ColdFusion Java System Properties

There are several ColdFusion Java System properties that have been created for various reasons. Usually they exist to work around bugs that were fixed but then cause a backwards compatibility change.


This setting was added in CF 2016+ to address issues:

The ColdFusion 2016 release notes instruct you to set -Dcoldfusion.udf.reuseTagInstances=false if you see those issues.


Set this to restrict the SSL and or TLS protocols that will be used by tags such as cfhttp. The possible values are: SSLv3, TLSv1, TLSv1.1, TLSv1.2 and can be combined as a comma separated list.

For CF10 update 18 and CF 11+ Read more


Set this to true if you want to disable the RSA BSafe CryptoJ JCE (enterprise edition only), and use the default Oracle JCE (or another provider).


The setting controls the default algorithm for random number generation in CF 8+ Enterprise. It is set to FIPS186Random


Set this to true to disable algorithms that are not FIPS approved, such as DESX, RC5, and MD5PRNG.


Applies to CF9.0.1 only. When this setting is set to true your CFID and CFTOKEN cookies will have the httponly flag set. Does not apply to JSESSIONID cookies.

For CF 10+ Use this.sessioncookie.httponly setting in Application.cfc or ColdFusion Administrator.


ColdFusion security hotfix APSB11-04 added protection from session fixation. When you set this setting to false it disables the session fixation protection. Please read about session fixation before changing this setting.


ColdFusion 8 security hotfix hf801-77218 added this setting to block any request to /fckeditor/editor/filemanager/ unless this setting is set to true. Read more.


Introduced with ColdFusion 11 Update 4. Used to disable the dbvarname attribute in the cfprocparam tag. This attribute was deprecated with ColdFusion MX and subsequently reintroduced with ColdFusion 11 Update 3. See bug 3919479 for further details.


Introduced with ColdFusion 2018. When set to true, cfinclude inside Application.cfc will correctly resolve paths relative from the included file. By default, Application.cfc is unable to resolve nested cfincludes from outside the directory where the file resides.


Introduced with ColdFusion 2021. It defaults to false but when set to true the queryFilter function will mutate the input query as it did in ColdFusion 2016 and 2018. See bug 4203366 for further details.


Introduced with ColdFusion 2021 Update 1. It defaults to false but when set to true and the mask contains D (uppercase D), the mask treats the value as d (lowercase d), day of the month. Hence, dateformat(now(), "mm-D-yyyy") is the same as dateformat(now(), "mm-d-yyyy") when flag is set to true. See Adobe article for more details.


Introduced in March 2024 via ColdFusion 2021 Update 13 and ColdFusion 2023 Update 7, and on these versions defaults to false. When set to true unscoped variable resolution will traverse through all the implicit scopes such as form, url, cgi, cookie, when false the scope needs to be specified. This change was introduced as part of a security hotfix: APSB24-14 and Adobe recommends keeping it to false. More info about searchImplicitScopes here

Standard Java System Properties

The following system properties apply to the java runtime:

Signup for cfbreak to stay updated on the latest news from the ColdFusion / CFML community. One email, every friday.

Fork me on GitHub