User Guide

42 Chapter 2: ColdFusion Tags
Usage
This tag is typically used in the Application.cfm file, to set defaults for a ColdFusion application.
Note: You can also set the application defaults in the Application.cfc file. For more information, see
“Application variables” on page 945.
This tag enables application variables, unless they are disabled in the ColdFusion Administrator. The Administrator setting also overrides the sessionManagement attribute. For more information, see Configuring and Administering ColdFusion MX.
If ColdFusion is running on a cluster, you must specify clientStorage = "cookie" or a data source name; you cannot specify "registry".
ColdFusion generates an error if the application name is longer than 64 characters.
The CFTOKEN variable is 8 bytes in length. Its range is 10000000-99999999.
Note: If you specify ClientStorage=cookie, any Client scope variables set following a cfflush tag
are not saved in the Client browser.
Protecting variables from cross-site scripting attacks
The ScriptProtect attribute lets you protect one or more variable scopes from cross-site
scripting attacks, where a client attempts to get your application to send malicious code back to a
user’s browser. In these attacks, user input (for example, from form fields or from URL variables)
sets a CF variable which is destined for user output. The submitted data includes malicious code,
such as JavaScript or an applet or object reference, which then executes on the user’s system.
Note: The ColdFusion MX Administrator Settings page Enable Global Script Protection option determines the default script protection setting. You can use the scriptProtect attribute to override the Administrator setting. You can also use the Application.cfc initialization code to set the protection value.
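The following is an added example, not code from the ColdFusion documentation: an Application.cfm that sets scriptProtect explicitly instead of relying on the Administrator default, followed by a page that still encodes request values on output, because scriptProtect rewrites a fixed set of tag names in incoming values and does not encode output. The application name, page name, and URL parameter are assumptions.

```cfml
<!--- Application.cfm (added example; the name "exampleApp" is an assumption) --->
<cfapplication
    name = "exampleApp"
    sessionManagement = "yes"
    scriptProtect = "all">
<!--- Other accepted values:
      scriptProtect = "none"       no scopes are protected
      scriptProtect = "Form,URL"   only the listed scopes are protected --->

<!--- search.cfm (hypothetical page). scriptProtect filters request input only,
      so encode each value for the context it is written into. --->
<cfparam name="URL.q" default="">
<cfoutput>
  <!--- HTML body context --->
  <p>Results for: #HTMLEditFormat(URL.q)#</p>
  <!--- URL query-string context inside an HTML attribute --->
  <a href="search.cfm?q=#URLEncodedFormat(URL.q)#">Repeat this search</a>
</cfoutput>
```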
| Attribute | Req/Opt | Default | Description |
|---|---|---|---|
| setDomainCookies | Optional | no | yes: uses domain cookies for CFID and CFTOKEN cookies and for all Client variables when using cookies for client variable storage. Required for applications running on clusters. no: uses host-specific cookies for CFID, CFTOKEN, and all client variable cookies. |
| scriptProtect | Optional | Determined by ColdFusion MX Administrator Enable Global Script Protection setting | Specifies whether to protect variables from cross-site scripting attacks. none: do not protect variables. all: protect Form, URL, CGI, and Cookie variables. comma-delimited list of ColdFusion scopes: protect variables in the specified scopes. For more information, see Usage. |