Common ColdFusion Problems & Solutions

When something breaks, start here

Last updated: November 28, 202510 min read

These are the issues that come up again and again. Each one includes symptoms to help you identify the problem, diagnostic steps to confirm it, and solutions that actually work. We've also included prevention tipsβ€”because the best fix is not needing one.

Memory Leak / Out of Memory Errors

critical

πŸ” Symptoms

  • java.lang.OutOfMemoryError: Java heap space
  • Application becomes unresponsive over time
  • Memory usage continuously increases
  • Frequent garbage collection

πŸ”¬ Diagnosis Steps

  1. Enable GC logging: -Xlog:gc*:file=gc.log
  2. Monitor heap usage in PMT or FusionReactor
  3. Check for session variable accumulation
  4. Review query caching configuration
  5. Analyze heap dumps with Eclipse MAT

βœ… Solutions

Increase heap size if undersizedImmediate relief if memory-starved
-Xms8g -Xmx8g (example for 8GB heap)
Fix application-level memory leaksPrevents long-term memory accumulation
// Clear large session variables
<cfset structDelete(session, "largeData")>

// Limit query caching
<cfquery name="q" cachedWithin="#createTimeSpan(0,0,5,0)#">
Tune garbage collectorMore efficient memory reclamation
-XX:+UseG1GC -XX:MaxGCPauseMillis=200 -XX:G1HeapRegionSize=16m
Implement session size limitsPrevents session bloat
<cfapplication
  name="myApp"
  sessionmanagement="yes"
  sessiontimeout="#createTimeSpan(0,0,30,0)#"
  setclientcookies="yes">

πŸ›‘οΈ Prevention

Monitor heap usage proactively, implement session size limits, use query caching judiciously, regular heap dump analysis

Related Issues: Slow performance, GC pause times, Connection pool exhaustion

Slow Page Load Times / High Response Times

high

πŸ” Symptoms

  • Pages taking >3 seconds to load
  • High P95/P99 response times
  • User complaints about slowness
  • Timeouts during peak load

πŸ”¬ Diagnosis Steps

  1. Enable PMT request tracking
  2. Profile slow templates with FusionReactor
  3. Check database query execution times
  4. Review web server connector settings
  5. Analyze thread dump for bottlenecks

βœ… Solutions

Optimize database queries50-70% query time reduction
// Add indexes to frequently queried columns
CREATE INDEX idx_userid ON users(userid);

// Use cfqueryparam for all variables
<cfquery name="getUser">
  SELECT * FROM users
  WHERE userid = <cfqueryparam value="#userid#" cfsqltype="cf_sql_integer">
</cfquery>
Implement caching strategy70-90% reduction for cached content
// Template caching
<cfcache action="cache" timespan="#createTimeSpan(0,1,0,0)#">

// Query caching
<cfquery name="getData" cachedWithin="#createTimeSpan(0,0,10,0)#">
  SELECT * FROM products WHERE active = 1
</cfquery>

// Object caching with Redis
<cfset cachePut("userdata_#userid#", userData, createTimeSpan(0,0,30,0))>
Tune Tomcat connector threads30-40% throughput improvement
// In server.xml
<Connector port="8500"
  maxThreads="200"
  minSpareThreads="25"
  connectionTimeout="20000"
  acceptCount="100"
  enableLookups="false"
  compression="on"
  compressionMinSize="2048"/>
Enable lazy loading for expensive operationsFaster initial page loads
// Defer non-critical operations
<cfif structKeyExists(url, "loadExtras")>
  <cfset heavyData = getExpensiveData()>
</cfif>

πŸ›‘οΈ Prevention

Regular performance testing, query optimization reviews, caching strategy, CDN for static assets

Related Issues: High CPU usage, Database connection pool exhaustion, Memory issues

SQL Injection Vulnerabilities

critical

πŸ” Symptoms

  • Security scan findings
  • Unexpected SQL errors in logs
  • Unauthorized data access
  • Database anomalies

