Whats new in CF10, 11, 2016

WHAT'S NEW IN CF 10, 11, AND 2016
THAT YOU MAY HAVE MISSED?
Charlie Arehart, Independent Consultant
CF Server Troubleshooter
charlie@carehart.org
@carehart (Tw, Fb, Li, Slack)
Updated July 17, 2017

TOPICS
 Introduction
 For each release:
 Key Major Features
 Key Minor Features
 Key Admin Changes
 Key Security Changes
 Key Hidden Gems
 Key Changes Per Updates
 Licensing Changes
 Compat Issues / Gotchas
 Resources

ABOUT ME
 Focus on CF server troubleshooting, as an independent consultant
 Assist organizations of all sizes, experience levels
 Work remotely 99% of the time, safe, secure, easy (via shared desktop)
 Focus is not just solving problems but educating you
 Satisfaction guaranteed. More on rates, approach, etc at carehart.org/consulting
 Love to share info, with my clients and the community
 Active blogger
 Speaker at nearly every CF conference
 Contributor to/creator of many CF community resources
 Online CFMeetup, CF411.com, UGTV, CF911.com, CFUpdate.com, and more
 I also happen to be manning the FusionReactor booth on and off. Stop by

INTRODUCTION
 Been chronicling CF feature changes since 3.0.1
 Can’t cover here EVERY change, let alone demo
 Hidden gems talk on each version
 Goal: broad-brush review of key things
 Across those several common categories
 “Major/minor feature” distinction is somewhat arbitrary
 And some “admin”, “security” changes may of course also be “major”
 Success: everyone comes away learning several things that they want to try
 Slides carehart.org/presentations

CF10 KEY MAJOR FEATURES
 Change from running on JRun to Tomcat
 Initial support for REST
 HTML5 charts and videos, geolocation support
 WebSockets
 Web services: AXIS 2, WSDL 2, SOAP 1.2, document literal wrapped support
 Substantial increase in “tags as script”
 Many security and language enhancements (later here)

CF10 KEY MINOR FEATURES
 Implicit notation for arrays, structs
 Option to use : separator for struct key assignment, as in var:value
 Implicit constructors for CFCs, implicit gettings/setters; method chaining
 Closures and inline functions
 Support for openauth: CFOauth (facebook, google, ms, github auth)
 Updates to embedded libraries (jvm, ehcache, solr, more)
 Developer edition no longer restricted to NN ips, but 2 simult requests
 Amazon AMI

CF10 KEY SECURITY CHANGES
 “Secure Profile” feature (choice at installation only, in CF10)
 Many security enhancements regarding XSS, CSRF, Session Fixation, etc
 New sessioninvalidate and sessionrotate functions
 New “Session Cookie Settings” on “Memory Variables” page
 Verification of mime type on CFFILE uploads (optional STRICT attribute)
 CFPOP adds SECURE attribute for use of SSL/TLS
 New canonicalize, encodefor*, decodefor*, csrf*, decodeFromURL, hmac
functions
 Admin:
 New “Maximum number of POST request parameters” (Server Settings>Settings)
 Can now restrict Admin Access by IP Address (also asked during installer)
 Security>Allowed IP Addresses (bottom of page)
 Can now disable creation of unnamed application scopes (Server Settings>Settings)

CF10 KEY ADMIN CHANGES
 Automated hotfix mechanism
 Scheduled tasks: many improvements, and moved within Admin
 New directory structure: base instance is “cfusion”, as in
c:coldfusion10cfusion
 For Enterprise, Trial, developer editions, new instances created as sibling to that
 And each instance has its own jvm.config, and own “Java and JVM” admin page
 New audit.log tracks most changes made in CF Admin

CF10 KEY HIDDEN GEMS:
INSTALL/ADMIN
 Old “out” log (from runtime/logs or jrun/logs) now in main logs folder
 New password reset scripts (in instance’s bin folder
 New metrics logging feature (on “debugging output” page)
 Scheduled tasks moved to Settings section (from Debugging & Logging)
 New jQuery UI element for admin “browse” buttons
 Can now enable/disable RDS in Admin (versus knowing config file tweak)
 Several AdminAPI enhancements
 New Access log (tracking every request) [disabled by default in CF11+]

