There are several ColdFusion Java System properties that have been created for various reasons. Usually they exist to work around bugs that were fixed but then cause a backwards compatibility change.
-Dcoldfusion.udf.reuseTagInstancesThis setting was added in CF 2016+ to address issues:
cfloop to loop over a query that is defined as a var function local variablecfhttp tag is using a struct that has been passed to it via the cfthread tagThe ColdFusion 2016 release notes instruct you to set -Dcoldfusion.udf.reuseTagInstances=false if you see those issues.
-Dhttps.protocolsSet this to restrict the SSL and or TLS protocols that will be used by tags such as cfhttp. The possible values are: SSLv3, TLSv1, TLSv1.1, TLSv1.2 and can be combined as a comma separated list.
For CF10 update 18 and CF 11+ Read more
-Dcoldfusion.disablejsafeSet this to true if you want to disable the RSA BSafe CryptoJ JCE (enterprise edition only), and use the default Oracle JCE (or another provider).
-Dcoldfusion.jsafe.defaultalgoThe setting controls the default algorithm for random number generation in CF 8+ Enterprise. It is set to FIPS186Random
-Dcoldfusion.enablefipscryptoSet this to true to disable algorithms that are not FIPS approved, such as DESX, RC5, and MD5PRNG.
-Dcoldfusion.sessioncookie.httponlyApplies to CF9.0.1 only. When this setting is set to true your CFID and CFTOKEN cookies will have the httponly flag set. Does not apply to JSESSIONID cookies.
For CF 10+ Use this.sessioncookie.httponly setting in Application.cfc or ColdFusion Administrator.
-Dcoldfusion.session.protectfixationColdFusion security hotfix APSB11-04 added protection from session fixation. When you set this setting to false it disables the session fixation protection. Please read about session fixation before changing this setting.
-Dcoldfusion.fckuploadColdFusion 8 security hotfix hf801-77218 added this setting to block any request to /fckeditor/editor/filemanager/ unless this setting is set to true. Read more.
-Dcoldfusion.ignoredbvarnameIntroduced with ColdFusion 11 Update 4. Used to disable the dbvarname attribute in the cfprocparam tag. This attribute was deprecated with ColdFusion MX and subsequently reintroduced with ColdFusion 11 Update 3. See bug 3919479 for further details.
-Dcoldfusion.application.recur_resolve.includeIntroduced with ColdFusion 2018. When set to true, cfinclude inside Application.cfc will correctly resolve paths relative from the included file. By default, Application.cfc is unable to resolve nested cfincludes from outside the directory where the file resides.
-Dcoldfusion.query.filter.mutateinputqueryIntroduced with ColdFusion 2021. It defaults to false but when set to true the queryFilter function will mutate the input query as it did in ColdFusion 2016 and 2018. See bug 4203366 for further details.
-Dcoldfusion.datemask.useDasdayofmonthIntroduced with ColdFusion 2021 Update 1. It defaults to false but when set to true and the mask contains D (uppercase D), the mask treats the value as d (lowercase d), day of the month. Hence, dateformat(now(), "mm-D-yyyy") is the same as dateformat(now(), "mm-d-yyyy") when flag is set to true. See Adobe article for more details.