by default session management relies on j2ee session management, which uses jrunsessionid as the session cookie. It is a session cookie, when user close the browser, the cookie goes away, therefore the session is terminated right there.
If Application has client management turned off and session management is turned on using J2EE sessions you may not have CFID and CFToken variables.