A couple more related points:   1) Beware also that cf2021 itself reaches end of life (no more updates, including security updates) in just 5 months: Nov 2025. And no, buying Adobe's offered "extended support" does not grant you access to another year of updates. More on both those points in a post I did (pointing to their info) at https://www.carehart.org/blog/2025/1/9/coldfusion2021_end_of_life_nov_2025   2) As for your saying, "the version of CF will not work", do you mean cf2025? What doesn't work for you? There may be a workaround that solves that--and it may well be needed to move even to cf2023 or 2021. You really should NOT be running on cf2018 or earlier, or soon even cf2021. The risk of unpatched vulnerabilities is severe, once Adobe no longer updates a cf version.   3) Finally, if you find it challenging to move to a given version, I'll add that if you can't find adequate resolution from Adobe or the community, I help people solve those troubles every day in my remote consulting, often solving nagging problems in hours if not minutes. More at the consulting page of carehart.org.  ... View more

Yes, there is a solution for you, from a reseller, where you buy cf2025 but backwards license it to cf2023 or 2021. For more, see: https://fusion-reactor.com/blog/navigating-adobes-new-licensing-model-how-to-access-older-coldfusion-versions-in-2025-via-buy-adobe-software-com/   (CF2018 is no longer updated by Adobe since mid-2023, including security updates, so it would be unwise to use that.)   To be clear, Adobe's web site does indeed offer only cf2025...and this is nothing new: it's always been that when a new version comes out they stop selling the old version.  ... View more

Glad to help, and hope we may indeed learn more in time.   I'll add that the real pain about this change (for many) is that they're encountering the error regarding vars they're not even passing in directly (to such remote methods). Instead, it's turned out that Cf has always passed into such remote methods ANY url or form fields that may be defined in the flow of the request. Once can dump the arguments scope to see that happen even in earlier cf releases (assuming you're calling a remote method and have some url or form fields defined, including via cfset, cfparam, and more).   The challenge with these is that it's not easy to know WHAT such vars may exist, to add them as defined arguments. And worse, your method may not even USE them, so defining them as args can seem all the more awkward and even counter-productive.   But after this May CF update, such will lead to errors, which forces many to consider using that jvm arg to "stop the madness"....which then leads to your reasonable question.   This is discussed some in my blog post about the update from that day, including someone sharing that they'd opened a tracker bugs report on the matter.    Something I've been wondering is whether Adobe might do for this what they did last year, when they came out in April with a patch to help with a similar challenge regarding the March update. That's the one that stopped CF from searching implicitly into several scopes if none was defined for a variable.   The "patch" (a jar), if added to your cf, would cause it to now LOG whenever such implicit scope searching was done--assuming you'd added the jvm arg to allow that again--which helped you FIND when it was happening. The log entry named the template and bar name in question (though sadly not the line number in your template).   Anyway, I'm saying that such a patch would help for this problem as well. I'll go add this now as a suggestion on that tracker ticket, if no one else yet has. Sadly, this update (like that one last year) will be tripping people up for weeks, months, and even years to come as they move from earlier updates (or earlier cf versions) to this update (or later cf versions).  ... View more

There's been no indication that it will "go away". Those added last year that were to "go away" (in cf2025) did indicate that. But I realize you'll want to hear from Adobe. They may or may not reply to you here.   As for that meaning you can "dispense with any rework", you do that at your own risk...at least in that Adobe didn't add this change cavalierly, just to piss people off and make their lives difficult (despite what antagonists may assert). They did it to protect us against a known vulnerability...though we have no more info than what they say in the apsb for the update. It's not clear if this is a vuln that affects just our own code (where we may see no vuln) or something Adobe implements (where we may not readily realize the risk to us).    That said, the apsb does (for now) say that there are no known exploits in the wild. So can we just do that jvm arg and call it a day? Well, it comes with a risk (as yet undefined), so it's not something that WE should do cavalierly...though we can do it judiciously and with due caution. 🙂 And perhaps in time we'll learn more about what is the real risk to beware.  ... View more

