I have very good news for you. First, note that Adobe offers an image for EACH update, for all three of cf2025, 2023, and 2021. They're all at the AdobeColdFusion docker hub page , or Amazon ecr. Choose the specific image for a given version, then see the "tags" on the right, where there is a different tag for each update. For example, you could use adobecoldfusion/coldfusion2025:2025.0.4   There's also a considerable docs page from Adobe on using those images, linked to from there. It's a great way to be introduced to what's configurable with them.   Finally, for even more, note that I have a github repo with dozens of examples on using the Adobe (and Lucee and Commandbox) images in various ways (including choosing versions and LOTS more), at https://github.com/carehart/awesome-cf-compose.   And of course I can help directly with all aspects of using them, if needed.  ... View more

Now that you've concluded for sure that the jvm arg IS there but is NOT helping, it sounds like you're hitting the same problem someone reported about 2 months ago at https://tracker.adobe.com/#/view/CF-4227376. They, too, are using encrypted querystrings--and it may be that this (or the post-processing you guys want to do) is where the problem is happening. Anyway, add a vote there, at a minimum. And while you can add a "vote comment", that box is tiny. Add a regular comment instead, which is a larger box (easier to read, as well).   And in the meantime perhaps someone else (Adobe or otherwise) may chime in here or there with other thoughts for you. ... View more

I'm sorry to hear of your challenges. First you have not shown what the error is. Your screenshots show that Cf itself is working, which is a great start. I suspect it's something in your iis configuration. The error message may help us, but perhaps not.    I'll say as well that I am confident I could have your server back up (cf site serving requests again) today, perhaps in as little as 15 minutes, via remote screenshare consulting. For more on my rates, approach, satisfaction guarantee, online calendar, email, phone, and more, see the consulting page at carehart.org. I have open slots now and into this evening. I can also help after what's offered on the calendar.    Hope we get you back on your feet ASAP, one way or the other.  ... View more

Well, first I'm glad that checking the files showed the value actually having been set. I hope you appreciate the suggestion to look there--but perhaps that's tempered by your remaining concern that something seems wrong with cf.   I see it differently. I suspect the "someone else" was on that page and may have been setting ANY of the many settings...and THEIR browser's password manager filled in those values, so cf accepted them. (It does not validate them in any way.)   And to be clear, yes, since you say you see their the cf admin username and pw (sadly, in clear text in that file, which I agree is its own problem), that further confirms my suspicion. When a browser password manager fills in the field, it's NOT paying attention to the NAME of the field. It associates a username and pw with a domain/ip, and fills that in on any field asking for a pw on any page in that site. (That's why I made the suggestion above to adobe, about how to stop that.)   As for getting further proof that "someone else did it", I will note (as some may consider it) that while the CF Admin DOES log MANY changes one may make to the CF Admin (in the audit.log within CF's logs folder), sadly I just confirmed that it does NOT log changes to THIS page. I hope to create bug reports for that, as well as for that clear-text password shown in that file, as well the suggestion of autocomplete="new-password". If anyone else may jump on it, please share the bug id's here. ... View more

I am proposing that you please just create a simple few-line simple example that demonstrates ONLY the problem that remains, in as few lines as possible, and WITHOUT using any variables which come from your queries or your app session scope or any previously run code. Keep it minimal, do only what's needed to cause the problem.  That might even be one line. Doing this really will help you as much as us. You're well on your way, it seems.   BTW, then being only a few lines, you can just type them here, as your way to then have it available when you get home (off the DOD network) to try running it in one of the fiddles. I'm trying to help you see around all the roadblocks in front of you. 🙂    On that and as for Dreamweaver, finally, a rant: if someone works with CF with any regularity (more than once a week) and unless they are retiring/leaving CF in the next month, it would seem REALLY worth their time and effort to learn to use ANYTHING other than DW. 🙂 Not least of which because besides your bugginess it hasn't had CFML support in more than 10 years.   How about using any of the popular free VSCode (for which one can turn off MS telemtry and AI support), or the open-source vscodium alternative to it (which has no MS telemtry)? Those have current CFML support from Adobe (ColdFusion Builder...and yes, you can install CFB into codium using a vsix file) and from others.   Or how about Sublime, which has CFML support updated in 2025, or NotePad++ or  which at least had CFML support until some years ago? Or use any of those without the CFML support. Or heck in that case use notepad on Windows (or vim or nano on Linux), and so on.   I keep a list of editors, both those WITH and WITHOUT CFML support at cf411.com. The benefits DW offers most people can be provided for in about any other modern editor (though wysiwyg editing and ftp--rather than sftp--are ignored or frowned upon by most of them). ... View more

