WebSphere Application Server for z/OS caches user information and credentials in a security cache and the application login module will not be invoked while a user entry is valid in this cache. The default invalidation time for this security cache is ten minutes, where the user has been inactive for ten minutes. The WebSphere Application Server Caching Behavior section in the Cúram Security Handbook should be consulted for further details on this.