The scope for the Application.cfc file contains several built-in variables, which correspond to the attributes that you set in the cfapplication tag. You set the values of these variables in the CFC initialization code, before you define the CFC methods. You can access the variables in any method.
Note: Although Windows is case-insensitive, you must always start the Application.cfc filename with an uppercase A. Both application.cfc and Application.cfc are reserved words. |
Note: If your application has an Application.cfc, and an Application.cfm or onRequestend.cfm page, ColdFusion ignores the CFM pages |
The following table briefly describes the variables that you can set to control the application behavior. For more details, see the cfapplication tag.
| Variable | Default | Description |
|---|---|---|
| name | no name | The application name. If you do not set this variable, or set it to the empty string, your CFC applies to the unnamed application scope, which is the ColdFusion J2EE servlet context. For more information on unnamed scopes see Integrating JSP and servlets in a ColdFusion application in Interoperating with JSP pages and servlets in the Developing ColdFusion Applications. |
| applicationTimeout | Administrator value | Life span, as a real number of days, of the application, including all Application scope variables. Use the CFML CreateTimeSpan function to generate this variable's value. |
| authcookie.disableupdate | False | Disable update of cfauthorization cookie using cfcookie or cfheader tag |
| authcookie.timeout | -1 | Auth Cookie age in days. |
| authcookie.samesite | Valid values are Struct, Lax, or None. | |
| cache.useInternalQueryCache | false | If true, ColdFusion will store cached queries in the old non-cool non-Ehcache version of the cache. |
| cache.querysize | Administrator value | Maximum number of queries that can be cached. To be clear, this refers to automatic caching via cachedWithin and cachedAfter in the cfquery/queryExecute tag/function. You can store as many queries as you would like using cachePut. Well, as many as your RAM will allow. Be sensible, people. |
| chartStyleDirectory | Application specific chart styles directory. | |
| clientManagement | no |
|
| clientStorage | Administrator value | Where Client variables are stored; can be cookie, registry, or the name of a data source. |
| customtagpaths | Administrator value | Contains ColdFusion custom tag paths. It is a comma delimited list with absolute path.To use this variable, select the Enable Per App Settings option in the Administrator Server > Settings page.The settings that you define here take precedence over the custom tag paths defined in the Administrator Server Settings > Mappings page for the current application. |
| googleMapKey | The Google Maps API key required to embed Google Maps in your web pages. | |
| datasource | Name of the data source from which the query retrieves data. | |
| datasources | Struct of structs defining datasources.You can use this variable to define a datasource specific to the application . This does not register/update a datasource in ColdFusion Administrator. | |
| loginStorage | cookie | Whether to store login information in the Cookie scope or the Session scope. |
| mappings | Administrator value | A structure that contains ColdFusion mappings. Each element in the structure consists of a key and a value. The logical path is the key and the absolute path is the value. To use this variable, select the Enable Per App Settings option in the Administrator Server Settings > Settings page.The mappings that you define here take precedence over the mappings defined in the Administrator Server Settings > Mappings page for the current application. |
| passArrayByReference | False | Arrays will be passed by reference instead of by value for this application. |
| restSettings.cfclocation | To publish the CFCs only in a particular location, provide comma-separated list of directories where the REST CFCs are located. The directory paths can be absolute or relative.If not set, all the CFCs from the application root are published. | |
| restSettings.skipCFCWithError | When an error occurs, continue publishing, ignoring the CFC that has caused the exception.If true, the CFC with error is ignored and the rest of the CFCs are published. By default it is false.If set to false, in case of an error, the application itself is not published. But other registered application are published.If an error occurs during application startup, the error is printed in console.Each application has separate log files for logging the issues. | |
