Set Session Cookies as HTTPOnly in Coldfusion / Railo

Published: 2011-07-26
Author: Steven Neiland
Site Url: http://www.neiland.net/article/set-session-cookies-as-httponly-in-coldfusion--railo/

Marking session cookies as HttpOnly stops script running in the page, such as script injected through an XSS attack, from reading them on modern browsers, which closes off the usual route for hijacking a session. How you turn this on depends on the version of ColdFusion you are running, or, if you are running Railo, on the JSP servlet engine you are using.

Railo 3 on Resin

To enable HttpOnly session cookies in Railo when using the Resin engine we must edit the resin.conf file. For me this was located in the '[path_to_railo]/railo[version number]/conf/' directory. Open this file, uncomment the following line and restart Railo.

Railo on Tomcat

To enable HttpOnly session cookies in Railo on Tomcat we have the choice of editing the context.xml file to make the setting global for all sites, or editing an individual context in the server.xml file.

In either case open the relevant config file in the "/[path_to_railo]/railo/tomcat/conf/" directory and change the following.

Coldfusion 9.0.1

The ColdFusion 9.0.1 update adds support for HttpOnly session cookies through a Java system property called 'coldfusion.sessioncookie.httponly'. To turn it on, edit jvm.config and add the following.

-Dcoldfusion.sessioncookie.httponly=true

If you are running a standalone ColdFusion server you can also add this in the ColdFusion Administrator.

Coldfusion 9+

If you have not yet applied the latest patches (you did read what I said about patching, didn't you?), or if you want to fix the problem in your code, you can force HttpOnly cookies by adding the following to your 'Application.cfc' file.

Coldfusion 8 and Lower

If you are running ColdFusion 8 or older you can achieve the same effect by adding the following to your 'Application.cfc' file.

If you are using the 'Application.cfm' file then use the following code.
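To show the Application.cfc approach end to end, here is an added example that is not the article's own snippet: it switches off ColdFusion's automatically issued session cookies and re-issues CFID/CFTOKEN itself with the HttpOnly flag. The application name is an assumption, and the cfheader variant is commented out for servers older than ColdFusion 9.

```cfml
<!--- Application.cfc (added example, not from the article).
      Assumes standard session management with CFID/CFTOKEN cookies. --->
<cfcomponent output="false">
  <cfset this.name = "httponlydemo">   <!--- assumed application name --->
  <cfset this.sessionManagement = true>
  <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
  <!--- Stop ColdFusion writing its own (non-HttpOnly) CFID/CFTOKEN cookies;
        we issue them ourselves in onSessionStart instead. --->
  <cfset this.setClientCookies = false>

  <cffunction name="onSessionStart" returntype="void" output="false">
    <!--- ColdFusion 9 and later: cfcookie has an httponly attribute.
          No expires attribute, so these stay browser-session cookies.
          Add secure="true" if the site is only ever served over HTTPS. --->
    <cfcookie name="CFID" value="#session.cfid#" path="/" httponly="true">
    <cfcookie name="CFTOKEN" value="#session.cftoken#" path="/" httponly="true">

    <!--- ColdFusion 8 and lower: cfcookie has no httponly attribute, so
          write the Set-Cookie headers directly in place of the two tags above:
    <cfheader name="Set-Cookie" value="CFID=#session.cfid#;path=/;HttpOnly">
    <cfheader name="Set-Cookie" value="CFTOKEN=#session.cftoken#;path=/;HttpOnly">
    --->
  </cffunction>
</cfcomponent>
```

After deploying, confirm the change by inspecting the response headers of a fresh request: both Set-Cookie lines for CFID and CFTOKEN should carry the HttpOnly flag, and document.cookie in the browser console should no longer list them.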

So there you have it, setting your session cookies as HttpOnly in ColdFusion/Railo. Please keep in mind this is only one step in making your server more secure.

EDIT: Securing The Cookie In Apache

Thanks to @vexeddeveloper for pointing out that the web server issues the cookie before CF/Railo can grab it and secure it. For information on securing the cookie in Apache you can follow their guide at http://www.vexeddeveloper.com/post.cfm/httponly-and-secure-cookies. I'm not too familiar with using the mod_security module myself, so I will do some investigating when I have time to figure out how this approach works.