In Application.cfm I have (this is only securing one folder, not the main root directory)

<cfapplication name="XYZOFFICE" sessionmanagement="yes">

and some "isDefined(session.auth.isloggedin)" security setups (based on Ben Forta's book).

This works great, but I want to add a logout page that would clear the session variables....

in the book it says to add a logout page with:
<CFAPPLICATION name="XYZFFICE" sessionmanagement="yes" sessiontimeout="#createtimespan(0,0,0,0)#">
<cflocation url="../XYZOFFICETEST.cfm"> <---take out of secured section--->

After I log out...and go back into the secured section...it bypasses and pulls up the session variables, meaning it didn't clear them. Any thoughts?

Thanks in advance.
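
A logout page that clears the login state directly, as an added example that is not part of the original post or the book it cites. It assumes the login flag lives in session.auth (as the isDefined check in the post suggests) and that the page joins the same application name as Application.cfm, since a cfapplication tag with a different name addresses a different session scope; the file name logout.cfm is hypothetical.

```cfml
<!--- logout.cfm (hypothetical file name; added example, not the book's code) --->

<!--- Join the SAME application as the secured folder. The name must match
      Application.cfm exactly; any other name gives this page its own,
      separate session scope and leaves the real one untouched. --->
<cfapplication name="XYZOFFICE" sessionmanagement="yes">

<!--- Remove the login state that Application.cfm tests with isDefined().
      The exclusive lock keeps a concurrent request from reading
      session.auth while it is being deleted. --->
<cflock scope="session" type="exclusive" timeout="10">
    <cfset StructDelete(session, "auth")>
</cflock>

<!--- Fail loudly if the flag survived, instead of redirecting a user
      who is still logged in. --->
<cfif isDefined("session.auth.isloggedin")>
    <cfthrow message="Logout failed: session.auth is still defined.">
</cfif>

<!--- Leave the secured section. addtoken="no" keeps CFID/CFTOKEN
      out of the redirect URL. --->
<cflocation url="../XYZOFFICETEST.cfm" addtoken="no">
```

To confirm the logout took effect, request a page in the secured folder afterwards: the isDefined check in Application.cfm should now fail and send the browser to the login form.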