Application.cfc

Defines application level variables and event handlers (functions invoked at various application lifecycle events).

component { this.name="myApp"; }

Application.cfc

this.name string

Name of application. Up to 64 characters

this.loginStorage string
Default: cookie

This defines where to store login information.
Values:
  • cookie
  • session

this.clientManagement boolean
Default: false

Enables client variables
Values:
  • true
  • false

this.clientStorage string
Default: registry

This determines where client variables are stored.
* datasource_name: in ODBC or native data source.
You must create storage repository in the Administrator.
* registry: in the system registry.
* cookie: on client computer in a cookie. Scalable.
If client disables cookies in the browser, client variables do not work
Values:
  • cookie
  • registry
  • datasource_name

this.setClientCookies boolean
Default: true

This determines whether to send CFID and CFTOKEN cookies to the client browser.
* No: CFML does not automatically send CFID and CFTOKEN cookies to client browser; you must manually code CFID and CFTOKEN on the URL for every page that uses Session or Client variables
Values:
  • true
  • false

this.sessionManagement boolean
Default: false

Enables session variables
Values:
  • true
  • false

this.sessionTimeout numeric

Lifespan of session variables. CreateTimeSpan function and values in days, hours, minutes, and seconds, separated by commas

this.applicationTimeout numeric

Lifespan of application variables. CreateTimeSpan function and values in days, hours, minutes, and seconds, separated by commas.

this.setDomainCookies boolean
Default: false

Yes: Sets CFID and CFTOKEN cookies for a domain (not a host) Required, for applications running on clusters.
Values:
  • true
  • false

this.scriptProtect string

Specifies whether to attempt to protect variables from cross-site scripting attacks.
* none: do not protect variables
* all: protect Form, URL, CGI, and Cookie variables
- comma-delimited list of ColdFusion scopes: protect variables in the specified scopes
Values:
  • none
  • all
  • form
  • url
  • cookie
  • cgi
  • form,url
  • form,url,cookie
  • form,url,cookie,cgi

this.secureJSONPrefix string

CF 8+ The security prefix to put in front of the value that a ColdFusion function returns in JSON-format
in response to a remote call if the secureJSON setting is true.

this.secureJSON boolean

CF 8+ A Boolean value that specifies whether to add a security prefix in front of any value that a ColdFusion function returns in JSON-format
in response to a remote call.
Values:
  • true
  • false

this.customTagPaths string

CF 8+ A comma delimited list of absolute file paths pointing to directories containing custom tags.

this.mappings struct

CF 8+ A structure of application mappings where they key is the mapping and the value is the directory path.

this.welcomeFileList string

CF 8+ A comma separated list of file names that will skip onMissingTemplate invocation - typically only necessary if you are using a built-in web server like Tomcat or JRun.

this.serverSideFormValidation boolean

CF 9+ Enable/Disable ColdFusion, server side validation on CFFORM.
Values:
  • true
  • false

this.googleMapKey string

CF 9+ the google maps api when cfmap is used.

this.datasource string

CF 9+ Defines the default datasource for the application. As of CF 9.0.1+ it can also accept a struct with keys: name, username, password.

this.s3 struct

CF 9+ A struct with keys accessKeyId, awsSecretKey and defaultLocation.

this.ormEnabled boolean
Default: false

CF 9+ Set to true if you want to use ORM.

this.ormSettings struct

CF 9+ A struct with various Hibernate / ORM configuration options. For details see: https://helpx.adobe.com/coldfusion/developing-applications/coldfusion-orm/configure-orm/orm-settings.html

this.smtpServerSettings struct

CF 9+ A struct with possible keys: server, username and password.

this.timeout numeric

CF 9+ The default request timeout in seconds for requests within the application. Can be overridden by the cfsetting tag.

this.debuggingIPAddresses string

CF 9+ A list of IP addresses which show debugging output when debugging is enabled in the Administrator.

this.enableRobustException boolean

CF 9+ Overrides the value of the ColdFusion Administrator checkbox "Enable Robust Exception Information" for the application.

this.enableNullSupport boolean
Default: false

CF 2018+ Lucee 4.1+ To be able to support legacy applications, use null keyword as an application-level setting. This means that your server level setting could be OFF and you can have null turned ON only for selected applications.
Values:
  • true
  • false

this.sessioncookie.httpOnly boolean
Default: true

CF 10+ Specifies if the session cookies (CFID/CFTOKEN) should have the HTTPOnly cookie flag set. This prevents the cookie value from being read from JavaScript.

