Defines application level variables and event handlers (functions invoked at various application lifecycle events).

component {"myApp"; }

Application.cfc string

Name of application. Up to 64 characters

this.loginStorage string
Default: cookie

cookie: store login information in the Cookie scope.
session: store login information in the Session scope.
  • cookie
  • session

this.clientManagement boolean
Default: false

Enables client variables
  • true
  • false

this.clientStorage string
Default: registry

How client variables are stored
* datasource_name: in ODBC or native data source.
You must create storage repository in the
* registry: in the system registry.
* cookie: on client computer in a cookie. Scalable.
If client disables cookies in the browser, client
variables do not work
  • cookie
  • registry
  • datasource_name

this.setClientCookies boolean
Default: true

No: CFML does not automatically send CFID and CFTOKEN
cookies to client browser; you must manually code CFID and
CFTOKEN on the URL for every page that uses Session or
Client variables
  • true
  • false

this.sessionManagement boolean
Default: false

Enables session variables
  • true
  • false

this.sessionTimeout Timespan

Lifespan of session variables. CreateTimeSpan function and
values in days, hours, minutes, and seconds, separated by

this.applicationTimeout Timespan

Lifespan of application variables. CreateTimeSpan function
and values in days, hours, minutes, and seconds, separated
by commas.

this.setDomainCookies boolean
Default: false

Yes: Sets CFID and CFTOKEN cookies for a domain (not a host)
Required, for applications running on clusters.
  • true
  • false

this.scriptProtect string

Specifies whether to attempt to protect variables from cross-site scripting attacks.
- none: do not protect variables
- all: protect Form, URL, CGI, and Cookie variables
- comma-delimited list of ColdFusion scopes: protect variables in the specified scopes
  • none
  • all
  • form
  • url
  • cookie
  • cgi
  • form,url
  • form,url,cookie
  • form,url,cookie,cgi

this.secureJSONPrefix string

CF 8+ The security prefix to put in front of the value that a ColdFusion function returns in JSON-format
in response to a remote call if the secureJSON setting is true.

this.secureJSON boolean

CF 8+ A Boolean value that specifies whether to add a security prefix in front of any value that a ColdFusion function returns in JSON-format
in response to a remote call.
  • true
  • false

this.customTagPaths string

CF 8+ A comma delimited list of absolute file paths pointing to directories containing custom tags.

this.mappings struct

CF 8+ A structure of application mappings where they key is the mapping and the value is the directory path.

this.welcomeFileList string

CF 8+ A comma separated list of file names that will skip onMissingTemplate invocation - typically only necessary if you are using a built-in web server like Tomcat or JRun.

this.serverSideFormValidation boolean

CF 9+ Enable/Disable ColdFusion‚ server side validation on CFFORM.
  • true
  • false

this.googleMapKey string

CF 9+ the google maps api when cfmap is used.

this.datasource string

CF 9+ Defines the default datasource for the application. As of CF 9.0.1+ it can also accept a struct with keys: name, username, password.

this.s3 struct

CF 9+ A struct with keys accessKeyId, awsSecretKey and defaultLocation.

this.ormEnabled boolean
Default: false

CF 9+ Set to true if you want to use ORM.

this.ormSettings struct

CF 9+ A struct with various Hibernate / ORM configuration options. For details see:

this.smtpServerSettings struct

CF 9+ A struct with possible keys: server, username and password.

this.timeout numeric

CF 9+ The default request timeout in seconds for requests within the application. Can be overridden by the cfsetting tag.

this.debuggingIPAddresses string

CF 9+ A list of IP addresses which show debugging output when debugging is enabled in the Administrator.

this.enableRobustException boolean

CF 9+ Overrides the value of the ColdFusion Administrator checkbox "Enable Robust Exception Information" for the application.

this.sessioncookie.httpOnly boolean
Default: true

CF 10+ Specifies if the session cookies (CFID/CFTOKEN) should have the HTTPOnly cookie flag set. This prevents the cookie value from being read from JavaScript. boolean
Default: false

CF 10+ Specifies if the session cookies (CFID/CFTOKEN) should have the secure cookie flag set. When true the cookies are only sent over a secure transport (e.g. HTTPS).

this.sessioncookie.domain string
Default: false

CF 10+ Specifies the cookie domain the session cookies (CFID/CFTOKEN).

this.sessioncookie.timeout string
Default: 30 years

CF 10+ Specifies the expires value of the session cookies (CFID/CFTOKEN), in days. Set to -1 for browser session cookies.

this.sessioncookie.disableUpdate boolean
Default: false

CF 10+ Prevents the session cookies (CFID/CFTOKEN), from being updated by cfcookie or cfheader tags.

this.javaSettings.loadPaths array

CF 10+ An array of paths containing jar files or java classes.

this.javaSettings.loadColdFusionClassPath boolean
Default: false

CF 10+ Loads the classes using ColdFusions classloader.

this.javaSettings.reloadOnChange boolean
Default: false

CF 10+ Watches the files specified in loadPaths and reloads classes on change.

this.wsChannels array
Default: false

CF 10+ An array of structs used to define WebSocket communication channels.

this.sameFormFieldsAsArray boolean
Default: false

CF 10+ When two form fields are passed with the same name their values will be put into an array when this setting is true.

this.compileExtForInclude string
Default: cfm,cfml

CF 11+ When cfinclude is invoked only file extensions in this list are compiled and executed as CFML, otherwise they are statically included as a string for improved performance and security. You can use * as a wildcard for all. string

