Defines application level variables and event handlers (functions invoked at various application lifecycle events).

component {"myApp"; }


Name of application. Up to 64 characters

Default: cookie

cookie: store login information in the Cookie scope.
session: store login information in the Session scope. Values:
  • cookie
  • session

Default: NO

enables client variables

Default: registry

How client variables are stored
* datasource_name: in ODBC or native data source.
You must create storage repository in the
* registry: in the system registry.
* cookie: on client computer in a cookie. Scalable.
If client disables cookies in the browser, client
variables do not work Values:
  • cookie
  • registry
  • datasource_name

Default: YES

No: CFML does not automatically send CFID and CFTOKEN
cookies to client browser; you must manually code CFID and
CFTOKEN on the URL for every page that uses Session or
Client variables

Default: NO

enables session variables


Lifespan of session variables. CreateTimeSpan function and
values in days, hours, minutes, and seconds, separated by


Lifespan of application variables. CreateTimeSpan function
and values in days, hours, minutes, and seconds, separated
by commas.

Default: NO

Yes: Sets CFID and CFTOKEN cookies for a domain (not a host)
Required, for applications running on clusters.


Specifies whether to attempt to protect variables from cross-site scripting attacks.
- none: do not protect variables
- all: protect Form, URL, CGI, and Cookie variables
- comma-delimited list of ColdFusion scopes: protect variables in the specified scopes Values:
  • none
  • all
  • form
  • url
  • cookie
  • cgi
  • form,url
  • form,url,cookie
  • form,url,cookie,cgi


CF 8+ The security prefix to put in front of the value that a ColdFusion function returns in JSON-format
in response to a remote call if the secureJSON setting is true.


CF 8+ A Boolean value that specifies whether to add a security prefix in front of any value that a ColdFusion function returns in JSON-format
in response to a remote call.


CF 8+ A file path to a directory containing custom tags.


CF 8+ A structure of application mappings where they key is the mapping and the value is the directory path.


CF 8+ A comma seperated list of file names that will skip onMissingTemplate invocation - typically only necessary if you are using a builtin web server like Tomcat or JRun.


CF 9+ Enable/Disable ColdFusion‚ server side validation on CFFORM.


CF 9+ the google maps api when cfmap is used.


CF 9+ Defines the default datasource for the application. As of CF 9.0.1+ it can also accept a struct with keys: name, username, password.


CF 9+ A struct with keys accessKeyId, awsSecretKey and defaultLocation.

Default: false

CF 9+ Set to true if you want to use ORM.


CF 9+ A struct with various Hibernate / ORM configuration options. For details see:


CF 9+ A struct with possible keys: server, username and password.


CF 9+ The default request timeout in seconds for requests within the application. Can be overridden by the cfsetting tag.


CF 9+ A list of IP addresses which show debugging output when debugging is enabled in the Administrator.


CF 9+ Overrides the value of the ColdFusion Administrator checkbox "Enable Robust Exception Information" for the application.

Default: true

CF 10+ Specifies if the session cookies (CFID/CFTOKEN) should have the HTTPOnly cookie flag set. This prevents the cookie value from being read from JavaScript.
Default: false

CF 10+ Specifies if the session cookies (CFID/CFTOKEN) should have the secure cookie flag set. When true the cookies are only sent over a secure transport (eg HTTPS).

Default: false

CF 10+ Specifies the cookie domain the session cookies (CFID/CFTOKEN).

Default: 30 years

CF 10+ Specifies the expires value of the session cookies (CFID/CFTOKEN), in days. Set to -1 for browser session cookies.

Default: false

CF 10+ Prevents the session cookies (CFID/CFTOKEN), from being updated by cfcookie or cfheader tags.


CF 10+ An array of paths containing jar files or java classes.

Default: false

CF 10+ Loads the classes using ColdFusions classloader.

Default: false

CF 10+ Watches the files specified in loadPaths and reloads classes on change.

Default: false

CF 10+ An array of structs used to define WebSocket communication channels. Example available below.

Default: cfm,cfml

CF 11+ When cfinclude is invoked only file extensions in this list are compiled and executed as CFML, otherwise they are statically included as a string for improved performance and security. You can use * as a wildcard for all.

CF 11+ Path to an AntiSamy XML policy file for use with isSafeHTML and getSafeHTML functions.

Default: true

CF 11+ Makes isValid, cfargument, cfparam, and cfform more strict with reguard to how the treat integer or numeric validation when the string contains a currency.


CF 11+ Enables or disables in memory file system.


CF 11+ Memory limit in MB for the in memory file system.


CF 11+ Create multiple an application specific datasources. This value is a structure whos keys are the name of the datasource to be created, and the values are another structure with keys such as: database, driver, host, username, password, url. Lucee / Railo also support this setting, but are configured with keys class, connectionString, username, password

Default: true

CF 11+ Preserves the case of your variable names when generating json using the serializeJSON function.


Default: en_US

Lucee 4+ The default locale used for formatting dates, numbers.


Lucee 4+ The default timezone used for date handling. Values:
  • America/Chicago
  • America/New_York
  • UTC


Lucee 4+ Use cfml or jee based sessions. Values:
  • cfml
  • jee

Default: memory

Lucee 4+ The name of the storage provider for session variables.