CF10 KEY HIDDEN GEMS:
LANGUAGE
 CFImage INTERPOLATION attribute to help performance of “resize” action
 CFLoop GROUP attribute
 CFStoredproc TIMEOUT attribute: time for each action within SP, not all
 CFInclude RUNONCE attribute
 New onAbort method for application.cfc (to handle CFAbort/abort)
 Support in querynew/queryaddrow to add data directly, simply
 New datetimeformat (and lsdatetimeformat) function
 New getApplicationMetaData and sessionGetMetaData functions
 Several get… functions for obtaining system information
 Enhancements to java loading, S3, Exchange, ORM, SOLR, image processing

CF10 KEY HIDDEN GEMS: CACHING
 Query caching now stored in ehcache by default
 Can be changed in CF Admin or application.cfc
 this.cache.useinternalquerycache, this.cache.querysize
 New CFQuery cacheregion and cacheid attributes for cache control mgt
 Via new removeCachedQuery function
 Can now clear CF’s template cache on per-folder basis, in Admin or Admin API
 New caching functions: cacheIdExists, cacheRegionNew,
cacheRegionRemove, cacheRegionExists, cacheRemoveAll
 Several VFS enhancements

CF10 KEY CHANGES PER UPDATES
 Of course, each update contains either bug fixes or security updates, or both
 And some contain several dozen bug fixes, which has been encouraging
 As well as various updates to Tomcat, some of which are important
 But some updates introduce fairly significant changes
 Update 11 added support for SQL Server 2012, MySQL 5.6, 64-bit COM
 Update 13 added support for OS X 10.9 (Mavericks)
 Update 14 added support for Java 8, Apache 2.4
 Update 18 added support for Windows 10, OS X 10.11
 More: helpx.adobe.com/coldfusion/kb/coldfusion-11-updates.html

CF10 LICENSING CHANGES
 New CF10 features that are Enterprise-only:
 HTML 5 Charts (limitation lifted in CF11), ORM Search, Data import handler for Solr
 Some aspects of new scheduler (chaining, listeners, exception handling, clustering,
more)
 Standard limits websockets to 100 simultaneous requests (limit lifted in CF11)
 …

CF10 LICENSING CHANGES (CONT.)
 EULA changes
 CPU-based, CPU defined as 4 cores, CF licensed for 2 CPUs (so up to 8 cores)
 Testing, staging, development remain free (as introduced in 9), as are backup and
DR
 VM licensing unchanged since 9, new Cloud licensing. Differences for Std vs
Enterprise
 Observe distinctions about CF Standard vs Enterprise vs Developer edition
 For questions, email cfinstal@adobe.com
 More:
 wwwimages.adobe.com/content/dam/acom/en/legal/licenses-
terms/pdf/Adobe%20ColdFusion%C2%AE%2010.pdf
 web.archive.org/web/20121223084925/http://blogs.coldfusion.com:80/post.cfm/coldfusion-10-
eula
 cfmumbojumbo.com/index.cfm/coding/coldfusion-10-eula-changes/

CF10 COMPAT ISSUES / GOTCHAS
 Web server connector conflicts with CF9, 10 connector in same web server
 Possible need of web server connector tuning
 Verity text search engine removed, Solr carried forward from CF9
 Web services changes may break compat
 See Admin-, application-, and code-level options to change wsversion, etc
 Single login at a time to CF Admin, for a given username (resolved in CF11)
 Need to “reconfigure” web server connectors after most CF10 updates (and 11)
 Challenges with 64-bit and MS Access, due to MS Jet Driver issues
 CF10 no longer updated, since May 2016

CF10 RESOURCES
 What’s new in ColdFusion 10
 help.adobe.com/en_US/ColdFusion/10.0/Developing/WSd160b5fdf5100e8f639b45501
29d6ce3d4f-8000.html
 With links to more substantial discussions for each set of new changes
 www.adobe.com/devnet/coldfusion/articles/coldfusion10-whatsnew.html
 tv.adobe.com/watch/coldfusion-10-deep-dives-for-developers/whats-new-in-
coldfusion-10/
 Security
 helpx.adobe.com/coldfusion/developing-applications/developing-cfml-
applications/securing-applications/security-enhancements-in-coldfusion-10.html
 www.adobe.com/devnet/coldfusion/articles/security-improvements.html
 wwwimages.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf10/cf1
0-lockdown-guide.pdf
 …