this.sessioncookie.secure boolean
Default: false

CF 10+ Specifies if the session cookies (CFID/CFTOKEN) should have the secure cookie flag set. When true the cookies are only sent over a secure transport (e.g. HTTPS).

this.sessioncookie.domain string
Default: false

CF 10+ Specifies the cookie domain the session cookies (CFID/CFTOKEN).

this.sessioncookie.timeout string
Default: 30 years

CF 10+ Specifies the expires value of the session cookies (CFID/CFTOKEN), in days. Set to -1 for browser session cookies.

this.sessioncookie.disableUpdate boolean
Default: false

CF 10+ Prevents the session cookies (CFID/CFTOKEN), from being updated by cfcookie or cfheader tags.

this.sessioncookie.samesite string

CF2018u9+ 2016u15+ This is a security feature used to mitigate CSRF ( Cross Site Request Forgery) attacks. It tells the browser if the cookie should be sent with a cross-site request.
* strict - prevents the cookie from being sent to the target site in all cross-browsing contexts.
* lax - provides a balance between security and usability by maintaining a user session after user arrives from an external link.
* none - provides no protection.

Note: The default value of the SameSite attribute differs with each browser.
See https://owasp.org/www-community/SameSite for more info.
Values:
  • Strict
  • Lax
  • None

this.authcookie.samesite string

CF2018u9+ 2016u15+ This is a security feature used to mitigate CSRF ( Cross Site Request Forgery) attacks. It tells the browser if the cookie should be sent with a cross-site request.
* strict - prevents the cookie from being sent to the target site in all cross-browsing contexts.
* lax - provides a balance between security and usability by maintaining a user session after user arrives from an external link.
* none - provides no protection.

Note: The default value of the SameSite attribute differs with each browser.
See https://owasp.org/www-community/SameSite for more info.
Values:
  • Strict
  • Lax
  • None

this.javaSettings.loadPaths array

CF 10+ An array of paths containing jar files or java classes.

this.javaSettings.loadColdFusionClassPath boolean
Default: false

CF 10+ Loads the classes using ColdFusions classloader.

this.javaSettings.reloadOnChange boolean
Default: false

CF 10+ Watches the files specified in loadPaths and reloads classes on change.

this.wsChannels array
Default: false

CF 10+ An array of structs used to define WebSocket communication channels.

this.sameFormFieldsAsArray boolean
Default: false

CF 10+ When two form fields are passed with the same name their values will be put into an array when this setting is true.

this.compileExtForInclude string
Default: cfm,cfml

CF 11+ When cfinclude is invoked only file extensions in this list are compiled and executed as CFML, otherwise they are statically included as a string for improved performance and security. You can use * as a wildcard for all.

this.security.antiSamyPolicy string

CF 11+ Path to an AntiSamy XML policy file for use with isSafeHTML and getSafeHTML functions.

this.strictNumberValidation boolean
Default: true

CF 11+ Makes isValid, cfargument, cfparam, and cfform more strict with regard to how the treat integer or numeric validation when the string contains a currency.

this.inMemoryFileSystem.enabled boolean

CF 11+ Enables or disables in memory file system.

this.inMemoryFileSystem.size numeric

CF 11+ Memory limit in MB for the in memory file system.

this.datasources struct

CF 11+ This struct of structs is used to define multiple application specific datasources. This value is a structure whose keys are the name of the datasource to be created, and the values are another structure with keys such as: database, driver, host, username, password, url. Lucee / Railo also support this setting, but are configured with keys class, connectionString, username, password.
CF2021 added MongoDB as a valid datasource type.

this.serialization.preserveCaseForStructKey boolean
Default: false

CF 11+ Preserves the case of your variable names when generating JSON using the serializeJSON function.

this.serialization.preserveCaseForQueryColumn boolean
Default: false

CF 11.0.5+ Preserves the case of your query column names when generating JSON using the serializeJSON function.

this.serialization.serializeQueryAs string
Default: row

CF 11+ Sets the default method for serializing a query.
Values:
  • row
  • column
  • struct

this.customSerializer numeric

this.locale string
Default: en_US

Lucee 4+ The default locale used for formatting dates, numbers.

this.timezone string

Lucee 4+ CF 2021+ The default timezone used for date handling.
Values:
  • America/Chicago
  • America/New_York
  • UTC

this.sessionType string

Lucee 4+ Use CFML or JEE based sessions.
Values:
  • cfml
  • jee

this.sessionStorage string
Default: memory

Lucee 4+ The name of the storage provider for session variables.

