Here is a question I received via e-mail over the weekend, and my response. I thought it was worth sharing.
What does the “Use J2EE session variables” ColdFusion Administrator option do, and should I use it? And if I should use it, why is that option not checked by default?
There are two ways that session data can be managed in ColdFusion MX, via ColdFusion, or via the underlying J2EE server. Regardless of which mechanism is used, session variables are created and accessed using the SESSION prefix. The difference between the two options manifests itself in two ways. 1) ColdFusion sessions are identified using a CFID and a CFTOKEN, whereas J2EE managed sessions are identified using a jsessionid. 2) The real difference is that ColdFusion managed sessions are only accessible by ColdFusion, whereas J2EE managed sessions may be shared between ColdFusion and other Java code (JSPs, Servlets, etc.). There is no reason whatsoever not to use J2EE session variables, and there is significant benefit in using them. The only reason that the checkbox is not enabled by default is because of backwards compatibility. Ideally no CFML code should be referring to CFID and CFTOKEN explicitly, but if any code did then that code would break if J2EE session variables are used (as CFID and CFTOKEN are not generated when using J2EE session variables). If your code (or any code on the server, it is a server-wide setting) does not ever refer to CFID and CFTOKEN then you can safely turn on that option. On any new development on new boxes I’d definitely check the “Use J2EE session variables” checkbox.