πŸ”¬ Diagnosis Steps

  1. Run security scanner (OWASP ZAP, Burp Suite)
  2. Code review for dynamic SQL
  3. Check query logs for suspicious patterns
  4. Review all user input handling

βœ… Solutions

Use cfqueryparam for ALL user inputsEliminates SQL injection risk
// VULNERABLE CODE - DO NOT USE
<cfquery name="badQuery">
  SELECT * FROM users WHERE username = '#form.username#'
</cfquery>

// SECURE CODE - ALWAYS USE
<cfquery name="secureQuery">
  SELECT * FROM users
  WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>
Validate and sanitize all inputsDefense-in-depth protection
// Input validation
<cfif NOT reFindNoCase("^[a-zA-Z0-9_]{3,20}$", form.username)>
  <cfthrow message="Invalid username format">
</cfif>

// Whitelist approach
<cfset validSortColumns = ["name", "date", "id"]>
<cfif NOT arrayContains(validSortColumns, url.sortBy)>
  <cfset url.sortBy = "name">
</cfif>
Disable dynamic SQL where possibleReduces attack surface
// Use ORM instead of dynamic queries
entityLoad("User", {username: form.username}, true)
Implement prepared statementsModern, secure query approach
// Use queryExecute with params
queryExecute(
  "SELECT * FROM users WHERE username = :username",
  {username: {value: form.username, cfsqltype: "varchar"}}
)

πŸ›‘οΈ Prevention

Code review checklist, automated security scanning, developer training, never trust user input

Related Issues: XSS vulnerabilities, Command injection, LDAP injection

Cross-Site Scripting (XSS) Vulnerabilities

high

πŸ” Symptoms

  • Security scan XSS findings
  • Unexpected JavaScript execution
  • Session hijacking attempts
  • Malicious user-generated content

πŸ”¬ Diagnosis Steps

  1. Test with XSS payloads in all inputs
  2. Review output encoding practices
  3. Check Content Security Policy headers
  4. Scan with automated tools

βœ… Solutions

Encode all outputPrevents XSS in output
// HTML context encoding
<p>#encodeForHTML(userInput)#</p>

// JavaScript context encoding
<script>
  var userName = "#encodeForJavaScript(userInput)#";
</script>

// URL context encoding
<a href="profile.cfm?user=#encodeForURL(userInput)#">Profile</a>

// CSS context encoding
<div style="color: #encodeForCSS(userColor)#">
Implement Content Security PolicyDefense-in-depth protection
// In Application.cfc
function onRequestStart(targetPage) {
  cfheader(name="Content-Security-Policy",
    value="default-src 'self'; script-src 'self' 'unsafe-inline' https://trusted-cdn.com; style-src 'self' 'unsafe-inline'");
  cfheader(name="X-Content-Type-Options", value="nosniff");
  cfheader(name="X-Frame-Options", value="SAMEORIGIN");
  cfheader(name="X-XSS-Protection", value="1; mode=block");
}
Sanitize rich text inputSafe rich text handling
// Use OWASP Java HTML Sanitizer
<cfset cleanHTML = createObject("java", "org.owasp.html.HtmlPolicyBuilder")
  .allowElements("p", "br", "strong", "em")
  .toFactory()
  .sanitize(userHTML)>

πŸ›‘οΈ Prevention

Output encoding by default, CSP headers, input validation, regular security testing

Related Issues: CSRF attacks, Session hijacking, Clickjacking

Connection Pool Exhausted

high

πŸ” Symptoms

  • Error: "Unable to get connection from pool"
  • Timeouts waiting for database connection
  • Application hangs during database operations
  • Growing connection count

πŸ”¬ Diagnosis Steps

  1. Check current pool usage in CF Admin
  2. Review connection timeout settings
  3. Look for unclosed queries/connections
  4. Monitor database connection count
  5. Check for long-running queries

