Steffen Ryll

I think, in this case you should simply remove SPNEGO from your application, not start tweak its code. The whole point of SPNEGO is authentication w/o user interaction, by using the Negotiate mechanisms. If you don't need it (any longer), don't use it.

Cyril, basically, what you described is the typical way most web app keep they authentication/authorization info, so it's sensible. However, I'd advise you to store not just a boolean flag logged in/not, but rather some more data about the current user as well: user name, permissions (that you may have retrieved from some other system), timestamp of login, etc., depending on what you need.