| restSettings.restEnabled | False | If true, then ColdFusion searches the directory containing a set of REST-enabled CF components. |
| restSettings.autoRegister | False | Enable auto registration of an application. |
| restSettings.useHost | False | Specifies the host name. If true, then the host name is parsed from the URL. |
| restSettings.host | Explicitly naming the hostname will make the host name. If the host name is not mentioned, then the usehost name will be defaulted. |
|
| restSettings.serviceMapping | If not specified, then the application defined in this.name is taken as default. | |
| restSettings.isDefault | False | If true, application will be made as default app. |
| scriptprotect | None | If true, it adds protection from external scripts and cross-site scripting. Valid values are:
The flag protects from the following:
The feature is a set of regular expressions located in lib/neo-security.xml that replaces the tags: object, embed, script, applet, and meta with the tag name InvalidTag, when they are passed as input to the Form, URL, CGI, and Cookie scopes. |
| sessioncookie.httponly | True | Specify whether session cookies have to be set as httponly or not. i.e. accessible only to Http requests |
| sessioncookie.secure | False | Specify whether session cookies have to be set as secure or not. i.e. returned on any type of connection or only secured (https) connections |
| sessioncookie.domain | Domain for which the cookie should be set. This should match exactly with the domain, with which application would be accessed | |
| sessioncookie.timeout | 30 years |
Session Cookie age in days |
| sessioncookie.disableupdate | False | Disable update of cfid and cftoken cookie using cfcookie or cfheader tag |
| serverSideFormValidation | yes | Whether to enable validation on cfform fields when the form is submitted. |
| sessionManagement | no | Whether the application supports Session scope variables. |
| sessionTimeout | Administrator value | Life span, as a real number of days, of the user session, including all Session variables. Use the CFML CreateTimeSpan function to generate this variable's value. |
| setClientCookies | True | Whether to send CFID and CFTOKEN cookies to the client browser. |
| setDomainCookies | False | Whether to set CFID and CFTOKEN cookies for a domain (not just a host). |
| security.antisamypolicy | Specify the location of antisamy file to be used when no antisamy policy file is passed to the getSafeHTML or isSafeHTML functions. The policy file can be relative to the Application CFC path or an absolute path can be provided. | |
| compileextforinclude | Specify the list of allowed file extensions as a comma-separated list for the cfinclude tag. Specifying a wildcard * in the list makes any file included using the cfinclude tag to be compiled. If any file included using the cfinclude tag is not found in this list, their content will be statically included. By default, files with the cfm and cfml extensions are always compiled irrespective of this setting. | |
| strictnumbervalidation | True/False. Default is true. The IsValid function for the integer and numeric types allowed the currency symbols at the start and commas inside the number. In ColdFusion 11, the isValid function behaves in a different way. Setting strictnumbervalidation to false makes the isValid function to behave in a way just like in the previous versions (ColdFusion 10 or earlier). Note that this setting also changes the behavior of the following tags: |
|
| secureJSON | Administrator value | A Boolean value that specifies whether to add a security prefix in front of the value that a ColdFusion function returns in JSON-format in response to a remote call. The default value is the value of the Prefix serialized JSON setting in the Administrator Server Settings > Settings page (which defaults to false). You can override this value in the cffunction tag.For more information see Improving security in Ajax programming rules and techniques in the Developing ColdFusion Applications. |
| secureJSONPrefix | Administrator value | The security prefix to put in front of the value that a ColdFusion function returns in JSON-format in response to a remote call if the secureJSON setting is true. The default value is the value of the Prefix serialized JSON setting in the Administrator Server Settings > Settings page (which defaults to //, the JavaScript comment character).For more information see Improving security in Ajax programming rules and techniques in the Developing ColdFusion Applications. |