Matthew, that's certainly some interesting gymnastics you've had to go through.   I'd like to focus on your last point. You say you added Dcoldfusion.runtime.remotemethod.matchArguments=false but it didn't help. First, let's confirm that is indeed set as you think it is. If you just dump the server.systemproperties, it will show you a few dozen things--among which will be any such JVM args, whether set by you in the CF admin or jvm.config. But there are also others that CF sets, and ones that the OS and Java and Tomcat set that are shown. So look for the ones starting with "coldfusion."   And I've created a github jist of some code to do just that for you. See it here.   BTW, I was writing that and this up while I see you offered your next reply with examples. I may not have time soon to try that, but perhaps others will. In the meantime, please do run that code I offer and see if you DO see that env var set. If not, you'll want to pursue why it's not set when you thought it was.   Granted, fixing your code would be better, but I suspect you'd like to do the update if not for this problem, so if the JVM arg DOES work for you then it DOES allow you to proceed. Then maybe your example will help Adobe or us here to see what it is about your code that doesn't work without it. ... View more

That's certainly interesting to hear (that it would seem NOT to be about the browser). Time will tell. As for the file to check for THIS page, it's neo_updates.xml--such as may be in \ColdFusion2023\cfusion\lib\, or if you're running multiple instances, look in \ColdFusion2025\[yourinstance]\lib\.   And FWIW, a default ("empty") one (specifically for CF2023 only) would show: <?xml version="1.0" encoding="UTF-8"?> <settings> <update autocheck="false" checkinterval="10" checkperiodically="false" sendupdate="true"> <url>https://www.adobe.com/go/coldfusion-updates</url> <defaulturl>https://www.adobe.com/go/coldfusion-updates</defaulturl> <packagesurl>https://www.adobe.com/go/cf2023_packages</packagesurl> <defaultpackagesurl>https://www.adobe.com/go/cf2023_packages</defaultpackagesurl> <notification> <emaillist/> <fromemail/> </notification> </update> <proxy> <hostname /> <port></port> <username></username> <password></password> </proxy> </settings> That said, don't just blindly overwrite what you may have with this. Notice all the values in the update section above the proxy section, which may well have been changed upon install or since install of your CF. ... View more

Unless you want to leave it be with that conclusion, and since you seem to be leaning toward a change in how your different cf versions work, please proceed to create a few-line test that demonstrates what you're now suggesting is the problem. Run it locally, then run it on the public fiddles which allow you to test against past versions.  ... View more

Ah, I missed that the brackets in your original code are OUTSIDE the function. Sorry.    But since you say (in the original post) that you're "getting an error that position 1 of the array doesn't exist", then instead dump the RESULT of the function. Is THAT an array? Is it indeed empty?    Next, you go on to suggest that somehow the ASSIGNMENT of the function result to a session var somehow makes the assignment fail. I can't see how that could be so. (Even so, you may want to dump the session scope right before the assignment to confirm you have a valid session.)    Finally you go on here to refer to differences when you comment out stuff. That's where it's so valuable to create a standalone demo, to exhibit what you're experiencing. That will help you also, to narrow down what it takes specifically to make the error, no more and no less. (And I know you're a longtime CFer also, and even help others here. I'm not meaning to be condescending with what I'm saying. It's as much for future readers following along.)    Will be very interesting to hear what more you may find or share.  ... View more

