Logout Doesn't Really End Session

[metaphiz]

Users get to the login form after clicking logout, but the session variables aren't really cleared/the session isn't really over.

Here's the way I set the session if they've entered a correct un/pw:

<!--- Remember user's logged-in status, plus --->
<!--- ContactID and First Name, in structure --->
<CFSET SESSION.Auth = StructNew()>
<CFSET SESSION.Auth.IsLoggedIn = "Yes">
<CFSET SESSION.Auth.UserName = FORM.UserLogin>
<CFSET SESSION.Auth.Password = FORM.UserPassword>

<!--- Now that user is logged in, send them --->
<!--- to whatever page makes sense to start --->
<CFLOCATION URL="index.cfm?bg=2">

A URL variable (LogoutNow) activates the StructClear to delete session variables, but users can still access the pages if they type in the URL. Here's the code I'm using in application.cfm to delete the session:

<cfif ParameterExists(LogoutNow)>
<cfif ParameterExists(SESSION.Auth.IsLoggedIn)>
<cfset StructClear(SESSION.Auth.IsLoggedIn)>
<cfset StructClear(SESSION.Auth.UserName)>
<cfset StructClear(SESSION.Auth.Password)>
</cfif>
<cfelse>
<cfapplication name="SMFKPay5" SESSIONMANAGEMENT="Yes" sessiontimeout="#CreateTimeSpan(0,0,30,0)#">
</cfif>

What am I doing wrong? Why doesn't the session really end?

 

[FALCONSEYE]

first, can you just do ?

<cfif isDefined('URL.LogoutNow')>
   <cfset StructClear(SESSION.Auth)>
<cfelse>
...
</cfif>

second, insert a cfdump on top of a page that they are not supposed to view:

 <cfdump var="#session#">

what do you see?

ColdFusion Ninja for hire.