There's a couple of things you need to understand with regard to Application.cfc and "variables". Since the various methods in Application.cfc (e.g. onRequestStart(), onApplicationStart(), etc.) are functions, they generally behave like functions in any other CFC component. If you store things in the "variables" scope, then it is accessible to all methods within the CFC. However, since each page request initially calls Application.cfc and runs the appropriate methods, and when running onRequest() it includes the target page of the request, your "variables" scope is refreshed on each request.
If you want to store data in variables that will persist across requests, you need to use one of the scopes that persist, such as Application, Session, or Client (although I'd avoid using Client if at all possible). If the data needs to be accessible globally, store it in Application; if it is specific to a single user's session, store it in Session.
If you want to store data that will only "live" during the length of the specific request, store it in the Request scope.
Thanks for getting back to me. That is useful info about how the cfc works!
Basically I am just looking for the most secure way to store an SFTP connection account/password. Someone will fill out a form and a file will be SFTP'd. I used to have the password in application.cfm.
What would be the best way to set this password? On the page itself? Or would it be more secure trying to get it working via application.cfc?
For security reasons, I would try to avoid embedding the password anywhere in your ColdFusion code. You might put it in a "config" file outside of the webroot, then use ColdFusion to read it into an appropriately scoped variable. Assuming you don't <cfdump> or WriteDump() your variable scopes anywhere in your production code, and that you don't have "Enable Request Debugging Output" enabled on your production server, you could store the password in either the Application scope or a local page's variables scope. If there is only one page that will do FTP communication, then loading the password into a variable on that page would be fine. If you modularize the FTP stuff so it can be reused elsewhere in your application, then put the password in a variable in the application scope.
Since you'll need to pass the password to the FTP connection, you can't hash it for added security, which is the best way to handle passwords. But you can encrypt/de-encrypt it using various functions within ColdFusion. I'd consider at least storing it in an encrypted form in the "config" file. While being nowhere near perfect security, it is better than storing the password in plain text in a file.
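Added example, not part of the original thread or any poster's code: one way to load an encrypted SFTP password from a config file outside the webroot into the Application scope, as the answer above describes. The file location, JSON field names, application name and the `SFTP_CONFIG_KEY` environment variable are all assumptions made for illustration.

```cfml
// Application.cfc: added example; path, field names and env var are assumed
component {

    this.name = "sftpUploadApp"; // assumed application name

    public boolean function onApplicationStart() {
        // Assumed layout: /site/wwwroot/Application.cfc and /site/config/sftp.json,
        // so the web server can never serve the config file directly.
        var appDir     = getDirectoryFromPath(getCurrentTemplatePath());
        var configPath = appDir & "../config/sftp.json";
        var required   = ["host", "username", "passwordEnc"];
        var field      = "";

        // The decryption key is kept apart from the file it protects. Here it is
        // read from an environment variable (assumed name) set for the CF service.
        var key = createObject("java", "java.lang.System").getenv("SFTP_CONFIG_KEY");
        if (isNull(key) || !len(key)) {
            throw(type="Config.MissingKey", message="SFTP_CONFIG_KEY is not set.");
        }
        if (!fileExists(configPath)) {
            throw(type="Config.MissingFile", message="SFTP config file not found.");
        }

        // Assumed file content:
        // {"host":"...","username":"...","passwordEnc":"<Base64 from encrypt()>"}
        var cfg = deserializeJSON(fileRead(configPath));
        for (field in required) {
            if (!structKeyExists(cfg, field)) {
                throw(type="Config.Invalid", message="Missing field: " & field);
            }
        }

        // passwordEnc was produced once, offline, with
        // encrypt(plain, key, "AES/CBC/PKCS5Padding", "Base64")
        application.sftp = {
            host     = cfg.host,
            username = cfg.username,
            password = decrypt(cfg.passwordEnc, key, "AES/CBC/PKCS5Padding", "Base64")
        };
        return true;
    }
}
```

The page that performs the transfer then reads `application.sftp.host`, `application.sftp.username` and `application.sftp.password` when it opens the connection, so the credential never appears in a template.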
Thanks for the help! I think I will go with the config file and read it in.