| serialization.preservecaseforstructkey | False | Boolean that determines if case for struct keys should be preserved when serializing a struct to JSON. |
| serialization.serializequeryas | row | Determines how queries should be serialized to JSON. Possible values are row, column, and struct. |
| serialization.preserveCaseForQueryColumn | false | If true, column case will be preserved. |
| sessioncookie.samesite |
Valid values are Strict, Lax, or None. | |
| welcomeFileList | A comma-delimited list of names of files. Tells ColdFusion not to call the onMissingTemplate method if the files are not found. Use this variable to prevent ColdFusion from invoking the onMissingTemplate handler if all of the following items are true:
|
|
| smtpServersettings | A struct that contains the following values: server, username, and password.If no value is specified, takes the value in the administrator. | |
| sameformfieldsasarray | false | If the form fields have the same name, ColdFusion converts the form fields as an array instead of a list. To do this, in the Application.cfc, specify the following: this.sameformfieldsasarray = "true". Note: The empty string values will be preserved only if this is set to true. |
| timeout | This number represents how long an individual request can take. Timeout set using overrides the timeout in the Application.cfc using this.timeout="". | |
| debuggingIPAddresses | A list of IP addresses that need debugging. | |
| enablerobustexception | Overrides the default administrator settings. It does not report compile-time exceptions. | |
| javaSettings | A structure allowing you to specify Java class paths to be made available to your code. Valid keys are: loadPaths (an array of paths to include when searching for Java libraries), loadColdFusionClassPath (a boolean indicating if the default class path should be used, defaults to false), and reloadOnChange (a boolean indicating if the classpaths should be reloaded when they change, the default is false). | |
| javasettings.watchInterval | Specifies the time interval in seconds after which to verify any change in the class files or JAR files. This attribute is applicable only if the reloadOnChange attribute is set to true. The default value is 60 seconds. | |
| javasettings.watchExtensions | Specifies the extensions of the files to monitor for changes. By default, only .class and .jar files are monitored. | |
| searchimplicitscopes | False | Allows you to enable or disable searching for an un-scoped variable in implicit scopes. NOTE: In ColdFusion (2023 release) Update 7, the default value for this flag is changed to FALSE. |
| serialization.structmetadata | Set the data type info for a struct value. For example, if this.serialization.structmetadata = {zipcode="String"};, you need not define the data type for zipcode for the struct that contains this key. If you define the datatype for zipcode in the struct itself, then the defined datatype at struct level takes priority over the one defined in Application.cfc. | |
| enableNullSupport | false | Allows you to enable or disable support for NULL variables. Possible values are true or false. |
| cache.engine | ehcache | Specified the cache engine to be used. You can use the following engines:
|
| cache.configFile | Path to the properties file of the caching engine. | |
| restSettings.generateRESTDoc | false | If true, then ColdFusion server generates Swagger doc automatically. |
| blockedExtForFileUpload | A comma-separated list of file extensions for the files that must be blocked for uploading. | |
| useJavaAsRegexEngine | false | If true, then Java is used as regex engine over the default engine. |
| timeZone |
If true, if you execute any date/time function, the time zone returned will be the same as set in this flag. |
Form fields with same name
Assume that the form fields have same name. In this case, ColdFusion converts the form fields as an array instead of a list.To do this, in the Application.cfc, specify the following: this.sameformfieldsasarray = "true".The default value is false.
Application.cfc is unable to resolve nested cfincludes from outside the directory where te file resides. To resolve this, add the flag -Dcoldfusion.application.recur_resolve.include=true needs be added in jvm.config.
Enhancements made in ColdFusion (2021 release)
this.timeZone
