← Back to ColdFusion Administrator Reference

Server Settings - Memory Variables

Configure application, session, and client variable settings

Last updated: October 27, 20258 min read

Overview

The Memory Variables page in the ColdFusion Administrator allows you to configure how ColdFusion handles persistent data across requests. This includes application, session, and client variables, which are essential for maintaining state in web applications. Proper configuration of these settings is critical for both performance and security.

These settings control memory allocation, timeout behavior, and storage mechanisms for different variable scopes. Understanding the tradeoffs between different options helps you optimize your application for both speed and reliability.

Application Variables

Configure application-level variable settings and timeout behavior.

Enable Application Variables

PurposeEnable or disable the Application scope
DefaultEnabled
RecommendationAlways enable for modern applications
ImpactWhen enabled, allows sharing data across all users within an application
ScopeApplication-wide, shared by all sessions
Use Cases: Configuration data, cached queries, application-level counters

Default Application Timeout

PurposeHow long application scope persists after last access
Default2 days (48 hours)
RangeMinimum 1 day, can be overridden in Application.cfc
RecommendationSet to application restart frequency
ImpactLonger timeouts mean application scope persists through periods of inactivity
Memory Impact: Application variables consume memory until timeout expires

Maximum Application Timeout

PurposeAbsolute maximum that applications can set in Application.cfc
Default7 days (168 hours)
RecommendationSet based on your longest-running application needs
SecurityPrevents applications from setting excessively long timeouts
Best Practice: Keep reasonable limits to ensure proper memory management

Best Practices for Application Variables

  • Use for data that needs to be shared across all users
  • Initialize in Application.cfc onApplicationStart()
  • Use locking (cflock) when modifying application variables
  • Avoid storing large datasets in application scope
  • Consider using cachePut() for cached data instead
  • Remember that application scope is cleared on server restart

Session Variables

Configure session-level variable settings and cookie security options.

Enable Session Variables

PurposeEnable or disable the Session scope
DefaultEnabled
RecommendationEnable for stateful web applications
ImpactWhen enabled, maintains user-specific data across requests
ScopePer-user, isolated between different users
Use Cases: User authentication state, shopping carts, user preferences

Default Session Timeout

PurposeHow long session persists after last user activity
Default20 minutes
RangeTypically 10-60 minutes
Recommendation20-30 minutes for most applications
SecurityShorter timeouts reduce session hijacking risk
Tradeoffs: Longer timeouts improve user experience but increase memory usage and security risk

Maximum Session Timeout

PurposeMaximum that applications can set in Application.cfc
Default2 days (2880 minutes)
Recommendation1-4 hours for public applications
SecurityShorter maximum timeouts improve security
Consideration: Balance between security and convenience

Use J2EE Session Variables

PurposeUse servlet container session management instead of ColdFusion
DefaultDisabled
RecommendationEnable for clustering and better session management
RequirementsMust be enabled for session replication across cluster nodes
Benefits:
  • More reliable session tracking
  • Better clustering support
  • Simpler session cookie management
  • Compatible with load balancers
Migration Note: Changes session cookie names (JSESSIONID vs CFID/CFTOKEN)

Session Cookie Settings

HTTPOnly FlagPrevents JavaScript access to session cookies (security best practice)
Secure FlagEnsures cookies only sent over HTTPS (required for production)
SameSite AttributeControls cross-site request behavior
SameSite Options:
  • Strict: Cookies only sent in first-party context
  • Lax: Cookies sent with safe cross-site requests (default)
  • None: Cookies sent with all requests (requires Secure flag)

Best Practices for Session Variables

  • Always enable J2EE sessions for production applications
  • Set HTTPOnly and Secure flags on session cookies
  • Use SameSite=Lax or Strict to prevent CSRF attacks
  • Regenerate session ID after authentication (session fixation prevention)
  • Clear sensitive data from session on logout
  • Don't store large objects in session scope
  • Implement proper session timeout handling in application
  • Monitor session memory usage under load

Client Variables

Configure client variable settings (legacy feature - not recommended for new applications).

