Application variables

The scope for the Application.cfc file contains several built-in variables, which correspond to the attributes that you set in the cfapplication tag. You set the values of these variables in the CFC initialization code, before you define the CFC methods. You can access the variables in any method.

Note: Although Windows is case-insensitive, you must always start the Application.cfc filename with an uppercase A. Both application.cfc and Application.cfc are reserved words.

Note: If your application has an Application.cfc, and an Application.cfm or onRequestend.cfm page, ColdFusion ignores the CFM pages

The following table briefly describes the variables that you can set to control the application behavior. For more details, see the cfapplication tag.

Variable Default Description
name no name The application name. If you do not set this variable, or set it to the empty string, your CFC applies to the unnamed application scope, which is the ColdFusion J2EE servlet context. For more information on unnamed scopes see Integrating JSP and servlets in a ColdFusion application in Interoperating with JSP pages and servlets in the Developing ColdFusion Applications.
applicationTimeout Administrator value Life span, as a real number of days, of the application, including all Application scope variables. Use the CFML CreateTimeSpan function to generate this variable's value.
authcookie.disableupdate False Disable update of cfauthorization cookie using cfcookie or cfheader tag
authcookie.timeout -1 Auth Cookie age in days.
authcookie.samesite   Valid values are Struct, Lax, or None.
cache.useInternalQueryCache false If true, ColdFusion will store cached queries in the old non-cool non-Ehcache version of the cache.
cache.querysize Administrator value Maximum number of queries that can be cached. To be clear, this refers to automatic caching via cachedWithin and cachedAfter in the cfquery/queryExecute tag/function. You can store as many queries as you would like using cachePut. Well, as many as your RAM will allow. Be sensible, people.
chartStyleDirectory   Application specific chart styles directory.
clientManagement no
  • yes: enables client variables.

  • no

clientStorage Administrator value Where Client variables are stored; can be cookie, registry, or the name of a data source.
customtagpaths Administrator value Contains ColdFusion custom tag paths. It is a comma delimited list with absolute path.To use this variable, select the Enable Per App Settings option in the Administrator Server > Settings page.The settings that you define here take precedence over the custom tag paths defined in the Administrator Server Settings > Mappings page for the current application.
googleMapKey   The Google Maps API key required to embed Google Maps in your web pages.
datasource   Name of the data source from which the query retrieves data.
datasources   Struct of structs defining datasources.You can use this variable to define a datasource specific to the application . This does not register/update a datasource in ColdFusion Administrator.
loginStorage cookie Whether to store login information in the Cookie scope or the Session scope.
mappings Administrator value A structure that contains ColdFusion mappings. Each element in the structure consists of a key and a value. The logical path is the key and the absolute path is the value. To use this variable, select the Enable Per App Settings option in the Administrator Server Settings > Settings page.The mappings that you define here take precedence over the mappings defined in the Administrator Server Settings > Mappings page for the current application.
passArrayByReference False Arrays will be passed by reference instead of by value for this application.
restSettings.cfclocation   To publish the CFCs only in a particular location, provide comma-separated list of directories where the REST CFCs are located. The directory paths can be absolute or relative.If not set, all the CFCs from the application root are published.
restSettings.skipCFCWithError   When an error occurs, continue publishing, ignoring the CFC that has caused the exception.If true, the CFC with error is ignored and the rest of the CFCs are published. By default it is false.If set to false, in case of an error, the application itself is not published. But other registered application are published.If an error occurs during application startup, the error is printed in console.Each application has separate log files for logging the issues.
restSettings.restEnabled False If true, then ColdFusion searches the directory containing a set of REST-enabled CF components. 
restSettings.autoRegister False Enable auto registration of an application.
restSettings.useHost False Specifies the host name. If true, then the host name is parsed from the URL.  

