Session leakage discovered in Lucee 6.2.1.122

This is exactly why you should never use session identifiers in any URL. It's very likely to be exposed to session fixation. Just imagine a logged-in user sharing a link with those identifiers to social media or messaging applications… it will just repost a link to his account. Using those in URL variables is a very old (formerly unknown bad) practice in web app history. That is why the Lucee team decided to finally make some breaking changes to this old default behaviour in CFML (see Lucee 6, changing some old defaults to be secure by default).
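A way to check whether an application still hands out session identifiers in URLs, added here as an example that is not part of the original post: scan the web server access log for requests and referrers that carry them. The parameter names (`CFID`, `CFTOKEN`, `jsessionid`), the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed names (not from the post): CFML's URL tokens and the servlet jsessionid.
SESSION_PARAMS = {"cfid", "cftoken", "jsessionid"}

# Combined log format: "METHOD target PROTO" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def session_params_in(url):
    """Return the sorted, lower-cased session parameter names found in a URL."""
    parts = urlsplit(url)
    found = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() in SESSION_PARAMS}
    # Servlet containers also accept ";jsessionid=..." as a path parameter.
    for seg in parts.path.split(";")[1:]:
        name = seg.split("=", 1)[0].lower()
        if name in SESSION_PARAMS:
            found.add(name)
    return sorted(found)

def scan(lines):
    """Yield (line_number, field, names) for each log field exposing a session id."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if not m:
            continue  # not a combined-format line
        for field in ("target", "referer"):
            names = session_params_in(m.group(field))
            if names:
                findings.append((n, field, names))
    return findings

# Constructed sample log lines (documentation IP range, example host).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /account/index.cfm?CFID=1234&CFTOKEN=abcd HTTP/1.1" 200 512 "-" "UA"',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /img/logo.png HTTP/1.1" 200 2048 "https://app.example/account/index.cfm?cfid=1234&cftoken=abcd" "UA"',
    '203.0.113.7 - - [01/Jan/2025:10:01:00 +0000] "GET /shop/cart.cfm;jsessionid=DEADBEEF?item=3 HTTP/1.1" 200 100 "-" "UA"',
    '203.0.113.7 - - [01/Jan/2025:10:01:05 +0000] "GET /shop/cart.cfm?item=3 HTTP/1.1" 200 100 "-" "UA"',
]

if __name__ == "__main__":
    for line_no, field, names in scan(SAMPLE_LOG):
        print(f"line {line_no}: {field} carries {', '.join(names)}")
```

A hit in the `referer` field means a page with the identifier in its address triggered a further request, and the same URL is what a browser would pass along to other sites it loads resources from.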