That's certainly interesting to hear. Either something changed again about the format of the key/password, or somehow Adobe forgot to include this fix in 2025 (which seems unlikely).   Either way, you may or may not get any reply from them here. Your best bet is to report it to them either via cfsup@adobe.com or by opening a ticket at tracker.adobe.com. The latter will benefit more people, as it would be viewable by all.   In fact, someone had reported it back in 2023, before it was fixed for those versions. Indeed, before writing my first reply here I'd seen that someone had commented there that it was happening for them on 2025.  You'll see I'd suggested to them also to open a new ticket, since that one was marked fixed back in 2023.   If you do file a new ticket, please do share the link here and there, so that interested folks can add a vote or comment and follow along in any news there from Adobe.  ... View more

Well, this was a known issue prior to it being fixed in cf2023 (and 2021) in the Oct 2023 cf update. That's update 5 for cf2023. What update are you on?   Here's the indication of it being fixed back then: https://helpx.adobe.com/coldfusion/kb/coldfusion-2023-update-5.html#bug-fix ... View more

Guys, while it's great that judo has solved the problem with hard-coding the scope, let's clarify about solving it otherwise.   First, despite what the docs say, the jvm arg IS in fact supported in cf2025. Adobe reversed their plans after that March 2024 update that introduced this. (FWIW, they did not reverse their removal in cf2025 of the similar cfmx_compat arg that came out with the Apr 2024 update.)    Second, though, note that the ability to control this at the app level (setting searchimplicitscope in cfapplication or in an application.cfc) was NOT indicated to be removed at all. It was only the jvm arg approach--which has been reversed for now.    All that said, there's certainly a security argument for correcting code rather than app or jvm level settings.    ... View more

Brian, thanks for the update and you've shared a lot that I and others could respond to. But let's start with something simple.   1) In your last point you refer to the code failing (with these session errors) because of line 130 of index.cfm, at the indicated path. Have you checked that? If so, what is it doing that has to do with sesion vars? We DO want to know (for now) what code it is that's failing. (I realize it may well be ANYTHING to do with using session vars. We want to KNOW.)    1a) On the other hand, you may say that either there IS no line 130 in that file, or no CFML on that line 130, or that whatever CFML is there seems to have absolutely nothing to do with this error. This is a common problem, but you CAN find the CORRECT file: see the exception.log (in the same cfusion/logs as other CF logs). What does THAT say is the actual file, whose line 130 has the error? And what does that line do? Can you share it? Or if not, can you tell readily what it says it's doing?   2) You say you created a test folder with a simplified application.cfc, and it works. That's great. And you do confirm that works after a box restart as well, right? (That's very odd that you have ANY issue that occurs ONLY after a box restart and not just a CF restart alone. For now, let's leave that one alone.) I just mean to say it seems in your interest to confirm that this test app works after such a box restart. Please confirm.   3) But you say also about this test app that it "is not using the session manipulation methods we normally use in our real application.cfc ."  I'm very curious to hear what you are referring to there. Again, I'd said I'd never heard the term "session manipulation methods", until you mentioned initially here that you were getting the error, "Enable SessionManagement to use Session manipulation methods."   So what ARE those "session manipultion methods" that you "know" are in the real app and not this test one? What happens if you add even ONE of them to this test app? And please tell us what it is. (And is it what you find gets reported as being on line 130 above?)   4) Finally, again focusing for now on just this error, you've not indicated in any of your notes if you had done what's discussed  in comments here BEFORE yours (and in recent technotes), about the value of "clearing the felix cache". If you know what that is, had you done it after the update?   If you don't know about it, it's the recommendation (in some CF update technotes and being made generally by folks like myself to do after ALL CF updates) where you stop CF, delete the folder cfusion/bin/felix-cache (no need to "save it"), then restart CF (which will recreate it and all its contents). It has to do with clearing out java jars and classes implemented by CF based on whatever CF package versions you had that may have changed.   4a) Then do your tests again: the real app, the test app, and confirming also if they work after a box restart (not merely a cf restart, since you say that's its own issue.   Looking forward to hearing what you  ... View more

Noel, while the original problem (of the missing files) might be solved by obtaining them from Adobe at the email offered in the comment above, as for your asking instead how to SKIP the migration process I might have an answer for that.   I did a blog post back in the cf11 timeframe where I documented the file and lines you'd need to edit to cause cf to stop trying to run that migration wizard (once you'd told it to run but it fails). Granted, that focused more on when the migration page was hanging, while yours is erroring. And even though it's from several years ago, the file and its format remain the same (just use a path and values suited to your later cf version).   See my post, specifically the final section, 'Setting the "wizard" to not run at all'.  No cf restart is needed after going that.   Let us know if that gets you going.   Also, let us know if you get the files needed from Adobe or elsewhere. (I'm writing from a phone and so can't offer them to you, if it may be as simple as copying them from a cf2023 or 2021 install.) Or maybe someone else will offer them, though in an earlier comment above you sought only "an official Adobe download source".  ... View more