Explicitly naming the hostname will make the host name. If the host name is not mentioned, then the usehost name will be defaulted.

restSettings.serviceMapping   If not specified, then the application defined in is taken as default.
restSettings.isDefault False If true, application will be made as default app.
scriptprotect None

If true, it adds protection from external scripts and cross-site scripting. Valid values are:

  • Form
  • URL
  • Cookie
  • CGI

The flag protects from the following:

  • object
  • embed
  • script
  • applet
  • meta

The feature is a set of regular expressions located in lib/neo-security.xml that replaces the tags: object, embed, script, applet, and meta with the tag name InvalidTag, when they are passed as input to the Form, URL, CGI, and Cookie scopes.

sessioncookie.httponly True Specify whether session cookies have to be set as httponly or not. i.e. accessible only to Http requests False Specify whether session cookies have to be set as secure or not. i.e. returned on any type of connection or only secured (https) connections
sessioncookie.domain   Domain for which the cookie should be set. This should match exactly with the domain, with which application would be accessed
sessioncookie.timeout 30 years
Session Cookie age in days
sessioncookie.disableupdate False Disable update of cfid and cftoken cookie using cfcookie or cfheader tag
serverSideFormValidation yes Whether to enable validation on cfform fields when the form is submitted.
sessionManagement no Whether the application supports Session scope variables.
sessionTimeout Administrator value Life span, as a real number of days, of the user session, including all Session variables. Use the CFML CreateTimeSpan function to generate this variable's value.
setClientCookies True Whether to send CFID and CFTOKEN cookies to the client browser.
setDomainCookies False Whether to set CFID and CFTOKEN cookies for a domain (not just a host).
security.antisamypolicy   Specify the location of antisamy file to be used when no antisamy policy file is passed to the getSafeHTML or isSafeHTML functions. The policy file can be relative to the Application CFC path or an absolute path can be provided.
compileextforinclude   Specify the list of allowed file extensions as a comma-separated list for the cfinclude tag. Specifying a wildcard * in the list makes any file included using the cfinclude tag to be compiled. If any file included using the cfinclude tag is not found in this list, their content will be statically included. By default, files with the cfm and cfml extensions are always compiled irrespective of this setting.

True/False. Default is true. The IsValid function for the integer and numeric types allowed the currency symbols at the start and commas inside the number.

In ColdFusion 11, the isValid function behaves in a different way. Setting strictnumbervalidation to false makes the isValid function to behave in a way just like in the previous versions (ColdFusion 10 or earlier). Note that this setting also changes the behavior of the following tags:

secureJSON Administrator value A Boolean value that specifies whether to add a security prefix in front of the value that a ColdFusion function returns in JSON-format in response to a remote call. The default value is the value of the Prefix serialized JSON setting in the Administrator Server Settings > Settings page (which defaults to false). You can override this value in the cffunction tag.For more information see Improving security in Ajax programming rules and techniques in the Developing ColdFusion Applications.
secureJSONPrefix Administrator value The security prefix to put in front of the value that a ColdFusion function returns in JSON-format in response to a remote call if the secureJSON setting is true. The default value is the value of the Prefix serialized JSON setting in the Administrator Server Settings > Settings page (which defaults to //, the JavaScript comment character).For more information see Improving security in Ajax programming rules and techniques in the Developing ColdFusion Applications.
serialization.preservecaseforstructkey False Boolean that determines if case for struct keys should be preserved when serializing a struct to JSON.
serialization.serializequeryas row Determines how queries should be serialized to JSON. Possible values are row, column, and struct.
serialization.preserveCaseForQueryColumn false If true, column case will be preserved.
  Valid values are Strict, Lax, or None.

