I had an issue about a month ago with using cflogin on a site where the special cflogin structure was outliving the session. After the session died, I wanted the user to be logged out so they could go back to the login screen and re-establish the session.
The answer seemed to be to set the loginstorage attribute of the cfapplication tag to "session". That way whenever the session timed out, the authentication credentials would be gone as well. It seemed to work great.
Except for one thing: because I'm using J2EE sessions, the thought goes that after the last browser is closed, the current session is destroyed. That works as expected. The problem arises in that unless a cflogout was executed before closing the last browser, it seems like the authentication credentials survive.
The next time the user opens the application, the special cflogin structure is not detected, so the application throws the login screen (as expected). But, when the user authenticates, it appears to authenticate the user without executing any code inside the cflogin block. Very strange.
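For reference, here is the configuration and login flow the post is describing, as an added example rather than the author's own code: an Application.cfc that binds cflogin credentials to the session scope, and a page that only authenticates inside the cflogin body and calls cflogout explicitly on logout. The application name, timeout, and the hard-coded "demo" credential check are placeholders.

```cfml
<!--- Application.cfc (added example, not from the original post) --->
<cfcomponent>
    <cfset this.name = "loginStorageDemo">         <!--- placeholder name --->
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
    <!--- Store the cflogin credentials in the session scope, so they
          should expire together with the session instead of persisting. --->
    <cfset this.loginStorage = "session">
</cfcomponent>

<!--- index.cfm (added example) --->
<!--- Explicit logout: this is the step whose absence the post describes.
      cflogout clears the cflogin credentials for the current request/session. --->
<cfif structKeyExists(url, "logout")>
    <cflogout>
    <cflocation url="index.cfm" addtoken="false">
</cfif>

<cflogin>
    <!--- The cflogin body runs only when no authenticated user exists.
          ColdFusion builds the cflogin struct from j_username/j_password. --->
    <cfif isDefined("cflogin")>
        <!--- Placeholder check; a real site looks the user up in a
              credential store and compares a salted password hash. --->
        <cfif cflogin.name EQ "demo" AND cflogin.password EQ "demo">
            <cfloginuser name="#cflogin.name#"
                         password="#cflogin.password#"
                         roles="user">
        <cfelse>
            <p>Invalid credentials.</p>
            <cfinclude template="loginform.cfm">
            <cfabort>
        </cfif>
    <cfelse>
        <!--- No credentials posted yet: show the login form and stop. --->
        <cfinclude template="loginform.cfm">
        <cfabort>
    </cfif>
</cflogin>

<cfoutput>
    <p>Logged in as #getAuthUser()#.</p>
    <a href="index.cfm?logout=1">Log out</a>
</cfoutput>

<!--- loginform.cfm (added example): the field names j_username and
      j_password are what cflogin expects when populating its struct. --->
<form method="post" action="index.cfm">
    <input type="text" name="j_username">
    <input type="password" name="j_password">
    <input type="submit" value="Log in">
</form>
```

If the symptom from the post appears (the cflogin body is skipped yet getAuthUser() returns a name), logging getAuthUser() at the top of index.cfm on the first request after a session expiry is the quickest way to confirm that credentials outlived the session.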