Defines web browser cookie variables, including expiration and security options.


Forms tags, Variable manipulation tags


<cfcookie
    name = "cookie name"
    samesite = "Strict | Lax | None"
    domain = ".domain"
    expires = "period"
    httponly = "yes|no"
    path = "URL"
    secure = "yes|no"
    value = "text"
    encodevalue = "yes|no"
    preserveCase = "yes|no">

Note: You can specify this tag's attributes in an attributeCollection attribute whose value is a structure. Specify the structure name in the attributeCollection attribute and use the tag's attribute names as structure keys.




ColdFusion (2018 release) Update 9 and ColdFusion (2016 release) Update 15: Added attribute SameSite.

ColdFusion 10: Added the preserveCase and encodeValue attributes.

ColdFusion MX 6.1:

  • Changed the expires attribute: it now accepts a date time object.
  • Cookie names can include all ASCII characters except commas, semicolons, or whitespace characters.

ColdFusion 9: Added the attribute httponly.









name: Name of cookie variable. ColdFusion converts cookie names to all-uppercase. Cookie names set using this tag can include any printable ASCII characters except commas, semicolons, or white space characters.


domain: Required if the path attribute is specified; optional otherwise.

Domain in which the cookie is valid and to which cookie content can be sent from the user's system. By default, the cookie is only available to the server that set it. Use this attribute to make the cookie available to other servers. Must start with a period. If the value is a subdomain, the valid domain is all domain names that end with this string. This attribute sets the available subdomains on the site on which the cookie can be used.
For a domain value that ends in a country code, the specification must contain at least three periods; for example, "". For top-level domains, two periods are required; for example, "". You cannot use an IP address as a domain.




encodevalue: Specifies whether the cookie value is encoded.



expires: Expiration of cookie variable. Default: session only.

  • The cookie expires when the user closes the browser, that is, the cookie is "session only".
  • A date or date/time object (for example, 10/09/97).
  • A number of days (for example, 10, or 100).
  • now: deletes the cookie from the client cookie.txt file (but does not delete the corresponding variable in the Cookie scope of the active page).
  • never: The cookie expires in 30 years from the time it was created (effectively never in web years).




httponly: If yes, sets the cookie as httponly so that it cannot be accessed using JavaScript. Note that the browser must support httponly.




path: URL, within a domain, to which the cookie applies; typically a directory. Only pages in this path can use the cookie. By default, all pages on the server that set the cookie can access the cookie.

path = "/services/login"

To specify multiple URLs, use multiple cfcookie tags. If you specify path, also specify domain.




preserveCase: Specifies whether the cookie name is case-sensitive.




secure: If the browser does not support Secure Sockets Layer (SSL) security, the cookie is not sent. To use the cookie, the page must be accessed using the https protocol.

  • yes: Variable must be transmitted securely.
  • no














value: Value to assign to cookie variable. Must be a string or variable that can be stored as a string.




samesite: The SameSite attribute tells browsers when and how to send cookies in first- or third-party situations. Browsers use SameSite to decide whether or not to allow a cookie to be accessed.

Values: "Strict | Lax | None".


If this tag specifies that a cookie is saved beyond the current browser session, the client browser writes or updates the cookie in its local cookies file. Until the browser is closed, the cookie resides in browser memory. If the expires attribute is not specified, the cookie is not written to the browser cookies file.
If you use this tag after the cfflush tag on a page, ColdFusion does not send the cookie to the browser; however, the value you set is available to ColdFusion in the Cookie scope during the browser session.

Note: You can also create a cookie that expires when the current browser session expires by using the cfset tag or a CFScript assignment statement to set a variable in the Cookie scope, as in <cfset Cookie.mycookie="sugar">. To get a cookie's value, refer to the cookie name in the Cookie scope, as in <cfif Cookie.mycookie is "oatmeal">.

You can use dots in cookie names, as the following examples show:

<cfcookie name="" value="wilson, john">
<cfset cookie.person.lastname="Santiago">

To access cookies, including cookies that you set and all cookies that are sent by the client, use the Cookie scope. For example, to display the value of the cookie set in the preceding code, use the following line:



<!--- This example shows how to set/delete a cfcookie variable. --->
<!--- Select users who have entered comments into a sample database. --->
<cfquery name = "GetAolUser" dataSource = "cfdocexamples">
SELECT EMail, FromUser, Subject, Posted
FROM Comments
</cfquery>
<h3>cfcookie Example</h3>
<!--- If the URL variable delcookie exists, set cookie expiration date
to NOW --->
<cfif IsDefined("url.delcookie") is True>
    <cfcookie name = "TimeVisited"
        value = "#Now()#"
        expires = "NOW">
</cfif>
<!--- Otherwise, loop through list of visitors; stop when you match
the string in a visitor's e-mail address. --->
<cfloop query = "GetAolUser">
    <cfif FindNoCase("", Email, 1) is not 0>
        <cfcookie name = "LastAOLVisitor"
            value = "#Email#"
            expires = "NOW" >
    </cfif>
</cfloop>
<!--- If the timeVisited cookie is not set, set a value. --->
<cfif IsDefined("Cookie.TimeVisited") is False>
    <cfcookie name = "TimeVisited"
        value = "#Now()#"
        expires = "10">
</cfif>
<!--- Show the most recent cookie set. --->
<cfif IsDefined("Cookie.LastAOLVisitor") is "True">
    <!--- Cookie values come back from the client, so HTML-encode them on output. --->
    <p>The last AOL visitor to view this site was
    <cfoutput>#EncodeForHTML(Cookie.LastAOLVisitor)#</cfoutput>, on
    <!--- The time is taken from the TimeVisited cookie set above. --->
    <cfoutput>#EncodeForHTML(Cookie.TimeVisited)#</cfoutput>.</p>
    <!--- Use this link to reset the cookies. --->
    <p><a href = "cfcookie.cfm?delcookie=yes">Hide my tracks</a></p>
<cfelse>
    <p>No AOL Visitors have viewed the site lately.</p>
</cfif>
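
A hardened variant of the TimeVisited cookie, added here as an illustration and not part of the original example: it keeps the security attributes in one structure passed through attributeCollection, so the set and delete calls always agree on domain, path, secure, httponly and samesite. The domain ".example.com" and the path "/account" are constructed placeholder values.

```cfml
<!--- Added example (not from the original page). ".example.com" and "/account"
      are constructed placeholder values. --->

<!--- Weak form, for comparison:
      cfcookie name="TimeVisited" value="#Now()#" expires="10"
      Without secure and httponly the cookie can travel over plain HTTP and is
      readable from script; SameSite is left to the browser default. --->

<!--- One structure holds the attributes every call must share. path is set,
      so domain is set as well. samesite needs ColdFusion (2018 release)
      Update 9 or ColdFusion (2016 release) Update 15. --->
<cfset baseAttrs = {
    name     = "TimeVisited",
    domain   = ".example.com",
    path     = "/account",
    secure   = "yes",
    httponly = "yes",
    samesite = "Strict"
}>

<cfif structKeyExists(url, "delcookie")>
    <!--- Delete: expires="now" with the same name, domain and path;
          a mismatch leaves the original cookie in the browser. --->
    <cfset delAttrs = duplicate(baseAttrs)>
    <cfset delAttrs.value = "">
    <cfset delAttrs.expires = "now">
    <cfcookie attributeCollection="#delAttrs#">
    <!--- expires="now" does not remove the variable from the Cookie scope
          of the active page, so remove it explicitly. --->
    <cfset structDelete(cookie, "TimeVisited")>
<cfelseif not structKeyExists(cookie, "TimeVisited")>
    <!--- Set: a 10-day cookie, sent only over https because secure="yes". --->
    <cfset setAttrs = duplicate(baseAttrs)>
    <cfset setAttrs.value = dateFormat(now(), "yyyy-mm-dd")>
    <cfset setAttrs.expires = 10>
    <cfcookie attributeCollection="#setAttrs#">
</cfif>

<!--- The client controls what comes back: validate, then encode on output. --->
<cfif structKeyExists(cookie, "TimeVisited") and isDate(cookie.TimeVisited)>
    <cfoutput><p>Last visit: #encodeForHTML(cookie.TimeVisited)#</p></cfoutput>
<cfelse>
    <cfoutput><p>No previous visit recorded.</p></cfoutput>
</cfif>
```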