CF 11+ Path to an AntiSamy XML policy file for use with isSafeHTML and getSafeHTML functions.

this.strictNumberValidation boolean
Default: true

CF 11+ Makes isValid, cfargument, cfparam, and cfform more strict with regard to how the treat integer or numeric validation when the string contains a currency.

this.inMemoryFileSystem.enabled boolean

CF 11+ Enables or disables in memory file system.

this.inMemoryFileSystem.size numeric

CF 11+ Memory limit in MB for the in memory file system.

this.datasources struct

CF 11+ Create multiple an application specific datasources. This value is a structure whose keys are the name of the datasource to be created, and the values are another structure with keys such as: database, driver, host, username, password, url. Lucee / Railo also support this setting, but are configured with keys class, connectionString, username, password

this.serialization.preserveCaseForStructKey boolean
Default: false

CF 11+ Preserves the case of your variable names when generating json using the serializeJSON function.

this.serialization.preserveCaseForQueryColumn boolean
Default: false

CF 11.0.5+ Preserves the case of your query column names when generating json using the serializeJSON function.

this.customSerializer numeric

this.locale string
Default: en_US

Lucee 4+ The default locale used for formatting dates, numbers.

this.timezone string

Lucee 4+ The default timezone used for date handling.
  • America/Chicago
  • America/New_York
  • UTC

this.sessionType string

Lucee 4+ Use cfml or jee based sessions.
  • cfml
  • jee

this.sessionStorage string
Default: memory

Lucee 4+ The name of the storage provider for session variables.

this.localMode string
Default: classic

Lucee 4+ Defines how the local scope of a function is invoked when a variable with no scope definition is used. When classic the local scope is only invoked when the key already exists in it, with modern the local scope is always assumed on unscoped variables.
  • classic
  • modern

this.scopeCascading string
Default: standard

Lucee 4+ Depending on this setting Lucee scans certain scopes to find a variable when the variable is called without a scope (For Example: #myVar# instead of #variables.myVar#). When strict, only scans the variables scope, small only scans variables, url, and form scopes. When standard (the ColdFusion standard way) scans all scopes: variables,cgi,url,form,cookie
  • standard
  • strict
  • small

this.typeChecking boolean

Lucee 4+ If set to false Lucee ignores type definitions with function arguments and return values

this.compression boolean
Default: false

Lucee 4+ Enables Gzip compression on the HTTP response when true

this.passArrayByReference boolean
Default: false

CF 2016+ true: Arrays will be passed by reference instead of by value for this application.
  • true
  • false

this.searchImplicitScopes boolean
Default: true

CF 2016+ Defines the way non-scoped variables are found.
false: Only the variables, local and arguments scopes are searched.
true: Default and < CF2016 behavior. All scopes are searched in the following order: local, arguments, thread local, query, thread, variables, cgi, cffile, url, form, cookie, client.
  • true
  • false

this.blockedExtForFileUpload string

CF 2018.0.3+ CF 2016.0.10+ CF 11.0.18+ Lucee Lucee 0 A comma delimited list of file extensions to be blocked from upload via cffile, fileUpload or fileUploadAll. You can specify * (not yet supported on Lucee) to block all extensions or use an empty string to allow all (previous behavior). If not specified the values specified in ColdFusion Administrator take precedence.

Links more information about Application.cfc

Examples sample code using the Application.cfc function

A very basic script example

component { = "AppName";
    this.datasource = "AppDataSource";
    this.sessionManagement = true;

    function onApplicationStart() {


This example uses getCurrentTemplatePath and getDirectoryFromPath to dynamically get the directory that the current Application.cfc resides in and then defines some mappings relative to that. You want to avoid using expandPath in Application.cfc because the path will be relative to the current template path not the Application.cfc path.

component { = "AppName";
    this.appBasePath = getDirectoryFromPath(getCurrentTemplatePath());
    this.mappings["/components"] = this.appBasePath & "components";
    this.mappings["/frameworks"] = this.appBasePath & "frameworks";


The minimum required to create a WebSocket channel is the name attribute. A channel can also specify a custom channel listener CFC, if not specified the ChannelListener.cfc, available in wwwroot/CFIDE/websocket directory is called (Using Channel Listeners).

Note: Though you can use any number of sub-channels, you do not specify them as they are dynamically created (dot notation). To subscribe to channels you create a WebSocket object using the cfwebsocket tag in your CFM template.

component { = "AppName";
    this.wschannels = [{name=channelName, cfclistener=channel_listener_CFC}];

This example shows how to map to directories that are a level up from the Application.cfc (web root) as well as how to handle an application that will need to be deployed on multiple operating systems (Mac, Unix, Windows) due to differing developer environments. It uses Find to determine if we need to use forward or back slashes in our paths and ListDeleteAt to drop the current directory from the path. We can then build the path for our mappings and custom tags using this information.

component { = "AppName";
    this.currentPath = getDirectoryFromPath( getCurrentTemplatePath() );
    this.delim = find("/", this.currentPath) ? "/" : "\";
    this.basePath = listDeleteAt(this.currentPath, listLen(this.currentPath, this.delim), this.delim);
    this.mappings["/components"] = this.basePath & this.delim & "components";
    this.mappings["/frameworks"] = this.basePath & this.delim & "frameworks";
    this.customtagpaths = this.basePath & this.delim & "customtags";


Fork me on GitHub