
I'm working with an Apache server setup where we want to use SetEnv in the vhost to define whether the code is running in development, beta or production. The actual web application is running on ColdFusion 8/JRun. I've set the value in the vhost using the following code:

<VirtualHost *:80>
...
SetEnv COLDFUSION_ENVIRONMENT development
...
</VirtualHost>

The app reads this value just fine. However, if I use the Modify Headers plugin in Firefox to send a header named COLDFUSION_ENVIRONMENT with another value, e.g. foobar, then the value coming from the browser is used in the application, not the value defined in the vhost. The question, of course, is why, and how can I prevent this? Using an environment variable seems to be pretty common in order to determine on what server an app is running, so if this indeed is the way to do it, it looks like a pretty big security hole to me, as it would open up the option to switch into development mode on the production server... Is there some other best practice way to do this in ColdFusion?

Update:

I was able to work around the original issue by using the following instead of SetEnv:

<VirtualHost *:80>
...
RequestHeader set COLDFUSION_ENVIRONMENT development
...
</VirtualHost>

However, it still feels like a hack, and I would still like to know why ColdFusion is basically ignoring SetEnv values if you send them as a header, and also whether there is a best practice or not.

Jens Wegar
    How does Apache talk to the application? HTTP, FastCGI? – mgorven Aug 28 '12 at 00:47
  • I'm not sure as the environment was not set up by me originally and I'm not very familiar with the whole Apache/JRun/ColdFusion combo. I think it's over HTTP. How can I check? – Jens Wegar Aug 30 '12 at 06:24
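Whichever way the web server hands the value over (SetEnv or the RequestHeader workaround above), the application side can still fail closed: accept only the three known environment names and treat anything else, including a missing or tampered value, as production. The following is an added example and not code from the original post; it assumes the app reads the value from the CGI scope as described in the question and that the log file name "environment" is free to use.

```cfml
<!--- Added example (not from the original post): fail-closed lookup of the
      deployment environment. Assumes the web server attaches
      COLDFUSION_ENVIRONMENT to the request as in the question and that the
      application reads it from the CGI scope. --->
<cffunction name="getEnvironment" access="public" returntype="string" output="false">
    <cfset var allowed = "development,beta,production">
    <cfset var raw = "">
    <cfset var value = "">

    <!--- The CGI scope returns an empty string for variables that are not set,
          so a missing value simply ends up in the fail-closed branch below. --->
    <cfset raw = cgi.COLDFUSION_ENVIRONMENT>
    <cfset value = LCase(Trim(raw))>

    <!--- Anything outside the allowed list becomes "production": a client that
          manages to inject its own value must never unlock development mode. --->
    <cfif NOT ListFindNoCase(allowed, value)>
        <cflog file="environment" type="warning"
               text="Unexpected COLDFUSION_ENVIRONMENT value '#raw#' from #cgi.REMOTE_ADDR#; defaulting to production">
        <cfset value = "production">
    </cfif>

    <cfreturn value>
</cffunction>

<!--- Usage: decide once when the application starts (e.g. in
      Application.cfc onApplicationStart) rather than on every request,
      so a single crafted request cannot flip the mode later. --->
<cfset application.environment = getEnvironment()>
<cfset application.debugEnabled = (application.environment EQ "development")>
```

Deciding the environment once at application start and caching it in the application scope also means a single crafted request cannot switch the mode for subsequent requests.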

1 Answer


Are you simply checking with a CFDUMP of the CGI scope? Then it will not output custom Env vars; it only dumps a pre-defined list of CGI vars.

Farooq