I am using CAS authentication in one of my Moodle set ups. Sungard Luminis is being used as the CAS server. We have a 3 hour cookie time out for inactivity because of some long quizes and DSPS students. What was happening was that one student could log in, quit and another student could pick up there session and start work as the original student.
Two settings in Moodle had to be set in order to prevent this from happening:
Under Site Administration, Authentication, CAS
Set Logout CAS to yes
Under Site Administration, Security, HTTP security,
Click Only http cookies