<html>
<head>
<link href="mmres://user_interface_reference.css" rel="stylesheet" type="text/css">
<title>CFAPPLICATION</title>
</head>
<body bgcolor="#FFFFFF" text="#000000">
   <div id="Description">
   <table cellpadding="0" cellspacing="0" border="0" width="100%" class="main">
      <tr> 
         <td valign="top" class="name">CFAPPLICATION</td>
         <td valign="top" nowrap class="compatibility">&nbsp;</td>
      </tr>
      <tr>
         <td colspan="2" class="divider"><img src="dwres:18084" width="100%" height="1"></td>
      </tr>


    </td>
  </tr>
  <tr>
    <td valign="top" colspan="2" class="description"><span class="title">Description</span>
<p>
Defines the scope of a ColdFusion application; enables and disables storage of Client variables; specifies the Client variable storage mechanism; enables Session variables; and sets Application variable timeouts. 
</p>
    </td>
  </tr>
  <tr>
    <td valign="top" colspan="2" class="CLEARSEPARATION">&nbsp;</td>
  </tr>
  <tr>
    <td valign="top" colspan="2" class="description"><span class="title">Category</span>
<p>
Application framework tags
</p>
  <tr>
    <td valign="top" colspan="2" class="CLEARSEPARATION">&nbsp;</td>
  </tr>
  <tr>
    <td valign="top" colspan="2" class="syntax"><span class="title">Syntax</span><pre>&lt;cfapplication 
   name = &quot;application_name&quot;
   loginStorage = &quot;cookie&quot; or &quot;session&quot;
   clientManagement = &quot;yes&quot; or &quot;no&quot;
   clientStorage = &quot;datasource_name&quot; or &quot;Registry&quot; or &quot;Cookie&quot; 
   setClientCookies = &quot;yes&quot; or &quot;no&quot; 
   sessionManagement = &quot;yes&quot; or &quot;no&quot;
   sessionTimeout = #CreateTimeSpan(days, hours, minutes, seconds)#
   applicationTimeout = #CreateTimeSpan(days, hours, minutes, seconds)#
   setDomainCookies = &quot;yes&quot; or &quot;no&quot;
   scriptProtect = &quot;none&quot;, &quot;all&quot;, or list&gt;
</pre>    </td>
  </tr>
  <tr>
    <td valign="top" colspan="2" class="CLEARSEPARATION">&nbsp;</td>
  </tr>
  <tr>
    <td valign="top" colspan="2" class="description"><span class="title">See also</span>
<p>
cfassociate, cferror, cflock, cfmodule; Chapter&#160;5, "Application.CFC Reference," on page&#160;1201; Chapter&#160;13, "Designing and Optimizing a ColdFusion&#160;Application" and Chapter&#160;37, "Integrating J2EE and Java Elements in CFML Applications," in ColdFusion MX Developer's Guide
</p>
    </td>
  </tr>
  <tr>
    <td valign="top" colspan="2" class="CLEARSEPARATION">&nbsp;</td>
  </tr>
  <tr>
    <td valign="top" colspan="2" class="description"><span class="title">History</span>
<p>
ColdFusion&#160;MX&#160;7: Added scriptProtect attribute
</p>

<p>
ColdFusion MX&#160;6.1: Added loginStorage attribute
</p>

<p>
ColdFusion&#160;MX:
</p>
<ul>

<li>Changed how persistent scopes are available: Server, Session, and Application scope variables are stored in memory as structures. In earlier releases, only Session and Application scope variables were stored this way. You cannot access the UDF function scope as a structure.</li>

<li>Changed the algorithm for setting the CFTOKEN variable value: if the registry key UUIDToken is a non-zero value, ColdFusion uses a number constructed from the UUID plus a random number. Otherwise, ColdFusion sets the CFTOKEN variable default value using a positive random integer. (In earlier releases, ColdFusion always used a number constructed from the UUID plus a random number.)</li>
</ul>