βœ… Solutions

Increase connection pool sizeHandles higher concurrent load
// In ColdFusion Administrator or Application.cfc
this.datasources["myDB"] = {
  driver: "MSSQLServer",
  host: "dbserver",
  database: "mydb",
  port: 1433,
  username: "user",
  password: "encrypted:...",
  connectionLimit: 100,  // Increase from default
  connectionTimeout: 30,
  loginTimeout: 30
};
Fix connection leaksPrevents connection leaks
// Always close connections in finally block
<cftry>
  <cfquery name="getData" datasource="myDB">
    SELECT * FROM products
  </cfquery>
  <cfcatch>
    <cflog file="errors" text="#cfcatch.message#">
  </cfcatch>
  <cffinally>
    <!--- Connection auto-closed with cfquery --->
  </cffinally>
</cftry>

// Close stored proc connections
<cfstoredproc procedure="myProc" datasource="myDB">
  <cfprocresult name="result">
</cfstoredproc>
Implement connection timeout and retryPrevents connection hogging
// Set reasonable timeouts
<cfquery name="getData"
  datasource="myDB"
  timeout="30"
  maxrows="1000">
  SELECT * FROM large_table
  WHERE date > <cfqueryparam value="#dateAdd('d', -7, now())#" cfsqltype="cf_sql_timestamp">
</cfquery>
Monitor and alert on pool usageProactive issue detection
// Check pool usage
<cfset poolStats = getConnectionPoolStats("myDB")>
<cfif poolStats.activeConnections / poolStats.maxConnections GT 0.8>
  <!--- Alert: Pool usage > 80% --->
  <cflog file="monitoring" text="Connection pool usage critical: #poolStats.activeConnections#/#poolStats.maxConnections#">
</cfif>

πŸ›‘οΈ Prevention

Right-size connection pools, query timeouts, connection monitoring, regular pool stats review

Related Issues: Slow queries, Database server resource limits, Network latency

High Garbage Collection Pause Times

medium

πŸ” Symptoms

  • Application pauses/freezes
  • GC logs show pause >500ms
  • User reports intermittent slowness
  • Request timeouts during GC

πŸ”¬ Diagnosis Steps

  1. Enable GC logging: -Xlog:gc*:file=gc.log
  2. Analyze GC logs with GCViewer or GCEasy
  3. Check heap usage patterns
  4. Review GC algorithm configuration
  5. Monitor with PMT or FusionReactor

βœ… Solutions

Switch to G1 garbage collector50-70% reduction in pause times
// In jvm.config
-XX:+UseG1GC
-XX:MaxGCPauseMillis=200
-XX:G1HeapRegionSize=16m
-XX:InitiatingHeapOccupancyPercent=45
-XX:G1ReservePercent=10
Right-size heapReduces GC frequency
// Set min = max for consistent performance
-Xms8g -Xmx8g

// Heap should be 50-70% of total RAM
// 16GB server β†’ 8-10GB heap
Tune GC threadsBetter GC efficiency on multi-core
// Parallel GC threads (default: CPU cores)
-XX:ParallelGCThreads=8

// Concurrent GC threads (1/4 of parallel)
-XX:ConcGCThreads=2
Reduce object allocation rateLess pressure on GC
// Reuse objects instead of creating new
<cfset stringBuilder = createObject("java", "java.lang.StringBuilder").init()>
<cfloop array="#items#" index="item">
  <cfset stringBuilder.append(item)>
</cfloop>
<cfset result = stringBuilder.toString()>

// Avoid in-loop object creation
<cfset pattern = createObject("java", "java.util.regex.Pattern").compile("regex")>
<cfloop array="#data#" index="item">
  <cfset matcher = pattern.matcher(item)>
</cfloop>

πŸ›‘οΈ Prevention

Proper heap sizing from start, G1GC for heaps >4GB, object allocation review, regular GC monitoring

Related Issues: Memory leaks, Heap size issues, High CPU during GC

ColdFusion Administrator Locked Out

high

πŸ” Symptoms

  • Cannot access CF Admin
  • Forgot admin password
  • Admin IP restriction blocking access
  • MFA token issues

