In the example app, you have the destroy method in the user_sessions controller. However, this method does not delete the cookie set if the user clicks "Remember me".
Therefore the user could click a logout link and think they're safely out of the application. Meanwhile, someone else could come along and get right back into the secure areas of the application and view the first user's data.
Never mind, had an old version of authlogic and was following the example too literally. You might want to update the example config/environment.rb to specify the newer version of authlogic.
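The failure mode reported above, as an added example that is not taken from the authlogic example app or from authlogic itself: a framework-free model of a logout that clears only the session next to one that also deletes the "Remember me" cookie and rotates the server-side token. `ToyApp`, `User`, the cookie name `remember_token` and the method names are hypothetical, and the user record is constructed sample data.

```ruby
require "securerandom"

# Constructed stand-in for a user record holding a persistent "remember me" token.
User = Struct.new(:login, :persistence_token)

class ToyApp
  def initialize(user)
    @user = user
  end

  # Login sets the session, plus a long-lived cookie when "Remember me" is ticked.
  def login(browser, remember_me:)
    browser[:session][:user] = @user.login
    browser[:cookies]["remember_token"] = @user.persistence_token if remember_me
  end

  # Logout as described in the report: only the session is cleared.
  def logout_session_only(browser)
    browser[:session].clear
  end

  # Hardened logout: also delete the cookie and rotate the server-side token,
  # so a copy of the old cookie value stops working too.
  def logout_full(browser)
    browser[:session].clear
    browser[:cookies].delete("remember_token")
    @user.persistence_token = SecureRandom.hex(32)
  end

  # Next request: use the session if present, else fall back to the cookie.
  # (Toy comparison; a real app should compare tokens in constant time.)
  def current_user(browser)
    return @user if browser[:session][:user] == @user.login
    return nil unless browser[:cookies]["remember_token"] == @user.persistence_token
    browser[:session][:user] = @user.login
    @user
  end
end

# True if the same browser is still authenticated on the request after logout.
def authenticated_after_logout?(logout_method, remember_me: true)
  app = ToyApp.new(User.new("alice", SecureRandom.hex(32)))
  browser = { session: {}, cookies: {} }
  app.login(browser, remember_me: remember_me)
  app.public_send(logout_method, browser)
  !app.current_user(browser).nil?
end

puts authenticated_after_logout?(:logout_session_only) # cookie survives logout
puts authenticated_after_logout?(:logout_full)
```

The same check, written against a real application as an integration test (log in with "Remember me", log out, request a protected page), catches a regression of this kind after a library upgrade or downgrade.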