To elaborate on what Andrew said...
In ACF yes it (still) does use the combination of cfid and cftoken for sessions, however as Andrew noted the fact that these are available in cookies (or if programmed poorly, the URL), SSL or not, doesn't make how ACF handles session cookies any more secure. Frankly, cfid could be removed from both engines as far as I'm concerned - it adds nothing to security and is only present in Lucee for ACF compatibility. That said, I believe Lucee still uses cftoken for session generation, it's just always zero.
More robust session management can be done using your own cookies in a hybrid way with cfid - your cookie maintains the authorization state while cfid maintain the session scope (and the authorization state uses the session scope. See:
http://cfdocs.org/security - scroll down to 'Code Security' and follow the links).
Just a couple observations/pointers about sessions and session management in CFML. HTH!
-- Denny