Setting Session Cookies Secure In ColdFusion

Author: Steven Neiland

Warning: This blog entry was written two or more years ago. Therefore, it may contain broken links, out-dated or misleading content, or information that is just plain wrong. Please read on with caution.

If you have a site that you want to enforce the use of ssl on, one way of doing this is to mark cookies as secure. The secure flag tells the user's browser to only send back the cookie over ssl (HTTPS) connections. This means that the browser will never send a cookie marked secure over a http connection.

This Is A Server Wide Setting

Warning: This setting will affect all sites on that cf instance on your server. This means that all sites must be using ssl as any site which is not will not be able to maintain state using cookies. I was caught by this recently when we setup a new site which did not require or possess an ssl cert onto a server that had originally been configured for ssl only.

A solution to this problem is to create a dedicated cf instance for ssl only websites and another for non ssl enforced websites.

Locate The Jrun-web.xml Config File

To set cookies secure in ColdFusion you need to edit the jrun-web.xml file. If you are using a multi instance setup then you will have one file per instance. Assuming the default install locations the file can be located here:

ColdFusion Standard


ColdFusion Enterprise


Setting The Secure Flag

To set the secure flag on session cookies locate the session-config section of the file and add or modify the cookie config section with the cookie-secure rule so that your config looks something like this.


Now restart ColdFusion to load the new configuration and test using something like the web developer plugin for firefox to inspect the cookies sent.

Related Blog Postings

Reader Comments

Eric Davis's Gravatar
Eric Davis
Monday, April 11, 2016 at 3:10:08 PM Coordinated Universal Time

Hi Steven,
Thanks for the article. Very helpful. I did make the change to my jrun-web.xml file for a specific instance. I restarted the instance but I don't see the Secure flag being added the CFID and CFTOKEN cookies. Any insight is appreciated.

Steven Neiland's Gravatar
Steven Neiland
Saturday, April 23, 2016 at 10:54:58 AM Coordinated Universal Time

Can you provide more information. What version of CF you are running, 7,8,9 etc and standard/enterprise.

Also the contents on the jrun-web.xml file.

  • Please keep comments on-topic.
  • Please do not post unrelated questions or large chunks of code.
  • Please do not engage in flaming/abusive behaviour.
  • Comments that contain advertisments or appear to be created for the purpose of link building, will not be published.

Archives Blog Listing