Maybe we could detect if the session was created by CAS and reauthenticate if this is the case. We wouldn't need a setting then.
I could add another flag to session to indicate whether the session was authenticated with CAS or not. I'm not sure if I completely understand why your redmine_active_record_store plugin is necessary for single sign-out. I'm thinking it may be required if I add this flag. Do you think there are sites that expect normal users to log in via the built-in login page? If not, then maybe we should always let CAS authenticate after session time out. If that's acceptable, it would avoid adding another flag to session.
Not sure if it is used, but we support it at the moment.
To delete a session upon receiving a Single Sign-Out notification, the session must be stored on the server.
Adds a "CAS authenticate after session expires" option to plugin settings. When checked, the next request will authenticate with CAS instead of redirecting to the non-CAS login page. When unchecked (the default), it retains the prior behavior. See issue #7.

It works by overriding the `session_expiration` filter in `ApplicationController`. When it detects an expired session, it resets the session and falls through. The subsequent login check will trigger CAS authentication.

I haven't added a French translation for the new setting in `fr.yml`.
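The override described in the PR, as an added illustration that is not the plugin's own code: a module prepended to `ApplicationController` so that `super` still reaches Redmine's original `session_expiration`, gated on a plugin setting. Redmine's `ApplicationController` and `Setting` are replaced by minimal stand-ins so the example runs offline, and the setting key `authenticate_after_session_expires` is an assumed name, not one taken from the plugin.

```ruby
# Added example, not code from the plugin or from Redmine. Stand-ins replace
# Redmine's Setting and ApplicationController; the plugin setting key
# 'authenticate_after_session_expires' is an assumption.

# Stand-in for Redmine's Setting.plugin_<plugin_name> hash.
module Setting
  @plugin_redmine_cas = { 'authenticate_after_session_expires' => false }
  def self.plugin_redmine_cas; @plugin_redmine_cas; end
  def self.plugin_redmine_cas=(h); @plugin_redmine_cas = h; end
end

# Stand-in for the parts of Redmine's ApplicationController involved here.
class ApplicationController
  attr_reader :session, :redirected_to, :cas_authenticated

  SESSION_TIMEOUT = 60 * 10 # seconds; constructed value for the example

  def initialize(session)
    @session = session
    @redirected_to = nil
    @cas_authenticated = false
  end

  def session_expired?
    last = session[:updated_at]
    last.nil? || (Time.now - last) > SESSION_TIMEOUT
  end

  def reset_session
    @session = {}
  end

  # Prior (non-CAS) behaviour: on expiry, drop the user and redirect to
  # the built-in login page, which halts the filter chain.
  def session_expiration
    if session[:user_id] && session_expired?
      reset_session
      redirect_to_login
    end
  end

  def redirect_to_login
    @redirected_to = '/login'
  end

  # The login check that runs after session_expiration. With the CAS
  # plugin installed, a request with no user in session goes to CAS.
  def require_login
    @cas_authenticated = true if session[:user_id].nil?
  end

  # Runs the before_action chain the way Rails would: a redirect in an
  # earlier filter stops the later ones.
  def run_filters
    session_expiration
    require_login unless @redirected_to
    self
  end
end

# Plugin patch: prepended so `super` still reaches Redmine's own method.
module CasSessionExpirationPatch
  def session_expiration
    return super unless Setting.plugin_redmine_cas['authenticate_after_session_expires']
    if session[:user_id] && session_expired?
      reset_session # drop the stale user ...
      return        # ... and fall through without redirecting; require_login then triggers CAS
    end
    super
  end
end
ApplicationController.prepend(CasSessionExpirationPatch)

# Constructed session that expired an hour ago.
def expired_session
  { user_id: 42, updated_at: Time.now - 3600 }
end

# Returns where the request ends up: the built-in login page, CAS, or
# nowhere (session still valid).
def outcome_with_setting(enabled, session = expired_session)
  Setting.plugin_redmine_cas = { 'authenticate_after_session_expires' => enabled }
  c = ApplicationController.new(session).run_filters
  return :login_page if c.redirected_to
  c.cas_authenticated ? :cas : :none
end

puts outcome_with_setting(false) # prior behaviour
puts outcome_with_setting(true)  # new option checked
```

The patch returns before calling `super` only on the expired path, so a session that has not timed out, or a request with no user in session at all, still goes through Redmine's original filter unchanged; that is the part worth checking when reviewing an override of a before_action, since silently skipping `super` on every path would also skip any other logic Redmine keeps in that filter.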