A comma-delimited list of names of files. Tells ColdFusion not to call the onMissingTemplate method if the files are not found. Use this variable to prevent ColdFusion from invoking the onMissingTemplate handler if all of the following items are true:

  • Your web server (for example, web.xml file) has a welcome file list with CFML pages such as index.cfm that it tries to run if a URL specifies a path ending in a directory.
  • The web server sends a request for CFML pages the welcome list to ColdFusion without first determining if the page exists.
  • You want to support directory browsing in directories that do not have any of the files on the welcome file list.
    You specify this variable only if the Application.cfc file also specifies an onMissingTemplate handler. It must have the same list of files as your web.xml welcome file list.Note: You do not need to use the welcomeFileList variable with most "pure" web servers, such as Apache. The welcomeFileList variable has to be used with most integrated web and application servers.
smtpServersettings   A struct that contains the following values: server, username, and password.If no value is specified, takes the value in the administrator.
sameformfieldsasarray false If the form fields have the same name, ColdFusion converts the form fields as an array instead of a list. To do this, in the Application.cfc, specify the following: this.sameformfieldsasarray = "true". Note: The empty string values will be preserved only if this is set to true.
timeout   This number represents how long an individual request can take. Timeout set using overrides the timeout in the Application.cfc using this.timeout="".
debuggingIPAddresses   A list of IP addresses that need debugging.
enablerobustexception   Overrides the default administrator settings. It does not report compile-time exceptions.
javaSettings   A structure allowing you to specify Java class paths to be made available to your code. Valid keys are: loadPaths (an array of paths to include when searching for Java libraries), loadColdFusionClassPath (a boolean indicating if the default class path should be used, defaults to false), and reloadOnChange (a boolean indicating if the classpaths should be reloaded when they change, the default is false).
javasettings.watchInterval   Specifies the time interval in seconds after which to verify any change in the class files or JAR files. This attribute is applicable only if the reloadOnChange attribute is set to true. The default value is 60 seconds.
javasettings.watchExtensions   Specifies the extensions of the files to monitor for changes. By default, only .class and .jar files are monitored.
searchimplicitscopes False

Allows you to enable or disable searching for an un-scoped variable in implicit scopes.

NOTE: In ColdFusion (2023 release) Update 7, the default value for this flag is changed to FALSE.

serialization.structmetadata   Set the data type info for a struct value. For example, if this.serialization.structmetadata = {zipcode="String"};, you need not define the data type for zipcode for the struct that contains this key. If you define the datatype for zipcode in the struct itself, then the defined datatype at struct level takes priority over the one defined in Application.cfc.
enableNullSupport false Allows you to enable or disable support for NULL variables. Possible values are true or false.
cache.engine ehcache

Specified the cache engine to be used. You can use the following engines:

  • Ehcache
  • JCS
  • Memcached
  • Redis
cache.configFile   Path to the properties file of the caching engine.
restSettings.generateRESTDoc false If true, then ColdFusion server generates Swagger doc automatically.
blockedExtForFileUpload   A comma-separated list of file extensions for the files that must be blocked for uploading.
useJavaAsRegexEngine false If true, then Java is used as regex engine over the default engine.
  If true, if you execute any date/time function, the time zone returned will be the same as set in this flag.

Form fields with same name

Assume that the form fields have same name. In this case, ColdFusion converts the form fields as an array instead of a list.To do this, in the Application.cfc, specify the following: this.sameformfieldsasarray = "true".The default value is false.


Application.cfc is unable to resolve nested cfincludes from outside the directory where te file resides. To resolve this, add the flag -Dcoldfusion.application.recur_resolve.include=true needs be added in jvm.config.

Enhancements made in ColdFusion (2021 release)


There is a new flag, this.timeZone, which you can set it to any valid time zone. After setting the time zone, if you execute any date/time function, the time zone returned will be the same as set in Application.cfc. For example,


component {


    writeOutput("The time at the configured time zone is: " & now())

MongoDb settings

this.datasources = { 
    "local"= { 
    "mymongodb"= { 
        "init"= true 

AWS Cloud Features (SQS, SNS, S3, DynamoDB)

component { 
   function OnApplicationStart() { 
      application.awsCred = { 
         "credentialAlias" : "<alias name>", 
         "vendorName" : "AWS", 
         "region" : "<region name>", 
         "secretAccessKey" : "<AWS Secret>", 
         "accessKeyId" : "<AWS Key>" 
      application.awsConf = { 
         "serviceName" = "<Service name>", 
         "alias" : “<alias name>”, 
         "clientOverrideConfig": { 
            "apiCallAttemptTimeout": "<timeout>" 
      application.accountKey = "<Account Key>"; 


