It is posible to invalidate all sessions for a given user identity or an username, meaning user identity as a ticket granting by CAS. I have this features working in my CAS 3.2.1 version but to adquire this you must have your own manager for the ticket registry implementation that you are using, I have one for defaultTicketRegistry. The solution for when the browser is close and no occurs an explicit logout is working too, for this feature I wrote some messages in this list some months ago, If yoy are interesting review my lasts posts to take an idea. this are features that CAS doesn 't support and I think that a good user management increase the security and If you cannot avoid the accounts from being stealing you can kick off of your application
_______________________________________________ Yale CAS mailing list cas@tp.its.yale.edu http://tp.its.yale.edu/mailman/listinfo/cas