ColdFusion 11 Wish List

So last week the ColdFusion product team announced a survey to get selected into the pre-release program for the next version of ColdFusion (refuse to call it by the code name since all I think of is Splenda). A lot of this has been rolling around in my head since they published the roadmap last August and really need to get this out before there is a possibility of being included in the pre-release and the requisite NDA. 


ColdFusion 10 did focus on security and by far was the most significant release to address the issue. It is listed on the roadmap, but can still be improved.


One of the areas that would improve the security of ColdFusion would be to make several changes to the installer.

First, Secure Profile should be an opt-out with a checkbox "Disable Secure Profile". In the ColdFusion 10 installer it is an opt-in with "Enable Secure Profile". There are too many administrators who just click through the installer. Explicitly making them opt out of Secure Profile would make them think about the implications of not selecting it, and most would probably leave it as is. No one wants a less secure install.

Second, the installer on Windows should allow one to change the default user that ColdFusion runs as just like the installer for Linux has done for ages. Those that attack ColdFusion specifically look for Windows installs since the majority of installs are left running as SYSTEM.

Lastly, while the lockdown guide is well done and extremely useful, it should be published as soon as the version is released (May 14, 2012), not 6 months afterwards (November 28, 2012). The lockdown guide should also be prominently displayed on the ColdFusion download page and within the ColdFusion Administrator.
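For the Windows service account point above, here is an added example (not part of the original post or of any Adobe tooling) that reports which account each ColdFusion service runs as and flags SYSTEM. It assumes the services can be found by "ColdFusion" in their name or display name; the sample records are constructed for illustration.

```powershell
# Added example: audit the logon account of ColdFusion Windows services.
# Assumption: services are identified by "ColdFusion" in Name or DisplayName.
function Test-ColdFusionServiceAccount {
    param(
        [Parameter(Mandatory)] [object[]] $Service,
        [string] $Pattern = 'ColdFusion'
    )
    foreach ($svc in $Service) {
        if ($svc.Name -notmatch $Pattern -and $svc.DisplayName -notmatch $Pattern) { continue }
        # Win32_Service exposes the logon account in the StartName property.
        $account = [string]$svc.StartName
        $finding = switch -Regex ($account) {
            '^(LocalSystem|NT AUTHORITY\\SYSTEM)$'          { 'FAIL: runs as SYSTEM'; break }
            '^NT AUTHORITY\\(LocalService|NetworkService)$' { 'REVIEW: shared built-in account'; break }
            '^\s*$'                                         { 'REVIEW: no logon account reported'; break }
            default                                         { 'OK: named account (verify it is low-privilege)' }
        }
        [pscustomobject]@{
            Name    = $svc.Name
            Account = $account
            State   = $svc.State
            Finding = $finding
        }
    }
}

# Constructed sample records shaped like Win32_Service output.
$sample = @(
    [pscustomobject]@{ Name = 'ColdFusion 10 Application Server'; DisplayName = 'ColdFusion 10 Application Server'
                       StartName = 'LocalSystem'; State = 'Running' }
    [pscustomobject]@{ Name = 'ColdFusion 10 ODBC Server'; DisplayName = 'ColdFusion 10 ODBC Server'
                       StartName = '.\svc_coldfusion'; State = 'Running' }
    [pscustomobject]@{ Name = 'Spooler'; DisplayName = 'Print Spooler'
                       StartName = 'LocalSystem'; State = 'Running' }   # ignored: not ColdFusion
)
Test-ColdFusionServiceAccount -Service $sample | Format-Table -AutoSize

# On a Windows host, run the same check against the live service list.
if ($env:OS -eq 'Windows_NT') {
    Test-ColdFusionServiceAccount -Service (Get-CimInstance Win32_Service) | Format-Table -AutoSize
}
```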


Sandboxing within ColdFusion is probably one of the more underutilized security features the product has had for the longest time. Part of that is due to the fact that it requires an Enterprise license to create multiple sandboxes. This is one area where the distinction between Standard and Enterprise should be dropped. Security should never be a for-pay feature.

There are several enhancements to sandboxing that should be done as well. The CFIDE sandbox does not apply to scheduled tasks or system probes, and it should. If they aren't part of the CFIDE sandbox, they should have their own sandbox defined for themselves. All sandboxes should be pre-defined to only allow access to port 80 so the administrator has to explicitly open access to external systems, as opposed to allowing all connections, which is the current default. Another minor issue is that it only allows IP addresses and should allow fully qualified domain names. Finally, sandboxing should be enabled by default when Secure Profile is enabled.


The ability to create PDFs was one of the best additions to ColdFusion back in version 7. Unfortunately, the functionality seems to have stagnated. This is the one area where ColdFusion can really set itself apart and excel: better rendering of HTML to PDF for Section 508 support as noted in bug id 3041212, more integration with PDF forms as noted in bug id 3117809, and handling signatures. The dependence ColdFusion has on iText, jPedal, and OpenOffice should be removed. It was understandable back in ColdFusion 7 and 8 when it was developed by Macromedia. PDF is an Adobe technology, as is ColdFusion; this should be doable. Hopefully this will happen since the roadmap says, "Revamped and new PDF functionalities".


The strength of ColdFusion has always been its ability to integrate with various back-end technologies like Java, .Net, Exchange, SharePoint, and Office documents. One of the main problems has always been things are never fully baked or key functionality is missing. A prime example is the lack of NTLM and Digest support on HTTP calls. It has been a long requested feature originally logged as bug id 72751 and migrated as bug id 3035879. It is currently marked as Deferred/Not Enough Time from ColdFusion 9.0 Alpha 1 (probably has been asked for longer, but can't find references). There is another bug id 3175165 which is strictly NTLM support and is set as To Fix from ColdFusion 9.0.1, but nothing on Digest. One could argue that this should have been addressed by now so ColdFusion can stay ahead of requirements coming from clients (seriously look at bug id 3175165, the developer is pleading for it so that ColdFusion can stay relevant at a large US Government agency).


Reporting is one area where integration is lacking. It is time to face the fact that ColdFusion Reports and ColdFusion Report Builder are defunct; no real update has occurred since version 8. Just kill it off. Integrating with a modern version of Crystal Reports for all platforms (not just Windows) and allowing for easy integration with Jasper Reports or BIRT should be the focus to solve the lack of good reporting solutions in ColdFusion.

Social Media

The one area of the roadmap that is of concern is "Enabling Enterprise to easily integrate with Social Media Streams". It is extremely buzzword compliant. Hope this does not mean <cftwitter>, <cffacebook>, or <cfsocialmedia> tags or functions. While these sound good in concept, just look at the issues with <cfmap> and the changing of Google Maps API from v2 to v3. There are projects like (monkeh)Tweet Twitter API that can provide the same integration and faster turnaround to API changes.

Getting a feed from Twitter is easy; integrating NTLM and Digest authentication is hard. Get back to making hard things easy.


Deployment is an area where ColdFusion has been severely lacking. While there are ColdFusion Archives (CAR) and J2EE Archives (WAR/EAR) in Enterprise, neither of these solutions easily integrates with a build environment. Both require interaction with the ColdFusion Administrator. There needs to be an easy way to script deployments, probably with Ant since pretty much every build environment can interact with it. The other issue with the existing J2EE Archives is that the resulting output is ridiculously large to support even the most basic ColdFusion Application. There needs to be a way to select only needed functionality into the WAR/EAR. If the ColdFusion Application isn't using Flex or <cfform> stuff, it should be possible to pull that out of the deployment.

Vote Up Existing Bugs, Suggest Enhancements

So even if you don't get into the pre-release for ColdFusion 11, what can you do? The best thing would be to go through the existing bugs to see if any issues you have are currently reported and vote them up. While the Adobe Bugbase is a pain to search, try the simple interface that Adam Cameron created. If you have an enhancement, submit it to the Adobe Bugbase and then get people to vote it up. Follow @cfbugnotifer on Twitter. See something on the Twitter feed, vote it up, retweet, get involved in the future of ColdFusion.

  1. #1 by Andy Peterson - March 25, 2013 at 3:54 PM

    With regards to Reporting, it just so happens that I was cleaning out old files and found a "Cold Fusion Pro 2.0" box, "for Windows NT or 95." It came bundled with Crystal Reports and a 300 page manual. It was so sweet. That relationship dissolved somewhere down the road, and then Crystal priced themselves out of the market, and now we're stuck with SSRS, which always has painful deployment issues for us. Sometime recently Crystal's price has come back waaaaay down - so much that we are looking at it again. Too bad the CF/CR relationship could not be reestablished, but I know there's a tendency not to rely on others' products in the deployment of CF.

    In the Integration vein, to the degree CF can integrate with NTLM, .NET, Sharepoint and other technologies that are on the scene in many organizations, the greater position it will be in in order to survive in this competitive space.
  2. #2 by Henry - March 26, 2013 at 6:07 PM

    - cfdocument should really make use of the webkit engine underneath.
    - websockets should work over SSL
    - cfscript-complete
    - improve wsconfig, clumsy in CF10, ALL doesn't work for IIS
  3. #3 by Justin Treher - March 27, 2013 at 8:00 AM

    The NTLM business is definitely of concern. Ignoring that feature just screams for DoD to finally phase out CF altogether for .NET.

    I'm also nervous about the social media entry. Knowing that any amount of time was spent on the 2013 equivalent of the CF8 UI tools is infuriating. It's not like cfmail, these APIs are so mercurial that baking in a feature that gets an update once every 18-24 months is not worth the effort for the end developer or the CF team.

    ++ a million to enhancement to PDFs and reporting--this is what corporate end users really need to be more efficient.
  4. #4 by David Epler - March 27, 2013 at 11:12 AM

    The thing that bugs me the most is the ever increasing need to put more things into ColdFusion and never go back and fix things that were added in previous releases.

    At some level I can kind of understand the lack of NTLM. It isn't really a standard and until recently was pretty much reverse engineered until Microsoft published it. But missing Digest when there is an RFC for it just boggles the mind. There are ways to get NTLM into CF with a few projects on riaforge or calling Java direct, but doing so misses the "making hard things easy".

    ColdFusion does not need additional reasons for someone to remove it from their environment, yet by not ensuring good integration, they are providing more nails for the coffin.

    The last thing is the relentless need for backwards compatibility. There should be no reason why ParameterExists should still work when it was marked to deprecate eons ago with CF 4.0.1. There needs to be a MAJOR language cleanup and serious consideration to legacy and forward looking version of CFML. Will it happen? Probably not, because it isn't something shiny and looks good for marketing, but really has become a critical issue.

  5. #5 by Jason Gray - April 14, 2013 at 3:29 PM

    I couldn't agree more with the comments about PDFs, better rendering of HTML to PDF for Section 508 support. You would think it is one of the features that should clearly set ColdFusion apart with Adobe behind both.

    I also wish CFML had a <cftimeout time="value is milliseconds"> tag for a block of code. I know CFML has a <cfthread> tag, but I don't want to deal with the cfthread scope or the copying of variables into tag as deep copying is very slow and expensive. I would want it to work somewhat like <cftransaction>.

    I have also had some problems with the <cfthread> tag and I think it calls the deprecated Thread.stop under the covers, I could be wrong or maybe it has changed since CF9. Read more:
  6. #6 by Mark Conger - May 29, 2013 at 11:18 PM

    Thank you, David for a very candid, yet optimistic outlook on CF 11's future.

    I've been away from CF for several versions now (I started at 3 and stopped at 8) so please take my suggestions with that in mind. But, I would like to get back into development or at least be able to partially hire it out for current needs. That said, here's my 2 cents.

    I just discovered BIRT this week and I'm SOLD that it's a great fit for CF. It's just an amazing work - and all for free. I really hope Adobe considers a friendly relationship with it, if not integrating it all together.

    Second, I did not see any reference to cloud data sources. All the big players are there now - Amazon, Google, Rackspace, etc. all with solid data solutions. Perhaps CF already plays well with them (remember, I've been away a while) but if not, I really hope there is an effort to make cloud data, even Google Spreadsheets, an easy integration.
