After a user logs in, the ColdFusion user authorization and authentication information remains valid until any of the following happens:
cflogout tag to log out the user, usually in response to the user clicking a log-out link or button.
cflogin tag idleTimeout period.
Logging a user out by using the cflogout tag does not close the user's session, but if you use session login storage, it does remove the login information (the Session.cfauthorization variable) from the Session scope. For more information on ending sessions, see Ending a session.
Caution: If you use web server-based authentication or any form authentication that uses a Basic HTTP Authorization header, the browser continues to send the authentication information to your application until the user closes the browser, or in some cases, all open browser windows. As a result, after the user logs out and your application uses the cflogout tag, until the browser closes, the cflogin structure in the cflogin tag will contain the logged-out user's UserID and password. If a user logs out and does not close the browser, another user might access pages with the first user's login.