There is an interesting change in the CF9.0.1 updater that will make CF sites more secure. The CFID and CFToken cookies will now be marked as httpOnly. What this means is your browser will not allow JavaScript to access the CFID and CFToken cookies. I think this will greatly help to reduce XSS hacks on CF sites.

If you are using jSessionID instead of CFID/CFToken, you need to take an additional step. jSessionID is a session cookie, session cookies aren’t httpOnly by default. But if you add a “-Dcoldfusion.sessioncookie.httponly=true” argument in your jvm.config file, all your session cookies will be httpOnly, including jSessionID.

It would be nice if there was an option to the CFCOOKIE tag to mark a cookie as httpOnly or not. Lacking that, you could always send the cookies yourself using cfheader or java.


  1. John Sieber says:

    I could be wrong, but I thought that I remembered reading that httpOnly attribute was added to the CFCOOKI tag in CF9. Thanks for the tip about adding httpOnly support for jSessionID's as well!

  2. Ryan says:

    You are right John, you can specify httpOnly per-cookie using the CFCOOKIE tag now!

  3. Knut says:

    You wrote: …“-Dcoldfusion.sessioncookie.httponly=true”…

    Does this also work in CF-8.0.1 ???

  4. Ryan says:

    No this is for CF 9 only.

  5. Peter Lorimer says:

    Could this issue cause CFGRID to stop populating from a query after the 9.0.1 update?

  6. Ryan says:

    Peter – no I don’t see how this would cause any issues with CFGRID.