Coldfusion 10 websockets invoke feature does seem broken to me after actual testing and further investigation of the new documentation pages and other projects (this thing is complicated!). I spent over an hour trying to get something to execute before the invoked function is run. I can't!

There are new "channel listener functions" documented here: http://help.adobe.com/en_US/ColdFusion/10.0/Developing/WSe61e35da8d318518767eb3aa135858633ee-7ff9.html

However, the documentation clearly states that the "invoke" feature doesn't have a listener function. It also appears Application.cfc or the cfc listener don't execute on each request at all when invoke is run.

This seems like a design flaw. The language needs more event listeners or you can't use websockets without adding security to every function in your application.

The security within each function could be done like the code below, but it is not very practical to modify every function in an application:

<cfscript> local.meta=GetMetaData(this[url.method]); if(not structkeyexists(local.meta, 'access') or local.meta.access NEQ 'remote'){ throw("Function access must be set to remote."); } </cfscript>

You could also consider using a web server proxy in front of Coldfusion and use regular expressions to verify the request information so that only the websocket portion of your application has to be open on the public websocket port. Nginx 1.4+ has support for websocket proxying now: http://nginx.org/en/docs/http/websocket.html Note: I have not tested using nginx websocket proxy yet. If it works, this would be a far easier solution.