicitly. This applies to cf2021 and 2025 as well.

You can solve your one error there simply by changing it to cgi.http_referer. But you may hit still others. (It's NOT that you must now scope ALL variables.) There is also an available app-level and/or jvm setting to revert the behavior WITHOUT need to prefix the var.

More on the matter was discussed in the technote for that March 2024 cf update...and frankly you should (seriously) read each of the technotes for ALL those updates you skipped. Many things are NOT repeated in each update, and you will find literally dozens of potential breaking changes over that number of skipped updates.

For more on your specific issue, see also blog posts like this from Pete Freitag at the time:

https://www.petefreitag.com/blog/cf-searchimplicitscopes/

I did my own, covering far more in that update (and nearly each update), but Pete's will suit your specific issue.

/Charlie (troubleshooter, carehart. org)

Report · Jul 17, 2025

Charlie has answered the question of the cause of the error: CGI scope missing from your code. But there's more besides.

The error is a lucky accident. It points to the following improvements to your code:

Though CGI is request-specific in a ColdFusion application, it is a universal, read-only variable in programming. As such, you should always scope CGI variables, hence CGI.HTTP_REFERER, and so on.
The references Charlie has provided suggest that one solution to your issue is either to add
```
<cfset this.searchImplicitScopes="true">
```
to Application.cfc, or to add
```
-Dcoldfusion.searchimplicitscopes=true 
```
to java.args in jvm.config.

There is a security reason why Adobe changed the behaviour. Therefore, as Pete Freitag correctly points out, each of the 'searchImplicitScopes' fixes should be regarded as only a temporary workaround. You should plan to review your entire code, and scope variables where necessary.

The dot (.) is a special Regex symbol. It matches any single character, including a newline character.
So the value of

ReFindNoCase("login/login.cfm","login/loginXcfm")

is 1, for any character X.

Your code seems to ignore that. Which can have serious security implications.
So, either "escape" the dot and replace

ReFindNoCase("login/login.cfm",HTTP_REFERER) EQ 0 AND ReFindNoCase("login/login.cfm",SCRIPT_NAME) EQ 0 AND ReFindNoCase("login/action_login.cfm",SCRIPT_NAME) EQ 0

with

ReFindNoCase("login/login\.cfm",CGI.HTTP_REFERER) EQ 0 AND ReFindNoCase("login/login\.cfm",CGI.SCRIPT_NAME) EQ 0 AND ReFindNoCase("login/action_login\.cfm",CGI.SCRIPT_NAME) EQ 0

or use instead

FindNoCase("login/login.cfm",CGI.HTTP_REFERER) EQ 0 AND FindNoCase("login/login.cfm",CGI.SCRIPT_NAME) EQ 0 AND FindNoCase("login/action_login.cfm",CGI.SCRIPT_NAME) EQ 0

Review your entire code to find places where the dot (.) needs to be escaped in a Regular Expression.