ColdFusion Java System Properties

Several ColdFusion Java system properties have been created for various reasons. Usually they exist to work around bugs whose fix caused a backwards-incompatible change.


This setting was added in CF 2016+ to address issues:

The ColdFusion 2016 release notes instruct you to set -Dcoldfusion.udf.reuseTagInstances=false if you see those issues.


Set this to restrict the SSL and/or TLS protocols that will be used by tags such as CFHTTP. The possible values are SSLv3, TLSv1, TLSv1.1 and TLSv1.2, and they can be combined as a comma-separated list.

For CF10 update 18 and CF 11+.
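An added example (not from the original page) that checks a protocol list of the form described above before it goes into the JVM arguments. The property name `example.https.protocols` and the sample argument string are constructed placeholders, since the real property name does not appear here; the deprecated set follows RFC 7568 and RFC 8996.

```python
# Values the page lists as possible for the protocol property.
KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
# Deprecated by RFC 7568 (SSLv3) and RFC 8996 (TLS 1.0 and 1.1).
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample; "example.https.protocols" is a placeholder name (assumption).
SAMPLE_JAVA_ARGS = (
    "-server -Dexample.https.protocols=TLSv1.2 "
    "-Dcoldfusion.udf.reuseTagInstances=false "
    "-Dexample.https.protocols=SSLv3,TLSv1.1,TLSv1.2,tls1.3"
)


def system_properties(java_args):
    """Return {name: value} for each -Dname=value token in a JVM argument string.

    A property given more than once keeps its last value, which is the one
    the JVM ends up using, so a later weak setting overrides an earlier one.
    """
    props = {}
    for token in java_args.split():
        if token.startswith("-D") and "=" in token:
            name, value = token[2:].split("=", 1)
            props[name] = value
    return props


def audit_protocols(value):
    """Classify each entry of a comma-separated protocol list."""
    report = {"enabled": [], "deprecated": [], "unknown": []}
    for entry in (e.strip() for e in value.split(",")):
        if entry not in KNOWN:
            # Empty entries (stray comma) and wrong spellings or case land here.
            report["unknown"].append(entry)
            continue
        report["enabled"].append(entry)
        if entry in DEPRECATED:
            report["deprecated"].append(entry)
    return report


if __name__ == "__main__":
    props = system_properties(SAMPLE_JAVA_ARGS)
    print(audit_protocols(props["example.https.protocols"]))
```

Anything reported under `deprecated` or `unknown` is worth fixing before the value is deployed.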


Set this to true if you want to disable the RSA BSafe CryptoJ JCE (enterprise edition only), and use the default Oracle JCE (or another provider).


This setting controls the default algorithm for random number generation in CF 8+ Enterprise. It is set to FIPS186Random.


Set this to true to disable algorithms that are not FIPS approved, such as DESX, RC5, and MD5PRNG.


Applies to CF9.0.1 only. When this setting is set to true, your CFID and CFTOKEN cookies will have the httponly flag set. It does not apply to JSESSIONID cookies.

For CF 10+, use the this.sessioncookie.httponly setting in Application.cfc or the ColdFusion Administrator.


ColdFusion security hotfix APSB11-04 added protection from session fixation. Setting this to false disables the session fixation protection. Please read about session fixation before changing this setting.


ColdFusion 8 security hotfix hf801-77218 added this setting to block any request to /fckeditor/editor/filemanager/ unless this setting is set to true.
