Preventing Session Hijacking
Session hijacking is a valid concern for all web developers. One of the easiest ways to hijack a session is by reading cookies and impersonating a user at one of the popular web sites. In Coldfusion, you can secure your cookies like so:

<cfif IsDefined("Cookie.cfID") AND IsDefined("Cookie.cfToken")>
	<!--- Copy the session identifiers the browser sent with this request --->
	<cfset Variables.cfID_local = Cookie.cfID>
	<cfset Variables.cfToken_local = Cookie.cfToken>
	<!--- Send them back with the Secure flag, so the browser only returns them over HTTPS --->
	<cfcookie name="cfID" value="#Variables.cfID_local#" secure="Yes">
	<cfcookie name="cfToken" value="#Variables.cfToken_local#" secure="Yes">
</cfif>

Also, you need to set ALL of your cookies (not just CFID and CFTOKEN) to be secure; a single unprotected cookie that identifies the user is enough for an attacker on the network to impersonate them.

Basically, just call the <cfcookie> tag for each cookie and make sure to set the SECURE attribute to yes.

To secure the JSESSIONID (which is important when J2EE sessions are enabled), make sure to explicitly set it with a <cfcookie> tag and set the value to SESSION.SESSIONID (since the JSESSIONID value is the same as SESSION.SESSIONID).
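Putting the three steps above together, here is an added example that is not code from the original post. It is meant to run at the top of every request (for instance from onRequestStart in Application.cfc) and assumes the CGI.SERVER_PORT_SECURE variable is populated by the web server connector; the redirect URL built from CGI.SERVER_NAME and CGI.SCRIPT_NAME is an assumption about how the site is addressed.

```cfml
<!--- Added example: re-issue every session cookie with the Secure flag on each request.
      Assumes CGI.SERVER_PORT_SECURE is set by the web server (1 when the request came over HTTPS). --->

<!--- A cookie flagged Secure is never sent back over plain HTTP, so forcing the flag on an
      HTTP page would simply break the session. Move the visitor to HTTPS first. --->
<cfif NOT (IsNumeric(CGI.SERVER_PORT_SECURE) AND CGI.SERVER_PORT_SECURE)>
	<cfset Variables.httpsURL = "https://" & CGI.SERVER_NAME & CGI.SCRIPT_NAME>
	<cfif Len(CGI.QUERY_STRING)>
		<cfset Variables.httpsURL = Variables.httpsURL & "?" & CGI.QUERY_STRING>
	</cfif>
	<!--- addtoken="no": never append CFID/CFTOKEN to the URL, where they would be logged and leaked --->
	<cflocation url="#Variables.httpsURL#" addtoken="no">
</cfif>

<cfif IsDefined("Cookie.JSESSIONID")>
	<!--- J2EE session mode: the JSESSIONID cookie carries the same value as SESSION.SESSIONID --->
	<cfcookie name="JSESSIONID" value="#SESSION.SESSIONID#" secure="yes">
<cfelseif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
	<!--- Classic ColdFusion session mode: re-issue both identifiers with the Secure flag --->
	<cfcookie name="CFID" value="#Cookie.CFID#" secure="yes">
	<cfcookie name="CFTOKEN" value="#Cookie.CFTOKEN#" secure="yes">
</cfif>
```

Because no expires attribute is given, the re-issued cookies become browser-session cookies and are discarded when the browser closes, which is what you want for a session identifier. On ColdFusion 9 and later, <cfcookie> also accepts httponly="yes"; setting it alongside secure="yes" keeps client-side script from reading the session cookie at all.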
