While investigating ColdFusion server stability issues I have recently discovered what I would consider a bug and a security issue with client variables.
As I am sure you know client variables can be stored in cookies, the registry or a database. The default storage method is the registry, but this is not suitable in many cases, especially on a shared server and should be changed. In such an environment you want to disable use of the registry and you do this with a security sandbox and deny use of the CFRegistry tag. This also means that trying to set client variables to be stored in the registry in the application.cfm would also fail with an access denied error,
E.G.
<cfapplication clientstorage="registry">
However, as I have now discovered this does not apply to application.cfc, which is still able to override the admin settings and the sandbox and is able to use the registry.
e.g.
<cfcomponent name="application.cfc">
<cfset this.clientStorage = "registry">
</cfcomponent>
I have tested and verified this on CF6,7 and 8 and the caveat of this is that if customers set this attribute in their application.cfc then the registry will be used and can easily fill up with client variables which can make the server unstable. Sadly it seems that some developers enable client variables and set the clientStorage=registry even if they are not using client variables, which results in a pointless waste of system memory and resources.
Currently the only way to avoid this problem is to deny access to the user under which ColdFusion runs to the registry key where client variables are stored, which is
/HKLM/software/Macromedia/ColdFusion/CurrentVersion/Clients
Feb 1, 2012 at 6:57 PM Russ you should file a bug report with adobe.