Scotch on the Rocks 2010, Day 1 part 1

Submitted by Falken on

This years Scotch on the Rocks was based in central London, a conveniently small walk from Trafalgar Square itself.
The venue was a perfectly well layed out Tiger Tiger, with large rooms for the talks and funky mezzanine chill out reception area.


Adobe took the opening keynote and launched straight into a review of the ColdFusion 9 launch, re-capping some very important (for us) changes such as being free for non-live deployment (testing, developer desktop, hot spare etc) as well as it's other new features.
Turning to the ColdFusion Builder IDE, it seems the majority of the audience in a show of hands is on Dreamweaver or CFEclipse, with only a few Builder users. Some cool extensions for Builder were shown off, such as Apptaculer that generates ORM CFCs as well as master/detail screens. It also lets you configure user friendly field names and field editors. It can do bulk table prefix/plural removal, and is generally a very powerful wizard to kick start a new CF9 project with.
As you can use Flex in extensions, you can also do some neat reporting tools too.
Next up was a lightning quick run though of Catalyst, which is now out to play with.
It still rocks just as much as when it was previewed last year as a designer-centric workflow tool. This part turned into a bit of a Catalyst demo which was odd as there was a whole talk about it later.
Eventually we do see wiring to ColdFusion to the project using Flash Builder, and an  Apptaculer generated CFC. This used the built in data services support as so was very easy to do.
Then we saw some demos of Air running on Andriod, this got a huge round of applause, and is very cool to see in real life, as the support is very nearly literally only just out :-)
The keynote ended with news on the next minor update to ColdFusion.
ColdFusion 9.0.1 has more complete CFScript support for things like cfdbinfo, pop, imap as well as handy language syntax like "" loops. Also confirmed as multi-DSN ORM, so you can use ORM with more than one database in each Application. It was also ace to get some never-seen-before information like support for most file operations on Amazon S3, and the ability to use HQL in cfquery; the later means I might never have to write (DB specfic) SQL ever again, which was something we aimed for with the Reactor project.
The only date I could coax out of anyone was "second half of year" unfortunately, but it certainly looks ready !  

Mastering the ColdFusion Application Framework

Ben Nadel (Epicenter Consulting)
Ben's talk on what you can do with 'just' Application.cfc was a bit of a mind opener.
He started by saying that "Your code is not the application, the application is just some stuff in memory" before explaining that only code in functions knows about your application, so anything in the psudo-constructor outside of a function executes 'before' the request starts.
One next trick as looking up the current Application settings (are cookies on etc.) by simply instancing the Application CFC and inspecting it.
I also learnt how to pronounce WDDX though I'm not sure it's a habit I should get into as it sounds really odd :-)
Ben also sets the to hash(getCurrentTemplatePath()) to avoid any chance of clash, I guess it's also handy for moving Application.cfc around, but I'm not sure many people do that, but that would really make CFLOG output look very ugly. Stick to a reverse dotted domain name and a small salt value (for security) if you don't have a dedicated server and I think you'll be OK.
Next Ben showed how you could use onCFCRequest() to cache a CFC used for AJAX (or Flex remoting, I suppose) calls, so it isn't created each time, and also to do better error handling. And of course this is all transparent to client, it's just using the normal path to CFC and 'returnFormat' paramter, only we're intercepting the request and doing the grunt work ourselves.
This has applications for being used as a replacement for things like FacadeStarter that would normally be called from onApplicationStart() to make sure things like ColdSpring Remote Proxies are created, the advantage being that you can delay creating each one until it is used, rather than doing them all at once, which in a large application could cause time outs after a server restart.
For his next trick, Ben showed as that even if your device (such as a phone or 3rd party Flash/ActiveX) doesn't have support for sending CFID/CFTOKEN cookies or URL parameters, and can't or wont alter their API to pass them, you can create the cookie.cftoken etc in the Application.cfc psuedo constructor (that runs before the request really gets going remember ! SMS API's for instance will often just give you one unique token per-device, so you have to manufacture the cookies from that.
It's also apparently a common problem with security audits that there is a CFID and CFTOKKEN cookie present (even though modern ColdFusion engines use random values, as opposed to just incrementing them like in the old days). Ben has a cool work around that packs the CFID and CFTOKEN in to a single custom cookie, then deletes them from the url and form scopes so users cant override them. Again, the trick is to set CFID and CFTOKEN back in the Applicaiton.cfc pseudo constructor before the request does it's security checked. By setting them to expires 'now' the cookies never get back to the browser. Very cool stuff.
Also interesting was a demo of a bug (or is it just bad but defined behaviour) for several requests starting at same time *when session cookies already set*; such as a initial HTML page with a FRAMESET to two CFML pages. Ben of course has a super-easy fix; just set an exclusive session lock (even though you don't need it) in both onSessionStart() and onRequestStart().
As well as showing how to minimise memory usage by only creating long lived sessions for real people (as opposed to search spiders) or logged in users, there was also a variation on the CFID/CFTOKEN recreation that worked by encrypting them to a replacement cookie, then decrypting them. Again the trick was to make this transparent to the code was to decrypt outside any method in Application.cfc This technique means you can have call a CFC just by appending a simple key to the URL, and it'll still get the same session.