Common ColdFusion Problems & Solutions

Comprehensive troubleshooting database for ColdFusion 2025 with diagnostic steps, solutions, and prevention strategies for the most common issues.

Memory Leak / Out of Memory Errors

critical

🔍 Symptoms

  • java.lang.OutOfMemoryError: Java heap space
  • Application becomes unresponsive over time
  • Memory usage continuously increases
  • Frequent garbage collection

🔬 Diagnosis Steps

  1. Enable GC logging: -Xlog:gc*:file=gc.log
  2. Monitor heap usage in PMT or FusionReactor
  3. Check for session variable accumulation
  4. Review query caching configuration
  5. Analyze heap dumps with Eclipse MAT

✅ Solutions

Increase heap size if undersized
Immediate relief if memory-starved
-Xms8g -Xmx8g (example for 8GB heap)

Fix application-level memory leaks
Prevents long-term memory accumulation
<!--- Clear large session variables --->
<cfset structDelete(session, "largeData")>

<!--- Limit query caching --->
<cfquery name="q" cachedWithin="#createTimeSpan(0,0,5,0)#">

Tune garbage collector
More efficient memory reclamation
-XX:+UseG1GC -XX:MaxGCPauseMillis=200 -XX:G1HeapRegionSize=16m

Implement session size limits
Prevents session bloat
<cfapplication
  name="myApp"
  sessionmanagement="yes"
  sessiontimeout="#createTimeSpan(0,0,30,0)#"
  setclientcookies="yes">

🛡️ Prevention

Monitor heap usage proactively, implement session size limits, use query caching judiciously, regular heap dump analysis

Slow Page Load Times / High Response Times

high

🔍 Symptoms

  • Pages taking >3 seconds to load
  • High P95/P99 response times
  • User complaints about slowness
  • Timeouts during peak load

🔬 Diagnosis Steps

  1. Enable PMT request tracking
  2. Profile slow templates with FusionReactor
  3. Check database query execution times
  4. Review web server connector settings
  5. Analyze thread dump for bottlenecks

✅ Solutions

Optimize database queries
50-70% query time reduction
-- Add indexes to frequently queried columns
CREATE INDEX idx_userid ON users(userid);

<!--- Use cfqueryparam for all variables --->
<cfquery name="getUser">
  SELECT * FROM users
  WHERE userid = <cfqueryparam value="#userid#" cfsqltype="cf_sql_integer">
</cfquery>

Implement caching strategy
70-90% reduction for cached content
<!--- Template caching --->
<cfcache action="cache" timespan="#createTimeSpan(0,1,0,0)#">

<!--- Query caching --->
<cfquery name="getData" cachedWithin="#createTimeSpan(0,0,10,0)#">
  SELECT * FROM products WHERE active = 1
</cfquery>

<!--- Object caching with Redis --->
<cfset cachePut("userdata_#userid#", userData, createTimeSpan(0,0,30,0))>

Tune Tomcat connector threads
30-40% throughput improvement
<!-- In server.xml -->
<Connector port="8500"
  maxThreads="200"
  minSpareThreads="25"
  connectionTimeout="20000"
  acceptCount="100"
  enableLookups="false"
  compression="on"
  compressionMinSize="2048"/>

Enable lazy loading for expensive operations
Faster initial page loads
<!--- Defer non-critical operations --->
<cfif structKeyExists(url, "loadExtras")>
  <cfset heavyData = getExpensiveData()>
</cfif>

🛡️ Prevention

Regular performance testing, query optimization reviews, caching strategy, CDN for static assets

SQL Injection Vulnerabilities

critical

🔍 Symptoms

  • Security scan findings
  • Unexpected SQL errors in logs
  • Unauthorized data access
  • Database anomalies

🔬 Diagnosis Steps

  1. Run security scanner (OWASP ZAP, Burp Suite)
  2. Code review for dynamic SQL
  3. Check query logs for suspicious patterns
  4. Review all user input handling

✅ Solutions

Use cfqueryparam for ALL user inputs
Eliminates SQL injection risk
<!--- VULNERABLE CODE - DO NOT USE --->
<cfquery name="badQuery">
  SELECT * FROM users WHERE username = '#form.username#'
</cfquery>

<!--- SECURE CODE - ALWAYS USE --->
<cfquery name="secureQuery">
  SELECT * FROM users
  WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>

Validate and sanitize all inputs
Defense-in-depth protection
<!--- Input validation --->
<cfif NOT reFindNoCase("^[a-zA-Z0-9_]{3,20}$", form.username)>
  <cfthrow message="Invalid username format">
</cfif>

<!--- Whitelist approach --->
<cfset validSortColumns = ["name", "date", "id"]>
<cfif NOT arrayContains(validSortColumns, url.sortBy)>
  <cfset url.sortBy = "name">
</cfif>

Disable dynamic SQL where possible
Reduces attack surface
// Use ORM instead of dynamic queries
entityLoad("User", {username: form.username}, true)

Implement prepared statements
Modern, secure query approach
// Use queryExecute with params
queryExecute(
  "SELECT * FROM users WHERE username = :username",
  {username: {value: form.username, cfsqltype: "varchar"}}
)
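
cfqueryparam and queryExecute parameters bind values only; a column name or sort direction cannot be bound, which is why the whitelist above matters. The following added example (not from the original page) combines both techniques in one search function. The function name searchUsers, its arguments, the column names created_at and role_id, and the datasource myDB are assumptions made for illustration.

```cfml
// Added example: bound values plus a whitelisted ORDER BY in one query.
// searchUsers(), the users columns and the myDB datasource are assumed names.
function searchUsers(
  required string term,
  string sortBy = "name",
  string sortDir = "asc",
  string roleIds = ""
) {
  // Identifiers cannot be bound as parameters, so user input only selects
  // one of these fixed column names and is never placed in the SQL itself.
  var sortColumns = { "name": "username", "date": "created_at", "id": "userid" };
  var sortKey = lCase(arguments.sortBy);
  var orderCol = structKeyExists(sortColumns, sortKey) ? sortColumns[sortKey] : "username";
  var orderDir = (lCase(arguments.sortDir) == "desc") ? "DESC" : "ASC";

  var sql = "SELECT userid, username, created_at FROM users WHERE username LIKE :term";
  var params = {
    term: { value: "%" & arguments.term & "%", cfsqltype: "cf_sql_varchar" }
  };

  // list: true expands a comma-delimited string into one bound parameter per
  // item; a non-integer item fails type validation before reaching the database.
  if (len(arguments.roleIds)) {
    sql &= " AND role_id IN (:roles)";
    params.roles = { value: arguments.roleIds, cfsqltype: "cf_sql_integer", list: true };
  }

  // Only values taken from the fixed map and the ASC/DESC choice are concatenated.
  sql &= " ORDER BY #orderCol# #orderDir#";

  return queryExecute(sql, params, { datasource: "myDB", maxrows: 100 });
}
```

An unrecognized sortBy value falls back to username, and a sortDir other than "desc" falls back to ASC, so request data never appears in the statement text.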

🛡️ Prevention

Code review checklist, automated security scanning, developer training, never trust user input

Cross-Site Scripting (XSS) Vulnerabilities

high

🔍 Symptoms

  • Security scan XSS findings
  • Unexpected JavaScript execution
  • Session hijacking attempts
  • Malicious user-generated content

🔬 Diagnosis Steps

  1. Test with XSS payloads in all inputs
  2. Review output encoding practices
  3. Check Content Security Policy headers
  4. Scan with automated tools

✅ Solutions

Encode all output
Prevents XSS in output
<!--- HTML context encoding --->
<p>#encodeForHTML(userInput)#</p>

<!--- JavaScript context encoding --->
<script>
  var userName = "#encodeForJavaScript(userInput)#";
</script>

<!--- URL context encoding --->
<a href="profile.cfm?user=#encodeForURL(userInput)#">Profile</a>

<!--- CSS context encoding --->
<div style="color: #encodeForCSS(userColor)#">

Implement Content Security Policy
Defense-in-depth protection
// In Application.cfc
function onRequestStart(targetPage) {
  cfheader(name="Content-Security-Policy",
    value="default-src 'self'; script-src 'self' 'unsafe-inline' https://trusted-cdn.com; style-src 'self' 'unsafe-inline'");
  cfheader(name="X-Content-Type-Options", value="nosniff");
  cfheader(name="X-Frame-Options", value="SAMEORIGIN");
  cfheader(name="X-XSS-Protection", value="1; mode=block");
}
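
The policy above keeps 'unsafe-inline' in script-src, which still lets an injected inline script run. The following added example (not from the original page) shows a per-request nonce variant of the same Application.cfc hook; the variable name request.cspNonce is an assumption, and https://trusted-cdn.com is carried over from the snippet above.

```cfml
// Application.cfc (added example; request.cspNonce is a name chosen here)
component {
  this.name = "myApp";

  function onRequestStart(targetPage) {
    // New unpredictable value on every request: base64 of a random 128-bit key
    request.cspNonce = generateSecretKey("AES", 128);

    // Inline script runs only when its nonce attribute matches this header,
    // so script markup injected through an XSS flaw is refused by the browser.
    var csp = "default-src 'self'; "
      & "script-src 'self' 'nonce-#request.cspNonce#' https://trusted-cdn.com; "
      & "style-src 'self'; object-src 'none'; base-uri 'self'";

    cfheader(name="Content-Security-Policy", value=csp);
    cfheader(name="X-Content-Type-Options", value="nosniff");
    cfheader(name="X-Frame-Options", value="SAMEORIGIN");
    return true;
  }
}

// In a template, every legitimate inline block carries the nonce:
//   <cfoutput>
//   <script nonce="#encodeForHTMLAttribute(request.cspNonce)#">
//     var userName = "#encodeForJavaScript(userInput)#";
//   </script>
//   </cfoutput>
```

Because style-src no longer allows 'unsafe-inline' here, inline style attributes need to move into stylesheets before this policy is enforced.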
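
Sanitize rich text input
Safe rich text handling
<!--- Use OWASP Java HTML Sanitizer (its JAR must be on the ColdFusion classpath) --->
<!--- allowElements is a Java varargs method, so the element names are passed as a String array --->
<cfset cleanHTML = createObject("java", "org.owasp.html.HtmlPolicyBuilder")
  .init()
  .allowElements(javaCast("string[]", ["p", "br", "strong", "em"]))
  .toFactory()
  .sanitize(userHTML)>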

🛡️ Prevention

Output encoding by default, CSP headers, input validation, regular security testing

Connection Pool Exhausted

high

🔍 Symptoms

  • Error: "Unable to get connection from pool"
  • Timeouts waiting for database connection
  • Application hangs during database operations
  • Growing connection count

🔬 Diagnosis Steps

  1. Check current pool usage in CF Admin
  2. Review connection timeout settings
  3. Look for unclosed queries/connections
  4. Monitor database connection count
  5. Check for long-running queries

✅ Solutions

Increase connection pool size
Handles higher concurrent load
// In ColdFusion Administrator or Application.cfc
this.datasources["myDB"] = {
  driver: "MSSQLServer",
  host: "dbserver",
  database: "mydb",
  port: 1433,
  username: "user",
  password: "encrypted:...",
  connectionLimit: 100,  // Increase from default
  connectionTimeout: 30,
  loginTimeout: 30
};

Fix connection leaks
Prevents connection leaks
<!--- Always close connections in finally block --->
<cftry>
  <cfquery name="getData" datasource="myDB">
    SELECT * FROM products
  </cfquery>
  <cfcatch>
    <cflog file="errors" text="#cfcatch.message#">
  </cfcatch>
  <cffinally>
    <!--- Connection auto-closed with cfquery --->
  </cffinally>
</cftry>

<!--- Close stored proc connections --->
<cfstoredproc procedure="myProc" datasource="myDB">
  <cfprocresult name="result">
</cfstoredproc>

Implement connection timeout and retry
Prevents connection hogging
<!--- Set reasonable timeouts --->
<cfquery name="getData"
  datasource="myDB"
  timeout="30"
  maxrows="1000">
  SELECT * FROM large_table
  WHERE date > <cfqueryparam value="#dateAdd('d', -7, now())#" cfsqltype="cf_sql_timestamp">
</cfquery>

Monitor and alert on pool usage
Proactive issue detection
<!--- Check pool usage --->
<cfset poolStats = getConnectionPoolStats("myDB")>
<cfif poolStats.activeConnections / poolStats.maxConnections GT 0.8>
  <!--- Alert: Pool usage > 80% --->
  <cflog file="monitoring" text="Connection pool usage critical: #poolStats.activeConnections#/#poolStats.maxConnections#">
</cfif>

🛡️ Prevention

Right-size connection pools, query timeouts, connection monitoring, regular pool stats review

High Garbage Collection Pause Times

medium

🔍 Symptoms

  • Application pauses/freezes
  • GC logs show pause >500ms
  • User reports intermittent slowness
  • Request timeouts during GC

🔬 Diagnosis Steps

  1. Enable GC logging: -Xlog:gc*:file=gc.log
  2. Analyze GC logs with GCViewer or GCEasy
  3. Check heap usage patterns
  4. Review GC algorithm configuration
  5. Monitor with PMT or FusionReactor

✅ Solutions

Switch to G1 garbage collector
50-70% reduction in pause times
# In jvm.config
-XX:+UseG1GC
-XX:MaxGCPauseMillis=200
-XX:G1HeapRegionSize=16m
-XX:InitiatingHeapOccupancyPercent=45
-XX:G1ReservePercent=10

Right-size heap
Reduces GC frequency
# Set min = max for consistent performance
-Xms8g -Xmx8g

# Heap should be 50-70% of total RAM
# 16GB server → 8-10GB heap

Tune GC threads
Better GC efficiency on multi-core
# Parallel GC threads (default: CPU cores)
-XX:ParallelGCThreads=8

# Concurrent GC threads (1/4 of parallel)
-XX:ConcGCThreads=2

Reduce object allocation rate
Less pressure on GC
<!--- Reuse objects instead of creating new --->
<cfset stringBuilder = createObject("java", "java.lang.StringBuilder").init()>
<cfloop array="#items#" index="item">
  <cfset stringBuilder.append(item)>
</cfloop>
<cfset result = stringBuilder.toString()>

<!--- Avoid in-loop object creation --->
<cfset pattern = createObject("java", "java.util.regex.Pattern").compile("regex")>
<cfloop array="#data#" index="item">
  <cfset matcher = pattern.matcher(item)>
</cfloop>

🛡️ Prevention

Proper heap sizing from start, G1GC for heaps >4GB, object allocation review, regular GC monitoring

ColdFusion Administrator Locked Out

high

🔍 Symptoms

  • Cannot access CF Admin
  • Forgot admin password
  • Admin IP restriction blocking access
  • MFA token issues

🔬 Diagnosis Steps

  1. Check IP restrictions in neo-security.xml
  2. Verify password hash in neo-security.xml
  3. Check MFA configuration
  4. Review web server access logs

✅ Solutions

Reset admin password (JVM method)
Immediate admin access restoration
# Stop ColdFusion
sudo systemctl stop coldfusion

# Run password reset
cd /opt/coldfusion2025/cfusion/bin
./cfpm resetadmin

# Follow prompts to set new password
# Start ColdFusion
sudo systemctl start coldfusion

Remove IP restrictions temporarily
Allows access from any IP (temp only)
Edit: /opt/coldfusion2025/cfusion/lib/neo-security.xml
Find and comment out:
<!--
<var name='allowedAdminIPList'>
  <string>127.0.0.1,192.168.1.100</string>
</var>
-->

Restart ColdFusion

Disable MFA temporarily
Bypasses MFA requirement
Edit: neo-security.xml
<var name='mfaEnabled'>
  <boolean>false</boolean>  <!-- Change from true -->
</var>

Restart ColdFusion

Access via RDS (if enabled)
Alternative access method
Use CFBuilder or CF Admin mobile app
Connect via RDS to manage settings
RDS password in rds.properties

🛡️ Prevention

Document admin passwords securely, maintain IP whitelist, backup neo-security.xml, test MFA before enforcing

Web Server Connector Not Working

critical

🔍 Symptoms

  • 404 errors for .cfm files
  • Web server serves CFM as text
  • CFIDE/administrator not accessible via connector
  • Connection refused errors

🔬 Diagnosis Steps

  1. Check connector configuration in web server
  2. Verify ColdFusion AJP connector running (port 8012)
  3. Review web server error logs
  4. Test direct access to ColdFusion (port 8500)
  5. Check connector secret key match

✅ Solutions

Regenerate connector (wsconfig)
Recreates connector config
# Linux/Mac
cd /opt/coldfusion2025/cfusion/runtime/bin
./wsconfig -ws apache -dir /etc/apache2 -v

REM Windows
cd C:\ColdFusion2025\cfusion\runtime\bin
wsconfig.exe -ws iis -site "Default Web Site" -v

# Restart web server
sudo systemctl restart apache2
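
Verify AJP connector running
Ensures CF listening for connector
# Check if AJP port listening
netstat -an | grep 8012

# Should see a LISTEN line for port 8012
# (127.0.0.1:8012 with the address setting below; 0.0.0.0:8012 means it is bound to all interfaces)

<!-- If not, check server.xml -->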
<Connector port="8012"
  protocol="AJP/1.3"
  redirectPort="8445"
  secretRequired="true"
  secret="your-secret-key"
  address="127.0.0.1"/>

Match connector secret
Fixes authentication failures
# Apache: In workers.properties
worker.cfusion.secret=your-secret-key

# IIS: In isapi_redirect.properties
connection_pool_size=10
secret=your-secret-key

# Must match server.xml secret
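
Fix file permissions
Resolves permission issues
# Linux - Apache needs read access
# (workers.properties holds the connector secret; mode 644 makes it readable by every local account)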
sudo chmod 644 /etc/apache2/mod_jk.conf
sudo chmod 644 /etc/apache2/workers.properties
sudo systemctl restart apache2

🛡️ Prevention

Document connector setup, backup connector configs, test after CF updates, monitor connector logs

Session Replication Issues in Cluster

medium

🔍 Symptoms

  • Users logged out randomly
  • Session data lost on failover
  • Inconsistent session behavior
  • Cluster node sync errors

🔬 Diagnosis Steps

  1. Check cluster member status in CF Admin
  2. Review session replication logs
  3. Verify multicast/network connectivity
  4. Check session storage configuration
  5. Monitor session size

✅ Solutions

Configure external session storage (Redis)
Reliable session sharing across cluster
// Application.cfc
this.sessionManagement = true;
this.sessionStorage = "redis";
this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

this.redis = {
  server: "redis.example.com",
  port: 6379,
  password: "encrypted:...",
  database: 0,
  connectionPoolSize: 50
};

Reduce session data size
Faster replication, less network overhead
<!--- Store only essential data in session --->
<cfset session.userId = userQuery.id>  <!--- ID only --->
<cfset session.userName = userQuery.name>

<!--- Load full user object on demand --->
<cffunction name="getCurrentUser">
  <cfif NOT structKeyExists(request, "currentUser")>
    <cfset request.currentUser = userService.getById(session.userId)>
  </cfif>
  <cfreturn request.currentUser>
</cffunction>

Configure sticky sessions (load balancer)
Reduces session replication needs
# NGINX example
upstream coldfusion {
  ip_hash;  # Sticky sessions by client IP
  server cf1.example.com:8500;
  server cf2.example.com:8500;
}

# Or use cookie-based stickiness (an NGINX Plus directive, placed inside the upstream block in place of ip_hash)
sticky cookie srv_id expires=1h;

Use J2EE session variables
Improved cluster compatibility
In ColdFusion Admin:
Server Settings > Memory Variables
Enable: "Use J2EE session variables"

Provides standard servlet session
Better cluster support

🛡️ Prevention

External session storage from start, minimize session data, regular cluster testing, monitor replication logs

Unauthorized CFIDE Access

high

🔍 Symptoms

  • Security scan finds CFIDE exposed
  • Administrator accessible from internet
  • Debug output visible externally
  • RDS ports accessible

🔬 Diagnosis Steps

  1. Test external access to /CFIDE/administrator
  2. Check web server virtual host configs
  3. Review IP restriction settings
  4. Scan for exposed ports (8500, 8012)
  5. Check debug output settings

✅ Solutions

Restrict CFIDE access by IP (Apache)
Blocks external admin access
# In the Apache server or virtual host config (LocationMatch is not allowed in .htaccess)
<LocationMatch "^/CFIDE/(administrator|adminapi|componentutils)">
  Require ip 127.0.0.1
  Require ip 192.168.1.0/24
  Require ip 10.0.0.0/8
</LocationMatch>

# Restart Apache
sudo systemctl restart apache2

Restrict CFIDE access by IP (IIS)
IIS-level IP restriction
<!-- In web.config for CFIDE directory -->
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <add allowed="true" ipAddress="127.0.0.1" />
        <add allowed="true" ipAddress="192.168.1.0" subnetMask="255.255.255.0" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>

Change administrator URL path
Security through obscurity layer
In CF Admin: Server Settings > Settings
Administrator URL Path: /cf-secure-admin-abc123

Creates new path, old path disabled
Access via: /cf-secure-admin-abc123/

Disable debug output for external IPs
Prevents information disclosure
In CF Admin: Debugging & Logging > Debug Output Settings
Enable: "Display debug output"
Restrict to IP addresses:
127.0.0.1
192.168.1.0/24

// Or in Application.cfc
this.debuggingIPAddresses = "127.0.0.1,192.168.1.100";
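
Block direct CF ports at firewall
Network-level protection
# Linux firewall (iptables)
# Accept loopback before the DROP rules so the local web server connector can still reach AJP on 8012
sudo iptables -A INPUT -p tcp --dport 8500 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8012 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8500 -j DROP
sudo iptables -A INPUT -p tcp --dport 8012 -j DROP

# Make persistent (the redirect has to run as root as well)
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'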

🛡️ Prevention

Run Lockdown Guide on install, regular security scans, IP whitelisting from start, never expose CF ports