Ok on all that. In the meantime, you could at least take a chance and use a tool to search all your cf files (*.cf*)looking for the quoted text of either of those error messages.   Better editors (better than notepad) can do that fairly easily and quickly, while tools devoted to the task can do it faster, and across even your entire drive in seconds or minutes. I'd recommend FileLocator Lite (from Mythicsoft) which is free even for prod, and should have no negative impact even if run  directly ON a prod server. (Again, quote the string to ensure it finds only that phrase and not just files with those words in any combination.)    Let us know if you get to do that search. (I realize you may be wanting to put this all entirely on a back burner until your next maint window.)  ... View more

Thanks for the clarification. So first, I want to note that the update install log would still be available for you to assess, even though you uninstalled the update (unless of course you reverted a backup or snapshot).   But then again I'm now starting to wonder if this is indeed an error in cf itself. The fact that you're saying it happens only with application.cfc. That just doesn't sound like a problem that CF alone report. Indeed, that led me to search for the two error messages you reported, "Enable SessionManagement to use Session manipulation methods" and "Session management is not enabled".  I don't find a single occurrence of them. But they sure sounded like cf errors. :-). I'm wondering if instead they're your own error messages (from your app, I mean). I realize that may seem unlikely. 🙂    But let's just have you try something, which will take only a moment: create a new folder, and in that create an Application.cfc, and in that just set sessionmanagement="true".  Then create an index.cfm or another file and have it try to set a session var.  If it works, then it would sure seem that what you're getting is not a cf error.    Further, I can't even fathom what's meant by the message reporting it can't "use Session manipulation methods".  There are no "Session manipulation methods" in cf that I can think of.   Let's see what you may find and take it from there.  ... View more

Brian, if you're concluding (or warning) that folks should beware of this happening upon updating, I can say it has not happened to any of the dozens of instances I've updated or helped others update this week.    As such, whatever is amiss for you seems quite unique. And perhaps Adobe or someone else will step in with a ready explanation/fix/workaround. Until then, I'll ask some questions. First, what platform are you on? It might be helpful to hear.    Second, you say the "updater completed without any errors". How are you measuring that? By the pop-up msg at the end? Or by the update install log within hf-updates? And did it show 0 fatalerrors and nonfatalerrors? It's possible that's where something went amiss.   Next, did you confirm there weer no new errors during the startup, as tracked in the coldfusion-out.log? Look especially during the startup which followed the update. That should show uninstallation (only) or any packages update (it never shows their "installation" after that).   Before you might report the various errors you may/will see, please do look also at the log's tracking of the startups BEFORE the update: we're only focusing on what errors are new on the startup AFTER the update. (And if you've since restarted cf and your issue remains, you could assess as well the startup logs for that. But look especially at the first startup after the update, which alone should have attempted the package updates.)   Let us know what you find. And if no other solution comes up from others, I suspect I could help you get things working (via a remote screenshare consulting session, in perhaps as little as 15 mins, even this weekend). If I can't help, you'd not pay for my time. If we found some new bug, you could report it to Adobe. Or again they may offer you direct help,.or someone else here may provide a solution.  ... View more

Glad to have helped. Hope it goes well for you, there or here.  ... View more

Alexandre, since you're using cfwheels, you may get better help at the site and forum devoted to that, a s offered at https://cfwheels.org/.   Then, too, the fact that you show using a server.json file tells us you're using commandbox. And as that uses its own web server by default and has its own rewrite capabilities, you may well need to look at this from a Commandbox perspective. And for that you might want to raise this at the ortus Commandbox forums, https://community.ortussolutions.com/c/communities/commandbox   But perhaps someone may step in here, recognizing something to suggest based on what you have shared.  ... View more

