Because you were on a new server I suspect that you managed to get your cookies into a state where the didn't have values that made sense.
I'm not sure fixing the code is important anyway, because it appears to be doing something nonsensical. But a quick fix of the code would be to do this:
<cfif IsDefined("cfid")>
<cfcookie name="cfid" value="" expires="NOW">
<cfcookie name="cftoken" value="" expires="NOW">
</cfif>
It's still only testing for cfid
but it's not setting the values of the cookies. The values don't matter because the code is expiring the cookies.
The reason I said the code was nonsensical is because the Cookie
scope is part of the scope evaluation order. So what the code as a whole is doing is saying "if cookies exist, remove them and then set new cookies with new values." So users will get a fresh session on every page refresh. That is the same as not having any session management in the first place. So you might as well set sessionmanagement="false"
and remove both cookie blocks of code.
It's possible, tho unlikely, that this code came about because someone wanted to provide a little bit of extra security by not allowing the session to be changed via URL/form variables, thus limiting session hijacking. However the way that it was implemented doesn't solve that issue either.