I've read all the replies so far. If you remain stumped after doing what bkbk and Pete have suggested, then please do this: Dump cgi.SSL_CLIENT_S_DN_CN right before the code that's failing. Is it indeed an array? And is array element 1 what you'd expect? Dump to_char(dateObject, 'YYYY-MM-DD') and separately just dateobject just before the line using those. Do those have what you expect.  Please don't presume other similar dumps in other places prove "you've done it already": do those, right there (to a file if you must). Let us see the value of the date dumps.  If you remain stumped, you may be presuming there's a problem with CF or perhaps your application.cfc/cfm. In that case, please create a standalone few-line program that demonstrates the problem. Then try running that on its own folder with its own empty application.cfc. Does the error/unexpected behavior persist? If so, run that code on cffiddle.org or trycf.com, both of which will let you run it against different cf versions. If it fails on them, on different versions, do you have some environment where this demo code runs well? If so, tell us it cf version and update level that is. Maybe it's on an older update (those sites don't let you try different update levels). You might want to share the few-line demo here for us to try. Some of us can test on different update levels.  ... View more

So it's possible then that the use of such caching has never worked on this one instance, right? I'm curious: are all 4 instances running the exact same code? Or does this one run its own?   I ask because if they differ, then another thing to consider is your application.cfc/cfm controlling the app in questions. It could be that you specify caching characteristics in that file, which would override whatever is in the admin.   All that said, the dump that bkbk helpfully suggested may give useful clarification (as it too would be affected by app-level config).  ... View more

@Dordrecht, I think I can explain your point 1 differently than what you guys are suggesting. I suspect that the username and password field you see there IS NOT being populated by CF--nor from a migration, nor is it "magical". 🙂 But I understand it seems "mysterious".. And I have a suggestion for Adobe.    1) First, can you open the admin in a new private window (if in Firefox) or new incognito windows (in Chrome or Edge)? Does the "magic password" and username appear for that proxy page?   If not, that proves it's not coming from cf. Instead it's your browser, and specifically I suspect it's your browser's built-in password manager--whose cache is empty by default when you open such a private/incognito window.   Let us know how that test goes. I did considerable testing earlier today when I saw this thread, to confirm this from my end. It's a frequent problem for many. And there are in fact many cf admin pages with passwords, where this can happen. (And FWIW there's an xml file for each that you could also inspect to see that cf has no such current info/password., but the test above is easier)    2) Finally Ravi, here's the suggestion for you guys, which should prevent this problem. (Something has been tried, but I find it's done incompletely on some pages and not at all on this one.)    Add autocomplete="new-password" to the various admin password fields on the many admin pages asking for them.   Some have autocomplete="off", which is not doing the job, while this page's password field has neither.    Of course, if the admin code DOES find a password in the neo xml file and fills that in on the page itself, that WILL be rendered despite this attribute. The problem is that the browser pw mgr autocomplete is stepping in when it's empty. (And I appreciate that this matter can be challenging to resolve.)   Hope that helps both of you, and other readers. I'm open to correction or feedback.  ... View more

@ponnada40, while you may await someone offering "the answer", I'll ask some clarifying questions, which may help lead to it. And the first three relate to the only other occasion of someone raising this error. If it's not that, I offer still others: If you had recently applied a cf update, was that instance updated separately from the others for any reason? Either way, were there any errors in the update log? Are you familiar with where to look?  If nothing else, are there any errors during startup of the instance, in its coldfusion-out.log? Especially while packages are being started? Especially the cache one?  As for this instance in question, was the caching feature working previously? Or might this be the first time you tried using caching in a query on that instance? If it was running until recently, what changed since when it was working? Beyond the update questions above, beware that some changes don't take effect until a cf restart, so you can't look at just "what was changed the day it started failing": it could have been a change made well before that, after the last prior restart. You can see when that was using the server.log, among others. Compare especially the ehcache.xml between the working and failing instances. It's in the lib folder under each instance's folder You may even want to compare other aspects of the admin configuration between them    I'll add that doing all the above may seem daunting, but someone experienced doing them could do it all quickly. It's just not easy to communicate here EVERYTHING to consider in each task.    If you don't get resolution soon either on your own or from our help here, and if you need this solved ASAP (rather than waiting hours or days), I'll add that I can help solve this via remote screenshare consulting--likely in as little as a half hour, maybe less. For more on my rates, approach, satisfaction guarantee, online calendar and more, see the consulting page at carehart.org.   Let us know if you solve it or have answers (you can just offer the numbers) or might offer feedback on the above.  ... View more

Wonderful, thanks so much. I'd checked your blog back in April when this was introduced, but somehow missed this June post. I'll double check my rss follower, as I don't want to miss any of your posts. 🙂 Thanks for your ongoing work in cf security! ... View more

