That <cflock> seems wrong. First, if you are using a fairly recent version (8, 9 or 10) I don't think it's even necessary. But if it is, the type "readonly" will actually negate the lock if you try to set session variables inside of the lock (as this codes does). Change the type to "exclusive" (or remove the type attribute as "exclusive" is the default). Then, on any other page where you read those session variables, you could wrap those calls in a <cflock type="readonly">. But I still think the whole locking thing is not necessary (unless you are running a really old version of ColdFusion, like CF6).
As far as the hidden form data or any other form data goes, none of that will survive a <cflocation>. You'd have to make sure any form data that you want to reuse across a <cflocation> is stored in a persistent scope like session or client. Are the session variables you show in the code above the ones you need to reuse? If so, you can use my previous commend about how I reuse form variables, but substitute the references to "form.variablename" with "session.variablename".
-Carl V.
