This is not an issue with CAS itself, but more of a UX problem. When our users log out of the application, we issue a redirect back to the main page, which in turn redirects them to the CAS login page. If the user leaves their screen for a period of time longer than the Tomcat session timeout, when they come back and enter their user/pass they just get a redirect back to the login page without an error message. It is pretty simple to replicate if I just go to the login page and clear my cookies:

2010-12-09 09:24:25,628 [] [] [http-8080-11] DEBUG org.springframework.web.servlet.DispatcherServlet.doService():693 - DispatcherServlet with name 'hub-cas' processing POST request for [/cas/login]
2010-12-09 09:24:25,630 [] [] [http-8080-11] DEBUG org.springframework.webflow.mvc.servlet.FlowHandlerMapping.getHandlerInternal():108 - Mapping request with URI '/cas/login' to flow with id 'login'
2010-12-09 09:24:25,631 [] [] [http-8080-11] DEBUG org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution():161 - Resuming flow execution with key 'e1s3
2010-12-09 09:24:25,633 [] [] [http-8080-11] DEBUG org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.defaultHandleException():297 - Restarting a new execution of previously ended flow 'login'
2010-12-09 09:24:25,634 [] [] [http-8080-11] DEBUG org.springframework.web.servlet.DispatcherServlet.doDispatch():824 - Null ModelAndView returned to DispatcherServlet with name 'cas': assuming HandlerAdapter completed request handling
2010-12-09 09:24:25,635 [] [] [http-8080-11] DEBUG org.springframework.web.servlet.DispatcherServlet.processRequest():674 - Successfully completed request
2010-12-09 09:24:26,049 [] [] [http-8080-11] DEBUG org.springframework.web.servlet.DispatcherServlet.doService():693 - DispatcherServlet with name 'hub-cas' processing GET request for [/cas/login]

As you can see, the flow has been considered "ended" since I cleared my session by clearing my cookies.

One thing I've done in the past is use a Filter to detect expired sessions and give the user a nice warning. However, for the user this is not intuitive because they are on the login page -- it seems odd for them to punch in a username and password and get an error about an expired session. Ideally, it would be nice if the flow was created automatically when the user POSTs on the login page.

It's been a few users since I did anything with Webflow, so I would appreciate it if anyone else has dealt with this or has thoughts. Thanks.
-- View this message in context: http://jasig.275507.n4.nabble.com/User-experience-for-expired-flows-tp3079618p3079618.html
Sent from the CAS Users mailing list archive at Nabble.com.
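
The Filter approach mentioned in the message above, as an added example that is not part of the original post and is not CAS code: a servlet filter, mapped to the login URL in web.xml, that detects a login POST whose servlet session no longer exists and redirects to a fresh login page with a notice flag, so the submitted credentials are dropped rather than replayed or echoed. The class name, the `execution` form-field name and the `sessionExpired` flag are assumptions; adjust the field name to whatever the deployed login form uses for the flow execution key.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical class): flags a login POST whose session is gone.
public class ExpiredLoginSessionFilter implements Filter {
    // Assumption: form field that carries the Web Flow execution key (e.g. "e1s3").
    private static final String FLOW_KEY_PARAM = "execution";
    // Hypothetical flag the login view can test to render a "please sign in again" notice.
    private static final String NOTICE_FLAG = "sessionExpired";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isStaleLoginPost(request)) {
            // Start over with a GET. Only the flag and the service URL are carried
            // forward; the username and password from the POST body are discarded.
            StringBuilder target = new StringBuilder(request.getRequestURI());
            target.append('?').append(NOTICE_FLAG).append("=true");
            String service = request.getParameter("service");
            if (service != null) {
                target.append("&service=").append(URLEncoder.encode(service, "UTF-8"));
            }
            response.sendRedirect(target.toString());
            return;
        }
        chain.doFilter(req, res);
    }

    // A POST that names a flow execution but arrives without a live session:
    // either no session id was sent (cookies cleared) or the id has timed out.
    static boolean isStaleLoginPost(HttpServletRequest request) {
        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            return false;
        }
        if (request.getParameter(FLOW_KEY_PARAM) == null) {
            return false;
        }
        return request.getRequestedSessionId() == null
                || !request.isRequestedSessionIdValid();
    }
}
```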