Manual Configuration = [{ 
    name: '<IDP name>', 
    description: '<Description>', 
    entityID: '<Entity ID obtained from Identity Provider>', 
    ssoURL: '<Single Sign-On URL>', 
    sloURL: '<Logout URL>', 
    ssoBinding: '<post/redirect>', 
    sloBinding: '<post/redirect>', 
    SIGNREQUESTS: true/false, 
    ENCRYPTREQUESTS: true/false, 
    SignCertificate: '<Certificate>' , 
    EncryptCertificate: '<Certificate>' 

Using File location of IDP metadata = [ 
    name: '<IDP name>', 
    file:'<IDP metadata file location>' 

Using URL = [ 
    name: '<IDP name>', 
    url:'<IDP metadata URL>' 

Add SP using Application.cfc = [{ 
    name: '<SP name>', 
    entityId: '<Entity ID for SP>', 
    acsURL: '<Assertion Consumer Service URL>', 
    sloURL: '<Logout URL>', 
    ACSBINDING: '<post/redirect>', 
    SLOBINDING: '<post/redirect>', 
    SIGNREQUESTS: true/false, 
    SIGNKEYSTOREPATH: '<Path to sign keystore>', 
    SIGNKEYSTOREPASSWORD: '<keystore password>', 
    SIGNKEYSTOREALIAS: '<keystore alias>', 
    requestStore: 'Redis', strict: 'true' 

Azure Blob credentials

application.blobCred = { 
    "vendorName" : "AZURE", 
    "connectionString" : "key" 

Azure Blob configuration

application.blobConf = { 
    "serviceName" : "AZURE_BLOB" 
    "options" : { 
        "absorbConditionalErrorsOnRetry" : true/false, 
        "concurrentRequestCount" : 5, 
        "useTransactionalContentMD5" : true/false, 
        "storeBlobContentMD5" : true/false, 
        "disableContentMD5Validation": true/fasle, 
        "singleBlobPutThresholdInBytes" : 12345, 
        "skipEtagLocking" : true/false, 
        "retryPolicyFactory": { 
            "retryPolicyType" : "EXPONENTIAL" | "LINEAR" | "NONE", 
            "deltaBackoffIntervalInMs" : 12, 
            "maxAttempts" : 3, 
            "resolvedMinBackoff" : 1 
        "maximumExecutionTimeInMs" : 2, 
        "timeoutIntervalInMs" : 1 

Enhancements made in ColdFusion (2018 release) Update 9 and ColdFusion (2016 release) Update 15

Added the followinng flags:

  • this.sessioncookie.samesite = "Strict | Lax | None"
  • this.authcookie.samesite= "Strict | Lax | None"


component {

       = "MyApp";

                this.sessioncookie.samesite = "Strict";

                this.authcookie.samesite = "Lax";

                this.sessionmanagement = true;


Enhancements made in ColdFusion (2018 release) Update 3, ColdFusion (2016 release) Update 10, and ColdFusion 11 Update 18

blockedExtForFileUpload to specify a comma-separated list of file extensions for file that must be blocked for uploading.

For example,

{"app name";
    this.blockedExtForFileUpload="cfm, cfc, jsp"; //Specify other file extensions

The setting blockedExtForFileUpload only applies to the following tags and functions:

You can use "*" (star) to block all files or use "" (empty string) to allow all extensions.

If you are trying to upload a file using the  cffile tag and you want to override the blocked file extensions defined at the server level, specify the extensions. The list overrides the global settings.

