As you are probably aware ColdFusion allows you to use the integrated J2EE sessions that are provided as part of the J2EE server (by enabling the Use J2EE session variables setting in ColdFusion Administrator).

If you use the cflogin tag to manage authentication you should consider setting loginstorage="session" in your Application.cfc or Application.cfm file for better security.

You may be surprised to learn that Microsoft Internet Explorer has supported a a security feature called HttpOnly cookies since IE 6 SP1.

Firefox 2.0.0.5, which was released just the other day, now supports it.

Greg Yardley has created a firefox plugin called Objection in response to my, and other blog posts about the privacy concerns of Local Shared Objects, or Flash Cookies.

The plugin adds a clear button for Local Shared Objects to the privacy options in Firefox.

There is lots of buzz going on over marketers using Flash's Local Shared Objects to store client side information, instead of traditional http cookies. This is a response to a report from Jupiter research stating that 38% of web users delete cookies on a regular basis.