Default: classic

Lucee 4+ Defines how the local scope of a function is invoked when a variable with no scope definition is used. When classic the local scope is only invoked when the key already exists in it, with modern the local scope is always assumed on unscoped variables. Values:
  • classic
  • modern

Default: standard

Lucee 4+ Depending on this setting Lucee scans certain scopes to find a variable when the variable is called without a scope (For Example: #myVar# instead of #variables.myVar#). When strict, only scans the variables scope, small only scans variables, url, and form scopes. When standard (the ColdFusion standard way) scans all scopes: variables,cgi,url,form,cookie Values:
  • standard
  • strict
  • small


Lucee 4+ If set to false Lucee ignores type defintions with function arguments and return values

Default: false

Lucee 4+ Enables Gzip compression on the HTTP response when true

Default: false

CF 2016+ true: Arrays will be passed by reference instead of by value for this application.

Default: true

CF 2016+ Defines the way non-scoped variables are found.
false: Only the variables, local and arguments scopes are searched.
true: Default and < CF2016 behaviour. All scopes are searched in the following order: local, arguments, thread local, query, thread, variables, cgi, cffile, url, form, cookie, client.

Links more information about Application.cfc

Examples sample code using the Application.cfc function

Simple Application.cfc Example

A very basic script example

component { = "AppName";
    this.datasource = "AppDataSource";
    this.sessionManagement = true;

    function onApplicationStart() {


Adding relative mappings in Application.cfc

This example uses getCurrentTemplatePath and getDirectoryFromPath to dynamically get the directory that the current Application.cfc resieds in and then defines some mappings relative to that. You want to avoid using expandPath in Application.cfc because the path will be relative to the current template path not the Application.cfc path.

component { = "AppName";
    this.appBasePath = getDirectoryFromPath(getCurrentTemplatePath());
    this.mappings["/components"] = this.appBasePath & "components";
    this.mappings["/frameworks"] = this.appBasePath & "frameworks";


Defining WebSocket Channels

The minimum required to create a WebSocket channel is the name attribute. A channel can also specify a custom channel listener CFC, if not specified the ChannelListener.cfc, available in wwwroot/CFIDE/websocket directory is called (Using Channel Listeners).

Note: Though you can use any number of sub-channels, you do not specify them as they are dynamically created (dot notation). To subscribe to channels you create a WebSocket object using the cfwebsocket tag in your CFM template.

component { = "AppName";
    this.wschannels = [{name=channelName, cfclistener=channel_listener_CFC}];

Relative mappings - Advanced Example

This example shows how to map to directories that are a level up from the Application.cfc (web root) as well as how to handle an application that will need to be deployed on multiple operating systems (Mac, Unix, Windows) due to differing developer environments. It uses Find to determine if we need to use forward or back slashes in our paths and ListDeleteAt to drop the current directory from the path. We can then build the path for our mappings and custom tags using this information.

component { = "AppName";
    this.currentPath = getDirectoryFromPath( getCurrentTemplatePath() );
    this.delim = find("/", this.currentPath) ? "/" : "\";
    this.basePath = listDeleteAt(this.currentPath, listLen(this.currentPath, this.delim), this.delim);
    this.mappings["/components"] = this.basePath & this.delim & "components";
    this.mappings["/frameworks"] = this.basePath & this.delim & "frameworks";
    this.customtagpaths = this.basePath & this.delim & "customtags";


Full Application/Request Lifecycle Methods

This shows all of the built-in Application.cfc methods.

component { 
        Application variables 
    */ = "YourAppName" & hash(getCurrentTemplatePath()); 
    this.applicationTimeout = createTimeSpan(1,0,0,0); 
    this.sessionTimeout = createTimeSpan(1,0,0,0); 
    this.sessionManagement = true; 
    this.setClientCookies = false; 
        First function run when ColdFusion receives the first request for a page in the application. 
    public boolean function onApplicationStart() { 
        return true; 
        Last function run when Application times out or server is shut down. 
    public void function onApplicationEnd(struct applicationScope={}) { 
        Run when first setting up a session. 
    public void function onSessionStart() { 
        Run when a session ends. 
    public void function onSessionEnd(required struct sessionScope, struct applicationScope={}) { 
        First page-processing function run when a page request starts. 
        Return False to prevent ColdFusion from processing the request. 
    public boolean function onRequestStart(required string targetPage) { 
        return true; 
        Runs when a request starts, after the onRequestStart event handler. 
        This method is optional. If you implement this method, it must explicitly call the requested page to process it. 
    public void function onRequest(required string targetPage) { 
        include arguments.targetPage; 
        Intercepts any HTTP or AMF calls to an application based on CFC request. 
        Whereas onRequest handles only requests made to ColdFusion templates, this function controls Ajax, Web Service, and Flash Remoting requests. 
    public void function onCFCRequest(string cfcname, string method, struct args) { 
        Runs at the end of a request, after all other CFML code. 
    public void function onRequestEnd() { 
        Runs when you execute the CFML tag cfabort or cfscript "abort". 
        If showError attribute is specified in cfabort, onError method is executed instead of onAbort. 
        When using cfabort, cflocation, or cfcontent tags, the onAbort method is invoked instead on onRequestEnd. 
    public void function onAbort(required string targetPage) { 
        Runs when an uncaught exception occurs in the application. 
        This method overrides any error handlers that you set in the ColdFusion Administrator or in cferror tags. It does not override try/catch blocks. 
    public void function onError(required any exception, required string eventName) { 
        Runs when a request specifies a non-existent CFML page. 
        True, or no return value, specifies that the event has been processed. If the function returns false, ColdFusion invokes the standard error handler. 
    public boolean function onMissingTemplate(required string targetPage) { 
        return true; 

Fork me on GitHub