Forum OpenACS Q&A: Re: How to expire session on the server side?

Posted by Nima Mazloumi on
Emma: There is a single sign-out solution. Please take a look at the auth-cas package. It has support for CAS 1.0 and 2.0 and yes, it is implemented as an authentication driver.

Dave: "Have you fully analyzed the cookie validation process to be sure there is no way to make it work with the already existing code?" Yes I have. But I will take another look just to make sure.

Dave: "One question on logging out users is whether they can be logged in to two computers and what happens if they log out on one of them." This is not supported in CAS. CAS is based on cookies. Thus it won't even work if you have two different browsers on a computer. CAS is only meant for the scenario where you are working on one computer with one browser but several systems and you want to make sure that once you log in you log into all those systems and once you log out you are logged out from all of them. Support for cross-browser and cross-computer scenarios goes beyond that specification.

Stefan: "What happens if the session times out just at the moment the reconnect happens? Or, in the meantime, till the session is invalidated, she will appear as a registered user though a third system induced her immediate log-out." CAS only works correctly if all systems have the same session lifetime. So it really doesn't matter if you cannot perform the reconnect because your session times out, because it times out for all systems. Your second example can never happen: if a user logs into system 1 via CAS and then logs out via CAS, CAS will request system 1 to log out the user the next time he accesses system 1. Now if the user logs in to system 2 via CAS first and goes back to system 1, he is logged out but forwarded immediately to CAS. Since the user has a fresh ticket he is redirected back to system 1 and logged in again. Thus the user is never logged out from system 2.

Again: cross-browser and cross-computer login and logout are beyond CAS.

The one important thing is that during a logout CAS notifies all third systems to log out the user. If we have a cookie-based system this won't work on its own, because the browser cookie of the user is not invalidated by the system when CAS notifies the system on the server side. Therefore you have to make sure you invalidate the user's cookies on the next request.
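The "invalidate on the next request" pattern from the last paragraph, as an added example that is not part of the post or of the auth-cas package: a minimal cookie-based session store that records the server-side logout notification from CAS and expires the browser cookie the next time it shows up. The class and method names, and the assumption that the notification identifies the session by the service ticket it was created from, are illustrative.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class SessionStore:
    """Hypothetical server-side session store for a CAS-protected system."""

    # cookie value -> service ticket the session was created from
    sessions: Dict[str, str] = field(default_factory=dict)
    # tickets CAS reported as logged out but not yet seen in a browser request
    revoked_tickets: Set[str] = field(default_factory=set)

    def login(self, cookie: str, ticket: str) -> None:
        """Create a session once the CAS ticket has been validated (validation omitted)."""
        self.sessions[cookie] = ticket

    def cas_logout_notification(self, ticket: str) -> None:
        """Back-channel call from the CAS server: the browser is not involved,
        so the cookie it holds is still valid from the browser's point of view."""
        self.revoked_tickets.add(ticket)

    def handle_request(self, cookie: Optional[str]) -> Tuple[str, Dict[str, str]]:
        """Return (auth state, extra response headers) for a request carrying `cookie`."""
        ticket = self.sessions.get(cookie) if cookie else None
        if ticket is None:
            return "anonymous", {}
        if ticket in self.revoked_tickets:
            # First request after the CAS logout: drop the server session
            # and tell the browser to discard the cookie.
            del self.sessions[cookie]
            self.revoked_tickets.discard(ticket)
            return "logged_out", {"Set-Cookie": "session=; Max-Age=0"}
        return "authenticated", {}


if __name__ == "__main__":
    store = SessionStore()
    store.login("c1", "ST-1")          # constructed cookie and ticket values
    print(store.handle_request("c1"))  # authenticated
    store.cas_logout_notification("ST-1")
    print(store.handle_request("c1"))  # logged_out, cookie expired
    print(store.handle_request("c1"))  # anonymous
```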