There is a new flag, this.timeZone, which you can set it to any valid time zone. After setting the time zone, if you execute any date/time function, the time zone returned will be the same as set in Application.cfc. For example,
Application.cfc
component {
this.timeZone="US/Pacific"
}
timezone.cfm
<cfscript>
writeOutput("The time at the configured time zone is: " & now())
</cfscript>
MongoDb settings
this.datasources = {
"local"= {
type="mongodb"
},
"mymongodb"= {
type="mongodb",
host="mongodb://10.192.217.184:27017/",
"init"= true
}
}
AWS Cloud Features (SQS, SNS, S3, DynamoDB)
component {
function OnApplicationStart() {
application.awsCred = {
"credentialAlias" : "<alias name>",
"vendorName" : "AWS",
"region" : "<region name>",
"secretAccessKey" : "<AWS Secret>",
"accessKeyId" : "<AWS Key>"
};
application.awsConf = {
"serviceName" = "<Service name>",
"alias" : “<alias name>”,
"clientOverrideConfig": {
"apiCallAttemptTimeout": "<timeout>"
}
};
application.accountKey = "<Account Key>";
}
}
SAML
Manual Configuration
this.security.samlsettings.idp = [{
name: '<IDP name>',
description: '<Description>',
entityID: '<Entity ID obtained from Identity Provider>',
ssoURL: '<Single Sign-On URL>',
sloURL: '<Logout URL>',
ssoBinding: '<post/redirect>',
sloBinding: '<post/redirect>',
SIGNREQUESTS: true/false,
ENCRYPTREQUESTS: true/false,
SignCertificate: '<Certificate>' ,
EncryptCertificate: '<Certificate>'
}];
Using File location of IDP metadata
this.security.samlsettings.idp = [
{
name: '<IDP name>',
description:'<Description>',
file:'<IDP metadata file location>'
}
];
Using URL
this.security.samlsettings.idp = [
{
name: '<IDP name>',
description:'<Description>',
url:'<IDP metadata URL>'
}
];
Add SP using Application.cfc
this.security.samlsettings.sp = [{
name: '<SP name>',
description:'<Description>',
entityId: '<Entity ID for SP>',
acsURL: '<Assertion Consumer Service URL>',
sloURL: '<Logout URL>',
ACSBINDING: '<post/redirect>',
SLOBINDING: '<post/redirect>',
SIGNREQUESTS: true/false,
WANTASSERTIONSSIGNED: true/false,
LOGOUTRESPONSESIGNED: true/false,
SIGNKEYSTOREPATH: '<Path to sign keystore>',
SIGNKEYSTOREPASSWORD: '<keystore password>',
SIGNKEYSTOREALIAS: '<keystore alias>',
requestStore: 'Redis', strict: 'true'
}];
Azure Blob credentials
application.blobCred = {
"vendorName" : "AZURE",
"connectionString" : "key"
}
Azure Blob configuration
application.blobConf = {
"serviceName" : "AZURE_BLOB"
"options" : {
"absorbConditionalErrorsOnRetry" : true/false,
"concurrentRequestCount" : 5,
"useTransactionalContentMD5" : true/false,
"storeBlobContentMD5" : true/false,
"disableContentMD5Validation": true/fasle,
"singleBlobPutThresholdInBytes" : 12345,
"skipEtagLocking" : true/false,
"retryPolicyFactory": {
"retryPolicyType" : "EXPONENTIAL" | "LINEAR" | "NONE",
"deltaBackoffIntervalInMs" : 12,
"maxAttempts" : 3,
"resolvedMinBackoff" : 1
},
"locationMode" : "PRIMARY_ONLY" | "PRIMARY_THEN_SECONDARY" | "SECONDARY_ONLY" | "SECONDARY_THEN_PRIMARY",
"maximumExecutionTimeInMs" : 2,
"timeoutIntervalInMs" : 1
}
}
Enhancements made in ColdFusion (2018 release) Update 9 and ColdFusion (2016 release) Update 15
Added the followinng flags:
- this.sessioncookie.samesite = "Strict | Lax | None"
- this.authcookie.samesite= "Strict | Lax | None"
Application.cfc
component {
this.name = "MyApp";
this.sessioncookie.samesite = "Strict";
this.authcookie.samesite = "Lax";
this.sessionmanagement = true;
}
Enhancements made in ColdFusion (2018 release) Update 3, ColdFusion (2016 release) Update 10, and ColdFusion 11 Update 18
blockedExtForFileUpload to specify a comma-separated list of file extensions for file that must be blocked for uploading.
For example,
{
this.name="app name";
this.blockedExtForFileUpload="cfm, cfc, jsp"; //Specify other file extensions
}
The setting blockedExtForFileUpload only applies to the following tags and functions:
You can use "*" (star) to block all files or use "" (empty string) to allow all extensions.
If you are trying to upload a file using the cffile tag and you want to override the blocked file extensions defined at the server level, specify the extensions. The list overrides the global settings.
For example, you have blocked the extensions, " cfm , cfc , asp, aspx " in ColdFusion Administrator, but want to upload files of type aspx for your application, use the code below to override the global settings.
component {
this.name="myApp";
this.blockedExtForFileUpload="cfm, cfc, asp";
}
Enhancements made in ColdFusion (2018 release)
- enableNullSupport that specifies if you want to enable support for NULL variables.
