I blogged about this way back in 04, but I had a client who ran into this yesterday and lost a good few days trying to debug.
Folks who read my blog know that CFLOGON is probably the only thing about ColdFusion that I do not like. I was a huge fan of it, and in fact, all of my applications still use it, but after being burned by it one too many times, I'm hoping to remove the use of it completely over time.
The client that contacted me couldn't understand why their application worked perfectly in testing, but when deployed to a live site, with web server security turned on, the application threw an error. Why did it do this?
ColdFusion's roles based security does not have a way to tell you if you are logged on. (Why?) The typical way of doing it is to check the result of getAuthUser(). If it is blank, you aren't logged in.
However, one of the features of ColdFusion's system is to automatically integrate with web server security. What would happen is that the user would hit the site, logon at the web server level, and getAuthUser() would return that username. Therefore, the site thought he was logged in when he really never did.
I've fixed this myself by simply using a session flag. But then you need to make sure you use the session based version of roles based security (which is not the default). Consider this a warning if you use roles based security.