I've long suspected the Blazer web browser as a primary culprit in crashing my Treo. And so I was really pleased to have found an alternative, a newly released free version of Opera called Opera Mini that works on the Treo (you can download it via your PC, or on the Treo itself by going to that same URL).

Opera Mini is a Java app, so you'll need a JVM (I am using WebSphere Everyplace Micro Environment). And as a Java app (as opposed to a native Palm app) the menus and controls are quite different to those of typical Palm applications (the menu button, as an example, does nothing).

But, it is fast, it works, and it has yet to crash my Treo! So, despite a rather clunky interface (what is with that obnoxious flashing status bar at the bottom of the screen?), I have made Opera Mini the default browser on my Treo.

Amazon.com has been paying for Google AdWords for my name for quite some time now. And now they are also paying for the AdWords "MySQL Crash Course" (and linking to that search term which find my new MySQL book). Cool!

Andrea Veggiani, creator of CFXML_Blog, has started again and built a brand new ColdFusion based blogging app. What follows is his own description:

The official site is: http://www.avblog.org and the main features are:

• Both XML files or DB can be used for storage
• XML-RPC support for compatibility with client desktop like Qumana or Blogjet (support for blogger, metaweblog and movable type API)
• Google Talk integration (it's possible to read the blog and to edit posts and an alert is sent upon new comment receiving)
• Captcha images for spam prevenction
• Trackbacks support
• Autoping support
• Fully skinnable
• FCkeditor, TinyMCE supported (the user can choose what to use)
• CFMX 7.0 administration via Flash Forms
• Posts can be made via email
• Plugins included for Photoblog, Mini CMS and File Repository

The licence is GPL and the code now has no more italian words :) (in cfxml_blog i remember many complaints about that).

The Twin Cities ColdFusion User Group has been added to my upcoming tour, and I am now scheduled to be in Minneapolis on March 2nd. If you are in the area, be sure to drop by.

Other venues will be added. And there will be some changes, too (I have a scheduling conflict the week of March 6th, and will post revise dates for the San Diego, Phoenix, and Denver meetings as soon as I have them). More to follow.

Software Development Magazine's Jolt Product Excellence and Productivity Awards have been presented annually to showcase products that have "jolted" the industry with their significance and made the task of creating software faster, easier, and more efficient. And this year ColdFusion MX 7 has been nominated in the Web Development Tools category.

Onkyo produces high-end audio and reproduction equipment, including home theatre systems, speakers, DVD players, satellite radio receivers, and more. The multi-lingual Onkyo website which features product information, dealer locator, catalogs, downloadable software and manuals, and much more is all powered by ColdFusion MX. Thanks to Daniel Hoviss for sending this link my way.

Joe Danziger has launched a new blog dedicated to AJAX use with ColdFusion. Joe is the author of a recent CFDJ article on building a ColdFusion + AJAX shopping cart. Welcome Joe, we look forward to your postings.

I'll be presenting at a seminar on ColdFusion and Flex in NYC next week. The following is a copy and paste from the flyer. (If you want the flyer e-mailed to you, let me know).

Ray Camden has posted comments on my newly released MSQL Crash Course. Thanks, Ray.

The ColdFusion MX 7 Web Application Construction Kit has won Best Book in the 2005 MX Developer’s Journal / ColdFusion Developer’s Journal Readers Choice Awards, with Advanced ColdFusion MX 7 Application Development winning 2nd runner-up.

And in addition, my Tip-of-the-Day (which has not been updated in a couple of years, ever since I moved all of the content over to my blog, and which probably should not have even been a nominee in this category) won as Best CF Web Services. Humm.

Thanks to all who voted!

SeeFusion has been around for a while now, but I recently got the chance to take it for a spin, and wanted to share my thoughts. SeeFusion is a utility that lets you peak under the CF hood, allowing you to see lots of what's going on, and much of it in real time. I've previously mentioned that this type of monitoring is planned for ColdFusion "Scorpio", but SeeFusion is available right now, and I'd expect that even once we ship "Scorpio" serious ColdFusion developers will probably want both (hey, the more info the better).

