Lucee Tag Reference

<cfcookie>

Defines cookie variables, including expiration and security options.

Body

This tag can't have a body.

Example

<cfcookie
[domain=string]
[encodevalue=boolean]
[expires=object]
[httponly=boolean]
name=string
[path=string]
[preservecase=boolean]
[samesite=Strict|Lax|None]
[secure=boolean]
[value=string]>
This tag is also supported within cfscript
<cfscript>
cookie
[domain=string]
[encodevalue=boolean]
[expires=object]
[httponly=boolean]
name=string
[path=string]
[preservecase=boolean]
[samesite=Strict|Lax|None]
[secure=boolean]
[value=string];
</cfscript>

Attributes

The attributes for this tag are fixed. Except for the following attributes no other attributes are allowed.
Name Type Required Description
domain string No Domain in which cookie is valid and to which cookie content
can be sent from the user's system. By default, the cookie
is only available to the server that set it. Use this
attribute to make the cookie available to other servers.

Must start with a period. If the value is a subdomain, the
valid domain is all domain names that end with this string.
This attribute sets the available subdomains on the site
upon which the cookie can be used. 
encodevalue boolean No if set to true, Lucee url encodes the given name and value if necessary. 
expires any No Schedules the expiration of a cookie variable. Can be specified as a date (as in, 10/09/97),
number of days (as in, 10, 100), "Now", or "Never". Using Now effectively deletes the cookie from
the client browser. 
httponly boolean No If HttpOnly is set to true, this cookie is marked as HttpOnly, by adding the HttpOnly attribute to it.
HttpOnly cookies are not supposed to be exposed to client-side scripting code, and may therefore help mitigate certain kinds of cross-site scripting attacks. 
name string Yes The name of the cookie variable. 
path string No URL, within a domain, to which the cookie applies;
typically a directory. Only pages in this path can use the
cookie. By default, all pages on the server that set the
cookie can access the cookie.

path = "/services/login" 
preservecase boolean No if set to true Lucee keep the original case for the name, otherwise the name is converted to a upper case string 
samesite string No It will help to prevent Cross-Site Request Forgeries. Enabling this attribute on the cookie will instruct the browser to afford this cookie certain protections. 
secure boolean No Yes or No. Specifies that the variable must transmit securely. If the browser does not support
Secure Socket Layer (SSL) security, the cookie is not sent. 
value string No The value assigned to the cookie variable.