CF10 RESOURCES (CONT.)
 Book: Adobe ColdFusion Web Application Construction Kit: ColdFusion 10
Enhancements and Improvements by Ben Forta, et al.
 www.akbarsait.com/cf10tutorials.cfm
 www.seguetech.com/upgrading-to-coldfusion-10-feature-review-part-1/
 My talk, “What’s New and Different about CF 10 on Tomcat”
 www.carehart.org/blog/client/index.cfm/2012/3/7/charlie_areharts_ultimate
_cf10_new_features_list
 And still more

 Mobile app development/CFClient
 Full CFScript support
 Pixel-perfect PDF generation: CFHTMLtoPDF
 Many security and language enhancements (later here)

 App-specific datasources
 Charting enhancements (some compat issues, discussed later)
 helpx.adobe.com/coldfusion/developing-applications/working-with-documents-
charts-and-reports/creating-charts-and-graphs/charting-enhancements.html
 Functions as first-class citizens
 Member functions
 Elvis operator

 New dev/production/prod+secure profile install option
 Can enable/disable secure profile via admin
 If secure profile enabled, cflocation defaults to addtoken="no"
 Can lock down Admin by IP address (including Admin API, RDS)
 CFMail encryption
 CFHttp AUTHTYPE for NTLM login
 CFZip PASSWORD and ENCRYPTIONALGORITHM attributes
 Change limiting what file extensions can be CFInclude’d
 New Anti-Samy functions, issafehtml, getsafehtml
 New Generatepbkdf2key function
 XSS functions (encodefor...)
 www.adobe.com/devnet/coldfusion/articles/security-improvements-cf11.html

CF11 KEY ADMIN/INSTALL CHANGES
 New Express edition (not for production use)
 Can allow multiple concurrent logins to Admin by same user
 New secure profile page
 Support for session replication AND sticky sessions (separate options again)
 Auto-hotfix mechanism has new prompt to watch for success
 Web server connector offers new backup option
 And more

CF11 KEY HIDDEN GEMS
 Support for signatures in PDF creation
 CFOauth
 cf_socialplugin
 Spreadsheet, JSON, charting, websocket enhancements
 Over two dozen new functions
 New appiication.cfc variables: datasources[], strictNumberValidation,
compileextforinclude
 Things formerly enterprise-only now in Standard
 CF archive (car) mechanism (to move CF admin settings from server to server)
 Security Sandbox (to lockdown what code in different directories can do)
 Web socket limit lifted
 HTML5 charts

 Hundreds of bug fixes over all updates, of course
 Update 3 added support for Java 8, OS X 10.10 (Yosemite), SQL Server 2014, and
much more
 Update 3 also re-enabled long-dormant DBVARNAME on CFProcparam
 Had been ignored since CF6, except briefly in 7.0.1
 Problem: some DBs now require prefix to dbvarname value ( “:” for Oracle and “@” for
SQLServer)
 You may have old code that just says dbvarname = “param1”; would now fail
 For SQL Server, should be dbvarname = “@param1”
 Update 4: new jvm arg to revert (jvm arg workaround NOT supported in CF2016)
 -Dcoldfusion.ignoredbvarname=true
 blogs.coldfusion.com/coldfusion-11-and-dbvarname-attribute/
 Update 7 added support for Windows 10 and OS X 10.11 (El Capitan)
 More: helpx.adobe.com/coldfusion/kb/coldfusion-11-updates.html

 New CF11 features that are Enterprise-only
 PDF signature support
 Full DDX support
 WebSocket cluster support
 CFHTMLTOPDF cluster support
 REST multisite support
 …

CF11 LICENSING CHANGES (CONT.)
 EULA changes
 More changes regarding cores, VMs
 wwwimages.adobe.com/content/dam/Adobe/en/legal/licenses-
terms/pdf/Adobe_ColdFusion-Multi-20140214_1311.pdf
 See comments, blogs.coldfusion.com/announcing-the-launch-for-coldfusion-11-
and-coldfusion-builder-3/

 CF10 installer was removed when CF11 was released. See cfmlrepo.com
 Again, as of update 3, dbvarname (in cfprocparam) is suddenly *honored*
 See previous discussion
 CFChart issues
 Some original charting issues solved by updates (3, 4, 5, 11, 12)
 Removed: using XML to configure charts--now must pass json. Tool to help:
cfchart_xmltojson (bat/sh)
 helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-c/cfchart.html
 …

