Making JEE Session Tokens "Domain Cookies" in Tomcat

This post is not ColdFusion specific, but this came about while using ColdFusion 10 with the Tomcat servlet container that comes with it.

Ray was asking today about making Domain cookies with Tomcat and CF10 while using JEE Session Tokens (JSESSIONID). When using ColdFusion Session Tokens (CFID/CFToken) this is a trivial matter, because we have complete control over the cookies which are set.


Giving more memory to the Tomcat Service in Windows

I've been setting up our super-awesome new server this week and last night I ran into an issue that I thought I should blog about.

This is a Windows Server 2008 R2 64-bit machine with 8GB RAM and I am installing ColdFusion 9 running on Tomcat 6. And, as with everything Tomcat related, it was a pain in the ass and the documentation sucked.

To add Tomcat as a Windows service is pretty easy.

You just run:

<%CATALINA_HOME%>/bin/service.bat install

For those that don't understand the notation above, CATALINA_HOME is the directory where Tomcat is. So in my case, we are going to N:\tomcat\bin and running service.bat.

This sets up Tomcat as a service, but by default it only gives it some tiny bit of memory to work with (256m or something, like it's 2002 again). So, of course, the moment I deployed a second instance of ColdFusion 9 on this container, I started getting "java.lang.OutOfMemoryError: PermGen space" errors.


Wha sup, yo?

Wow. Things have been busy and I have been neglecting my blog. I feel bad about that. My blog is so important to me, and things have been keeping me away.

I am a teacher at heart. I love to teach. That is why I blog, that is why I present at conferences, and that is why I am going to grad school. So the fact that I have been unable to blog for a while upsets me greatly. But I want to tell you a little bit about why. This is not about making excuses. This is about what is keeping me busy and what I am learning about. It will also motivate me to blog about these things, and that's the important part.


Session token rotation REVISITED - Security Series #12.3.3 and #6.4.3

I posted on Friday about my experimental code for session token rotation and I got some great comments (thanks Peter and Brian). Brian stated in his comment that because I am using a <cflocation>, which is a 302 HTTP redirect, it could cause problems with legitimate deep-linking, plus, using <cflocation> feels like a hack. I agree with the latter. I was not happy with using <cflocation>, but it was all I could think to do at the time.

So I gave it some more thought this weekend and came up with a new way of doing it that uses <cfhttp> instead of a redirect. I am MUCH happier with this method for a couple of reasons.


BlogCFC was created by Raymond Camden. This blog is running version 5.9.1. Contact Blog Owner