For example, you have blocked the extensions,  " cfm , cfc , asp, aspx " in ColdFusion Administrator, but want to upload files of type aspx for your application, use the code below to override the global settings.

component {"myApp";
        this.blockedExtForFileUpload="cfm, cfc, asp";

Enhancements made in ColdFusion (2018 release)

  • enableNullSupport that specifies if you want to enable support for NULL variables.
  • cache.engine to specify the type of cache engine to be used.

Enhancements made in ColdFusion (2016 release)

  • serialization.structmetadata that defines the datatype for a struct key.
  • There is a new application setting, searchImplicitScopes. When set to false, an un-scoped variable is not searched in implicit scopes.
  • passArrayByReference setting, which when set to true, enables you to pass arrays by reference instead of value.

Enhancements made in ColdFusion 11

In ColdFusion 11, you can register application-specific datasources in Application.cfc. These datasources will be specific to that application and will not be available through the Administrator. If there is a name clash with a server-wide datasource, the one specific to the application will be given the priority. 


With a custom driver:

this.datasources.dsn3 = { 
    "driver" = "other", 
    "username" = "sa", 
    "password" = "S33N0Ev!l",             


The following drivers are supported:

  • MSSQLServer
  • Oracle
  • Sybase
  • DB2
  • Informix
  • MySQL_DD
  • PostgreSQL
  • MSAccess
  • Apache Derby Embedded
  • Apache Derby Client

  • MySQL5

  • ODBCSocket

  • Other (for custom driver)

Use this.datasources as shown in the examples below.

// Application.cfc
component { = "DSNTest";
        this.datasources = { 
                mssql_app = { 
                    database = "<DBName>", 
                    host = "<HostNameOrIP>", 
                    port = "<portNumber>", 
                    driver = "MSSQLServer", 
                    username = "username", 
                    password = "password" } 
        this.datasource = "mssql_app";
<!--- query.cfm --->
    employees = queryExecute("SELECT * FROM TableName ",[], {datasource="mssql_app"});

Enhancements made in ColdFusion 9.0.1

Application.cfc lets you specify data source authentication details for the data source. The data source settings can now be a string or a struct. When string, it is considered to be the data source name and authentication information is taken from the data source defined in the ColdFusion Administrator.
You can specify the authentication information using a struct value for data source. The following are the key names:

  • name: data source name
  • username: Username for the data source
  • password: Password for the data source

    <this.datasource={name='cfartgallery', username="user", password="passwd"}>



    Note: The same convention is used for ORM default data source where you can specify the data source authentication information in the ormsettings.

    The following application-specific attributes have been added for Amazon S3 integration:

  • accessKeyId: ID for Amazon S3 account.
  • awsSecretKey: Secret key for S3 account.
  • defaultLocation:}}The default location of Amazon S3 bucket creation. A bucket on S3 storage can be in one of the following regions: {{US, EU, or US-WEST.The defaultLocation provided in the Application.cfc defines the default location for the bucket that you create. The default value is US.

    this.s3.accessKeyId = "key_ID";
    this.s3.awsSecretKey = "secret_key";

Application-specific In-memory file system

You can use in-memory file system specific to applications. This enables application isolation for your virtual file system. That is, the file created in the in-memory file system by one application will not be accessible to another application.
The settings can be specified in the Application.cfc as follows:




Set the value to true to enable in-memory file system for application. This is the default setting.


Specify the memory limit in MB for the in-memory file system.You can also specify the value in the ColdFusion Administrator (Server Settings > Settings > Memory Limit per Application for In-Memory Virtual File System).The lesser value is considered.


Schneller und einfacher Hilfe erhalten

Neuer Benutzer?

Adobe MAX 2024

Adobe MAX
Die Konferenz für Kreative

14. bis 16. Oktober in Miami Beach und online

Adobe MAX

Die Konferenz für Kreative

14. bis 16. Oktober in Miami Beach und online

Adobe MAX 2024

Adobe MAX
Die Konferenz für Kreative

14. bis 16. Oktober in Miami Beach und online

Adobe MAX

Die Konferenz für Kreative

14. bis 16. Oktober in Miami Beach und online