System information
Adobe documentation - Confidential 
ColdFusion Administrator Settings 
In this section several recommendations are made for ColdFusion server settings. It is important to understand that changes to some of these settings may affect how your website functions and performs. Be sure to understand the implications of all settings before making any changes.
Server Settings > Settings 
| Setting | Default | Recommendation | Description |
|---|---|---|---|
| Timeout Requests after | Checked / 60 Sec. | Checked / 5 Sec. | Set this value as low as possible. Any templates (such as scheduled tasks) that might take longer should use the cfsetting tag. For example: `<cfsetting requesttimeout="60">` |
| Use UUID for cftoken | Unchecked | Checked | The default cftoken values are sequential and make it fairly easy to hijack sessions by guessing a valid CFID / CFTOKEN pair. This setting is not necessarily required if J2EE sessions are enabled; however, it doesn't hurt to turn it on anyway. |
| Disable CFC Type check | Unchecked | Unchecked | Developers may rely on the argument types; enabling this setting might allow attackers to cause new exceptions in the application. This setting may be enabled if the developer(s) have built the application to account for this. |
| Disable access to internal ColdFusion Java components | Unchecked | Checked | The internal ColdFusion Java components may allow administrative duties to be performed. Some developers may write code that relies on these components. This practice should be avoided as these components are not documented. |
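To confirm that "Use UUID for cftoken" has taken effect, the session cookies your own server issues can be checked after the change. The following is an added example, not part of the Adobe documentation: the header lines are constructed samples, the function names are hypothetical, and it assumes a UUID-style token appears as hyphen-separated hexadecimal groups while a default token is all digits.

```python
import re

# Constructed sample response headers (not captured from a real server).
SAMPLE_BEFORE = [
    "Set-Cookie: CFID=1204; Path=/; HttpOnly",
    "Set-Cookie: CFTOKEN=48213377; Path=/; HttpOnly",
]
SAMPLE_AFTER = [
    "Set-Cookie: CFID=1205; Path=/; HttpOnly",
    "Set-Cookie: CFTOKEN=0a1b2c3d4e5f6a7b-0F1E2D3C-4B5A-6978-8796A5B4C3D2E1F0; Path=/; HttpOnly",
]

COOKIE_RE = re.compile(r"^set-cookie:\s*(cfid|cftoken)=([^;\s]*)", re.IGNORECASE)
# Assumption: a UUID-style token is hyphen-separated hex groups, 32+ hex digits in total.
HEX_GROUPS_RE = re.compile(r"^[0-9a-f]+(-[0-9a-f]+)+$", re.IGNORECASE)


def extract_cf_cookies(header_lines):
    """Return {'CFID': value, 'CFTOKEN': value} for the cookies present."""
    found = {}
    for line in header_lines:
        m = COOKIE_RE.match(line.strip())
        if m:
            found[m.group(1).upper()] = m.group(2)
    return found


def classify_cftoken(token):
    """'numeric' = default-style token, 'uuid' = UUID-style, else 'unknown'."""
    if token.isdigit():
        return "numeric"
    if HEX_GROUPS_RE.match(token) and len(token.replace("-", "")) >= 32:
        return "uuid"
    return "unknown"


def audit(header_lines):
    """Return (verdict, detail) for one response's headers."""
    cookies = extract_cf_cookies(header_lines)
    if "CFTOKEN" not in cookies:
        return ("no-cftoken", "no CFTOKEN cookie set (J2EE sessions may be in use)")
    kind = classify_cftoken(cookies["CFTOKEN"])
    if kind == "uuid":
        return ("ok", "CFTOKEN is UUID-style")
    if kind == "numeric":
        return ("fail", "CFTOKEN is numeric: enable 'Use UUID for cftoken'")
    return ("review", "CFTOKEN format not recognised: " + cookies["CFTOKEN"])
```

Pass audit() the response header lines from a fresh, cookie-less request to your own application; a "fail" verdict means the setting is still unchecked or the service has not picked up the change.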