Aliaspooryorik

Why shared hosting is bad

I've just been catching up on the various mailing lists I'm subscribed to and spotted this comment by Sean Corfield:

if your application is on the same shared host as mine, I can read your application variables. If you have passwords or other sensitive data and your application loads that into application scope - even via a framework - then I have your passwords. This has been true for years and I have to keep reminding people about it. It's a function of how application scope works - each application is a sub-structure of the unnamed web application context for the underlying Java container so it's easy to get access to that and then walk through all the applications running on that server.

I have to admit, I didn't know that! I knew that you needed to name your applications uniquely so that you don't have to worry about your application sharing variables with another application (with the same application name) on the server. A common solution is to use something like Hash( GetCurrentTemplatePath() ) for your application name.

One of our clients decided not to use a VPS and signed up to a cheaper alternative. So after a little bit of googling I found the Java code I needed, wrote a 10 line cfm script and sure enough I could read the session data in the application scope (I'm not going to post the code here, but it's pretty easy to find). Scary stuff!

So heed Sean's words - I will!
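As an added illustration (not code from the post), here is an Application.cfc that applies the unique-name convention above and keeps credentials out of the application scope; the DSN alias and setting names are assumptions:

```cfml
// Application.cfc - added example, not from the post. "exampleDSN" and the
// setting names are assumptions.
component {
    // A unique name stops two sites deployed under the same folder name on one
    // server from sharing an application scope (the convention mentioned above).
    this.name = hash( getCurrentTemplatePath() );
    this.applicationTimeout = createTimeSpan( 1, 0, 0, 0 );
    this.sessionManagement = true;

    public boolean function onApplicationStart() {
        // Weak pattern: on a shared host another tenant can walk the unnamed web
        // context and read this structure, so a unique name does NOT protect it.
        // application.dbUser     = "appuser";
        // application.dbPassword = "s3cret";

        // Safer: store only what another tenant may read. Database access goes
        // through a DSN alias configured in the Administrator, so no credentials
        // ever enter the application scope.
        application.siteName   = "Example Site";
        application.datasource = "exampleDSN";
        return true;
    }
}
```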


10 comments

  1. I've been unable to try it but I have methods for accessing / killing sessions on a server. If the application scope is up for grabs then the session scopes are probably accessible as well. Which is probably even more scary as you'd be able to hijack sessions by retrieving the cfid & cftoken values.

    Comment by David Boyer – April 29, 2010
  2. Hi David, Yes, I could see the cfid and cftoken so session hijacking is a real possibility!

    Comment by John Whish – April 29, 2010
  3. Shared hosting is a security risk.

    I've written code that allows me to inspect all the applications and their sessions that run on our servers. Our case is different in that we only offer web applications as a service and do not allow others to access our servers. There are times when I find it very useful to use the tool I created to see exactly what some user has done and has stored in their session.

    I blogged about this a long time ago and posted a few code snips that would let you access everything. www.trunkful.com/index.cfm/2008/11/25/See-all-applications-and-their-sessions

    Comment by WilGeno – April 29, 2010
  4. @WilGeno, that's a nice little script :) The one I wrote just dumped everything out to see if you could do it.

    Comment by John Whish – April 29, 2010
  5. This is why Railo was built from the ground up so that each host gets its own context, entirely walled off from all the other contexts.

    Comment by Peter Boughton – April 29, 2010
  6. @Peter, I did wonder about that as I know Railo can have a separate web context per site - thanks for posting.

    Comment by John Whish – April 30, 2010
  7. I've never been a fan of shared hosting. Simple fact is that even if your code is absolutely bang on, you're leaving your business in the hands of others.

    For general usage (blog, portfolio, etc.), ColdFusion has never been the answer anyway. The cost, even of standard, just doesn't make sense for hosting a blog. Railo and OpenBD put a new spin on this because of having no price tag, but I'd still be inclined to use some sort of hosted solution, which gives you Wordpress. If you definitely want a CFML solution, then look at www.blog-city.com

    Of course, with the newer cloud options available to us, e.g. Rackspace Cloud, you can grab a fairly cheap Cloud Server, install Railo/OpenBD on it and off you go. Rackspace are still a good option if you do want to run CF, although you'll need a 2GB server to really give CF room to breathe, but you're only talking about $86 a month (you still obviously need a CF license).

    Getting back to the main point. CF was never designed for shared hosting and if you really want to risk your business on it you deserve what you'll ultimately get.

    Comment by Andy Allan – May 02, 2010
  8. @Andy, whilst I agree with you that shared hosting is not ideal, as a company we had the choice of agreeing to deploying to a cheap shared hosting provider or lose the client as they didn't want to pay for more expensive hosting. I think the basic problem applies regardless of which technology you use for the backend.

    Comment by John Whish – May 05, 2010
  9. Hi John,

    We've been very happy with our CF hoster. But the sandbox problem is of such a degree that we've decided to pull all our CF-sites from the hoster and put them on two new own servers running Railo, Tomcat, Apache and Ubuntu. This is a very cheap and not to forget SAFE option that you can offer your clients if they want cheap hosting.

    So even though we've been very happy with CF8, the price-tag, lack of shared hosting running Enterprise edition and lack of direct access to the Administrator, we've found all this in Railo. The roadmap for Railo also includes the new CF9 features and more, and combined with the speed of Railo and the per-client Administrator we're convinced this is the future for us.

    So

    Comment by Sebastiaan – May 10, 2010
  10. @Sebastiaan, yeah, running Railo separate contexts is definitely something I'm going to be looking into :)

    Comment by John Whish – May 12, 2010
