My guess is you have a caching issue, not a auth issue. If you hit refresh on foo.cfm, I'd bet it asks for a password.
Similarly if you check the apache logs, either no request is sent, or it sends back a 304 instead of a 200. (please verify)
You can eliminate such things in Apache by sending pragma no-cache headers, or deal with it in coldfusion:
<cffunction name="expirePage" access="public" output="false" returntype="void">
<cfif Not StructKeyExists(Request, "PageExpired") or not Request.PageExpired>
<cfheader name="Pragma" value="no-cache" />
<cfheader name="Cache-Control" value="no-cache, must-revalidate" />
<cfheader name="Last-Modified" value="#rfc822DateTimeString(now())#" />
<cfheader name="Expires" value="Mon, 26 Jul 1997 05:00:00 GMT" />
<cfset Request.PageExpired = true />
</cfif>
</cffunction>
<cffunction name="rfc822DateTimeString" access="public" returntype="string" output="no">
<cfargument name="dateTime" required="yes" />
<cfset var gmtTime = '' />
<cfif not IsNumericDate(arguments.dateTime)>
<cfreturn "" />
</cfif>
<cfset gmtTime = DateConvert("local2utc", arguments.dateTime) />
<cfreturn "#DateFormat(gmtTime, 'ddd, dd mmm yyyy')# #TimeFormat(gmtTime, 'HH:mm:ss')# GMT" />
</cffunction>
Of course doing it in coldfusion only protects your cfms. :) But that's where the data requiring auth is most likely to be anyway.
-G