- cache.engine to specify the type of cache engine to be used.
Enhancements made in ColdFusion (2016 release)
- serialization.structmetadata that defines the datatype for a struct key.
- There is a new application setting, searchImplicitScopes. When set to false, an un-scoped variable is not searched in implicit scopes.
- passArrayByReference setting, which when set to true, enables you to pass arrays by reference instead of value.
Enhancements made in ColdFusion 11
In ColdFusion 11, you can register application-specific datasources in Application.cfc. These datasources will be specific to that application and will not be available through the Administrator. If there is a name clash with a server-wide datasource, the one specific to the application will be given the priority.
this.datasources.dsn2={
"driver"="MSSQLServer",
"username"="sa",
"password"="password",
"url"="jdbc:macromedia:sqlserver:
//localhost\MSSQL2008;databaseName=regression;;sendStringParametersAsUnicode=
false;querytimeout=0;MaxPooledStatements=1000"
};
With a custom driver:
this.datasources.dsn3 = {
"driver" = "other",
"url"="jdbc:sqlserver://localhost\MSSQL2008;databaseName=pubs;sendStringParametersAsUnicode=false;querytimeout=0;MaxPooledStatements=1000",
"username" = "sa",
"password" = "S33N0Ev!l",
"class"="com.microsoft.sqlserver.jdbc.SQLServerDriver"
};
The following drivers are supported:
- MSSQLServer
- Oracle
- Sybase
- DB2
- Informix
- MySQL_DD
- PostgreSQL
- MSAccess
- Apache Derby Embedded
Apache Derby Client
MySQL5
ODBCSocket
Other (for custom driver)
Use this.datasources as shown in the examples below.
// Application.cfc
component {
this.name = "DSNTest";
this.datasources = {
mssql_app = {
database = "<DBName>",
host = "<HostNameOrIP>",
port = "<portNumber>",
driver = "MSSQLServer",
username = "username",
password = "password" }
};
this.datasource = "mssql_app";
}
<!--- query.cfm --->
<cfscript>
employees = queryExecute("SELECT * FROM TableName ",[], {datasource="mssql_app"});
writeOutput(employees);
</cfscript>
Enhancements made in ColdFusion 9.0.1
Application.cfc lets you specify data source authentication details for the data source. The data source settings can now be a string or a struct. When string, it is considered to be the data source name and authentication information is taken from the data source defined in the ColdFusion Administrator.
You can specify the authentication information using a struct value for data source. The following are the key names:
- name: data source name
- username: Username for the data source
password: Password for the data source
Example<this.datasource={name='cfartgallery', username="user", password="passwd"}>
or
<this.datasource="cfartgallery">
Note: The same convention is used for ORM default data source where you can specify the data source authentication information in the ormsettings.
The following application-specific attributes have been added for Amazon S3 integration:
- accessKeyId: ID for Amazon S3 account.
- awsSecretKey: Secret key for S3 account.
defaultLocation:}}The default location of Amazon S3 bucket creation. A bucket on S3 storage can be in one of the following regions: {{US, EU, or US-WEST.The defaultLocation provided in the Application.cfc defines the default location for the bucket that you create. The default value is US.
Examplethis.s3.accessKeyId = "key_ID";
this.s3.awsSecretKey = "secret_key";
this.s3.defaultLocation="location";
</cfscript>
Application-specific In-memory file system
You can use in-memory file system specific to applications. This enables application isolation for your virtual file system. That is, the file created in the in-memory file system by one application will not be accessible to another application.
The settings can be specified in the Application.cfc as follows:
Variable |
Description |
|---|---|
this.inmemoryfilesystem.enabled |
Set the value to true to enable in-memory file system for application. This is the default setting. |
this.inmemoryfilesystem.size |
Specify the memory limit in MB for the in-memory file system.You can also specify the value in the ColdFusion Administrator (Server Settings > Settings > Memory Limit per Application for In-Memory Virtual File System).The lesser value is considered. |