I recently upgraded one of my ColdFusion 9 servers to the new Cumulative Hotfix 1 for 9.0.1, and it started causing my applications to have their session tokens reset on each refresh. This was driving me crazy because every time I tried to log in to a protected area it would just return without giving me any errors (as I was using the session scope to pass back error messages as well).
I started playing with a couple of settings, and one of them was turning on Use J2EE session variables. This did fix the issue, but I was not satisfied with it, because the session tokens should remain the same even if I decide not to use jsessionid.
My Application.cfc had this.setClientCookies set to false; once I removed it, the application worked again, but I was still not satisfied. Then I came across this post from Pete Freitag on Setting up HTTPOnly Session Cookies for ColdFusion. As per his post, CF 9.0.1 added support for this via a Java system property, coldfusion.sessioncookie.httponly, which you can set by editing jvm.config and adding -Dcoldfusion.sessioncookie.httponly=true or, if you are running Standalone, by adding it in the ColdFusion Administrator.
Once I did this it worked, so my conclusion was that if you are not setting client cookies in your Application, then CF was not setting these HttpOnly tokens by itself, causing each refresh to act as a new connection. Hopefully this helps someone as it did me after beating my head against a wall.
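A quick way to confirm what the server is really doing, rather than guessing from application behaviour, is to capture the response headers of two consecutive requests and look at the CFID/CFTOKEN cookies: are they marked HttpOnly, and does the second response hand out different values than the first (the "reset on every refresh" symptom)? The script below is an added example and is not from the original post or from Pete Freitag's; the curl commands at the top show how to capture real headers (the hostname is a placeholder), and the header dumps embedded in the script are constructed samples of a broken and a fixed server, not real output.

```shell
#!/bin/sh
# Added example (not from the original post): check what a ColdFusion server
# is sending for its CFID/CFTOKEN session cookies. To capture real headers,
# make two consecutive requests that share a cookie jar (hostname is a placeholder):
#
#   curl -s -c jar.txt -b jar.txt -D headers1.txt -o /dev/null http://cfserver.example/
#   curl -s -c jar.txt -b jar.txt -D headers2.txt -o /dev/null http://cfserver.example/
#
# and run the checks below on headers1.txt and headers2.txt.

# Print the "NAME=value" pair for cookie NAME from a header dump (first match only).
cookie_value() {  # $1 = cookie name, $2 = header dump file
  tr -d '\r' < "$2" | grep -i "^Set-Cookie: *$1=" | head -n 1 \
    | sed -e 's/^[^:]*: *//' -e 's/;.*$//'
}

# Succeed (exit 0) if cookie NAME is set with the HttpOnly attribute.
cookie_httponly() {  # $1 = cookie name, $2 = header dump file
  tr -d '\r' < "$2" | grep -i "^Set-Cookie: *$1=" | head -n 1 \
    | grep -qi ';[[:space:]]*httponly'
}

# Succeed if the second response issues a *different* CFID or CFTOKEN than the
# first, i.e. the session was reset between the two requests. A second response
# that sets no session cookie at all means the server accepted the cookies sent
# back from the jar, so that does not count as a reset.
session_reset() {  # $1 = first header dump, $2 = second header dump
  for name in CFID CFTOKEN; do
    first=$(cookie_value "$name" "$1")
    second=$(cookie_value "$name" "$2")
    if [ -n "$second" ] && [ "$first" != "$second" ]; then
      return 0
    fi
  done
  return 1
}

# Constructed sample captures (not real server output).
# "Broken" server: fresh CFID/CFTOKEN without HttpOnly on every response.
BROKEN1=$(mktemp); BROKEN2=$(mktemp)
printf 'HTTP/1.1 200 OK\r\nSet-Cookie: CFID=1001;path=/\r\nSet-Cookie: CFTOKEN=11111111;path=/\r\n\r\n' > "$BROKEN1"
printf 'HTTP/1.1 200 OK\r\nSet-Cookie: CFID=1002;path=/\r\nSet-Cookie: CFTOKEN=22222222;path=/\r\n\r\n' > "$BROKEN2"
# "Fixed" server: HttpOnly cookies, and the second response repeats the same values.
FIXED1=$(mktemp); FIXED2=$(mktemp)
printf 'HTTP/1.1 200 OK\r\nSet-Cookie: CFID=2001;path=/;HttpOnly\r\nSet-Cookie: CFTOKEN=33333333;path=/;HttpOnly\r\n\r\n' > "$FIXED1"
printf 'HTTP/1.1 200 OK\r\nSet-Cookie: CFID=2001;path=/;HttpOnly\r\nSet-Cookie: CFTOKEN=33333333;path=/;HttpOnly\r\n\r\n' > "$FIXED2"

# Human-readable summary for a pair of consecutive responses.
report() {  # $1, $2 = header dumps from two consecutive requests
  for name in CFID CFTOKEN; do
    if cookie_httponly "$name" "$1"; then flag=HttpOnly; else flag="NOT HttpOnly"; fi
    printf '%s: %s (%s)\n' "$name" "$(cookie_value "$name" "$1")" "$flag"
  done
  if session_reset "$1" "$2"; then
    echo "session RESET between requests"
  else
    echo "session stable"
  fi
}

echo "--- broken server ---"; report "$BROKEN1" "$BROKEN2"
echo "--- fixed server ---";  report "$FIXED1" "$FIXED2"
```

On a real server, run the two curl commands and then `report headers1.txt headers2.txt`; a healthy 9.0.1 server with the JVM property in place should show both cookies as HttpOnly and "session stable", while the symptom described above shows up as "session RESET between requests".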