Enable Client Variables

PurposeEnable or disable the Client scope
DefaultDisabled
RecommendationDisable for modern applications (legacy feature)
AlternativeUse session variables or browser localStorage instead
ImpactWhen enabled, stores client-specific data persistently

Client Storage Options

Cookie Storage

Storage Location
Data stored in browser cookies
Pros
Simple setup, no database required
Cons
4KB size limit, sent with every request, security concerns

Not Recommended: Cookie storage is inefficient and insecure

Database Storage

Storage Location
Dedicated database tables (CFGLOBALDATA, CFDATA)
Pros
Persistent across browser sessions, no size limits
Cons
Database overhead, maintenance required

ColdFusion creates tables automatically. Old records must be purged periodically.

Registry Storage

Platform
Windows Only
Status
Legacy feature (not recommended)
Limitation
Not available on Linux/Unix systems

Not Recommended: Performance and maintenance issues

Default Client Store

PurposeChoose where client variables are stored by default
OptionsCookie, Registry, or named datasource
RecommendationIf using client variables, use database storage
Override: Can be overridden in Application.cfc with this.clientStorage

Purge Data for Clients Not Visiting for (days)

PurposeAutomatically delete old client variable data
Default90 days
Recommendation30-90 days depending on usage patterns
ImpactPrevents database bloat from inactive users
Consideration: Set based on how long users remain inactive

Disable Global Client Variable Updates

PurposePrevent automatic HITCOUNT and LASTVISIT updates
DefaultDisabled (updates enabled)
RecommendationEnable this option (disable updates) to reduce database writes
PerformanceSignificant performance improvement when enabled
ImpactHITCOUNT and LASTVISIT will not be automatically updated

Why Client Variables Are Deprecated

  • Session variables provide better performance for temporary data
  • Browser localStorage/sessionStorage better for client-side persistence
  • Database or cache services better for long-term user data
  • Client variables require maintenance (purging old data)
  • Security concerns with cookie-based storage
  • Modern alternatives are more flexible and efficient

Memory vs Database Storage

Memory Storage (Application/Session Variables)

  • Pros:
  • Extremely fast access (no I/O overhead)
  • No database connection required
  • Simple to implement and use
  • No serialization overhead for objects
  • Cons:
  • Data lost on server restart
  • Limited by available RAM
  • Not shared across clustered servers (without session replication)
  • Memory leaks can cause issues

Database Storage (Client Variables)

  • Pros:
  • Survives server restarts
  • Can store much larger datasets
  • Accessible across multiple servers
  • Can be backed up with regular database backups
  • Cons:
  • Slower than memory access
  • Database overhead and maintenance
  • Serialization required for complex objects
  • Can cause database contention under load

When to Use Each

  • Use Memory (Application/Session): Most web application data, temporary state, caching
  • Use Database: Long-term user preferences, audit trails, data that must survive restarts
  • Use Cache Services: Large datasets, distributed caching, microservices architecture

Security Best Practices

Session Security

  • Enable J2EE Sessions: More secure than ColdFusion sessions
  • HTTPOnly Cookies: Prevents XSS attacks from stealing session cookies
  • Secure Flag: Ensures cookies only transmitted over HTTPS
  • SameSite Attribute: Protects against CSRF attacks
  • Session Regeneration: Regenerate session ID after authentication
  • Short Timeouts: Reduce exposure window for stolen sessions

Session Fixation Prevention

  • Session fixation occurs when attacker sets victim's session ID
  • Solution: Regenerate session ID after login
  • ColdFusion 2021+: Use sessionRotate() function
  • Older versions: Manually rotate JSESSIONID or CFID/CFTOKEN
  • Always regenerate on privilege escalation

