Because the session variable is NOT stored on the client system. It is stored on the server.
What is sent to the client is a token that is sent with every request that lets the server know what requests belong with what session data.
By default this token is a set of cookies called CFID and CFTOKEN but one can alternately configure ColdFusion to use a different cookie called JSESSIONID. This latter has the benefits of automatically being a memory cookie that is discarded when the browser closes and being common to JRUN JSP sessions if one ever needs to coordinate with such a system.
There are known risks that if somebody can guess any existing and current tokens available on the server they can hijack that session. This is somewhat more risky if one chooses to use get (aka URL) variables for the tokens rather than cookies. But few bother with this option these days.
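As an added illustration of the settings the answer above describes (this is example code, not the poster's, and it assumes ColdFusion 10 or later for the `this.sessionCookie` struct; the application name and the `/login.cfm` page are constructed), an `Application.cfc` that keeps session data server-side, lets ColdFusion issue the CFID/CFTOKEN cookies, hardens those cookies, and redirects without putting the tokens in the URL:

```cfml
// Application.cfc (added example; assumes ColdFusion 10+ for this.sessionCookie)
component {
    this.name = "sessionDemo";            // constructed application name
    this.sessionManagement = true;        // session data lives on the server; only the token goes to the client
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);  // idle lifetime of the server-side session data
    this.setClientCookies = true;         // let ColdFusion set the CFID/CFTOKEN cookies itself

    // Harden the token cookie: unreadable by client-side script, sent over HTTPS only.
    this.sessionCookie = {
        httpOnly = true,
        secure   = true
    };

    public boolean function onRequestStart(required string targetPage) {
        // Redirect without appending CFID/CFTOKEN to the URL. Tokens carried in URLs
        // end up in server logs, referrer headers and browser history, which is the
        // riskier "get (aka URL) variables" option the answer mentions.
        if ( !structKeyExists(session, "userId") && arguments.targetPage neq "/login.cfm" ) {
            location(url = "/login.cfm", addToken = false);
        }
        return true;
    }
}
```

Switching from CFID/CFTOKEN to the JSESSIONID memory cookie is not done in `Application.cfc`; it is the "Use J2EE session variables" option under Memory Variables in the ColdFusion Administrator, and the settings above apply either way.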
Ahhh thank you very much!
ColdFusion does provide options for launching pretty darned good "automatic defenses" against many forms of attacks, including the so-called "cross-side scripting" attack (where a session-variable is purloined). You would do well to carefully read the docs chapters on this and, if you are deploying a public-facing application, follow them quite religiously.