For anyone that has set up their application(s) so the session ends when the last browser window is closed, that uses CF session variables (but not J2EE session variables), you need to read this. The old way (as described in the book Web Application Construction Kit & various websites)  of doing this will not work in CF10. Yes, I understand that technically the session does not end until the session expires on the server. OK then, in order for your code to continue working in CF10, you need to set THIS.sessioncookie.timeout to “–1” (under the CFComponent tag). One other thing to note, if your using a shared server, make sure to set THIS.sessioncookie.disableupdate to false, which will override the corresponding setting in the Administrator “Disable updating ColdFusion internal cookies using ColdFusion tags/functions” (in case its checked) & enable you to set CFID & CFToken as session cookies. For specifics about “Ending the Session when the Browser Closes”, see page 612 in ColdFusion 7 Web Application Construction Kit or ColdFusion 8 Web Application Construction Kit, Volume 1 (around page 539).

Is there a way to expire session cookies using <cfcookie> tag or by any other way, to end the user session. We have been having problems with expiring user session after upgrading to CF-10. The <cfcookie> tag ignores the expire attribute and uses the default value. Also, another issue that we have been facing is that session cookies should be host-only by default, but in our case it always has a domain attribute and is being shared across the domain even if we add 'setdomaincookies="no"' to the <cfapplication> tag. Any response is highly appreciated.