SeeFusion tracks three types of requests; currently running requests (real-time), recently completed requests, and long running requests. It also features a JDBC wrapper that makes it possible to inspect detailed query related information, debug output, a dashboard for monitoring multiple servers at once, and much more. Lots of details, screenshots, and a live demo are all available online.

This is an incredibly impressive utility, and one that will be immensely useful to all ColdFusion developers. And with licenses starting at $150, SeeFusion could pay for itself the first time you use it. Check it out!

Adobe is the Platinum sponsor of CFUNITED 2006. I plan on attending, as do others on the ColdFusion team, and hope you do, too!

It looks like I am going to get the opportunity to present to user groups all over the U.S. in February and March. The subject will be Flex 2, with an in depth look at what this means for us ColdFusion developers, and will include coverage of Flex Builder 2 as well as new ColdFusion Flex integration technologies.

Currently planned locations are:

• AZ: Phoenix
• CA: Sacramento, San Diego, San Francisco
• CO: Denver
• DC: Washington
• GA: Atlanta
• IL: Chicago
• MO: Kansas City
• NY: New York
• PA: Philadelphia
• WA: Seattle

Venues in Europe are still being finalized. I'll post more details when I have them.

Pete Freitag has posted comments on my newly released MSQL Crash Course. Thanks, Pete.

If you are upgrading to SQL Server 2005, pay attention to this one ...

SQL Server has long supported two forms of OUTER JOIN syntax, the ANSI syntax (using LEFT OUTER JOIN, RIGHT OUTER JOIN, etc.), and the simplified T-SQL syntax (using *= and =*). If you've always used ANSI syntax then you are safe, but if you have any existing code that uses the simplified T-SQL syntax, that code will not run on SQL Server 2005, and the following error message will be returned:

The query uses non-ANSI outer join operators ("*=" or "=*"). To run this query without modification, please set the compatibility level for current database to 80 or lower, using stored procedure sp_dbcmptlevel. It is strongly recommended to rewrite the query using ANSI outer join operators (LEFT OUTER JOIN, RIGHT OUTER JOIN). In the future versions of SQL Server, non-ANSI join operators will not be supported even in backward-compatibility modes.

Fortunately, that message also provides the solution. Using the sp_dbcmptlevel stored procedure you set the backwards compatibility level so that the old style outer joins work. Until you manually fix them all, that is.

I presented an introduction to Flex Builder 2 this evening to my local CFUG, the Detroit Area ColdFusion User Group. Some of the attendees had seen Flex previously, but none had actually used it themselves. This made showing it off both fun and easy.

And to make things more interesting, I used a very recent build of Flex Builder 2 (so recent that I had to rework some of my demos minutes before we started). No, it did not crash, but I did have to close and reopen my project a few times. But hey, the new features make it so worthwhile! ;-)

All in all, a very good meeting. And a 5 minute commute home from a CFUG is a pleasant rarity!

The TIOBE Programming Community Index for January 2006 has been released. Java and C have treaded places for the #1 and #2 spots (Java is now in the lead), Python and Delphi are slipping, C# is on the rise, Ruby misses the top 20 by one spot ... and ColdFusion climbed from 25th to 16th (the biggest mover on the board).

There are some real oddballs here, too. ActionScript below Prolog and Ada? PL/SQL as a programming language (but no other SQL implementations)? And it gets worse, too.

Now, just to be brutally honest, I have no faith in these numbers and in what they are supposed to mean. And so I don't read much (if at all) into rankings and comparative movements. But, one point may be worthy of consideration. Assuming that the data compilation and analysis used the same techniques and patterns this year as they did last, TIOBE has discovered massive growth in ColdFusion use this past year.