@Brian__, good stuff. Thanks. Can you elaborate on your final point about sandbox/multi-tenant?  ... View more

@wtlaughlin, any update on things? ... View more

@shashank_4461 My question of 3 days ago really is pertinent, not impudent. I hope you'll consider it and let us know a bit more, to be able to answer you correctly. ... View more

Before sharing alternatives, I'll note that you should report that to Adobe. They may or may not see this discussion. Simply send an email to cfinstal@adobe.com.   As for alternatives, note first that those who buy cf are given a login to a different place, so this does affect only those using that trial page (which doesn't diminish its importance: I just mean that's an alternative  available to some but not all). Those are either account.adobe.com/products or licensing.adobe.com.    But some will want to consider getting cf installers from cfmlrepo.com, managed by community members with, installers back to CF1.5 (seriously!)   Finally, if one wanted only the zip installer (a new approach since cf2021, quite different from and perhaps not suited for many preferring the traditional installer experience), that's offered both on that trial download page (not working for you) AND at the cf downloads page, https://helpx.adobe.com/coldfusion/kb/coldfusiondownloads.html. That page does NOT offer the full installers. The cfmlrepo site offers both kinds.  ... View more

Before giving up (and before others might go to the effort to confirm if it works for them, and before others might chime in with various alternatives), let's see if we can fix your root cause problem--and perhaps benefit others who may find this later.   Can you first try simply using your browser's new incognito/new private window feature? (Or you could just try another browser.)   The thing is, usually such form submission oddities at the Adobe site come down to being cookie issues, as they are often numerous, exacerbated by the various enterprise software used in Adobe sites.   So of course yet another idea would be to simply clear all cookies for the site, but that's not something many are familiar with. (And while some resources suggest clearing ALL cookies in the browser, that's over-the-top and I'd never recommend that.) Just trying a new private/incognito window is easier and has no ongoing potential impact like clearing cookies can.   Please let us know if you try. (It certainly could be that there IS a problem at the site, but that's rare for that particular page.)  ... View more

Yes, in answer to your first question.    As for you renaming the .cfmail file to .txt, why? Try skipping that step.   Also, your screenshot is missing the bottom line. Watch that for encoding info.    Most important, recall that your edited file may have been messed up by a previous edit.   If you want to "prove" that this process works, cut a newly created cfmail out of the spool, edit it (simply replacing the password line, though not "needed"), then save it back into the spool. Does it get out?   Then the problem HAS to be in something about the previously failing files you're editing.  ... View more

Good to hear.   But you also changed the cf2023 saml config to point to that new location also, right? Just pressing since you say you're updating your notes to follow next time. And did you catch how cfsetup can also be used to make that specific alteration, if you're wanting to automate it all?   Finally, to help those who'd find this in the future, would you regard my first reply as suitable to being marked as an answer? You should see a button under it to do just that.  ... View more

Yes, that was my point 3...which built on the previous two.  ... View more

dchan@gfc.state.ga.us, you're on the right track with your approach. As for why it failed, that's not clear. But I have a suggestion.    1) First, yes, the root problem is that when the cfmail ran while the incorrect smtp server password was defined in the admin (or cfmail itself), cf put an encrypted version of that into each mail file. When it could not be delivered, it was put into undelivr.   The next problem is that Cf does not itself alter that mail in undelivr when you may correct it in the admin.  So yes the solution is what you did: create a new mail, catch it in the spool folder, copy that password line (and user name if it changed), and replace the corresponding lines in the undelivr mails that failed for that incorrect username/pwd. Then move them back into the spool.    None of that is new or changed in any cf version or update. And none should require cf be stopped. I've done this hundreds of times helping people over the years.    2) So why the error? Well, first I would wonder if you made any mistake at all in replacing those two lines. We can't know from your screen shots.    And even if you made the exact right cut and paste you should have, the problem may be that the editor you used injected a special character or changed the encoding to be different from what it started as. Did you edit the mail file on the server? With what editor?   (Indeed, I would always warn folks doing this to SAVE a copy of the mail file before manipulating it, in case anything goes amiss. Then you could compare them to your change to confirm differences.)   2a) As for that potential editor difference, it may seem "too late" for you with those failing files, but not necessarily. Editing them on the server (running its OS) with something simple (like notepad) might suffice to rectify things. Or you may need to use a better editor giving more control over things, like vscode.   3) Until you fix the bad files (of either kind), you may want to remove them from undelivr so that you need not worry about putting them back in the spool (if you get new ones that fail delivery to the smtp server for some other reason).    Finally, while it's fortunate you don't find the (new) bad file remaining in the spool blocking ALL mail sending, if one did they'd just want to remove it from the spool folder.   Hope that helps. You absolutely should be able to do what you're attempting.  ... View more

