With the ColdFusion 901 release, ColdFusion session cookies can now be marked HttpOnly. This reduces the chance of session information being compromised in a Cross Site Scripting (XSS) attack.
To mark these session cookies (CFID, CFTOKEN, jsessionid) HttpOnly, add the following JVM property -
Currently there is a limitation on JBoss/Tomcat for marking the jsessionid cookie as HttpOnly.
Any other ColdFusion cookies can be marked HttpOnly by using the "httponly" attribute of the cfcookie tag.
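As an added example (not part of the original post or of ColdFusion itself), the following Python script verifies the outcome of the change above: given the Set-Cookie headers from a ColdFusion response, it reports which of the session cookies (CFID, CFTOKEN, jsessionid) were issued without the HttpOnly flag. The sample headers are constructed; the cookie name is compared case-insensitively, since the container typically emits it as JSESSIONID.

```python
"""Audit ColdFusion session cookies for the HttpOnly flag.

Added example, not code from the original post. Input is the list of
Set-Cookie header values of one HTTP response; the sample headers at the
bottom are constructed to show a response before and after enabling HttpOnly.
"""
from typing import Dict, List, Set

# Cookie names ColdFusion uses for session tracking. JSESSIONID is issued by
# the underlying servlet container (JRun/Tomcat/JBoss), which is why the post
# notes a container limitation for it. Comparison is case-insensitive.
SESSION_COOKIES = ("CFID", "CFTOKEN", "JSESSIONID")


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Parse one Set-Cookie value into name, value, key=value attributes
    and bare flags (HttpOnly, Secure)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    flags: Set[str] = set()
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
        else:
            flags.add(part.lower())  # bare attributes such as HttpOnly
    return {"name": name.strip(), "value": value, "attrs": attrs, "flags": flags}


def audit_session_cookies(set_cookie_headers: List[str]) -> Dict[str, bool]:
    """Map each session cookie present in the response to True if it carries
    HttpOnly, False otherwise. Non-session cookies are ignored."""
    result: Dict[str, bool] = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"].upper() in SESSION_COOKIES:
            result[cookie["name"]] = "httponly" in cookie["flags"]
    return result


def missing_httponly(set_cookie_headers: List[str]) -> List[str]:
    """Names of session cookies that a script could still read via document.cookie."""
    audit = audit_session_cookies(set_cookie_headers)
    return sorted(name for name, ok in audit.items() if not ok)


# Constructed sample headers: before the change, no session cookie is HttpOnly.
BEFORE = [
    "CFID=1234; Path=/",
    "CFTOKEN=98765432; Path=/",
    "JSESSIONID=abc123def456; Path=/",
    "theme=dark; Path=/",  # ordinary application cookie, not audited here
]

# After the change, CFID and CFTOKEN are HttpOnly; JSESSIONID still is not,
# matching the JBoss/Tomcat limitation mentioned in the post.
AFTER = [
    "CFID=1234; Path=/; HttpOnly",
    "CFTOKEN=98765432; Path=/; HttpOnly",
    "JSESSIONID=abc123def456; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: missing HttpOnly -> {missing_httponly(headers) or 'none'}")
```

In practice, feed the script the Set-Cookie headers captured from a real response (for example from the `headers` of an HTTP client) after restarting the server with the new property; any name still listed by `missing_httponly` is a cookie that an injected script could read.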