Several users have wanted to know if ColdFusion supports SQL Server 2005. And the answer appears to be yes. I am using ColdFusion MX 7.01 with the default SQL Server driver, and am connected to SQL Server 2005, and so far so good. Microsoft does have a new SQL Server 2005 JDBC driver in beta, but thus far I have not installed it, and not needed to. All testing thus far has worked flawlessly, using basic statements as well as browsing tables and schemas via RDS.

The only two issues I ran into were minor configuration and security setting defaults that needed to be tweaked.

First of all, by default SQL Server 2005 has TCP/IP connections disabled. To enable TCP/IP support, use the SQL Server Configuration Manager tool, select SQL Server 2005 Network Configuration, select Protocols, double-click on TCP/IP, and turn on Enabled.

The next gotcha was the user account. I created a SQL Server user account for ColdFusion, but by default SQL Server 2005 only uses Windows Authentication (which is generally not how ColdFusion would authenticate). To enable support for SQL Server Authentication, right-click on the server in Microsoft SQL Server Management Studio, select Properties, Security, and set Server Authentication to SQL Server and Windows Authentication.

And that seems to do the trick.

Lego Mindstorms is one of the best toys-for-overgrown-kids out there, and now Lego has one-upped themselves with the announcement of the Mindstorms NXT, the next generation Mindstorms featuring a new 32bit brick, new sensors (including sound and touch), and Bluetooth support. The product is due out in the fall of 2006, so you have a few more months to get work done before your productivity takes a scheduled nosedive. Oh, and here's the best part, Lego is looking for 100 users to join the Mindstorms Users Panel, lucky individuals who will get their hands on the NXT four months ahead of the rest of civilization.

Yes, a new codename for a new update to ColdFusion. "Scorpio" (which Tim Buntel and I announced at CFUNITED last year) is still the next major version of ColdFusion, but we have some goodies up our sleeve that you'll really want sooner than that, and thus ColdFusion "Mystic" (as first leaked by Damon Cooper).

Ray Camden's new project, ColdFusion Cookbook is up and running. Check it out! (And contribute, too)!

Apparently CNet's News.com staff writers Declan McCullough and Anne Broache just can't resist the lure of sensationalism and fearmongering. After yesterday's blatantly inaccurate and highly inflammatory Government Web sites are keeping an eye on you (which undoubtedly generated lots of page views and thus advertising revenue for CNet), they followed up today with Part 2 entitled Congress' hands caught in the cookie jar.

The highlight of the story (complete with a high impact icon) is this: "Although they have promised to abstain from using cookies to track visits to their Web sites, at least 23 U.S. senators do so. Overall, 66 members of Congress use the tracking devices."

The story picks Sen. John McCain (R-Ariz) as its first example, citing that he "has been a longtime advocate of strict privacy laws to restrict commercial Web sites' data collection practices", and then points out that "visiting mccain.senate.gov implants a cookie on the visitor's PC that will not expire until 2035". (Hey, what can be more sensational that tying the story to a Senator who happens to be in the news for his efforts in combating unethical political behavior?).

And of course the experts have been unable to resist the urge to jump in so as to sound significant and outraged. Sonia Arrison, director of technology studies at the Pacific Research Institute, a nonprofit group in San Francisco exclaims that "it's willful ignorance. They're complete hypocrites. How can they accuse companies of poor data management when they're not doing it on their own Web sites?" And Jim Harper, director of information studies at the Cato Institute, a free-market think tank, adds "the irony is rich".

There is just one big problem with this story. And that is that this is fearmongering at its best; scaring the public, and taking advantage of government officials who did nothing wrong but whom will inevitably have to make a show of fixing the problem.

Why is this just fearmongering and sensationalism? Consider this quote: "In many cases, politicians seemed to be unaware of their use of Web tracking technology until being contacted this week.". Or this story subtitle, "Dozens of U.S. senators are quietly tracking visits to their Web sites even though they have publicly pledged not to do so.".

