Today I’ve been doing some post-configuration testing of a JRun cluster I set up running ColdFusion MX 7.0 with multiple instances on each server and ran into a very strange problem. The application I was testing suddenly had an execution time of almost 5 seconds per page load for no apparent reason. I finally tracked down the offending code to a single tag, which was surprising: a simple <cfapplication name="namehere" /> tag.
After changing various JVM and configuration options, removing an instance from the cluster to test it individually without worrying about session replication, etc., I finally figured out the problem. Apparently the new Global Script Protection feature was making the execution time bloat from 31ms (which is pretty amazing for all of the stuff the particular app does during each page load) to the range of 4600ms for the cfapplication tag on a simple page load. Ouch. Has anyone else experienced this?
So I’ve been thinking about the above problem over the weekend, and I think I have an idea why it’s taking so long to process the cfapplication tag on that particular application. I have the feeling the global script protection scans various scopes, including the request scope. The request scope for the application I was testing has a pointer to a large API which is actually cached in the server scope. I wonder if it’s checking all of the objects in the request scope for cross-site scripting related strings?
Without really looking at the documentation much until after the problem, I saw that it was only checking CGI, Form, and Cookie scopes, which made sense. I just couldn’t figure out why this kept happening, and the Request scope was about the only thing I could think of. Turns out, after trying to narrow down the problem, it only happened in a really strange test case. It appears it was choking on some encrypted cookie values, but ONLY if I requested a page directly from the server and port rather than through a webserver which was part of a JRun cluster. Totally bizarre. No word yet if this is a bug or not, but it seems quite minor at this point.