Variables in CFML; Cookie Scope

The CFML Cookie Scope is an abstracted interface to standard HTTP Cookies. It allows CFML developers to create, edit and delete cookies using CFML. Since cookies are an accepted Internet standard and not specific to ColdFusion, they are interchangeable between application languages. In other words, cookies created by one application engine (ColdFusion, ASP, JSP, PHP, JavaScript, etc.) are editable by all other application engines (on the same server).

Unlike other variable scopes, Cookies are stored on the end user's machine and may persist for an indefinite amount of time. However, for reasons of security and privacy, Cookies have many limitations. The standard rules for cookies are as follows. Note that it is the browser, not ColdFusion, that must support and enforce these rules:

  • Cookies are associated with a single browser/machine. Cookies set in Netscape Navigator, for example, are not accessible to Internet Explorer on the same machine. Most browsers also extend this to logons: cookies available to one user of a browser are not available to another user on the same browser and machine.
  • Cookies are associated with a single domain (and possibly a specific path within that domain). This means that cookies set by one server cannot be seen by another.
  • Cookies marked as "Secure" will only be visible when the browser is in secure (SSL) mode.

In addition, there are specific limits to the number and size of cookies. Again, it is the browser's responsibility to honor these specifications:

  • No more than 4kb of information can be stored in a cookie. This includes data used to define the name and structure of the cookie as well.
  • No more than 20 cookies will be saved for any one host name/server. When this limit is reached the oldest cookies will be deleted first.
  • No more than 300 cookies, in total across all domains, will be stored. Note that Internet Explorer does not use this 300 cookies limit and instead honors the bounds set for the general Internet cache.

Cookies may include an expiration date indicating when they should be deleted. These are often known as persistent cookies. Cookies lacking an expiration date exist only until the browser is closed and are not written to the client's hard disk; these are known as session cookies.

In CFML you can create cookies either directly (by using <cfset cookie.myvar = "Value">) or via the more feature-rich <CFCOOKIE> tag. There are several considerations to take into account before using cookies:

  • Cookies are browser/user controlled and can be disabled by the end user. No indication of this is returned to ColdFusion, so it is recommended that you specifically test for them first (this usually involves attempting to set a cookie value and then reading it on a second page).
  • In versions of ColdFusion prior to CFMX the use of a CFLOCATION tag would destroy any cookies set on the template previously.
  • Although cookies can be accessed directly, they can only hold string values. Any attempt to assign a complex data value to a cookie will result in an error.
  • By default, if ColdFusion session or client management is enabled (via the CFAPPLICATION tag), two persistent cookies will be automatically set: "CFID" and "CFTOKEN" (together these values create a unique ID for the CFCOOKIE user session). The SETCLIENTCOOKIES="NO" attribute of CFAPPLICATION can be set to prevent this behavior.
  • CFMX administrators may choose to enable J2EE session management. If both this and session management (via the CFAPPLICATION tag) are enabled, a session cookie named "JSESSIONID" containing a unique ID conforming to the J2EE specification will be created.
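The considerations above (testing that the browser accepts cookies, the string-only restriction, the Secure flag and expiration) combined into one template. This is an added example written for this page, not code from the original article; the cookie names, the "/myapp" path and the cookietest URL parameter are assumptions, and it relies on CFMX-or-later behaviour where CFLOCATION no longer discards cookies set earlier on the same template.

```cfml
<!--- Added example (not from the original page). Two-request cookie support check:
      request 1 sets a session cookie (no EXPIRES) and redirects back to itself,
      request 2 checks whether the browser returned it. --->
<cfif NOT structKeyExists(url, "cookietest")>
    <!--- Only mark the cookie Secure when the request actually arrived over SSL,
          otherwise the browser will never send it back on a plain HTTP page. --->
    <cfcookie name="cookiecheck" value="1" secure="#cgi.server_port_secure EQ 1#">
    <!--- ADDTOKEN="no" keeps CFID/CFTOKEN out of the redirect URL --->
    <cflocation url="#cgi.script_name#?cookietest=1" addtoken="no">
<cfelse>
    <cfif structKeyExists(cookie, "cookiecheck")>
        <cfoutput><p>Cookies are enabled.</p></cfoutput>

        <!--- Persistent cookie: EXPIRES as a number of days, limited to this
              application's path so other apps on the same host cannot read it. --->
        <cfcookie name="prefs"
                  value="theme=dark"
                  expires="30"
                  path="/myapp"
                  secure="#cgi.server_port_secure EQ 1#">

        <!--- The Cookie scope holds strings only; a struct assignment is an error. --->
        <cftry>
            <cfset cookie.badvalue = structNew()>
            <cfcatch type="any">
                <cfoutput><p>Complex value rejected: #cfcatch.message#</p></cfoutput>
            </cfcatch>
        </cftry>

        <!--- Deleting a cookie is done by expiring it immediately. --->
        <cfcookie name="cookiecheck" expires="now">
    <cfelse>
        <cfoutput><p>Cookies appear to be disabled in this browser.</p></cfoutput>
    </cfif>
</cfif>
```

The first request is the only one that redirects, so a browser with cookies disabled still terminates on the second request with the "disabled" message rather than looping.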

More general information about cookies can be found at cookiecentral.com or in the original specification proposal, RFC 2965.