Tracking Visits? Web tracking technology? Is this a display of utter ignorance or simply wanton disregard for the facts so long as it generates clickthroughs?

Cookies do not equal tracking. Yes, cookies could be used to track users, but the presence of a cookie does not mean that anything is being tracked. Politicians seemed to be unaware of their use of tracking, because, well, there is no tracking going on!

But, facts appear to be unimportant to Declan McCullagh and Anne Broache. Even though the ColdFusion team explained the facts to them repeatedly (both before and after the initial story ran), they have once again opted to capitalize on sensationalism, taking advantage of the public's fear and politician's sensitivity to the perception of impropriety.

But hey, to hell with facts, I am sure the clickthroughs make it all worthwhile.

(If, unlike Declan McCullagh and Anne Broache, you want the facts, see my previous post).

CNet's News.com is running a story by staff writers Declan McCullagh and Anne Broache with the sensational title Government Web sites are keeping an eye on you.

The key points of the article are:

• A 2003 directive makes it illegal for federal agency web sites to track user activity or monitor user behavior.
• Some government agencies are using cookies on their sites (although there is no report of what those cookies are and what it is that is stored in them).
• "Many of the cookies appearing on the errant Web sites were generated by ColdFusion, the popular Web authoring tool ... which sets them to expire about 30 years in the future".
• WebTrends and ColdFusion are the only products mentioned as the ones creating cookies.
• The article does not actually state that ColdFusion is doing bad things (with the exception of "one Smithsonian Institution Web staffer, who initially denied the existence of persistent cookies detected by CNET News.com on the National Air and Space Museum's site, said that ColdFusion settings were probably to blame"), but there is a sense of guilt-by-association here.

This is yet another alarmist article, decrying the presence of cookies without any explanation of what they are used for and what is stored in them. Blanket statements about cookies are irresponsible. But that is not my real concern here. The bigger issue is ColdFusion, cookies, and "30 year" persistence.

So, what are these "30 year" cookies? Where does that number come from, and what does it actually mean?

First let me make this very clear: ColdFusion does not store any data in cookies. Ever.

But ColdFusion does create cookies for you. How? If you use CLIENT or SESSION variables then identifier cookies are created. These contain an id and a token (the combination of which make up a unique client identifier) but no actual data is ever stored in cookies. These cookies are persistent cookies, they don't expire, although the SESSION or CLIENT that they identify does indeed expire.

Granted, the presence of CFID and CFTOKEN (or jsessionid) cookies may alarm some users, but the fact of the matter is that these cookies present neither a privacy nor a security concern.

This is all explained quite clearly in the ColdFusion documentation. As is how to a) maintain session-state without using cookies at all, and b) how to make these identifier cookies persist only until the end of the browser session.

So, to clarify, ColdFusion does create cookies if you use session-state management, but these store simple identifiers (a number or a UUID, and no actual data), and cookie use can be disabled altogether (although this is not the default behavior).

So, is there an actual risk here? Can cookies contain more sensitive information and persist for "30 year"?

Well, no, not if they are ColdFusion generated cookies. But developers can indeed opt to do so.

The ColdFusion <cfcookie> tag is used to create (and update and delete) cookies. ColdFusion developers can use this tag to store data in cookies, and they can (although they should not) store sensitive data in these cookies. The <cfcookie> tag EXPIRES attribute specifies how long the cookie should persist for. By default, cookies expire when the browser closes. But it is also possible to specify an actual date and time for them to expire, as well as "never" which (as the documentation explains) makes the cookie expire "in 30 years from the time it was created (effectively never in web years).".

In other words, ColdFusion developers can create cookies that do indeed have a "30 year" lifetime, but that is not the default behavior, that is something a developer must consciously decide to make happen. As such, this scenario cannot be what the story refers to (ColdFusion tracking occurring without anyone knowing that it was going on).

So, we are back to CFID and CFTOKEN, the identifier cookies, which we know store no user data and do no monitoring.

