I'm using CF10 and "Use J2EE session variables" is selected in the CF admin.
When I visit an application, I get the JSESSIONID cookie, but I also get the CFID and CFTOKEN persistent cookies. The app I'm working with is older and uses Application.cfm instead of Application.cfc, but the clientmanagement and setclientcookies application attributes are set to false.
I'm not sure why CFID and CFTOKEN are still set. Are they set regardless of the client and session management settings?