I think that net.sf.acegisecurity.providers.ConcurrentSessionCo ntrollerImpl is broken. It should implement interface org.springframework.context.ApplicationListener to properly receive events. But it doesn't, and that couses this implementation not to react on HttpSessionDestroyedEvent which is published by HttpSessionEventPublisher.
Efect is that users can only login once in an application lifetime. I've managed to solve the problem by extending ConcurrentSessionControllerImpl and just adding that ApplicationListener to the 'implements' section.
My enviroment is: springframework-1.1.5, acegi-security-0.8 and jboss4.0.1.