Session Hijacking Prevention

  • Session hijacking occurs when attacker steals session cookies
  • Prevention Strategies:
  • Use HTTPS exclusively (Secure flag on cookies)
  • Enable HTTPOnly flag to prevent JavaScript access
  • Implement session timeout and idle timeout
  • Validate user agent and IP address (with caution)
  • Monitor for suspicious session activity
  • Implement proper logout functionality

Data Security in Variables

  • Never store passwords or sensitive credentials in session/application scope
  • Encrypt sensitive data before storing in variables
  • Use secure tokens instead of actual sensitive data
  • Clear sensitive data on logout
  • Be aware that memory dumps can expose variable data

Performance Considerations

Memory Management

  • Each session consumes memory - monitor with longer timeouts
  • Application variables shared across all users (efficient)
  • Avoid storing large objects or query results in session
  • Use weak references for cached objects when possible
  • Monitor heap usage related to session count

Calculating Memory Usage

  • Formula: Memory = (Sessions × Average Session Size) + Application Scope
  • Example: 1000 sessions × 100KB + 50MB app scope = 150MB
  • Guideline: Keep session data under 50-100KB per user
  • Monitoring: Use FusionReactor or server monitoring tools

Session Cleanup

  • ColdFusion automatically cleans up expired sessions
  • Cleanup occurs during garbage collection cycles
  • Don't rely on onSessionEnd() for critical cleanup
  • Implement application-level cleanup for important resources

Clustering Considerations

  • J2EE sessions required for session replication
  • Session replication increases network traffic
  • Sticky sessions reduce replication overhead
  • Consider external session storage (Redis, Memcached) for large clusters
  • Test failover behavior thoroughly

Common Issues and Solutions

Sessions Not Persisting

Symptom: Users logged out unexpectedly
Solutions:
  • Increase session timeout if appropriate
  • Check browser cookie settings
  • Verify cookie domain and path configuration
  • Ensure consistent HTTPS usage
  • Check for session timeout too short
  • Look for domain/path mismatch in cookie settings

Memory Issues with Sessions

Symptom: Server running out of memory, frequent GC
Solutions:
  • Reduce session timeout
  • Remove large objects from session
  • Increase JVM heap size
  • Use external session storage
  • Implement session size monitoring
  • Check for memory leaks (sessions not expiring)

Application Scope Not Initializing

Symptom: Application variables undefined or empty
Solutions:
  • Verify application variables are enabled
  • Check onApplicationStart() for errors
  • Use applicationStop() to force reinitialization
  • Ensure this.name is set in Application.cfc

Client Variable Database Bloat

Symptom: Client variable tables growing very large
Solutions:
  • Reduce purge interval
  • Disable global client variable updates
  • Manually purge old data periodically
  • Consider migrating away from client variables

Monitoring and Maintenance

Key Metrics to Monitor

  • Active Sessions: Current number of active user sessions
  • Session Creation Rate: New sessions per minute/hour
  • Average Session Size: Memory consumed per session
  • Session Timeout Rate: How many sessions expire vs logout
  • Memory Usage: Heap consumption attributed to sessions
  • Peak Concurrent Sessions: Maximum simultaneous sessions

Monitoring Tools

  • ColdFusion Administrator: View active sessions and memory usage
  • Server Monitor: Detailed session and memory metrics (Enterprise only)
  • FusionReactor: Advanced monitoring and alerting
  • SeeFusion: Real-time session monitoring
  • JVM Tools: VisualVM, JConsole for heap analysis

Regular Maintenance Tasks

  • Review session timeout settings quarterly
  • Monitor memory usage trends
  • Purge old client variable data (if using client variables)
  • Test session failover in clustered environments
  • Review and update security settings (cookie flags, etc.)
  • Audit session storage for sensitive data

Related Resources

Server Settings - SettingsGeneral server configuration and request handlingJava and JVM SettingsJVM memory configuration and heap tuningPerformance Optimization FrameworkComprehensive performance tuning methodologyColdFusion Administrator ReferenceComplete administrator guide and settings reference