Common ColdFusion Problems & Solutions
Comprehensive troubleshooting database for ColdFusion 2025 with diagnostic steps, solutions, and prevention strategies for the most common issues.
Memory Leak / Out of Memory Errors
Severity: critical
🔍 Symptoms
- java.lang.OutOfMemoryError: Java heap space
- Application becomes unresponsive over time
- Memory usage continuously increases
- Frequent garbage collection
🔬 Diagnosis Steps
- Enable GC logging: -Xlog:gc*:file=gc.log
- Monitor heap usage in PMT or FusionReactor
- Check for session variable accumulation
- Review query caching configuration
- Analyze heap dumps with Eclipse MAT
✅ Solutions
// In jvm.config: fixed heap size (example for 8GB heap)
-Xms8g -Xmx8g
// Clear large session variables
<cfset structDelete(session, "largeData")>
// Limit query caching
<cfquery name="q" cachedWithin="#createTimeSpan(0,0,5,0)#">
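// In jvm.config: G1 garbage collector settings
-XX:+UseG1GC -XX:MaxGCPauseMillis=200 -XX:G1HeapRegionSize=16m
// Set a session timeout so idle sessions are released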
<cfapplication
name="myApp"
sessionmanagement="yes"
sessiontimeout="#createTimeSpan(0,0,30,0)#"
setclientcookies="yes">
🛡️ Prevention
Monitor heap usage proactively, implement session size limits, use query caching judiciously, regular heap dump analysis
Slow Page Load Times / High Response Times
Severity: high
🔍 Symptoms
- Pages taking >3 seconds to load
- High P95/P99 response times
- User complaints about slowness
- Timeouts during peak load
🔬 Diagnosis Steps
- Enable PMT request tracking
- Profile slow templates with FusionReactor
- Check database query execution times
- Review web server connector settings
- Analyze thread dump for bottlenecks
✅ Solutions
// Add indexes to frequently queried columns
CREATE INDEX idx_userid ON users(userid);
// Use cfqueryparam for all variables
<cfquery name="getUser">
SELECT * FROM users
WHERE userid = <cfqueryparam value="#userid#" cfsqltype="cf_sql_integer">
</cfquery>
// Template caching
<cfcache action="cache" timespan="#createTimeSpan(0,1,0,0)#">
// Query caching
<cfquery name="getData" cachedWithin="#createTimeSpan(0,0,10,0)#">
SELECT * FROM products WHERE active = 1
</cfquery>
// Object caching with Redis
<cfset cachePut("userdata_#userid#", userData, createTimeSpan(0,0,30,0))>
// In server.xml
<Connector port="8500"
maxThreads="200"
minSpareThreads="25"
connectionTimeout="20000"
acceptCount="100"
enableLookups="false"
compression="on"
compressionMinSize="2048"/>
// Defer non-critical operations
<cfif structKeyExists(url, "loadExtras")>
<cfset heavyData = getExpensiveData()>
</cfif>
🛡️ Prevention
Regular performance testing, query optimization reviews, caching strategy, CDN for static assets
SQL Injection Vulnerabilities
Severity: critical
🔍 Symptoms
- Security scan findings
- Unexpected SQL errors in logs
- Unauthorized data access
- Database anomalies
🔬 Diagnosis Steps
- Run security scanner (OWASP ZAP, Burp Suite)
- Code review for dynamic SQL
- Check query logs for suspicious patterns
- Review all user input handling
✅ Solutions
// VULNERABLE CODE - DO NOT USE
<cfquery name="badQuery">
SELECT * FROM users WHERE username = '#form.username#'
</cfquery>
// SECURE CODE - ALWAYS USE
<cfquery name="secureQuery">
SELECT * FROM users
WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>
// Input validation
<cfif NOT reFindNoCase("^[a-zA-Z0-9_]{3,20}$", form.username)>
<cfthrow message="Invalid username format">
</cfif>
// Whitelist approach
<cfset validSortColumns = ["name", "date", "id"]>
<cfif NOT arrayContains(validSortColumns, url.sortBy)>
<cfset url.sortBy = "name">
</cfif>
// Use ORM instead of dynamic queries
entityLoad("User", {username: form.username}, true)
// Use queryExecute with params
queryExecute(
"SELECT * FROM users WHERE username = :username",
{username: {value: form.username, cfsqltype: "varchar"}}
)
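The allow-list and queryExecute patterns above, combined for the one case bound parameters cannot cover: a user-selected ORDER BY column. This is an added example, not code from the original page; the component, the function name searchUsers, the column names and the datasource myDB are assumptions.

```cfml
// UserSearch.cfc - added example; table, column and datasource names are assumed
component {

    // Keys a client may send, mapped to real column names.
    // Only the values of this struct are ever placed in the SQL text.
    variables.sortColumns = { "name": "last_name", "date": "created_at", "id": "userid" };

    public query function searchUsers(
        required string term,
        string sortBy = "name",
        string sortDir = "asc"
    ) {
        // Identifiers cannot be bound as parameters, so resolve them through the allow-list
        var column = structKeyExists(variables.sortColumns, arguments.sortBy)
            ? variables.sortColumns[arguments.sortBy]
            : variables.sortColumns["name"];
        // Direction is reduced to one of two fixed keywords
        var direction = (lCase(arguments.sortDir) == "desc") ? "DESC" : "ASC";

        // Reject oversized input before it reaches the driver
        if (len(arguments.term) > 50) {
            throw(type="InvalidInput", message="Search term too long");
        }

        // The search value is bound; the LIKE wildcard is appended to the bound value,
        // never concatenated into the SQL string
        return queryExecute(
            "SELECT userid, username, last_name, created_at
               FROM users
              WHERE username LIKE :term
              ORDER BY #column# #direction#",
            { term: { value: arguments.term & "%", cfsqltype: "cf_sql_varchar", maxlength: 51 } },
            { datasource: "myDB", maxrows: 100 }
        );
    }
}
```

Whatever arrives in url.sortBy or url.sortDir, the SQL text can only ever contain one of three column names and one of two keywords.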
🛡️ Prevention
Code review checklist, automated security scanning, developer training, never trust user input
Cross-Site Scripting (XSS) Vulnerabilities
Severity: high
🔍 Symptoms
- Security scan XSS findings
- Unexpected JavaScript execution
- Session hijacking attempts
- Malicious user-generated content
🔬 Diagnosis Steps
- Test with XSS payloads in all inputs
- Review output encoding practices
- Check Content Security Policy headers
- Scan with automated tools
✅ Solutions
// HTML context encoding
<p>#encodeForHTML(userInput)#</p>
// JavaScript context encoding
<script>
var userName = "#encodeForJavaScript(userInput)#";
</script>
// URL context encoding
<a href="profile.cfm?user=#encodeForURL(userInput)#">Profile</a>
// CSS context encoding
<div style="color: #encodeForCSS(userColor)#">
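// In Application.cfc
function onRequestStart(targetPage) {
    // Note: 'unsafe-inline' in script-src lets injected inline scripts run, so this policy
    // only limits external script sources; moving inline scripts to files or nonces
    // allows it to be dropped
    cfheader(name="Content-Security-Policy",
        value="default-src 'self'; script-src 'self' 'unsafe-inline' https://trusted-cdn.com; style-src 'self' 'unsafe-inline'");
    cfheader(name="X-Content-Type-Options", value="nosniff");
    cfheader(name="X-Frame-Options", value="SAMEORIGIN");
    // Legacy header: current browsers have removed the XSS auditor and ignore it
    cfheader(name="X-XSS-Protection", value="1; mode=block");
}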
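// Use OWASP Java HTML Sanitizer (the library JAR must be on ColdFusion's classpath)
// allowElements takes Java varargs, which ColdFusion passes as a string array
<cfset policy = createObject("java", "org.owasp.html.HtmlPolicyBuilder").init()
    .allowElements(javaCast("string[]", ["p", "br", "strong", "em"]))
    .toFactory()>
<cfset cleanHTML = policy.sanitize(userHTML)>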
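The Content-Security-Policy shown above allows 'unsafe-inline' for scripts. The following added example (not code from the original page) replaces that with a per-request nonce; the application name and the request.cspNonce variable are assumptions, and trusted-cdn.com is the page's own placeholder host.

```cfml
// Application.cfc - added example: nonce-based script-src instead of 'unsafe-inline'
component {
    this.name = "myApp";

    public boolean function onRequestStart(required string targetPage) {
        // Fresh nonce for every request: generateSecretKey() returns a random Base64 key
        request.cspNonce = generateSecretKey("AES", 128);

        // Inline scripts run only when they carry this request's nonce;
        // style-src is kept as on the page
        var policy = [
            "default-src 'self'",
            "script-src 'self' 'nonce-#request.cspNonce#' https://trusted-cdn.com",
            "style-src 'self' 'unsafe-inline'",
            "object-src 'none'",
            "base-uri 'self'"
        ];

        cfheader(name="Content-Security-Policy", value=arrayToList(policy, "; "));
        cfheader(name="X-Content-Type-Options", value="nosniff");
        cfheader(name="X-Frame-Options", value="SAMEORIGIN");
        return true;
    }
}

// In a template, each legitimate inline script opts in explicitly:
//   <script nonce="#encodeForHTMLAttribute(request.cspNonce)#">
//       var userName = "#encodeForJavaScript(userInput)#";
//   </script>
```

Inline event-handler attributes such as onclick are blocked under this policy and have to move into nonce-carrying or external scripts.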
🛡️ Prevention
Output encoding by default, CSP headers, input validation, regular security testing
Connection Pool Exhausted
Severity: high
🔍 Symptoms
- Error: "Unable to get connection from pool"
- Timeouts waiting for database connection
- Application hangs during database operations
- Growing connection count
🔬 Diagnosis Steps
- Check current pool usage in CF Admin
- Review connection timeout settings
- Look for unclosed queries/connections
- Monitor database connection count
- Check for long-running queries
✅ Solutions
// In ColdFusion Administrator or Application.cfc
this.datasources["myDB"] = {
driver: "MSSQLServer",
host: "dbserver",
database: "mydb",
port: 1433,
username: "user",
password: "encrypted:...",
connectionLimit: 100, // Increase from default
connectionTimeout: 30,
loginTimeout: 30
};
// Always close connections in finally block
<cftry>
<cfquery name="getData" datasource="myDB">
SELECT * FROM products
</cfquery>
<cfcatch>
<cflog file="errors" text="#cfcatch.message#">
</cfcatch>
<cffinally>
<!--- Connection auto-closed with cfquery --->
</cffinally>
</cftry>
// Close stored proc connections
<cfstoredproc procedure="myProc" datasource="myDB">
<cfprocresult name="result">
</cfstoredproc>
// Set reasonable timeouts
<cfquery name="getData"
datasource="myDB"
timeout="30"
maxrows="1000">
SELECT * FROM large_table
WHERE date > <cfqueryparam value="#dateAdd('d', -7, now())#" cfsqltype="cf_sql_timestamp">
</cfquery>
// Check pool usage
<cfset poolStats = getConnectionPoolStats("myDB")>
<cfif poolStats.activeConnections / poolStats.maxConnections GT 0.8>
<!--- Alert: Pool usage > 80% --->
<cflog file="monitoring" text="Connection pool usage critical: #poolStats.activeConnections#/#poolStats.maxConnections#">
</cfif>
🛡️ Prevention
Right-size connection pools, query timeouts, connection monitoring, regular pool stats review
High Garbage Collection Pause Times
Severity: medium
🔍 Symptoms
- Application pauses/freezes
- GC logs show pause >500ms
- User reports intermittent slowness
- Request timeouts during GC
🔬 Diagnosis Steps
- Enable GC logging: -Xlog:gc*:file=gc.log
- Analyze GC logs with GCViewer or GCEasy
- Check heap usage patterns
- Review GC algorithm configuration
- Monitor with PMT or FusionReactor
✅ Solutions
// In jvm.config
-XX:+UseG1GC
-XX:MaxGCPauseMillis=200
-XX:G1HeapRegionSize=16m
-XX:InitiatingHeapOccupancyPercent=45
-XX:G1ReservePercent=10
// Set min = max for consistent performance
-Xms8g -Xmx8g
// Heap should be 50-70% of total RAM
// 16GB server → 8-10GB heap
// Parallel GC threads (default: CPU cores)
-XX:ParallelGCThreads=8
// Concurrent GC threads (1/4 of parallel)
-XX:ConcGCThreads=2
// Reuse objects instead of creating new
<cfset stringBuilder = createObject("java", "java.lang.StringBuilder").init()>
<cfloop array="#items#" index="item">
<cfset stringBuilder.append(item)>
</cfloop>
<cfset result = stringBuilder.toString()>
// Avoid in-loop object creation
<cfset pattern = createObject("java", "java.util.regex.Pattern").compile("regex")>
<cfloop array="#data#" index="item">
<cfset matcher = pattern.matcher(item)>
</cfloop>
🛡️ Prevention
Proper heap sizing from start, G1GC for heaps >4GB, object allocation review, regular GC monitoring
ColdFusion Administrator Locked Out
Severity: high
🔍 Symptoms
- Cannot access CF Admin
- Forgot admin password
- Admin IP restriction blocking access
- MFA token issues
🔬 Diagnosis Steps
- Check IP restrictions in neo-security.xml
- Verify password hash in neo-security.xml
- Check MFA configuration
- Review web server access logs
✅ Solutions
// Stop ColdFusion
sudo systemctl stop coldfusion
// Run password reset
cd /opt/coldfusion2025/cfusion/bin
./cfpm resetadmin
// Follow prompts to set new password
// Start ColdFusion
sudo systemctl start coldfusion
// Edit: /opt/coldfusion2025/cfusion/lib/neo-security.xml
// Find and comment out:
<!--
<var name='allowedAdminIPList'>
<string>127.0.0.1,192.168.1.100</string>
</var>
-->
// Restart ColdFusion, then restore the IP list once admin access is recovered
// Edit: neo-security.xml
<var name='mfaEnabled'>
<boolean>false</boolean> <!-- Change from true -->
</var>
// Restart ColdFusion, then re-enable MFA once admin access is recovered
// Use CFBuilder or CF Admin mobile app
// Connect via RDS to manage settings
// RDS password in rds.properties
🛡️ Prevention
Document admin passwords securely, maintain IP whitelist, backup neo-security.xml, test MFA before enforcing
Web Server Connector Not Working
Severity: critical
🔍 Symptoms
- 404 errors for .cfm files
- Web server serves CFM as text
- CFIDE/administrator not accessible via connector
- Connection refused errors
🔬 Diagnosis Steps
- Check connector configuration in web server
- Verify ColdFusion AJP connector running (port 8012)
- Review web server error logs
- Test direct access to ColdFusion (port 8500)
- Check connector secret key match
✅ Solutions
// Linux/Mac
cd /opt/coldfusion2025/cfusion/runtime/bin
./wsconfig -ws apache -dir /etc/apache2 -v
// Windows
cd C:\ColdFusion2025\cfusion\runtime\bin
wsconfig.exe -ws iis -site "Default Web Site" -v
// Restart web server
sudo systemctl restart apache2
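// Check if AJP port listening
netstat -an | grep 8012
// Should see port 8012 in LISTEN state: 127.0.0.1:8012 with the address setting below;
// 0.0.0.0:8012 means the AJP port is listening on every interface
// If not, check server.xml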
<Connector port="8012"
protocol="AJP/1.3"
redirectPort="8445"
secretRequired="true"
secret="your-secret-key"
address="127.0.0.1"/>
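// Apache: In workers.properties
worker.cfusion.secret=your-secret-key
// IIS: In isapi_redirect.properties
connection_pool_size=10
secret=your-secret-key
// Must match server.xml secret
// Linux - Apache needs read access
// workers.properties holds the AJP secret and 644 makes it readable by every local user;
// where the setup allows, 640 with the web server's group keeps it readable by Apache only
sudo chmod 644 /etc/apache2/mod_jk.conf
sudo chmod 644 /etc/apache2/workers.properties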
sudo systemctl restart apache2
🛡️ Prevention
Document connector setup, backup connector configs, test after CF updates, monitor connector logs
Session Replication Issues in Cluster
Severity: medium
🔍 Symptoms
- Users logged out randomly
- Session data lost on failover
- Inconsistent session behavior
- Cluster node sync errors
🔬 Diagnosis Steps
- Check cluster member status in CF Admin
- Review session replication logs
- Verify multicast/network connectivity
- Check session storage configuration
- Monitor session size
✅ Solutions
// Application.cfc
this.sessionManagement = true;
this.sessionStorage = "redis";
this.sessionTimeout = createTimeSpan(0, 0, 30, 0);
this.redis = {
server: "redis.example.com",
port: 6379,
password: "encrypted:...",
database: 0,
connectionPoolSize: 50
};
// Store only essential data in session (IDs, not full objects)
<cfset session.userId = userQuery.id>
<cfset session.userName = userQuery.name>
// Load full user object on demand
<cffunction name="getCurrentUser">
<cfif NOT structKeyExists(request, "currentUser")>
<cfset request.currentUser = userService.getById(session.userId)>
</cfif>
<cfreturn request.currentUser>
</cffunction>
// NGINX example
upstream coldfusion {
    ip_hash;  # Sticky sessions by client IP
    server cf1.example.com:8500;
    server cf2.example.com:8500;
}
// Or use cookie-based (NGINX Plus directive; goes inside the upstream block in place of ip_hash)
sticky cookie srv_id expires=1h;
// In ColdFusion Admin:
// Server Settings > Memory Variables
// Enable: "Use J2EE session variables"
// Provides standard servlet session
// Better cluster support
🛡️ Prevention
External session storage from start, minimize session data, regular cluster testing, monitor replication logs
Unauthorized CFIDE Access
Severity: high
🔍 Symptoms
- Security scan finds CFIDE exposed
- Administrator accessible from internet
- Debug output visible externally
- RDS ports accessible
🔬 Diagnosis Steps
- Test external access to /CFIDE/administrator
- Check web server virtual host configs
- Review IP restriction settings
- Scan for exposed ports (8500, 8012)
- Check debug output settings
✅ Solutions
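// In Apache server or virtual host config (LocationMatch is not allowed in .htaccess)
// (?i) makes the match case-insensitive so /cfide/... is covered as well
<LocationMatch "(?i)^/CFIDE/(administrator|adminapi|componentutils)">
    Require ip 127.0.0.1
    Require ip 192.168.1.0/24
    Require ip 10.0.0.0/8
</LocationMatch>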
// Restart Apache
sudo systemctl restart apache2
// In web.config for CFIDE directory
<configuration>
<system.webServer>
<security>
<ipSecurity allowUnlisted="false">
<add allowed="true" ipAddress="127.0.0.1" />
<add allowed="true" ipAddress="192.168.1.0" subnetMask="255.255.255.0" />
</ipSecurity>
</security>
</system.webServer>
</configuration>
// In CF Admin: Server Settings > Settings
// Administrator URL Path: /cf-secure-admin-abc123
// Creates new path, old path disabled
// Access via: /cf-secure-admin-abc123/
// In CF Admin: Debugging & Logging > Debug Output Settings
// Enable: "Display debug output"
// Restrict to IP addresses:
127.0.0.1
192.168.1.0/24
// Or in Application.cfc
this.debuggingIPAddresses = "127.0.0.1,192.168.1.100";
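// Linux firewall (iptables)
sudo iptables -A INPUT -p tcp --dport 8500 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8500 -j DROP
// Let the local web server connector reach AJP before dropping everything else
sudo iptables -A INPUT -p tcp --dport 8012 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8012 -j DROP
// Make persistent (the redirect must run as root, so wrap it in sh -c)
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'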
🛡️ Prevention
Run Lockdown Guide on install, regular security scans, IP whitelisting from start, never expose CF ports