WebSphere Caching Behavior

WebSphere® caches user information and credentials in its own security cache. The Cúram login module is not invoked while a user's entry is valid in this cache. By default, an entry is invalidated from the security cache after the user has been inactive for ten minutes.

For example, the first time a user logs in to the application from the web client, they are prompted for their username and password. The Cúram login module is invoked and authenticates the information supplied. If the same user opens a second web browser and attempts to access the application, they are again prompted for their username and password. When WebSphere receives this information, it queries the security cache to determine whether the username and password are already in the cache. If they are, and the password matches, WebSphere does not query the login modules.

The impact of this behavior is that any modifications to a user's account restrictions or password will not take effect until the user has been invalidated from the WebSphere security cache.
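The following added example is a simplified Python model of the caching behavior described on this page, not WebSphere or Cúram code. It shows how long a disabled account keeps authenticating from the cache. The class names, the account and the timestamps are constructed for illustration, and the inactivity-based eviction follows this page's description.

```python
import hashlib
import hmac

CACHE_TIMEOUT = 600  # seconds; the ten-minute default stated on this page

class UserRegistry:
    """Hypothetical stand-in for the account store a login module checks."""
    def __init__(self):
        self.users = {}  # username -> {"password": str, "enabled": bool}

    def authenticate(self, user, password):
        rec = self.users.get(user)
        return bool(rec and rec["enabled"] and rec["password"] == password)

class CachedLogin:
    """Model of a security cache in front of a login module (assumed design)."""
    def __init__(self, registry):
        self.registry = registry
        self.cache = {}        # username -> (password digest, last access time)
        self.module_calls = 0  # how often the login module was consulted

    def login(self, user, password, now):
        digest = hashlib.sha256(password.encode()).hexdigest()
        entry = self.cache.get(user)
        if entry and now - entry[1] >= CACHE_TIMEOUT:
            del self.cache[user]  # inactive for the full timeout: invalidate
            entry = None
        if entry and hmac.compare_digest(entry[0], digest):
            self.cache[user] = (digest, now)  # activity keeps the entry alive
            return True                       # login module is never asked
        self.module_calls += 1                # cache miss or password mismatch
        ok = self.registry.authenticate(user, password)
        if ok:
            self.cache[user] = (digest, now)
        return ok

def demo():
    reg = UserRegistry()
    reg.users["caseworker"] = {"password": "old-pass", "enabled": True}  # constructed
    srv = CachedLogin(reg)
    results = [srv.login("caseworker", "old-pass", now=0)]         # module invoked
    reg.users["caseworker"]["enabled"] = False                     # disabled at t=0
    results.append(srv.login("caseworker", "old-pass", now=300))   # cache hit
    results.append(srv.login("caseworker", "old-pass", now=800))   # 500 s idle: hit
    results.append(srv.login("caseworker", "old-pass", now=1400))  # 600 s idle: evicted
    return results, srv.module_calls

if __name__ == "__main__":
    print(demo())
```

In this model the login at 800 seconds still succeeds after the account was disabled, because each cache hit resets the inactivity clock; the restriction is only enforced once the entry has sat idle for the full timeout.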

For more information see the appropriate WebSphere Application Server Information Center.