Defines web browser cookie variables, including expiration and
security options.

  <cfcookie name = "cookie name">

 cfcookie(name = "cookie name");

Attribute Reference

name string

Name of cookie variable. CFML converts cookie names
to all-uppercase. Cookie names set using this tag can
include any printable ASCII characters except commas,
semicolons or white space characters.

value string

Value to assign to cookie variable. Must be a string or
variable that can be stored as a string.

expires any

Expiration of cookie variable.

* The default: the cookie expires when the user closes the
browser, that is, the cookie is "session only".
* A date or date/time object (for example, 10/09/97)
* A number of days (for example, 10, or 100)
* now: deletes cookie from client cookie.txt file
(but does not delete the corresponding variable the
Cookie scope of the active page).
* never: The cookie expires in 30 years from the time it
was created (effectively never in web years).

secure boolean

If browser does not support Secure Sockets Layer (SSL)
security, the cookie is not sent. To use the cookie, the
page must be accessed using the https protocol.

path string

URL, within a domain, to which the cookie applies;
typically a directory. Only pages in this path can use the
cookie. By default, all pages on the server that set the
cookie can access the cookie.

path = "/services/login"

domain string

Domain in which cookie is valid and to which cookie content
can be sent from the user's system. By default, the cookie
is only available to the server that set it. Use this
attribute to make the cookie available to other servers.

Must start with a period. If the value is a subdomain, the
valid domain is all domain names that end with this string.
This attribute sets the available subdomains on the site
upon which the cookie can be used.

httpOnly boolean

CF 9+ Specify whether cookie is http cookie or not

encodevalue boolean

CF 10+ Specify if cookie value should be encoded

preserveCase boolean
Default: false

CF 10+ Specify if cookie name should be case-sensitive

samesite string

CF 2018+ Tells browsers when and how to fire cookies in first-
or third-party situations. SameSite is used to
identify whether or not to allow a cookie to be
  • strict
  • lax
  • none

Sample code using the cfcookie tag

cfcookie(name="TimeVisited", value=Now(), domain="", path="/coldfusion" expires=30, httponly="yes", encodevalue="yes" )

<cfcookie name="TimeVisited" value=Now() domain="" path="/coldfusion" expires=30 httponly="yes" encodevalue="yes" />

cookie.TimeVisited = { value="#Now()#", domain="", path="/coldfusion", expires=30, httponly="yes", encodevalue="yes" }; 

<cfheader name="Set-Cookie" value="TimeVisited=#Now()#; path=/coldfusion;; expires=30; HttpOnly;"/>

Signup for cfbreak to stay updated on the latest news from the ColdFusion / CFML community. One email, every friday.

Fork me on GitHub