<p>

</p>
    </td>
  </tr>
  <tr>
    <td valign="top" colspan="2" class="CLEARSEPARATION">&nbsp;</td>
  </tr>
  <tr>
    <td valign="top" colspan="2" class="description"><span class="title">Usage</span>
<p>
This tag is typically used in the Application.cfm file, to set defaults for a ColdFusion application.
</p>
<table>
  <tr valign="top">
    <td width="30"><strong>Note: </strong></td>
    <td>You can also set the application defaults in the Application.cfc file. For more information, see "Application variables" on&#160;page&#160;1201.</td>
  </tr>
</table>
<p>
This tag enables application variables, unless they are disabled in the ColdFusion Administrator. The Administrator setting also overrides the sessionManagement attribute. For more information, see Configuring and Administering ColdFusion&#160;MX. 
</p>

<p>
If ColdFusion is running on a cluster, you must specify clientStorage = &quot;cookie&quot; or a data source name; you cannot specify &quot;registry&quot;.
</p>

<p>
ColdFusion generates an error if the application name is longer than 64 characters. 
</p>

<p>
The CFTOKEN variable is 8 bytes in length. Its range is 10000000 -99999999.
</p>
<table>
  <tr valign="top">
    <td width="30"><strong>Note: </strong></td>
    <td>If you specify ClientStorage=cookie, any Client scope variables set following a cfflush tag are not saved in the Client browser.</td>
  </tr>
</table>    </td>
  </tr>
  <tr>
    <td valign="top" colspan="2" class="CLEARSEPARATION">&nbsp;</td>
  </tr>
  <tr>
    <td valign="top" colspan="2" class="description"><span class="title">Protecting variables from cross-site scripting attacks</span>
<p>
The ScriptProtect attribute lets you protect one or more variable scopes from cross-site scripting attacks, where a client attempts to get your application to send malicious code back to a user's browser. In these attacks, user input (for example, from form fields or from URL variables) sets a CF variable which is destined for user output. The submitted data includes malicious code, such as JavaScript or an applet or object reference, which then executes on the user's system. 
</p>
<table>
  <tr valign="top">
    <td width="30"><strong>Note: </strong></td>
    <td>The ColdFusion MX Administrator Settings page Enable Global Script Protection option determines the default script protection setting. You can use the scriptProtect attribute to override the Administrator setting. You can also use the Application.cfc initialization code to set the protection value.</td>
  </tr>
</table>
<p>
The ColdFusion MX cross-site scripting protection operation is done when ColdFusion MX processes the application settings at the beginning of a request. Thus, it can process the URL, and Cookie, CGI, and Form variables in a user's request. By default, it replaces occurrences of the following tag names with the text InvalidTag: object, embed, script, applet, and meta. It allows these names in plain text, replaces the words if they are used as tag names. 
</p>

<p>
You can specify any or all ColdFusion scopes for protection, but only the Form, URL, CGI, and Cookie scopes have variables that are often provided by unknown sources. Also, protecting a scope requires additional processing. For these reasons, the all attribute value applies protection to only the four scopes.
</p>

<p>
The script protection mechanism applies a regular expression that is defined in the cf_root/lib/neo-security.xml file in the server configuration, or the cf_root/WEB-INF/cfusion/lib/neo-security.xml file in the J2EE configuration to the variable value. You can customize the patterns that ColdFusion replaces by modifying the regular expression in the CrossSiteScriptPatterns variable. 
</p>
    </td>
  </tr>
  <tr>
    <td valign="top" colspan="2" class="CLEARSEPARATION">&nbsp;</td>
  </tr>
  <tr>
    <td valign="top" colspan="2" class="description"><span class="title">Locking server, application, and session variables</span>
<p>
When you set or update variables in the server, application, and session scopes, use the cflock tag with the scope attribute set to the following value: 
</p>
<ul>

