Whatever message this page gives is out now! Go check it out!
cfapplication
Last update:
May 18, 2026
Description
Defines the scope of a ColdFusion application; enables and disables storage of Client variables; specifies the Client variable storage mechanism; enables Session variables; and sets Application variable time-outs.
Category
Syntax
<cfapplication
datasource="data_source_name"
name = "application name"
applicationTimeout = #CreateTimeSpan(days, hours, minutes, seconds)#
clientManagement = "yes|no"
clientStorage = "data_source_name|Registry|Cookie"
loginStorage = "cookie|session"
passarraybyreference = "true | false"
searchimplicitscopes = "true | false"
googleMapKey = "map key"
scriptProtect = "none|all|list"
serverSideFormValidation = "yes|no"
sessionManagement = "yes|no"
sessionTimeout = #CreateTimeSpan(days, hours, minutes, seconds)#
setClientCookies = "yes|no"
setDomainCookies = "yes|no"
compileextforinclude = "comma_separated_list"
strictnumbervalidation = "true|false">Note: You can specify this tag's attributes in an attributeCollection whose value is a structure. Specify the structure name in the attributeCollection and use the tag's attribute names as structure keys.
See also
cfassociate , cferror , cflock , cfmessagebox ; Application.CFC Reference; Designing and Optimizing a ColdFusion Application and Integrating JEE and Java Elements in CFML Applications in the Developing ColdFusion Applications
History
ColdFusion (2018 release) Update 9 and ColdFusion (2016 release) Update 15: You can use the SameSite attribute and pass the struct to authCookie. See the snippet below.
ColdFusion 11: Added attributes - compileextforinclude and strictnumbervalidation
ColdFusion 9: Added datasource , googleMapKey, and serverSideFormValidation attributeColdFusion 8: Added secureJSON and SecureJSONPrefix attributesColdFusion MX 7: Added scriptProtect attributeColdFusion MX 6.1: Added loginStorage attributeColdFusion MX:
- Changed how persistent scopes are available: Server, Session, and Application scope variables are stored in memory as structures. In earlier releases, only Session and Application scope variables were stored this way. You cannot access the UDF function scope as a structure.
- Changed the algorithm for setting the CFTOKEN variable value: if the registry key UUIDToken is a nonzero value, ColdFusion uses a number constructed from the UUID plus a random number. Otherwise, ColdFusion sets the CFTOKEN variable default value using a positive random integer. (In earlier releases, ColdFusion always used a number constructed from the UUID plus a random number.)
Attributes
Attribute | Req/Opt | Default | Description |
authCookie | Optional | Struct containing ColdFusion Authentication cookie related properties | |
datasource | Optional | Name of the data source from which the query retrieves data. | |
name | See Description | Name of application. Up to 64 characters. For Application and Session variables: Required. For Client variables: Optional | |
applicationTimeout | Optional | Specified in Variables page of ColdFusion Administrator | Lifespan of application variables. CreateTimeSpan function and values in days, hours, minutes, and seconds, separated by commas. |
clientManagement | Optional | no |
|
clientStorage | Optional | registry | How client variables are stored:
|
exchangeServerVersion | Optional | 2007 | Specifies the Microsoft Exchange Server version. The values are:
|
googleMapKey | Optional | The Google Maps API key required to embed Google Maps in your web pages. | |
loginStorage | Optional | cookie |
|
passArrayByReference | Optional | False | True if array is to be passed by reference. |
searchImplicitscopes | Optional | False | False if implicit scopes should not be searched by default. This attribute covers look-up in the following implicit scopes:
|
scriptProtect | Optional | Determined by ColdFusion Administrator Enable Global Script Protection setting | Specifies whether to protect variables from cross-site scripting attacks
Enabling the global site protection replaces all the null bytes (%00) with an %20. This is to prevent Null Byte injection Attacks as part of the Protection. To disable this protection just for cookie scope the following workaround can be used.
|
secureJSON | Optional | Administrator value | |
serverSideFormValidation | Optional | yes | If no, disables validation on cfform fields when the form is submitted. |
secureJSONPrefix | Optional | Administrator value | The security prefix to put in front of the value that a ColdFusion function returns in JSON-format in response to a remote call if the secureJSON setting is true. The default value is the value of the Prefix serialized JSON setting in the Administrator Server Settings > Settings page (which defaults to //, the JavaScript comment character). For more information see Improving security in the Developing ColdFusion Applications. |
sessionCookie | Optional | Struct containing ColdFusion session cookie related properties. | |
sessionManagement | Optional | no |
|
sessionTimeout | Optional | Specified in Variables page of ColdFusion Administrator | Life span of session variables. CreateTimeSpan function and values in days, hours, minutes, and seconds, separated by commas. |
setClientCookies | Optional | yes |
|
setDomainCookies | Optional | no |
|
| compileextforinclude | Optional | Specify the list of allowed file extensions (as a comma separated list) for the <cfinclude> tag. Specifying a wildcard ('*') in the list makes any file included using the <cfinclude> tag to be compiled. If any file included using the <cfinclude> tag is not found in this list, their content will be statically included. By default, files with the extensions cfm and cfml are always compiled irrespective of this setting. See cfinclude . | |
| strictnumbervalidation | Optional | true | In ColdFusion 10 and earlier versions, the IsValid function allowed currency symbols at the start and commas inside the number. Starting from ColdFusion 11, this function evaluates on a more strict basis. Setting this value to false makes the isValid function to behave in the older way. This setting effects cfargument , cfparam and cfform tags wherever integer & numeric validation is used. Based on this setting, the validation reflects in those tags as well. |
Usage
This tag is typically used in the Application.cfm file, to set defaults for a ColdFusion application.
