Those of you who use CFLOGIN should check out this TechNote. The long story short is - unfortunately - using session based cflogin is not safe. This is really, really unfortunate as the ability to tie cflogin to the session scope was one of the really nice things in 6.1. I'm very sad to this, but at the same time, I'm happy Macromedia posted about it as it is a security risk folks should know about. The next release of BlogCFC will revert back to using cookie-based cflogin.