(CONT.)
 CF11 update 11 broke CFTextArea richtext editor
 Fix available: tracker.adobe.com/#/view/CF-4198259
 CF11 update 12 broke CFinput type=“datefield”
 Fix available: carehart.org/blog/client/index.cfm/2017/7/17/
 New, more aggressive deprecation/obsoletion
 mostly really old tags, like cfgraph, cfservlet, etc.
 wikidocs.adobe.com/wiki/display/coldfusionen/Deprecated+Features
 webdevsourcerer.com/index.cfm/blog/post/slug/coldfusion-11-finally-
deprecating-removing-things
 Access log which was enabled in CF10 is disabled by default in CF11

CF11 RESOURCES
 wikidocs.adobe.com/wiki/display/coldfusionen/New+in+ColdFusion
 helpx.adobe.com/coldfusion/release-note/coldfusion-11-release-notes.html
 wikidocs.adobe.com/wiki/pages/viewpage.action?pageId=140968014
 wikidocs.adobe.com/wiki/display/coldfusionen/ColdFusion+Language+Enha
ncements
 www.adobe.com/devnet/coldfusion/articles/security-improvements-
cf11.html
 www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf11/
cf11-lockdown-guide.pdf
 www.akbarsait.com/cf11tutorials.cfm
 www.seguetech.com/coldfusion-11-review

 Security code analyzer
 cfadmin/CFIDE folder no longer accessible via external web server
 cfscripts moved to separate folder
 Performance improvements:
 Option to change implicit scope search order
 Option to change array passing to by reference vs default of by value
 External session storage (store CF sessions in REDIS)
 Not J2EE sessions, but see blog.svajlenka.com/post/125784752315/redis-and-
coldfusion-because-why-not
 Command line interface (cf.bat) (helpx.adobe.com/coldfusion/2016/command-
line-interface.html)
 API manager (really a separate application entirely)

 PDF enhancements:
 Redaction, sanitization, export/import comments/metadata
 Archiving, attaching files, adding stamps
 adobe.com/devnet/coldfusion/articles/pdf-enhancements.html
 Safe navigation operator (?.)
 Not to be confused with elvis operator from CF11 (?:))
 Ordered/sorted collections
 Dozens of new, changed tags and functions, new member functions
 NTLM support for cfobject/createobject, cfinvoke, cfsharepoint
 Generation of swagger docs from RESTful APIs
 More

 Security Code Analyzer
 CFOUTPUT
 New encodefor attribute: names encoding type to be used for strings within its
tags (for html, htmlattribute, url, javascript, css, xml, and so on)
 Also offered as 2nd arg in writeoutput function
 For other tags, script, use encodefor function added in CF10
 Helpx.adobe.com/coldfusion/2016/security-enhancements.html

CF2016 KEY ADMIN CHANGES
 Requirement to use Akamai downloader removed
 New applicationintent field, in DSN settings for SQL Server
 New admin setting to disable “REST discovery” by API Manager

CF2016 KEY HIDDEN GEMS
 Connector changes
 No need to remove/add connector after updates (needed only once update 4)
 New "update" option within WSCONFIG UI
 UI now offers all 3 tunable args (Adds pool size, timeout)
 Better defaults, on Windows at least, for a 2-site setup (500/250)
 Now offers option to configure "all" sites (to use one connector) or "all - individually“
(each with own connector)
 Fixed to properly support multiple instances
 New “Advanced Settings" option to "skip iis custom errors“
 CFMAILPARAM
 New, optional filename attribute, to give different name for file attached to email
when using cfmailparam file attribute
 File points to name as on server, filename points to name as shown in email
 New CFLOOP item attribute, for loops over list, array, or file

 Update 2
 Added some new minor language elements, and ckeditor in favor of fckeditor for
cftextarea, etc (does not yet seem to be happening in CF11)
 Update 3
 Added more minor language enhancements
 Added support for IIS 10 (in Windows 10), Websphere 9
 Many tag/function enhancements
 Update 4
 Broke CFinput type=“datefield”
 Fix available: carehart.org/blog/client/index.cfm/2017/7/17