<li>For server variables, specify &quot;server&quot;</li>

<li>For application variables, specify &quot;application&quot;</li>

<li>For session variables, specify &quot;session&quot;</li>
</ul>

<p>
In some cases, you should also lock code that reads variables in these scopes. For information about locking scopes, see cflock on&#160;page&#160;522.
</p>
    </td>
  </tr>
  <tr>
    <td valign="top" colspan="2" class="CLEARSEPARATION">&nbsp;</td>
  </tr>
  <tr>
    <td valign="top" colspan="2" class="description"><span class="title">Example</span><pre>&lt;!--- This example shows how to use cflock to prevent race conditions during 
data updates to variables in Application, Server, and Session scopes. ---&gt;
&lt;h3&gt;cfapplication Example&lt;/h3&gt;
&lt;p&gt;cfapplication defines scoping for a ColdFusion application and enables or 
disables application and/or session variable storage. This tag is placed in 
a special file called Application.cfm that automatically runs before any 
other CF page in a directory (or subdirectory) where the Application.cfm 
file appears.&lt;/p&gt;

&lt;cfapplication name = &quot;ETurtle&quot; 
sessionTimeout = #CreateTimeSpan(0, 0, 0, 60)# 
sessionManagement = &quot;Yes&quot;&gt;

&lt;!--- Initialize session and application variables used by E-Turtleneck. ---&gt; 
&lt;cfparam name=&quot;application.number&quot; default=&quot;1&quot;&gt;
&lt;cfparam name=&quot;session.color&quot; default= &quot;&quot;&gt;
&lt;cfparam name=&quot;session.size&quot; default=&quot;&quot;&gt;

&lt;cfif IsDefined(&quot;session.numPurchased&quot;) AND 
IsNumeric(trim(session.cartTotal))&gt;
&lt;!--- Use the application scope for the application variable to prevent race 
condition. This variable keeps track of total number of turtlenecks sold. --
-&gt;
   &lt;cflock scope = &quot;Application&quot; timeout = &quot;30&quot; type = &quot;Exclusive&quot;&gt;
   &lt;cfset application.number = application.number + session.numPurchased&gt;
   &lt;/cflock&gt;
&lt;/cfif&gt;

&lt;cfoutput&gt;
E-Turtleneck is proud to say that we have sold #application.number# turtlenecks 
to date.
&lt;/cfoutput&gt;
&lt;!--- End of Application.cfm ---&gt; 
</pre>
         </td>
      </tr>
   </table>
   </div>
<div id="NAME">
<table border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>  
<td valign="top" class="name">NAME</td>
  <td valign="top" nowrap class="compatibility">&nbsp;</td>
  </tr>
  <tr>
  <td colspan="2" class="divider"><img src="dwres:18084" width="100%" height="1"></td>
  </tr>

  <tr>
  <td valign="top" class="syntax">&nbsp;</td>
  <td valign="top" nowrap class="requirements">See Description</td>
  </tr>
  <tr>
  <td colspan="2" class="clearseparation">&nbsp;</td>
  </tr>
  <tr>
  <td valign="top" colspan="2" class="description">


  <tr>
  <td valign="top" class="syntax">&nbsp;</td>
  <td valign="top" nowrap class="requirements">For Application and Session variables: Required. </td>
  </tr>
  <tr>
  <td colspan="2" class="clearseparation">&nbsp;</td>
  </tr>
  <tr>
  <td valign="top" colspan="2" class="description">
  <tr>
  <td valign="top" class="syntax">&nbsp;</td>
  <td valign="top" nowrap class="requirements">For Client variables: Optional</td>
  </tr>
  <tr>
  <td colspan="2" class="clearseparation">&nbsp;</td>
  </tr>
  <tr>
  <td valign="top" colspan="2" class="description">

<p>Name of application. Up to 64 characters.</p>

  </td>
  </tr>
  </table>
</div>
<div id="LOGINSTORAGE">
<table border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>  
<td valign="top" class="name">LOGINSTORAGE</td>
  <td valign="top" nowrap class="compatibility">&nbsp;</td>
  </tr>
  <tr>
  <td colspan="2" class="divider"><img src="dwres:18084" width="100%" height="1"></td>
  </tr>

  <tr>
  <td valign="top" class="syntax">&nbsp;</td>
  <td valign="top" nowrap class="requirements">Optional</td>
  </tr>
  <tr>
  <td colspan="2" class="clearseparation">&nbsp;</td>
  </tr>
  <tr>
  <td valign="top" colspan="2" class="description">

