I know that cfid and cftoken are things that cannot be trusted coming back from the client. Is sessionid stored serverside? Or is that to manipulated-able by the client?
I am curious because in my journey into websockets, I see that the session scope has the sessionid in it. I just do not know how safe this is. Can I use it to verify a client on the server?