Last night I gave a presentation to my local Philly CFUG, part of which covered the creation of cookies from ColdFusion. In the course of presenting I "discovered" that it is possible to set secure cookies in response to a non-secure request.
Now, the browser will not send that cookie on subsequent requests if you are not using a secure connection; however, if the cookie was set on a non-secure page, the value of that cookie has already been exposed to potential hijacking.
The Lesson Learned
If you are using cfcookie with the secure attribute, make sure you are doing so over a secure connection or you may be leaving yourself vulnerable to cookie hijacking.
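One way to enforce this, as an added example that is not code from the presentation: check how the request arrived before calling cfcookie, and redirect to HTTPS instead of emitting the cookie over plain HTTP. The cookie name `authToken`, the variables `secureHost` and `tokenValue`, and the host `www.example.com` are placeholders; the check assumes TLS terminates on the ColdFusion web server itself rather than on an upstream proxy.

```cfml
<!--- Constructed values for illustration only. --->
<cfset secureHost = "www.example.com">
<cfset tokenValue = createUUID()>

<!--- CGI scope reports whether this request came in over TLS.
      Assumption: no TLS-terminating proxy sits in front of this server;
      behind one, these values describe the proxy-to-server hop instead. --->
<cfset isSecureRequest = (cgi.server_port_secure EQ 1) OR (cgi.https EQ "on")>

<cfif isSecureRequest>
    <!--- Safe: the Set-Cookie header travels inside the encrypted response. --->
    <cfcookie name="authToken"
              value="#tokenValue#"
              secure="true"
              httponly="true">
<cfelse>
    <!--- Never send the cookie value in a cleartext response.
          Rebuild the same path on HTTPS using a configured host name
          rather than one taken from the request. --->
    <cfset target = "https://" & secureHost & cgi.script_name>
    <cfif len(cgi.query_string)>
        <cfset target = target & "?" & cgi.query_string>
    </cfif>
    <cflocation url="#target#" addtoken="false">
</cfif>
```

The secure attribute only controls when the browser sends the cookie back; the guard above is what keeps the server from exposing the value when it first sets it.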