πŸ”¬ Diagnosis Steps

  1. Check IP restrictions in neo-security.xml
  2. Verify password hash in neo-security.xml
  3. Check MFA configuration
  4. Review web server access logs

βœ… Solutions

Reset admin password (JVM method)Immediate admin access restoration
// Stop ColdFusion
sudo systemctl stop coldfusion

// Run password reset
cd /opt/coldfusion2025/cfusion/bin
./cfpm resetadmin

// Follow prompts to set new password
// Start ColdFusion
sudo systemctl start coldfusion
Remove IP restrictions temporarilyAllows access from any IP (temp only)
// Edit: /opt/coldfusion2025/cfusion/lib/neo-security.xml
// Find and comment out:
<!--
<var name='allowedAdminIPList'>
  <string>127.0.0.1,192.168.1.100</string>
</var>
-->

// Restart ColdFusion
Disable MFA temporarilyBypasses MFA requirement
// Edit: neo-security.xml
<var name='mfaEnabled'>
  <boolean>false</boolean>  <!-- Change from true -->
</var>

// Restart ColdFusion
Access via RDS (if enabled)Alternative access method
// Use CFBuilder or CF Admin mobile app
// Connect via RDS to manage settings
// RDS password in rds.properties

πŸ›‘οΈ Prevention

Document admin passwords securely, maintain IP whitelist, backup neo-security.xml, test MFA before enforcing

Related Issues: Lost RDS password, SSL certificate issues, Web server connector problems

Web Server Connector Not Working

critical

πŸ” Symptoms

  • 404 errors for .cfm files
  • Web server serves CFM as text
  • CFIDE/administrator not accessible via connector
  • Connection refused errors

πŸ”¬ Diagnosis Steps

  1. Check connector configuration in web server
  2. Verify ColdFusion AJP connector running (port 8012)
  3. Review web server error logs
  4. Test direct access to ColdFusion (port 8500)
  5. Check connector secret key match

βœ… Solutions

Regenerate connector (wsconfig)Recreates connector config
// Linux/Mac
cd /opt/coldfusion2025/cfusion/runtime/bin
./wsconfig -ws apache -dir /etc/apache2 -v

// Windows
cd C:\ColdFusion2025\cfusion\runtime\bin
wsconfig.exe -ws iis -site "Default Web Site" -v

// Restart web server
sudo systemctl restart apache2
Verify AJP connector runningEnsures CF listening for connector
// Check if AJP port listening
netstat -an | grep 8012

// Should see: tcp 0.0.0.0:8012 LISTEN

// If not, check server.xml
<Connector port="8012"
  protocol="AJP/1.3"
  redirectPort="8445"
  secretRequired="true"
  secret="your-secret-key"
  address="127.0.0.1"/>
Match connector secretFixes authentication failures
// Apache: In worker.properties
worker.cfusion.secret=your-secret-key

// IIS: In isapi_redirect.properties
connection_pool_size=10
secret=your-secret-key

// Must match server.xml secret
Fix file permissionsResolves permission issues
// Linux - Apache needs read access
sudo chmod 644 /etc/apache2/mod_jk.conf
sudo chmod 644 /etc/apache2/workers.properties
sudo systemctl restart apache2

πŸ›‘οΈ Prevention

Document connector setup, backup connector configs, test after CF updates, monitor connector logs

Related Issues: Port conflicts, Firewall blocking AJP, Web server module not loaded

Session Replication Issues in Cluster

medium

πŸ” Symptoms

  • Users logged out randomly
  • Session data lost on failover
  • Inconsistent session behavior
  • Cluster node sync errors

πŸ”¬ Diagnosis Steps

  1. Check cluster member status in CF Admin
  2. Review session replication logs
  3. Verify multicast/network connectivity
  4. Check session storage configuration
  5. Monitor session size