<strong>Default value:</strong> "cookie"

<ul>

<li>cookie: store login information in the Cookie scope.</li>

<li>session: store login information in the Session scope.</li>
</ul>


  </td>
  </tr>
  </table>
</div>
<div id="CLIENTMANAGEMENT">
<table border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>  
<td valign="top" class="name">CLIENTMANAGEMENT</td>
  <td valign="top" nowrap class="compatibility">&nbsp;</td>
  </tr>
  <tr>
  <td colspan="2" class="divider"><img src="dwres:18084" width="100%" height="1"></td>
  </tr>

  <tr>
  <td valign="top" class="syntax">&nbsp;</td>
  <td valign="top" nowrap class="requirements">Optional</td>
  </tr>
  <tr>
  <td colspan="2" class="clearseparation">&nbsp;</td>
  </tr>
  <tr>
  <td valign="top" colspan="2" class="description">

<strong>Default value:</strong> "no"

<ul>

<li>yes: enables client variables.</li>

<li>no</li>
</ul>


  </td>
  </tr>
  </table>
</div>
<div id="CLIENTSTORAGE">
<table border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>  
<td valign="top" class="name">CLIENTSTORAGE</td>
  <td valign="top" nowrap class="compatibility">&nbsp;</td>
  </tr>
  <tr>
  <td colspan="2" class="divider"><img src="dwres:18084" width="100%" height="1"></td>
  </tr>

  <tr>
  <td valign="top" class="syntax">&nbsp;</td>
  <td valign="top" nowrap class="requirements">Optional</td>
  </tr>
  <tr>
  <td colspan="2" class="clearseparation">&nbsp;</td>
  </tr>
  <tr>
  <td valign="top" colspan="2" class="description">

<strong>Default value:</strong> "registry"


<p>How client variables are stored:</p><ul>

<li>datasource_name: in ODBC or native data source. You must create storage repository in the Administrator.</li>

<li>registry: in the system registry.</li>

<li>cookie: on client computer in a cookie. Scalable. If client disables cookies in the browser, client variables do not work.</li>
</ul>


  </td>
  </tr>
  </table>
</div>
<div id="SETCLIENTCOOKIES">
<table border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>  
<td valign="top" class="name">SETCLIENTCOOKIES</td>
  <td valign="top" nowrap class="compatibility">&nbsp;</td>
  </tr>
  <tr>
  <td colspan="2" class="divider"><img src="dwres:18084" width="100%" height="1"></td>
  </tr>

  <tr>
  <td valign="top" class="syntax">&nbsp;</td>
  <td valign="top" nowrap class="requirements">Optional</td>
  </tr>
  <tr>
  <td colspan="2" class="clearseparation">&nbsp;</td>
  </tr>
  <tr>
  <td valign="top" colspan="2" class="description">

<strong>Default value:</strong> "yes"

<ul>

<li>yes: enables client cookies.</li>

<li>no: ColdFusion does not automatically send CFID and CFTOKEN cookies to client browser; you must manually code CFID and CFTOKEN on the URL for every page that uses Session or Client variables.</li>
</ul>


  </td>
  </tr>
  </table>
</div>
<div id="SESSIONMANAGEMENT">
<table border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>  
<td valign="top" class="name">SESSIONMANAGEMENT</td>
  <td valign="top" nowrap class="compatibility">&nbsp;</td>
  </tr>
  <tr>
  <td colspan="2" class="divider"><img src="dwres:18084" width="100%" height="1"></td>
  </tr>

  <tr>
  <td valign="top" class="syntax">&nbsp;</td>
  <td valign="top" nowrap class="requirements">Optional</td>
  </tr>
  <tr>
  <td colspan="2" class="clearseparation">&nbsp;</td>
  </tr>
  <tr>
  <td valign="top" colspan="2" class="description">

<strong>Default value:</strong> "no"