NEW INSTALLERS ADDING FEATURES
 New installer in Dec 2016
 Split off of API manager from CF installer. No longer GB+ in size
 Removed portlets, spry, YUI toolkit
 YUI used by cfcalendar, cfinput “autosuggest”/”datefield”, cfmenu, cftooltip,
cfsprydataset
 These will now break. Libraries can be added back, link offered here:
 helpx.adobe.com/coldfusion/deprecated-features.html
 Includes update 3 by default, and updated JVM
 blogs.coldfusion.com/coldfusion-2016-installer-refreshed/
 New installer in May 2017 (64-bit Win only) adds Windows Server 2016 support
 blogs.coldfusion.com/coldfusion-2016-support-for-windows-server-2016/

ABOUT CF UPDATES
 Lists of updates, links to technotes, and offers jar download links!
 helpx.adobe.com/coldfusion/kb/coldfusion-2016-updates.html
 Also available for CF 11 and 10:
 Again, updates are cumulative, need only apply latest!
 If you have troubles applying CF updates (in 2016, or 10/11), see my blog
post:
 carehart.org/blog/client/index.cfm/2016/9/6/solve_common_problems_with_CF_
updates_in_10_and_above

 Enterprise-only: Security Code Analyzer (SCA), API Manager
 SCA requires CF Builder 2016 and works only with Enterprise (not Developer)
 EULA
 wwwimages.adobe.com/content/dam/acom/en/legal/licenses-
terms/pdf/ColdFusion-2016.pdf
 Reach out to CF Product Mgr, Rakshith Naresh, with any questions
 rakshith@adobe.com

 CF11 installer was removed when CF2016 was released
 To “buy” CF11: blogs.coldfusion.com/post.cfm/adobe-coldfusion-backward-licensing
 Deprecated features (nothing obsoleted)
 CFMEDIAPLAYER, CFTABLE, CFCHART format=“flash”, CFFILEUPLOAD Flash component
 Report Builder
 helpx.adobe.com/coldfusion/deprecated-features.html
 carehart.org/blog/client/index.cfm/2016/2/22/cf2016_deprecated_features
 Update 3 DID remove support for portlets, spry, and YUI-based features
 Can be added back manually
 See bottom of helpx.adobe.com/coldfusion/deprecated-features.html
 CF2016 docs:
 Web docs lack any navigational features (left nav, breadcrumb, next/prev page, etc.)
 PDF no longer available (poor at first, being revamped)

CF2016 RESOURCES
 adobe.com/devnet/coldfusion/articles/whats-new-cf-2016.html
 helpx.adobe.com/coldfusion/whats-new.html
 helpx.adobe.com/coldfusion/2016/topics/features.html
 helpx.adobe.com/coldfusion/2016/language-enhancements.html
 helpx.adobe.com/coldfusion/2016/other-enhancements.html
 helpx.adobe.com/coldfusion/release-note/coldfusion-2016-release-notes.html
 helpx.adobe.com/coldfusion/home.htm (CF2016 docs)
 Video on CF2016 (8-minute overview): youtube.com/watch?v=Bm6dJjNSPNg
 adobe.com/devnet/coldfusion/articles/language-enhancements-cf-2016.html
 wwwimages.adobe.com/content/dam/acom/en/products/coldfusion/pdfs/col
dfusion-2016-lockdown-guide.pdf

SUMMARY
 So did I meet my goal?
 Do you see that there is a lot new in CF10, 11, and 2016
 Did you learn at least a few new things you want to try?
 Again, my contact info for followup:
 Charlie Arehart
 charlie@carehart.org
 @carehart (Tw, Fb, Li, Slack)
 And I hope you’ll stop by the FusionReactor booth …

FusionReactor Proud Sponsors of
cf.Objective()

 FusionReactor is the #1 Performance Monitor for AdobeColdFusion
 FusionReactor launched in 2005 –Version 7 planned for release in 2017
 5,000+ customers – in almost all industries and segments (incl. Government)
 25,000+ Servers running FusionReactor in production
 Visit our booth for a demo, more information + Keep Calm mug
 All attendees are eligible for a special 30 day extended trial of FR Ultimate
FusionReactor Highlights

Whats new in CF10, 11, 2016

More Related Content

Similar to Whats new in CF10, 11, 2016 (20)

Recently uploaded (20)

Whats new in CF10, 11, 2016