βœ… Solutions

Configure external session storage (Redis)Reliable session sharing across cluster
// Application.cfc
this.sessionManagement = true;
this.sessionStorage = "redis";
this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

this.redis = {
  server: "redis.example.com",
  port: 6379,
  password: "encrypted:...",
  database: 0,
  connectionPoolSize: 50
};
Reduce session data sizeFaster replication, less network overhead
// Store only essential data in session
<cfset session.userId = userQuery.id>  // ID only
<cfset session.userName = userQuery.name>

// Load full user object on demand
<cffunction name="getCurrentUser">
  <cfif NOT structKeyExists(request, "currentUser")>
    <cfset request.currentUser = userService.getById(session.userId)>
  </cfif>
  <cfreturn request.currentUser>
</cffunction>
Configure sticky sessions (load balancer)Reduces session replication needs
// NGINX example
upstream coldfusion {
  ip_hash;  // Sticky sessions by client IP
  server cf1.example.com:8500;
  server cf2.example.com:8500;
}

// Or use cookie-based
sticky cookie srv_id expires=1h;
Use J2EE session variablesImproved cluster compatibility
// In ColdFusion Admin:
// Server Settings > Memory Variables
// Enable: "Use J2EE session variables"

// Provides standard servlet session
// Better cluster support

πŸ›‘οΈ Prevention

External session storage from start, minimize session data, regular cluster testing, monitor replication logs

Related Issues: Load balancer configuration, Network latency, Session timeout issues

Unauthorized CFIDE Access

high

πŸ” Symptoms

  • Security scan finds CFIDE exposed
  • Administrator accessible from internet
  • Debug output visible externally
  • RDS ports accessible

πŸ”¬ Diagnosis Steps

  1. Test external access to /CFIDE/administrator
  2. Check web server virtual host configs
  3. Review IP restriction settings
  4. Scan for exposed ports (8500, 8012)
  5. Check debug output settings

βœ… Solutions

Restrict CFIDE access by IP (Apache)Blocks external admin access
// In Apache config or .htaccess
<LocationMatch "^/CFIDE/(administrator|adminapi|componentutils)">
  Require ip 127.0.0.1
  Require ip 192.168.1.0/24
  Require ip 10.0.0.0/8
</LocationMatch>

// Restart Apache
sudo systemctl restart apache2
Restrict CFIDE access by IP (IIS)IIS-level IP restriction
// In web.config for CFIDE directory
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <add allowed="true" ipAddress="127.0.0.1" />
        <add allowed="true" ipAddress="192.168.1.0" subnetMask="255.255.255.0" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
Change administrator URL pathSecurity through obscurity layer
// In CF Admin: Server Settings > Settings
// Administrator URL Path: /cf-secure-admin-abc123

// Creates new path, old path disabled
// Access via: /cf-secure-admin-abc123/
Disable debug output for external IPsPrevents information disclosure
// In CF Admin: Debugging & Logging > Debug Output Settings
// Enable: "Display debug output"
// Restrict to IP addresses:
127.0.0.1
192.168.1.0/24

// Or in Application.cfc
this.debuggingIPAddresses = "127.0.0.1,192.168.1.100";
Block direct CF ports at firewallNetwork-level protection
// Linux firewall (iptables)
sudo iptables -A INPUT -p tcp --dport 8500 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8500 -j DROP
sudo iptables -A INPUT -p tcp --dport 8012 -j DROP

// Make persistent
sudo iptables-save > /etc/iptables/rules.v4

πŸ›‘οΈ Prevention

Run Lockdown Guide on install, regular security scans, IP whitelisting from start, never expose CF ports

Related Issues: Weak admin passwords, RDS enabled, Missing MFA

Additional Resources

Stuck on something not listed here?

Some problems don't fit neat categories. Convective's team has been troubleshooting ColdFusion for over 20 yearsβ€”if it can go wrong, we've probably fixed it before.

Get Expert Support
CFGuide - The Complete ColdFusion 2025 Resource Hub