I'm in need of some thoughts on CFLOCK. There's backstory to this, but to sum it up I'm fighting an uphill battle with hardware folks that think our using CFLOCK is causing server performance issues on a new Unix server that was built to the absolute minimum specs (not exaggerating). The server has been failing load tests left and right and their approaches have been to claim it's the load testing application's fault and to force us to dumb down the load testing site they are using for testing to the point where we are about three steps away from just putting up a static page there.
In our applications, we use CFLOCK as follows:
1. We only use exclusive locks when setting application and session scoped variables. 2. All application-scoped variables are set only in onApplicationStart(). This includes instatiating CFC's into the application scope to reduce overhead on requests by not having to load and unload the objects on a per-request basis. 3. We lock the setting of the VARIABLES scope inside the init() functions of our CFC's (the only place we set the variables scope in CFC's as well). 4. We set our locks to 10 second timeouts, and all timeouts throw an error because there is no good reason to ignore these errors. 5. We do not, as a general rule, use readonly locks of any kind.
It is the opinion of the hardware people (who have rudimentary CF skills) that we need to at least decrease the timeouts to 2-3 seconds, or get rid of the locks altogether. My gut reply to that is that if the server cannot establish a lock for a given thread in 10 seconds, how would setting it to 2-3 seconds help except to cause the site to throw more errors? As for the second part, the fact they think server importance is more critical than application security says all I need to know IMO.
But I will fully admit to being biased on this, and could use some backup (or corrections) on if our standards are acceptable industry practices, which I believe are.
And no, getting them to add more resources to the server is not an option here. :(