If I delete the logged user from the database (in my case, it was because I cleared the database by reloading the fixtures), the next request sent to the site will try to authenticate this user in the ContextListener (as the browser still has the cookie) and fail (as the user does not exist anymore). But the cookie is not deleted. This leads to some weird behavior in some cases:

• remove the user from the database (without clearing the cookie in your browser)
• go to the signup page and recreate the user with this username, but as a disabled user (waiting for a confirmation sent through a mail)
• the next requests will redirect to the login page because it finds the user again but disabled, which throws an AuthenticationException (and then an infinite loop as the same occur for the request to the login page).

If the cookie were removed when the user cannot be reloaded (not found or disabled), the next requests would match an anonymous token which would work.