Session data lives in the RAM memory of the ColdFusion server. There is no direct way for a client machine to access this memory. The hacker would have to have access to the ColdFusion server machine or code on that machine that interfaces with the session data.

That being said, sessions are spoofable. The only way the web server knows what client belongs to a set of session data is through the cfid and cftoken cookies. If a client request provides the correct combination of cfid and cftoken values it will be associated with that session data.

Finally, if you send a user a link with a random value to validate them, they may not do it right away in the same browser from the same computer that they were using. Any of these factors and more will cause them to have a different session than the original request came from.
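An Application.cfc that tightens how the cfid/cftoken pair described above is handled, as an added example that is not part of the original post; it assumes ColdFusion 10 or later (for `this.sessionCookie` and `sessionRotate()`), and the application name is constructed.

```cfml
// Application.cfc (added example; assumes ColdFusion 10+).
component {
    this.name = "sessionDemoApp";       // constructed application name
    this.sessionManagement = true;
    this.setClientCookies = true;       // lets CF issue CFID/CFTOKEN cookies
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

    // Weak setting, shown for comparison: the CFID/CFTOKEN pair is readable
    // by browser-side script and is sent over plain HTTP, so anyone who
    // obtains the pair can present it and be matched to the session.
    // this.sessionCookie = { httpOnly: false, secure: false };

    // Hardened setting: script in the page cannot read the pair, it is only
    // sent over TLS, and application code cannot overwrite it with cfcookie.
    this.sessionCookie = {
        httpOnly: true,
        secure: true,
        disableUpdate: true
    };

    public void function onSessionStart() {
        // Every fresh session starts unauthenticated; a request that merely
        // carries a valid cookie pair does not become "logged in" by itself.
        session.authenticated = false;
        session.userId = "";
    }

    // Hypothetical helper, called from the login page after the password
    // check succeeds: discard the pre-login CFID/CFTOKEN pair and issue a
    // new one so a pair captured before login cannot ride into the
    // authenticated session.
    public void function markAuthenticated(required string userId) {
        sessionRotate();
        session.authenticated = true;
        session.userId = arguments.userId;
    }
}
```

The e-mail validation link from the last paragraph should be checked against a server-side record keyed to the user, not against `session`, precisely because the click may arrive from a different browser or machine and therefore a different session.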