Automatically closed - issue fixed for 2 weeks with no activity.
It seems there is no need to explicitly start session in the UserLogin form. The best piece of documentation I was able to dig out is this one - https://api.drupal.org/api/drupal/core%21core.api.php/group/session/8.6.x Though not so explicitly, but it generally suggests modules are not expected to start session in such low level way. Instead Drupal core (session API) will figure when it is appropriate to start a session and when it is appropriate to destroy it in order to squeeze the maximum out of caching.
In our case, we run a non-core session manager service (combined with a few another custom/non-standard tweaks), it produces a following error - our CAS UserLogin become multi-step form and thus has to be cached by Form API. Additionally, our non-standard session manager is having issues getting PHP serialized because of certain circular references. So at the end of the day, while the cas_server.module is not being affected directly nor it is the true source of the problem, if we remove the session manager dependency injection from the form, then things will get a bit more stable and based on my understanding of the Drupal core and based on my testing, there is no harm in removing session manager from the UserLogin form.
Let's remove the dependency injection "session_manager" from the UserLogin form and thus CAS server module would become a tiny bit simpler.
Fixed
1.0
Code
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
Automatically closed - issue fixed for 2 weeks with no activity.