Bkbk, it seems you've missed that Matthew has clarified that Cf does run. It only sometimes fails, and that only on shutdown.   The jmv issues you outline are indeed among the valid reasons someone may find cf to NOT start at all. But that's not Matthew's problem here.  ... View more

Let me try to help. I welcome clarifications from others or clarifying questions from you.    1. The sudo command (in Linux, Unix, macOS) is used by a non-root user to temporarily elevate to having root privileges, to get something done.    That's safer than logging in and running literally as the root user, as you could do things by mistake which could have wide-ranging impact, or you could fall victim to a vuln that now also would have that impact.   Of course, for an account to be able to DO that sudo command (or the related su), their account must be given that privilege by someone running as root (or already defined in sudoers).    2. If it helps, the corollary in Windows is the "administrator" account, and how another account can be put in the Administrators group. One COULD just login as administrator, or by being in the admin group you may have noticed windows offer the option to temporarily elevate your privileges to perform some operation.    (Also, FWIW, recent Windows versions even now allow one to enable sudo as a command, so you can intentionally run a given command with admin privileges--again assuming you're in the admin group.)    3. So to your original question, that's why the installer could be installed as root or via sudo, to the same effect. There's one important additional point.    Note that the Linux cf installer specifically ASKS what user to use to RUN cf, which can be different than the user INSTALLING it. That relates to the above, in terms of what permissions "cf" would then have. And one can create a user to run cf, giving it ONLY what permissions it needs to done what cf needs to do (discussed in the lockdown guide).   (In Windows, the cf installer sadly doesn't ask but just sets up a service that runs as the special "local system" account, available for such services. We have to change it to another account manually.)    BTW, all this is also why one would NOT want to put the user running the cf service into sudoers (on Linux, or the  Administrators group in Windows), as that would make it just as capable of causing trouble as if it WAS the root (or "administrator") account.   Does all that make sense, and help with your question?  ... View more

Thanks for the update, and the clarification. Sorry I misinterpreted it as a problem of startup rather than shutdown. So that's indeed different. And glad a couple of ideas helped still.    And no, there should not be the crash on shutdown either. So the next question would be: how long is cf taking to stop when you do that at the cli? It shouldn't be more than 30 seconds.   There WILL be an answer AS TO WHY it takes longer. And I already have ideas and diagnostics to consider. But let's start with this first question. It would be a lot to write to convey what I have in mind, and if one thing didn't work then the results of it could influence what I'd propose as the next.    If we might solve the problem in less than an hour of a shared desktop consulting session together, might your folks be open to that? You'd not pay for time you didn't value. For more, including my rates, approach, satisfaction guarantee, online calender and more, see carehart.org/consulting.  ... View more

And he knows more about security than I've forgotten. 🙂   ... while you, Dave, are on a pedestal in my mind that's too high to ever be eroded by any lack!  ... View more

Yep, what Dave says, on why this was a challenging one to answer--especially succinctly, which is why I left it to others also rather than write a blog length reply. ;-} As always, Dave hit the key points in short order (as others here could, also).   I'll elaborate on one part: to your second bullet, this is where a group would help especially. You could consider putting the user running cf and the user wanting to manage things in the same group.   The first step would be deciding what file permissions are needed for the users/groups, and then running the cf service as that user/group. As Dave said, setting up services varies depending on the Linux distro (and even options within that).   Finally, you will find the cf lockdown guide covers some of the very matters we're now discussing. It's available online for any version of cf, easily found via searching. I'd recommend you check it out. And Pete (Freitag, who wrote it under Adobe's authority) may well have more to say here in reply.    As you encounter more specific challenges, do let us know.  ... View more

Can you clarify first what you mean by a "static cf site"?  ... View more