I have been fooling around a bit with cflogin for the past day and found an interesting note on it. In order for the cfauthorization to take effect, the cflogin take must be called on every request.

For example I was trying to do a login and implementing the cflogin on a cfc. When I returned to my template, my cfauthorization variable was set on session, but my isAuthUser() was returning blank.

After an hour of basically playing around, I returned the cflogin to the Application.cfc and wallah. The security functions return values. So that's a relief.

So if you want to implement a cflogin security, make sure you are calling the cflogin tag on every request, in order for the security variables to take effect.