Now, it could be argued that ColdFusion should not use cookie identifiers by default. There are two primary ways to identify sessions, cookies and URL tokens, and the default could indeed be to use the latter. This would be a valid suggestion, but as any developer who has opted to go down this road knows, this makes development far more complex. As such, I believe that the default behavior is what it should be (because, the identifier cookies do not store anything sensitive, they store no data at all).

It could also be argued that the default lifetime of these cookies should be lower. That is something we need to consider, although I suspect that as dramatic as "30 year" sounds, the same article would have been written even for a shorter duration.

The only way around this (without defaulting to URL tokens) would be for the identifier cookies to be browser cookies (expiring when the browser closes), and that is an option worth considering. This would not actually make any real difference (because, once again, these are identifier cookies only), but it could help placate ignorant alarmists.

But ColdFusion is still creating cookies. Do these violate the OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002?

The text reads: "agencies are prohibited from using persistent cookies or any other means (e.g., web beacons) to track visitors' activity on the Internet". It does not prohibit all persistent cookies, only those used to "track visitors' activity on the Internet". The text does not explain what "track" actually means, but the context is clear, cookies are prohibited when used for the tracking of user activity. Indeed, the text goes on to say that persistent cookies may be used (subject to approval and authorization) so long as the agency posts "clear notice in the agency's privacy policy of the nature of the information collected, the purpose and use for the information, whether and to whom the information will be disclosed; and the privacy safeguards applied to the information collected.". This clarifies things quite a bit, and explains what the concern is; the collection of information (and possible subsequent disclosure).

ColdFusion's identifier cookies track nothing, they identify a session which quickly times out (the default time out is 20 minutes, and the default server imposed maximum is 2 days). No data is collected, there is no risk of future disclosure, there is no tracking. And as such, these identifier cookies do not violate the privacy provisions!

With all of this in context, consider the following quotes from the story:

• "Many of the cookies appearing on the errant Web sites were generated by ColdFusion, the popular Web authoring tool. When the software creates certain types of cookies, it automatically assigns them a default persistent setting." The only cookies that persist by default are the identifier cookies, which store no data and do no tracking.
• "Many agencies appeared to have no inkling that their Web sites were configured to record the activities of users." Configured to record the activities of users?
• "Representatives at several agencies said they were astonished to see cookies on their Web sites, and they blamed their Web designer's lack of understanding of ColdFusion's default settings." Again, if developers did not put the cookies there, then the only cookies are the identifier cookies.

My big problem with this story is that it leaves the impression that ColdFusion performs tracking and stores data, and that this occurs whether or not developers are aware of it. And this is just blatantly false!

Unless a developer opts to do so, there is no recording of user activity, there is no sensitive data stored in cookies, and there is no risk or violation of federal directives. It is as simple as that.

By weaving together partial facts, incomplete explanations, and tales of panicked reactions, Declan McCullagh and Anne Broache have traded journalist integrity and technical understanding for ignorant alarmist sensationalism. They should be ashamed of themselves!

The CF Docs Bots were offline the past few days. Apparently, my serial number for JBuddy-CF expired at the end of 2005. I've updated the serial number, and the bots are all back online. Sorry about that.

The addresses are unchanged:

• AIM: cflivedocs
• Google Talk: cfdocs@gmail.com
• Yahoo IM: cflivedocs

A ColdFusion user asked me for a way to programmatically determine if a URL exists, so I threw together this UDF. It uses <cfhttp> to attempt to retrieve a specified URL (not resolving any internal URLs, and not throwing an error upon failure). If an HTTP status code 404 is returned then the UDF returns false, otherwise it returns true. The code is not just checking for status code 200 (or 2xx, for that matter), and this means that codes like 401 (unauthorized) and 403 (forbidden) will return true (these status codes do not necessarily mean that the URL does not exist).

Updated as per Steve's sugestion and Gus' important feedback.