
How does CAS handle session timeout?

My understanding about CAS:

There is 1 CAS server and 2 CAS clients.

Client1 logs in successfully through CAS. The user works on client1, so client1's session is refreshed by user action. But the CAS server session times out. The user tries to access client2; when it checks CAS, it finds the session has timed out, so the user needs to log in again, but client1 is already logged in.

It does not make sense; please correct me if I am wrong.


CAS uses "services" to differentiate the websites. Within CAS there would be a "client1" service and a "client2" service, each with their own TicketGrantingTicket. The session timeout is controlled through the CAS server's ticket expiration policy for TGTs, described here:

https://wiki.jasig.org/display/CASUM/Ticket+Expiration+Policy

In this way, each of the servers would have their own timeout. So when I go to client1 and click a link, this would have no effect on the session timeout for client2.

If you wanted the two websites to affect their timeouts, you'll need to make them use the same service and investigate the use of Proxy Granting tickets:

https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough


The reason Client1 might still be logged in is because you are not handling the logout post that CAS sends out when it expires a user's TicketGrantingTicket.

When a logout event happens in CAS, it sends a logout post to all its registered services. Client1 needs to handle this by looking at the request. If by chance you are using PHP you need to take a look at $_REQUEST for a logout message.

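As an added example (not part of the original answers, and not code from CAS or any CAS client library), here is a Python sketch of what handling that logout post involves on the client side. Per the CAS protocol, the server posts a `logoutRequest` form parameter containing a SAML LogoutRequest whose SessionIndex is the service ticket issued at login; `SessionStore`, its methods, `MAX_BODY` and the sample values are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_BODY = 8192  # assumed cap; a logout message is a few hundred bytes

# Constructed sample of the form body the CAS server POSTs to the service URL.
SAMPLE_BODY = urlencode({"logoutRequest": (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="LR-constructed" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-1-constructed</samlp:SessionIndex>'
    '</samlp:LogoutRequest>')})

class SessionStore:
    """Hypothetical in-memory store mapping service tickets to local sessions."""
    def __init__(self):
        self.sessions = {}   # local session id -> session data
        self.by_ticket = {}  # CAS service ticket -> local session id

    def login(self, session_id, service_ticket, user):
        # Call after the service ticket has been validated with the CAS server.
        self.sessions[session_id] = {"user": user}
        self.by_ticket[service_ticket] = session_id

    def logout_ticket(self, service_ticket):
        session_id = self.by_ticket.pop(service_ticket, None)
        return self.sessions.pop(session_id, None) is not None

def extract_session_index(form_body):
    """Return the service ticket named in a logout POST body, or None."""
    if len(form_body) > MAX_BODY:
        return None
    xml_doc = parse_qs(form_body).get("logoutRequest", [""])[0]
    # The POST is untrusted input: refuse DTDs and entity declarations outright.
    if not xml_doc or "<!DOCTYPE" in xml_doc or "<!ENTITY" in xml_doc:
        return None
    try:
        root = ET.fromstring(xml_doc)
    except ET.ParseError:
        return None
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return None
    ticket = (root.findtext(f"{{{SAMLP}}}SessionIndex") or "").strip()
    return ticket or None

def handle_post(store, form_body):
    """End the local session a logout POST refers to; True if one was ended."""
    ticket = extract_session_index(form_body)
    return ticket is not None and store.logout_ticket(ticket)
```

The client only ends the session if it recorded the service ticket at login, which is why the store keeps a ticket-to-session index alongside the sessions themselves.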