Note: You can also set the application defaults in the Application.cfc file. For more information, see Application variables.
This tag enables application variables, unless they are disabled in the ColdFusion Administrator. The Administrator setting also overrides the sessionManagement attribute. For more information, see Configuring and Administering ColdFusion. If ColdFusion is running on a cluster, specify clientStorage = "cookie" or a data source name; you cannot specify "registry".ColdFusion generates an error if the application name is longer than 64 characters. The CFTOKEN variable is 8 bytes in length. Its range is 10000000 -99999999.
Note: If you specify ClientStorage=cookie, any Client scope variables set following a cfflush tag are not saved in the Client browser.
Protecting variables from cross-site scripting attacks
The ScriptProtect attribute lets you protect one or more variable scopes from cross-site scripting attacks, where a client attempts to get your application to send malicious code back to a user's browser. In these attacks, user input (for example, from form fields or from URL variables) sets a CF variable which is destined for user output. The submitted data includes malicious code, such as JavaScript or an applet or object reference, which then executes on the user's system.
Note: The ColdFusion Administrator Settings page Enable Global Script Protection option determines the default script protection setting. You can use the scriptProtect attribute to override the Administrator setting. You can also use the Application.cfc initialization code to set the protection value.
The ColdFusion cross-site scripting protection operation is done when ColdFusion processes the application settings at the beginning of a request. Thus, it can process the URL, and Cookie, CGI, and Form variables in a user's request. By default, it replaces occurrences of the following HTML tag names with the text InvalidTag: object, embed , script, applet, and meta. It allows these names in plain text, and replaces the words if they are used as tag names. You can specify any or all ColdFusion scopes for protection, but only the Form, URL, CGI, and Cookie scopes have variables that are often provided by unknown sources. Also, protecting a scope requires additional processing. For these reasons, the all attribute value applies protection to only the four scopes.
The script protection mechanism applies a regular expression that is defined in the cf_root/lib/neo-security. xml file in the server configuration, or the cf_root/WEB-INF/ cfusion /lib/neo-security. xml file in the JEE configuration to the variable value. You can customize the patterns that ColdFusion replaces by modifying the regular expression in the CrossSiteScriptPatterns variable.
The script protection mechanism applies a regular expression that is defined in the cf_root/lib/neo-security. xml file in the server configuration, or the cf_root/WEB-INF/ cfusion /lib/neo-security. xml file in the JEE configuration to the variable value. You can customize the patterns that ColdFusion replaces by modifying the regular expression in the CrossSiteScriptPatterns variable.
Locking server, application, and session variables
When you set or update variables in the server, application, and session scopes, use the cflock tag with the scope attribute set to the following value:
- For server variables, specify server
- For application variables, specify application
- For session variables, specify session In some cases, you must also lock code that reads variables in these scopes. For information about locking scopes, see cflock .
Example
<!--- This example shows how to use cflock to prevent race conditions during data updates to variables in Application, Server, and Session scopes. --->
<h3>cfapplication Example</h3>
<p>cfapplication defines scoping for a ColdFusion application and enables or disables application and/or session variable storage. This tag is placed in a special file called Application.cfm that automatically runs before any other CF page in a directory (or subdirectory) where the Application.cfm file appears.</p>
<cfapplication name = "ETurtle"
sessionTimeout = #CreateTimeSpan(0, 0, 0, 60)#
sessionManagement = "Yes">
<!--- Initialize session and application variables used by E-Turtleneck. --->
<cfparam name="application.number" default="1">
<cfparam name="session.color" default= "">
<cfparam name="session.size" default="">
<cfif IsDefined("session.numPurchased") AND IsNumeric(trim(session.cartTotal))>
<!--- Use the application scope for the application variable to prevent race condition. This variable keeps track of total number of turtlenecks sold. --->
<cflock scope = "Application" timeout = "30" type = "Exclusive">
<cfset application.number = application.number + session.numPurchased>
</cflock>
</cfif>
<cfoutput>
E-Turtleneck is proud to say that we have sold #application.number# turtlenecks to date.
</cfoutput>
<!--- End of Application.cfm --->Example - with SameSite attribute
<cfset cookiest = {httponly='true', timeout=createTimeSpan(1, 0, 0, 0), samesite='Strict | Lax | None'}>
<cfset authcookiest = {samesite='Strict | Lax | None'}>
<cfapplication name="newApp" sessionmanagement="Yes" authCookie=#authcookiest# sessioncookie=#cookiest# >
We're glad. Tell us how this page helped.
We're sorry. Can you tell us what didn't work for you?
Share additional feedback to help us improve.
0/255
|
