B and E. To secure complete applications, the login code must be executed on each request, so it should be placed in an Application. file.
A and C. Users are logged out when a time-out occurs or when the browser closes (or when <cflogout> is invoked).
B. 401 triggers the display of a login form.