Safe Scheduled Tasks

Last updated: October 4, 20259 min read

Configure ColdFusion scheduled tasks with proper security controls, timeouts, and monitoring to ensure reliable automation without compromising server security.

Scheduled Task Security

Scheduled tasks can become vectors for security vulnerabilities if not properly configured:

  • Use allowlisted output directories defined in pathfilter.json to restrict file operations
  • Never allow tasks to write output to arbitrary file system locations
  • Configure tasks to run with minimal privileges necessary for their function
  • Validate and sanitize any parameters passed to scheduled tasks
  • Log all task execution details to maintain a complete audit trail

Path Filtering for Task Output

You should configure pathfilter.json to restrict where scheduled tasks are allowed to write files:

// /opt/coldfusion/cfusion/lib/pathfilter.json
{
  "allowedPaths": [
    "/var/app/reports",
    "/var/app/exports",
    "/var/app/backups"
  ],
  "deniedPaths": [
    "/etc",
    "/root",
    "/home",
    "/opt/coldfusion/cfusion"
  ]
}
Important: Review and update path allowlists after every ColdFusion update or hotfix.

Timeouts and Error Handling

You should always configure appropriate timeouts to prevent hung tasks from consuming server resources indefinitely:

  • Set an explicit request timeout value for each task based on expected execution time
  • Configure retry logic to handle transient failures gracefully
  • Implement exponential backoff between retry attempts to avoid overwhelming resources
  • Send alerts to operations teams when tasks experience repeated failures
  • Log comprehensive details including task start time, end time, duration, and final status
<cfsetting requestTimeout="300"> <!--- 5 minutes --->

<cftry>
    <!--- Task logic here --->
    <cflog file="scheduled_tasks"
        type="information"
        text="Task completed: taskName=dailyReport, duration=#getTickCount() - startTick#ms">

    <cfcatch>
        <cflog file="scheduled_tasks"
            type="error"
            text="Task failed: taskName=dailyReport, error=#cfcatch.message#">

        <!--- Send alert to ops team --->
        <cfmail to="ops@example.com" from="cf@example.com" subject="Task Failed">
            Scheduled task failed: #cfcatch.message#
        </cfmail>
    </cfcatch>
</cftry>

Clustering Considerations

In clustered environments, you need to prevent duplicate task execution across multiple nodes:

  • External Scheduler: Use cron or Windows Task Scheduler to invoke tasks on only one designated node
  • Database Locking: Acquire a database lock before task execution to prevent other nodes from running the same task
  • Distributed Lock: Use Redis or a similar distributed system to manage cluster-wide locks
  • Leader Election: Implement leader election so that only the leader node executes scheduled tasks
<!--- Example: Database lock pattern --->
<cfquery name="getLock" datasource="mydb">
    UPDATE task_locks
    SET locked_by = <cfqueryparam value="#server.coldfusion.rootDir#">,
        locked_at = <cfqueryparam value="#now()#" cfsqltype="cf_sql_timestamp">
    WHERE task_name = <cfqueryparam value="dailyReport">
      AND (locked_at IS NULL OR locked_at < <cfqueryparam value="#dateAdd('n', -10, now())#" cfsqltype="cf_sql_timestamp">)
</cfquery>

<cfif getLock.recordCount GT 0>
    <!--- We got the lock, run task --->
    <cftry>
        <!--- Task logic --->
        <cffinally>
            <!--- Release lock --->
            <cfquery datasource="mydb">
                UPDATE task_locks SET locked_by = NULL, locked_at = NULL
                WHERE task_name = <cfqueryparam value="dailyReport">
            </cfquery>
        </cffinally>
    </cftry>
<cfelse>
    <!--- Another node is running this task --->
    <cflog file="scheduled_tasks" type="information"
        text="Task skipped - already running on another node">
</cfif>

Monitoring and Alerting

You should implement comprehensive monitoring to ensure scheduled tasks are running reliably:

  • Track task execution duration using the Performance Monitoring Toolset (PMT)
  • Configure alerts to notify you immediately of task failures or timeouts
  • Monitor for tasks that stop running entirely and miss their scheduled execution times
  • Create a dashboard that shows the last run time and current status for all tasks
  • Perform trend analysis on task performance over time to identify degradation

Best Practices

  • Use database-driven schedules instead of the CF Administrator so you can version control your task configurations
  • Store all task configuration and code in version control for auditability and rollback capability
  • Always test scheduled tasks thoroughly in staging environments before deploying to production
  • Implement tasks to be idempotent so they're safe to run multiple times without adverse effects
  • Consider using message queues for long-running background work instead of scheduled tasks
  • Document all task dependencies and data flow to help with troubleshooting and maintenance

Scheduled Tasks Checklist

  • Output directories allowlisted in pathfilter.json
  • Request timeout configured for each task
  • Error handling and logging implemented
  • Retry logic for transient failures
  • Cluster-safe execution (locks or external scheduler)
  • Monitoring and alerting configured
  • Tasks documented with purpose and dependencies
  • Test coverage for task logic

Gotchas

  • Tasks run with same permissions as ColdFusion server - limit file system access
  • Missed schedules aren't automatically re-run - implement monitoring
  • Long-running tasks can accumulate if frequency exceeds duration
  • Task configuration in Administrator not version controlled - use database
  • Cluster without coordination runs tasks on all nodes - use locking
  • Pathfilter changes require ColdFusion restart to take effect

References

Need Help?

Convective can help design and implement reliable scheduled task architectures.

Find out more