If data can be shared, it needs to be locked before it is used. This is especially true for SESSION and APPLICATION variables. If you do not lock these variables, you can run into trouble when two users or two pages attempt to use the same variable at the same time. Unlocked access can degrade performance on your server as well as crash it completely.
When you need to read one of these variables, you need to give it a "readonly" lock. This provides security but allows many people or pages to read the same variable at the same time. Examples of reading include using CFSET to set the session variable to another variable with a different scope, pulling a session ID into a database query, and even checking to see if a session IsDefined().
If you need to write to a session or in any other way manipulate its data, you need to give it an "exclusive" lock. Only one person or page can have access to the data at the time of the lock, providing total security. Examples include when you initially set a session, as well as when it is getting updated or deleted.
It sounds complicated but it's fairly easy to use. "readonly" locks can look like this:
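The following is an added example, not code from the original page: a readonly lock around a session read, then an exclusive lock around a session write. The variable names (`session.userID`, `session.pageViews`), the datasource `myDSN` and the `orders` table are assumptions made for illustration.

```cfml
<!--- Added example. session.userID, session.pageViews, myDSN and the
      orders table are hypothetical names, not from the original page. --->

<!--- READ: "readonly" lock. Many requests can hold it at the same time.
      Copy the shared value into a page-local variable inside the lock,
      then use the copy afterwards so the lock is held only briefly. --->
<cftry>
    <cflock scope="session" type="readonly" timeout="10" throwontimeout="yes">
        <cfif IsDefined("session.userID")>
            <cfset variables.userID = session.userID>
        <cfelse>
            <cfset variables.userID = 0>
        </cfif>
    </cflock>

    <cfcatch type="Lock">
        <!--- The lock was not obtained within 10 seconds. Fall back to a
              safe default instead of reading the session unlocked. --->
        <cfset variables.userID = 0>
    </cfcatch>
</cftry>

<!--- The query uses the local copy, so no lock is held while the
      database does its work. --->
<cfquery name="getOrders" datasource="myDSN">
    SELECT order_id, total
    FROM orders
    WHERE user_id = <cfqueryparam value="#variables.userID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- WRITE: "exclusive" lock. Only one request at a time gets in.
      The existence check, the read and the update all sit inside the
      same lock, so two simultaneous requests cannot both read the old
      count and lose one of the increments. --->
<cflock scope="session" type="exclusive" timeout="10" throwontimeout="yes">
    <cfif NOT IsDefined("session.pageViews")>
        <cfset session.pageViews = 0>
    </cfif>
    <cfset session.pageViews = session.pageViews + 1>
</cflock>
```

For APPLICATION variables the same pattern applies with `scope="application"`.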
You need to be careful with CFLOCK, and read the documentation fully before implementing. If you are using sessions or application variables now, adding good locks will show immediate and sometimes drastic improvements.