CAS 7.3.5 migration - TGT timeout configured for 2 hours but application logs out after 1 hour


Mohamed Iheb JEMAI

Jul 1, 2026, 12:56:48 PM
to CAS Community

Hello,

I need urgent help regarding a CAS migration from CAS 6.6.15 to CAS 7.3.5.

We configured the TGT session duration with:

cas.ticket.tgt.hard-timeout.time-to-kill-in-seconds=7140

The goal is to keep the CAS session alive for almost 2 hours.

After the migration, one external application integrated with our CAS server is still logging users out after 1 hour, even though the TGT ticket in the new cas_tickets table is created with an expiration time of around 2 hours.

I noticed the following in the cas_tickets table:

  • creation_time is correct
  • expiration_time is correctly set to about 2 hours later
  • last_used_time does not change
  • last_used_time remains almost the same as creation_time, even when the user is still active in the application/session

My questions are:

  1. Is cas.ticket.tgt.hard-timeout.time-to-kill-in-seconds still the correct property in CAS 7.3.5 to define the CAS session duration?
  2. Why is last_used_time not updated while the user is still active?
  3. Can this explain why the external application logs out after 1 hour?
  4. Is there another CAS 7.3.5 property that should be configured for sliding/session inactivity timeout?
  5. Could the 1-hour logout be caused by the service application session timeout instead of the CAS TGT timeout?

Any advice or recommended configuration for CAS 7.3.5 would be appreciated.

Thank you.


Attachments: cas_prop.JPG, cas_ticket.JPG

Ray Bon

Jul 1, 2026, 2:52:06 PM
to cas-...@apereo.org
Mohamed,

The cas session (TGT) is for SSO only; it has nothing to do with any other application.

2. The last_used_time should update when a user logs in to a subsequent application using SSO.
3. The external application must be configured for a 1h session.
5. Yes.

If the external application is sending a logout to cas, after its hour session expires, then that is a defect in that application.

Ray
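
A small model of the behaviour described in the reply above, added here as an illustration; it is not code from CAS or from either poster. The 3600-second application session is an assumption taken from the reported symptom, and the names Tgt, grant_service_ticket and simulate are hypothetical.

```python
from dataclasses import dataclass

# From the post: cas.ticket.tgt.hard-timeout.time-to-kill-in-seconds=7140
TGT_HARD_TIMEOUT = 7140
# Assumption: the external application keeps its own 1-hour session.
APP_SESSION_TIMEOUT = 3600

@dataclass
class Tgt:
    creation_time: int
    last_used_time: int
    expiration_time: int  # hard timeout: fixed at creation, never slides

    def grant_service_ticket(self, now: int) -> bool:
        """Only a request that reaches CAS itself touches the TGT."""
        if now >= self.expiration_time:
            return False
        self.last_used_time = now
        return True

def simulate(request_times):
    """Replay application requests (seconds after login); return the TGT and an event log."""
    tgt = Tgt(0, 0, TGT_HARD_TIMEOUT)
    app_session_start = 0
    log = []
    for t in request_times:
        if t - app_session_start < APP_SESSION_TIMEOUT:
            log.append((t, "served by app session, CAS not contacted"))
            continue
        # App session is over: the app redirects the browser to CAS for a new service ticket.
        if tgt.grant_service_ticket(t):
            app_session_start = t
            log.append((t, "app session expired, SSO issued new service ticket"))
        else:
            log.append((t, "app session expired, TGT expired, credentials required"))
            break
    return tgt, log

if __name__ == "__main__":
    # Constructed input: one application request every 10 minutes for 2 hours.
    tgt, log = simulate(range(600, 7201, 600))
    for t, event in log:
        print(f"t={t:>5}s  {event}")
    print(tgt)
```

In this model last_used_time stays equal to creation_time for the whole first hour of application activity, and changes only at the moment the application sends the browser back to CAS.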
