Dears,

I've a webapp with spring security 3.1 and CAS as authentication service. For a test, the session timeout of the webapp is 30minutes and the validity of a cas session is 2h.

If I don't configure session-management, when the webapp session expires, I click on a link that leads to a protected resource, (1) it authenticates me automatically and then redirects to homepage. Normal. But then if I click on a link to a protected resource again, it does (1). So I'm stuck ...

Now with session management, concurrent-session set to 1 and the expired-url set to "/j_spring_cas_security_logout" and the url to cas logout is set to "casServerUrl/cas/logout?service=mywebapp/j_spring_security_logout" (the success logout url is /).
When the session expires, it enters into an infinite loop /j_spring_cas_security_logout -> casServerUrl/cas/logout?service=mywebapp/j_spring_security_logout -> / -> /j_spring_cas_security_logout -> casServerUrl/cas/logout?service=mywebapp/j_spring_security_logout -> / -> ...

The problem here is when it arrives at /. It redirects again to the expired-url...

It's really strange and I don't know why it behaves like that.

If anyone has an idea and can explain me the flow, it would be be really appreciated.

Thanks.