Wednesday, July 28, 2010

ColdFusion Session cookies & HttpOnly

With the ColdFusion 9.0.1 release, ColdFusion session cookies can now be marked HttpOnly. A browser does not expose an HttpOnly cookie to script (for example through document.cookie), so the flag reduces the chance of session identifiers being stolen through a Cross-Site Scripting (XSS) attack. It does not prevent the XSS itself, and it does not stop an attacker's script from making requests that ride on the victim's session.
To mark the session cookies (CFID, CFTOKEN and jsessionid) HttpOnly, add the following JVM property (set as a -D system property in the ColdFusion JVM arguments, for example in jvm.config) -

coldfusion.sessioncookie.httponly=true

There is currently a limitation on JBoss/Tomcat deployments: this property does not mark the jsessionid cookie HttpOnly there. (jsessionid is only in play when J2EE sessions are enabled; CFID and CFTOKEN are still covered.)

Any other ColdFusion cookies can be marked HttpOnly with the "httponly" attribute of the cfcookie tag.
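The check a practitioner wants after turning the property on (or after adding httponly to cfcookie) is to confirm that the cookies the server actually sends carry the flag. The script below is an added example, not code from the original post or from Adobe. It reads raw HTTP response headers on stdin, such as the output of `curl -s -D - -o /dev/null http://your-cf-server/index.cfm` (the host is hypothetical), reports every Set-Cookie header it finds, and exits non-zero if CFID, CFTOKEN or JSESSIONID lacks HttpOnly. The sample headers embedded in it are constructed for the demonstration and are not a real server capture.

```shell
# Added example: audit Set-Cookie headers for the HttpOnly flag.
# Reads raw HTTP response headers on stdin, prints "<name> ok" or
# "<name> MISSING HttpOnly" per cookie, and returns non-zero if any of the
# ColdFusion session cookies (CFID, CFTOKEN, JSESSIONID) lacks the flag.
audit_cookies() {
  tr -d '\r' | awk '
    tolower($0) ~ /^set-cookie:/ {
      v = $0
      sub(/^[^:]*:[ \t]*/, "", v)        # drop the "Set-Cookie:" header name
      n = split(v, attrs, ";")           # attrs[1] is name=value, the rest are attributes
      split(attrs[1], nv, "=")
      name = nv[1]
      gsub(/^[ \t]+|[ \t]+$/, "", name)
      has = 0
      for (i = 2; i <= n; i++) {
        a = attrs[i]
        gsub(/^[ \t]+|[ \t]+$/, "", a)
        if (tolower(a) == "httponly") has = 1   # flag carries no value; compare case-insensitively
      }
      if (has) {
        print name " ok"
      } else {
        print name " MISSING HttpOnly"
        u = toupper(name)
        if (u == "CFID" || u == "CFTOKEN" || u == "JSESSIONID") bad = 1
      }
    }
    END { exit bad + 0 }
  '
}

# Constructed sample (not a real capture) standing in for the output of
#   curl -s -D - -o /dev/null http://your-cf-server/index.cfm   (hypothetical host)
# CFID/CFTOKEN carry HttpOnly as they do with coldfusion.sessioncookie.httponly=true;
# JSESSIONID does not, which is what the JBoss/Tomcat limitation looks like on the wire.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: JRun Web Server
Content-Type: text/html; charset=UTF-8
Set-Cookie: CFID=1234567; Path=/; HttpOnly
Set-Cookie: CFTOKEN=87654321; Path=/; HttpOnly
Set-Cookie: JSESSIONID=1a2b3c4d5e6f7a8b; Path=/
Set-Cookie: theme=dark; Path=/; Expires=Thu, 28-Jul-2011 00:00:00 GMT'

# Second constructed sample in which every session cookie carries the flag
# (note the lower-case spelling on the second one, which is still valid).
GOOD_HEADERS='HTTP/1.1 200 OK
Set-Cookie: CFID=1234567; Path=/; HttpOnly
Set-Cookie: CFTOKEN=87654321; Path=/; httponly'

# Audit the first sample; the non-zero exit status triggers the summary line.
printf '%s\n' "$SAMPLE_HEADERS" | audit_cookies \
  || echo "FAIL: a ColdFusion session cookie is missing HttpOnly"
```

Use a GET with `-D -` rather than a HEAD request when capturing from a live server, so that the request is served by the same code path your pages use; cookies set by cfcookie show up in the same report, which makes the script a quick regression check after changing either the JVM property or a cfcookie call.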