this.localMode string
Default: classic

Lucee 4+ Defines how the local scope of a function is invoked when a variable with no scope definition is used. When classic the local scope is only invoked when the key already exists in it, with modern the local scope is always assumed on unscoped variables.
Values:
  • classic
  • modern

this.scopeCascading string
Default: standard

Lucee 4+ Depending on this setting Lucee scans certain scopes to find a variable when the variable is called without a scope (For Example: #myVar# instead of #variables.myVar#). When strict, only scans the variables scope, small only scans variables, url, and form scopes. When standard (the ColdFusion standard way) scans all scopes: variables,cgi,url,form,cookie
Values:
  • standard
  • strict
  • small

this.typeChecking boolean

Lucee 4+ If set to false Lucee ignores type definitions with function arguments and return values

this.compression boolean
Default: false

Lucee 4+ Enables Gzip compression on the HTTP response when true

this.passArrayByReference boolean
Default: false

CF 2016+ true: Arrays will be passed by reference instead of by value for this application.
Values:
  • true
  • false

this.searchImplicitScopes boolean
Default: true

CF 2016+ Defines the way non-scoped variables are found.
false: Only the variables, local and arguments scopes are searched.
true: Default and < CF2016 behavior. All scopes are searched in the following order: local, arguments, thread local, query, thread, variables, cgi, cffile, url, form, cookie, client.
Values:
  • true
  • false

this.blockedExtForFileUpload string

CF 2018.0.3+ CF 2016.0.10+ CF 11.0.18+ Lucee 5.2.9.36+ Lucee 5.3.3.1+ 0 A comma delimited list of file extensions to be blocked from upload via cffile, fileUpload or fileUploadAll. You can specify * (not yet supported on Lucee) to block all extensions or use an empty string to allow all (previous behavior). If not specified the values specified in ColdFusion Administrator take precedence.

this.security.samlsettings.idp array

CF 2021+ Used with SAML / SSO to create/configure the Identity Provider. See https://helpx.adobe.com/coldfusion/using/saml-coldfusion.html for more detail.
NOTE: The SAML Package must be installed.

this.security.samlsettings.sp array

CF 2021+ Used with SAML / SSO to create/configure the Service Provider. See https://helpx.adobe.com/coldfusion/using/saml-coldfusion.html for more detail.
NOTE: The SAML Package must be installed.

Links more information about Application.cfc

A very basic script example

component {
    this.name = "AppName";
    this.datasource = "AppDataSource";
    this.sessionManagement = true;

    function onApplicationStart() {
        application.config="xyz";
    }

 }

This example uses getCurrentTemplatePath and getDirectoryFromPath to dynamically get the directory that the current Application.cfc resides in and then defines some mappings relative to that. You want to avoid using expandPath in Application.cfc because the path will be relative to the current template path not the Application.cfc path.

component {
    this.name = "AppName";
    this.appBasePath = getDirectoryFromPath(getCurrentTemplatePath());
    this.mappings["/components"] = this.appBasePath & "components";
    this.mappings["/frameworks"] = this.appBasePath & "frameworks";

}

The minimum required to create a WebSocket channel is the name attribute. A channel can also specify a custom channel listener CFC, if not specified the ChannelListener.cfc, available in wwwroot/CFIDE/websocket directory is called (Using Channel Listeners).

Note: Though you can use any number of sub-channels, you do not specify them as they are dynamically created (dot notation). To subscribe to channels you create a WebSocket object using the cfwebsocket tag in your CFM template.

component {
    this.name = "AppName";
    this.wschannels = [{name=channelName, cfclistener=channel_listener_CFC}];
}

This example shows how to map to directories that are a level up from the Application.cfc (web root) as well as how to handle an application that will need to be deployed on multiple operating systems (Mac, Unix, Windows) due to differing developer environments. It uses Find to determine if we need to use forward or back slashes in our paths and ListDeleteAt to drop the current directory from the path. We can then build the path for our mappings and custom tags using this information.

component {
    this.name = "AppName";
    this.currentPath = getDirectoryFromPath( getCurrentTemplatePath() );
    this.delim = find("/", this.currentPath) ? "/" : "\";
    this.basePath = listDeleteAt(this.currentPath, listLen(this.currentPath, this.delim), this.delim);
    this.mappings["/components"] = this.basePath & this.delim & "components";
    this.mappings["/frameworks"] = this.basePath & this.delim & "frameworks";
    this.customtagpaths = this.basePath & this.delim & "customtags";

}

Signup for cfbreak to stay updated on the latest news from the ColdFusion / CFML community. One email, every friday.

Fork me on GitHub