Sessions DO NOT expire on browser close
I have interviewed quite a few people lately for a few positions at my company. An interesting thing that I have noticed is that the majority of people I interview seem to think that session variables ALWAYS expire on browser close. However in a default CF install, session variables will persist even after a browser is closed and re-opened. This could mean that your users continue to be “logged in” to your application even after they close their browser.
The default behavior of a ColdFusion installation does not use per-session cookies in a browser, it uses persistent cookies instead. The difference being that per-session cookies are stored in client memory and are destroyed on browser close where persistent cookies are stored on disk and are available after a browser has been closed an opened.
There are reasons to use both per-session cookies as well as persistent cookies, but you should be aware of the difference. In a secure application, users generally expect that their session will end on browser close so you should be careful to enforce this behavior.
How do I change this???
There are a few ways to accomplish per-session cookie management in your application. One approach is to enable “Use J2EE session variables” in ColdFusion administrator, but you can also accomplish this in code. Take a look at this knowledgebase article for an extended explanation. – (Try this updated link, not the same article, but a good explanation – Adobe KB)