<ul>

<li>yes: enables session variables.</li>

<li>no</li>
</ul>


  </td>
  </tr>
  </table>
</div>
<div id="SESSIONTIMEOUT">
<table border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>  
<td valign="top" class="name">SESSIONTIMEOUT</td>
  <td valign="top" nowrap class="compatibility">&nbsp;</td>
  </tr>
  <tr>
  <td colspan="2" class="divider"><img src="dwres:18084" width="100%" height="1"></td>
  </tr>

  <tr>
  <td valign="top" class="syntax">&nbsp;</td>
  <td valign="top" nowrap class="requirements">Optional</td>
  </tr>
  <tr>
  <td colspan="2" class="clearseparation">&nbsp;</td>
  </tr>
  <tr>
  <td valign="top" colspan="2" class="description">

<strong>Default value:</strong> "Specified in Variables page of ColdFusion Administrator"


<p>Lifespan of session variables. CreateTimeSpan function and values in days, hours, minutes, and seconds, separated by commas. </p>

  </td>
  </tr>
  </table>
</div>
<div id="APPLICATIONTIMEOUT">
<table border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>  
<td valign="top" class="name">APPLICATIONTIMEOUT</td>
  <td valign="top" nowrap class="compatibility">&nbsp;</td>
  </tr>
  <tr>
  <td colspan="2" class="divider"><img src="dwres:18084" width="100%" height="1"></td>
  </tr>

  <tr>
  <td valign="top" class="syntax">&nbsp;</td>
  <td valign="top" nowrap class="requirements">Optional</td>
  </tr>
  <tr>
  <td colspan="2" class="clearseparation">&nbsp;</td>
  </tr>
  <tr>
  <td valign="top" colspan="2" class="description">

<strong>Default value:</strong> "Specified in Variables page of ColdFusion Administrator"


<p>Lifespan of application variables. CreateTimeSpan function and values in days, hours, minutes, and seconds, separated by commas.</p>

  </td>
  </tr>
  </table>
</div>
<div id="SETDOMAINCOOKIES">
<table border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>  
<td valign="top" class="name">SETDOMAINCOOKIES</td>
  <td valign="top" nowrap class="compatibility">&nbsp;</td>
  </tr>
  <tr>
  <td colspan="2" class="divider"><img src="dwres:18084" width="100%" height="1"></td>
  </tr>

  <tr>
  <td valign="top" class="syntax">&nbsp;</td>
  <td valign="top" nowrap class="requirements">Optional</td>
  </tr>
  <tr>
  <td colspan="2" class="clearseparation">&nbsp;</td>
  </tr>
  <tr>
  <td valign="top" colspan="2" class="description">

<strong>Default value:</strong> "no"

<ul>

<li>yes: uses domain cookies for CFID and CFTOKEN cookies and for all Client variables when using cookies for client variable storage. Required for applications running on clusters.</li>

<li>no: uses host-specific cookies for CFID, CFTOKEN, and all client variable cookies.</li>
</ul>


  </td>
  </tr>
  </table>
</div>
<div id="SCRIPTPROTECT">
<table border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>  
<td valign="top" class="name">SCRIPTPROTECT</td>
  <td valign="top" nowrap class="compatibility">&nbsp;</td>
  </tr>
  <tr>
  <td colspan="2" class="divider"><img src="dwres:18084" width="100%" height="1"></td>
  </tr>

  <tr>
  <td valign="top" class="syntax">&nbsp;</td>
  <td valign="top" nowrap class="requirements">Optional</td>
  </tr>
  <tr>
  <td colspan="2" class="clearseparation">&nbsp;</td>
  </tr>
  <tr>
  <td valign="top" colspan="2" class="description">

<strong>Default value:</strong> "Determined by ColdFusion MX Administrator Enable Global Script Protection setting"


<p>Specifies whether to protect variables from cross-site scripting attacks</p><ul>

<li>none: do not protect variables</li>

<li>all: protect Form, URL, CGI, and Cookie variables</li>

<li>comma-delimited list of ColdFusion scopes: Protect variables in the specified scopes. </li>
</ul>

<p>For more information, see Usage.</p>

  </td>
  </tr>
  </table>
</div>

  </body>
</html>
