Yes, that is one way to track session tokens, of which CFTOKEN is one. But I can think of a more convenient way.
Enable application and session variables in the ColdFusion Administrator. If you're using Application.cfm, apply something like
<cfapplication applicationTimeout="#createTimespan(1,0,0,0)#" sessionTimeout="#createTimespan(0,0,20,0)#" sessionManagement="yes" loginStorage="session">
If using Application.cfc, apply
Then, if you use <cflogin> and <cfloginuser> to log the user in, ColdFusion will automatically maintain the user's CFID and CFToken as the user navigates from page to page, until the user logs out or until his session expires.
The site is not using <cflogin> and <cfloginuser>.
How then does the site log the user in?
Do you have session management enabled? If so, the CFToken is in the user's session and is already being tracked. The CFID and CFToken cookies are already passed on each request.
If you don't have session management enabled, why not?
Passing tokens on every request is a GINORMOUS PITA. You don't want to have to do that.
Passing tokens on every request is a GINORMOUS PITA.
Let alone tying the tokens with authentication.
I think it sounds like he wants a new session for each browser/tab etc.
In my personal opinion, that is madness.
Agree, I've only ever seen real justification for this once, in my entire career.