Flipout, I really think you have something else going on there in your environment--perhaps a proxy or firewall or a/v tool that is making that manipulation. Here's how you can prove it.   Change the URL in your code to call this domain instead:  https://httpbin.org/delete   As you may know, httpbin.org is a nifty service that allows you to make calls and see what IT received. The front page explains how it works.  When I run it with your code, it shows just the accept you expect.   Finally, BKBK, while it's true that folks should stop using the http cfc (and CF2025 removes it), ntoe that you don't need to switch to tags. There is the long-existing (since cf11) cfhttp statement. His code could be written as: <cfscript> cfhttp( url="https://httpbin.org/delete", timeout=5, result="httpServiceResponse", method="delete" ) { cfhttpparam( name="Accept", type="header", value="application/json" ); cfhttpparam( name="cfId", type="header", value=session.CFID ); cfhttpparam( name="cfToken", type="header", value=session.CFTOKEN ); } writeDump( var=httpServiceResponse ); </cfscript>   As always, just trying to help. I hope you both will let me know what you think of the above. ... View more

Thanks for sharing, Roberto. Yes, this has been a step frequently mentioned in recent cf update technotes. I was surprised to see it not in this one, and I hoped it meant that at least those coming from the April update maybe didn't need to.   Really, I just now recommend do it after every cf update, as part of good hygiene. And I recommended it in my post this week on the update.    If nothing else, I hope Adobe will consider whether that suggestion to do it should be added to this latest update's technote.  And until then, let's hope this suggestion of yours helps others finding this post.  ... View more

@SaschaD , first it may surprise you to hear but I don't get that error, on any machine running CF2025, whether update 2 or 1 or 0, and as tested on multiple machines running both Windows and Linux.    If you may want to see it for yourself, run the code on either or both of the sites, cffiddle.org or trycf.com, which let you choose what CF version to run on. That's a helpful tip for when anyone wants to test such things on a machine other then their own.   And here's some code that anyone could try, which reports also the CF version, update level, and OS: <cfscript> writedump(var=server.coldfusion,abort=true) </cfscript> Let us know what you may find.   As for the error you get, if it proves to be unique to your own machine, one thing to consider is whether your application of any update to CF2025 may have had an error. It can happen. See the update log found in cf's cfusion/hf-updates folder, in the folder under that for the latest update you applied, then within that folder see the longest-named log file, which includes the date/time you ran the update. Then look at about line 70, to see a table tracking the count of successes, warning, fatalerrors, and nonfatalerrors. Are the latter two non-zero? If so, try re-running the update. (I also have a blog post with more on dealing with CF update problems.) ... View more

Michael, you've not clarified when it worked before and when it stopped working. Also, the timeout may be misleading.    Since you're experiencing this with cf2023, note that the Oct 2023 update (https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-17.html) indicates in "bugs fixed" (not so obviously) how--if the server you're talking to uses md5 and rsa--cf no longer supports that by default (for security reasons). If that may be your situation, you need to tell cf to allow for that, by adding these to the java args for cf (in the admin or jvm.config file): -Dcoldfusion.sftp.enable-ssh-rsa=TRUE -Dcoldfusion.sftp.fingerprint=md5 And it's also now indicated for cf2025 as well in the cfml reference for the cfftp. Even if it does not SEEM like that's your situation, it's easy enough to try.    Let us know if those get you going (after a restart of cf). If not, there may be more to consider before giving up.  ... View more

Thanks for the update and the kind regards. I suspect points 1 and 2 were sufficient. Point 3 is and has long been asserted to be valuable but I've not found it to be nearly as important.   And while sometimes such improvements may be sufficient going forward, other times it's only a stop-gap and the problem returns. In that case, while raising things still further may suffice, generally the next step would be to find and stop whatever is DRIVING the need for more memory. Sometimes it's about unexpected traffic (in nature, volume or both),  sometimes it's about coding or configuration, still other times it's about a bug.   And sometimes Adobe has a bug fix. You're on cf2023, but even with the latest update (from April) there's a known bug causing a memory leak caused by use of caching, including query caching. Ask Adobe for the fix for cf-4244890 (a private bug, not listed on tracker). It's been a solution for other folks I've helped recently. But your issue could have some other cause, of course.   Again, though, perhaps you'll have. I further memory issues. Hope it's so, for your sake.  ... View more

