There are several ColdFusion Java system properties that have been created for various reasons. Usually they exist to work around bug fixes that introduced a backwards-incompatible change.
-Dcoldfusion.udf.reuseTagInstances
This setting was added in CF 2016+ to address issues:
The ColdFusion 2016 release notes instruct you to set -Dcoldfusion.udf.reuseTagInstances=false if you see those issues.
-Dhttps.protocols
Set this to restrict the SSL and/or TLS protocols that will be used by tags such as CFHTTP. The possible values are: SSLv3, TLSv1, TLSv1.1, TLSv1.2 and can be combined as a comma-separated list.
For CF10 update 18 and CF 11+ Read more
-Dcoldfusion.disablejsafe
Set this to true if you want to disable the RSA BSafe CryptoJ JCE (enterprise edition only), and use the default Oracle JCE (or another provider).
-Dcoldfusion.jsafe.defaultalgo
This setting controls the default algorithm for random number generation in CF 8+ Enterprise. It is set to FIPS186Random.
-Dcoldfusion.enablefipscrypto
Set this to true to disable algorithms that are not FIPS approved, such as DESX, RC5, and MD5PRNG.
-Dcoldfusion.sessioncookie.httponly
Applies to CF9.0.1 only. When this setting is set to true your CFID and CFTOKEN cookies will have the httponly flag set. Does not apply to JSESSIONID cookies.
For CF 10+ use the this.sessioncookie.httponly setting in Application.cfc or ColdFusion Administrator.
-Dcoldfusion.session.protectfixation
ColdFusion security hotfix APSB11-04 added protection from session fixation. When you set this setting to false it disables the session fixation protection. Please read about session fixation before changing this setting.
-Dcoldfusion.fckupload
ColdFusion 8 security hotfix hf801-77218 added this setting to block any request to /fckeditor/editor/filemanager/ unless this setting is set to true. Read more.
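
A configuration review can check a server's JVM argument line for the settings above that weaken a protection. The script below is an added example, not part of the original page or of ColdFusion itself; the function names, the sample argument line, and the policy of treating every protocol below TLSv1.2 as legacy are assumptions of this example.

```python
import re

# Protocol names come from the page; treating everything below TLSv1.2 as
# legacy is this example's policy assumption, not a statement from the page.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_system_properties(jvm_args):
    """Return {name: value} for every -Dname=value token in a JVM argument string."""
    props = {}
    for token in jvm_args.split():
        match = re.fullmatch(r"-D([^=]+)=(.*)", token)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def audit(jvm_args):
    """Return a sorted list of (property, finding) tuples for weakened settings."""
    props = parse_system_properties(jvm_args)
    findings = []

    # -Dhttps.protocols is a comma-separated list; report any legacy entries.
    enabled = {p.strip() for p in props.get("https.protocols", "").split(",")}
    legacy = sorted(enabled & LEGACY_PROTOCOLS)
    if legacy:
        findings.append(("https.protocols", "legacy protocols enabled: " + ", ".join(legacy)))

    # false switches off the session fixation protection added by APSB11-04.
    if props.get("coldfusion.session.protectfixation", "").lower() == "false":
        findings.append(("coldfusion.session.protectfixation", "session fixation protection disabled"))

    # true lifts the block on the FCKeditor file manager path.
    if props.get("coldfusion.fckupload", "").lower() == "true":
        findings.append(("coldfusion.fckupload", "requests to /fckeditor/editor/filemanager/ are allowed"))

    return sorted(findings)


# Constructed sample argument line, not taken from a real server.
SAMPLE_ARGS = (
    "-server -Xmx1024m -Dhttps.protocols=TLSv1,TLSv1.2 "
    "-Dcoldfusion.session.protectfixation=false -Dcoldfusion.fckupload=true"
)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ARGS):
        print(f"{name}: {finding}")
```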