This week I helped out a client resolve an issue due to a change in behavior from CF9 to CF10. CF10 automatically adds the secure flag to cookies when the request is over a secure HTTPS channel.

I was recently conducting a CFML security review for a client and realized that when you have client variables set to use Cookies, the session ID's (eg CFIDE and CFTOKEN) are included in the CFGLOBALS cookie.

Internet Explorer pioneered a great security feature for cookies called HTTPOnly, when this flag is set the browser does not allow JavaScript to access the cookie. Now that all modern browsers support this flag it can reduce the risk of session hijacking due to cross site scripting.

You may be surprised to learn that Microsoft Internet Explorer has supported a a security feature called HttpOnly cookies since IE 6 SP1.

Firefox 2.0.0.5, which was released just the other day, now supports it.