For folks who find that the PDF services feature (and the related add-on service) have trouble after the update, note that the update technotes for CF2023 update 13 and CF2021 update 19 have been updated, with a new last item in the "known issues" section to address one of the issues.   You'll see it offers the few steps needed to correct the problem of missing files in the cfusion\jetty\webapps\PDFgServlet\WEB-INF\classes\coldfusion\pdf\service. Note that the process offers a zip (for each version) with the needed class files, rather than the approach of downloading and extracting from the full add-on services installer which was a workaround some had helpfully offered. This doesn't address the issue of the missing jetty-ipaccess.xml filethat some experience (though not everyone).   I'm just a fellow traveler/messenger here: I have nothing to do with the work Adobe's doing sorting out these problems. ... View more

Paul, why do you keep trying to look at that temp file? And you're not even doing the cffile action="upload" in that example? Why not? Especially when things worked in the previous example output you showed (that DID do that)?   It seems you feel some compelling motivation to grab that file. It's not for you to do: it's for that cffile upload action to do. I explained this in the first reply, last week, 36 replies ago, and with more detail in the blog post I pointed to then. Have you had a moment to read it? It could help you.    Otherwise, why are you insisting on touching that temp file? What's your motivation? This has gone on too long, so it's time to get this clarification--on your end or ours.  ... View more

So @bartlebyBC , which is it? 🙂 I got notification about 90 mins ago that you had marked both replies above (and others) as "answers"...but they conflict with each other. You're the ultimate judge: what was the result? That will be as valuable as the marknig of "answers", which of course is appreciated. ... View more

Michael (and Matt, Tuan, et al), I'll repeat the offer I'd made to Matt as the first response here in Feb 2021. I promise we will solve your problem or you won't pay for the assistance.   I can understand preferring to await someone else offering "the solution" (and I said that then, and again above in my reply to Tuan and Matt in 2022). No one else ever suggested the magic bullet to put down this ghost in the machine. And I don't recall they ever took me up on the offer of direct help.    Michael, I appreciate that you've tried to assess things with the pmt--and that you feel the box is more than capable so that it should not fail. Yet it has. There will be an explanation.   We may be able to find and resolve it in less than a couple of hours, perhaps even less.  I do it daily, helping when even teams of smart folks may have struggled for days or weeks. That's not bragging; it's simply that they don't likely attack such knotty cf problems day in and day out, and so I might connect a dot they missed.    And I can offer time today even, this morning--or next week or whenever. We can even arrange evenings or weekends if necessary (but it should not be) More on my rates, approach, satisfaction guarantee, online calendar and more at carehart.org/consulting  ... View more

Paul, I honestly think you'll save yourself time and frustration to abandon having us focus on all that code. Instead, create a simple several line template to do a prompt to upload a file, then (in the same or another template) do cffile action="upload", and dump the cffile scope.   Does that work? That will tell you if there some issue on that server that somehow preclude uploads. It may not. In that case, then you can figure what differs with your real code.  ... View more

Great to hear, Dom. And thanks for marking the answer. Now we'll attend to Scott's different issue. And one could argue it's OK for both to be discussed here, given the generic nature of the title you'd originally chosen. 🙂  ... View more

If you mean a generic xml validation tool, that's not at all where I was headed (also, cf does such generic validation in loading its xml files). But I appreciate you're just trying to facilitate things.    I'm referring instead to the nature of the xml elements, as far as how cf loads and processes that. I've certainly seen problems over the years where a neo xml file is "valid" generically but cf would not process it.   As an example (I'm not saying it's your case), some folks will bring one or all neo xml files from one CF instance to another. Sometimes that's fine. Often it's not, for any of many reasons. Again, I'm not saying you did that. I'm simply proposing that your validation, if generic, is insufficient.   And I understand you'll just want the bug fixed. But Adobe needs to be able to recreate it, to fix it.    Again, I took the time to implement cf2021 update 18, as you indicated, and I could add and edit sp's. Further,. I did it first filling in only the required fields, then all fields, and several permutations in between. I'm just trying to help.    Perhaps a concern you have is that you have dozens of sp's you'd need to redact. Understandable. If you reduce it to one--for this testing, and it fails this way (after restarting cf), then at least you need only redact the values for that one.  ... View more

You could remove every value (not any xml, just info between quotes, or names, etc.) . There would be then nothing unsafe or private about it.  ... View more

Would you be willing to share privately the xml file? I'd compare it to a working one. Perhaps there's something amiss, some subtle difference. My email is charlie@carehart.org.  ... View more