Setting Session Cookies Secure In ColdFusion

Author: Steven Neiland
Published:

Warning: This blog entry was written two or more years ago. Therefore, it may contain broken links, out-dated or misleading content, or information that is just plain wrong. Please read on with caution.

If you have a site on which you want to enforce the use of SSL, one way of doing this is to mark cookies as secure. The secure flag tells the user's browser to send the cookie back only over SSL (HTTPS) connections, so a cookie marked secure will never be sent over a plain HTTP connection.

This Is A Server Wide Setting

Warning: This setting affects all sites on that CF instance on your server. This means that all sites must be using SSL, as any site which is not will not be able to maintain state using cookies. I was caught by this recently when we set up a new site which did not require or possess an SSL cert onto a server that had originally been configured for SSL only.

A solution to this problem is to create a dedicated CF instance for SSL-only websites and another for websites where SSL is not enforced.

Locate The Jrun-web.xml Config File

To set cookies secure in ColdFusion you need to edit the jrun-web.xml file. If you are using a multi-instance setup then you will have one file per instance. Assuming the default install locations, the file can be found here:

ColdFusion Standard

C:\ColdFusion9\wwwroot\WEB-INF\jrun-web.xml

ColdFusion Enterprise

C:\JRun4\servers\{servername}\cfusion.ear\cfusion.war\WEB-INF\jrun-web.xml

Setting The Secure Flag

To set the secure flag on session cookies, locate the session-config section of the file and add or modify the cookie-config section with the cookie-secure rule so that your config looks something like this:

<jrun-web-app>
      <session-config>
            <cookie-config>
                  <active>true</active>
                  <cookie-secure>true</cookie-secure>
            </cookie-config>
      </session-config>
</jrun-web-app>

Now restart ColdFusion to load the new configuration, then test using something like the Web Developer plugin for Firefox to inspect the cookies sent.
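Two offline checks that cover the steps above, added here as an example and not code from the original post: one parses a jrun-web.xml document and reports whether cookie-config has active and cookie-secure set to true (useful when a multi-instance server has one file per instance), the other parses Set-Cookie header values, such as those shown by a browser's developer tools, and flags any CFID or CFTOKEN cookie that is missing the Secure attribute. The XML fragments and header values below are constructed for the example; the token values are placeholders.

```python
"""Added example (not from the original post): offline checks for the secure
flag on ColdFusion session cookies.

1. audit_jrun_web_xml() parses a jrun-web.xml document and reports whether
   <cookie-config> has <active> and <cookie-secure> set to true.
2. audit_set_cookie() parses Set-Cookie header values as sent by the server
   and reports any CFID/CFTOKEN cookie that lacks the Secure attribute.

All sample XML and header values below are constructed for this example.
"""
import xml.etree.ElementTree as ET

# ColdFusion's session cookie names.
SESSION_COOKIES = {"CFID", "CFTOKEN"}


def audit_jrun_web_xml(xml_text):
    """Return (active, cookie_secure) booleans read from <session-config>."""
    root = ET.fromstring(xml_text)
    cfg = root.find("./session-config/cookie-config")
    if cfg is None:
        # No cookie-config section at all: nothing is enforced.
        return (False, False)

    def flag(name):
        node = cfg.find(name)
        return node is not None and (node.text or "").strip().lower() == "true"

    return (flag("active"), flag("cookie-secure"))


def parse_set_cookie(value):
    """Parse one Set-Cookie header value into (cookie name, attribute dict).

    Attribute names are lower-cased; bare flags such as Secure and HttpOnly
    map to True, valued attributes such as Path map to their value.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def audit_set_cookie(header_values):
    """Return a list of findings for session cookies that lack Secure."""
    problems = []
    for value in header_values:
        name, attrs = parse_set_cookie(value)
        if name.upper() in SESSION_COOKIES and not attrs.get("secure"):
            problems.append("%s is missing the Secure attribute" % name)
    return problems


# Constructed jrun-web.xml fragments: before and after adding cookie-secure.
XML_BEFORE = """<jrun-web-app>
  <session-config>
    <cookie-config>
      <active>true</active>
    </cookie-config>
  </session-config>
</jrun-web-app>"""

XML_AFTER = """<jrun-web-app>
  <session-config>
    <cookie-config>
      <active>true</active>
      <cookie-secure>true</cookie-secure>
    </cookie-config>
  </session-config>
</jrun-web-app>"""

# Constructed Set-Cookie values; CFID/CFTOKEN values are placeholders.
HEADERS_BEFORE = [
    "CFID=1234; Path=/; HttpOnly",
    "CFTOKEN=abcdef; Path=/; HttpOnly",
]
HEADERS_AFTER = [
    "CFID=1234; Path=/; Secure; HttpOnly",
    "CFTOKEN=abcdef; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    print("before:", audit_jrun_web_xml(XML_BEFORE), audit_set_cookie(HEADERS_BEFORE))
    print("after: ", audit_jrun_web_xml(XML_AFTER), audit_set_cookie(HEADERS_AFTER))
```

On a multi-instance server, run audit_jrun_web_xml over each instance's jrun-web.xml so that an instance hosting a non-SSL site is not silently left with cookie-secure enabled; paste the Set-Cookie values observed after the restart into audit_set_cookie to confirm the change actually reached the browser.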

Reader Comments

Eric Davis
Monday, April 11, 2016 at 3:10:08 PM Coordinated Universal Time

Hi Steven,
Thanks for the article. Very helpful. I did make the change to my jrun-web.xml file for a specific instance. I restarted the instance but I don't see the Secure flag being added to the CFID and CFTOKEN cookies. Any insight is appreciated.
Cheers,
Eric

Steven Neiland
Saturday, April 23, 2016 at 10:54:58 AM Coordinated Universal Time

@Eric,
Can you provide more information? What version of CF are you running (7, 8, 9, etc.) and is it Standard or Enterprise?

Also the contents of the jrun-web.xml file.
