There are several ColdFusion Java system properties that have been created for various reasons. Usually they exist to work around a bug fix that introduced a backwards-compatibility change.
This setting was added in CF 2016+ to address issues:
The ColdFusion 2016 release notes instruct you to set -Dcoldfusion.udf.reuseTagInstances=false if you see those issues.
Set this to restrict the SSL and/or TLS protocols that will be used by tags such as CFHTTP. The possible values are SSLv3, TLSv1, TLSv1.1 and TLSv1.2, and they can be combined as a comma-separated list.
For CF10 update 18 and CF 11+.
Set this to true if you want to disable the RSA BSafe CryptoJ JCE (enterprise edition only), and use the default Oracle JCE (or another provider).
This setting controls the default algorithm for random number generation in CF 8+ Enterprise. It is set to
Set this to true to disable algorithms that are not FIPS approved, such as DESX, RC5, and MD5PRNG.
Applies to CF9.0.1 only. When this setting is set to true, your CFID and CFTOKEN cookies will have the httponly flag set. Does not apply to
For CF 10+, use the this.sessioncookie.httponly setting in Application.cfc or the ColdFusion Administrator.
ColdFusion security hotfix APSB11-04 added protection from session fixation. Setting this to false disables the session fixation protection. Please read about session fixation before changing this setting.
ColdFusion 8 security hotfix hf801-77218 added this setting to block any request to
this setting is set to true.