Lucee Session Cookie

Hi Rolf,

I’m not a security expert. The example I gave just shows a way to create those cookies with the expiration value of the session. You can set those cookies in your application however it’s needed and adapt it to your requirements.

I personally like to use session rotation a lot, and I want any possible change made in my CFML code with cfcookie to have an immediate effect on any subsequent request. If not, the cookie will stay preserved in the browser with an old setting as long as the session doesn’t expire. However, you can handle it the way you like or need, e.g. create it only when the user is going to log in, or when no cookies are present in the request headers. You can move the logic as you like according to your needs. E.g. I have one app that creates those session cookies just when they are needed.