CF Sessions and httponly

HttpOnly is a cookie attribute that tells the browser not to expose the cookie to client-side script, so page scripts can neither read nor manipulate it. That is really good for session ids, because it prevents a malicious script from shipping the id off to some rogue server where the "bad guys" can use it to make authenticated requests to the system. Up until now, adding HttpOnly to your ColdFusion session cookies wasn't easy; but in CF 9.0.1 you just add the JVM argument -Dcoldfusion.sessioncookie.httponly=true in the CF Administrator JVM settings and you are all set. CFID, CFTOKEN and JSESSIONID (if you are using it) will all get the HttpOnly flag added. Sweet. For more info on how to do this other ways with older versions of CF, check out Pete Freitag's blog entry.
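A quick way to confirm the flag really shows up after the JVM change, as an added example that is not part of the original post: parse the Set-Cookie headers a CF server sends back and report any session cookie (CFID, CFTOKEN, JSESSIONID) that lacks HttpOnly. The header values below are constructed samples, not captured from a real server.

```python
# Check ColdFusion session cookies for the HttpOnly attribute.
# Attribute names are matched case-insensitively, as RFC 6265 requires.

SESSION_COOKIES = {"CFID", "CFTOKEN", "JSESSIONID"}


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (cookie name, set of lowercased attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = set()
    for attr in parts[1:]:
        key = attr.split("=", 1)[0].strip().lower()
        if key:
            attrs.add(key)
    return name, attrs


def session_cookies_missing_httponly(set_cookie_headers):
    """Return the names of CF session cookies that were set without HttpOnly, in header order."""
    missing = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name.upper() in SESSION_COOKIES and "httponly" not in attrs:
            missing.append(name)
    return missing


# Constructed sample headers: what a CF 9.0.1 server might send before and after
# -Dcoldfusion.sessioncookie.httponly=true is added to the JVM arguments.
BEFORE = [
    "CFID=12345; Expires=Fri, 01-Jan-2038 00:00:00 GMT; Path=/",
    "CFTOKEN=98765432; Expires=Fri, 01-Jan-2038 00:00:00 GMT; Path=/",
    "theme=dark; Path=/",  # an ordinary application cookie, not a session id
]
AFTER = [
    "CFID=12345; Expires=Fri, 01-Jan-2038 00:00:00 GMT; Path=/; HttpOnly",
    "CFTOKEN=98765432; Expires=Fri, 01-Jan-2038 00:00:00 GMT; Path=/; HttpOnly",
    "JSESSIONID=A1B2C3D4E5; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        bad = session_cookies_missing_httponly(headers)
        print(label, "-> missing HttpOnly:", bad or "none")
```

Point it at real headers with `curl -i` output or a browser's network tab to verify a live server; the non-session `theme` cookie is deliberately ignored.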