Red Hat OpenShift Data Science: RHODS-1968

Session mgmt: Users are not logged out of JH/RHODS when removed from rhods-users/admins group


Details

    • 5
    • False
    • False
    • User is logged out automatically when credentials are revoked from both the JH spawner and the RHODS dashboard. The RHODS dashboard checks for group membership before allowing a user to log in.
    • Release Notes
    • No
    • 1.24.0
    • No
    • When a user's permissions for JupyterHub are revoked, it takes up to five minutes for JupyterHub to log the user out. After a user has been removed from a valid user group, the user is able to spawn a new notebook server for about 30 seconds, and is able to continue working in JupyterLab for up to five minutes before they are logged out.
    • Bug Fix
    • Done
    • No
    • Yes
    • None
    • MODH Sprint 31, MODH Sprint 32, RHODS 1.24
    • Medium

    Description

      Description of problem:

      RHODS-348 lists three scenarios concerning user sessions; scenario no. 2 from that issue is still not handled as expected in RHODS:

      Scenario 2: User no longer has access to RHODS based on removal from the RHODS user or admin group

      When a user is removed from the rhods-users group while logged in to the JH spawner, they are not automatically logged out. Refreshing the page does not log the user out. The only way for the change to take effect is a "hard" refresh (ctrl+f5 or similar); in this case the user is logged out, and upon logging in again receives a 403 Forbidden error.

      The original issue is also concerned with the user session w.r.t. the RHODS dashboard; however, being part of the rhods-users/admins group currently changes nothing as far as the dashboard is concerned. An OpenShift user who is not part of either group can always log in to the dashboard, and consequently removing a logged-in user from either group does not log them out of the dashboard.

      Prerequisites (if any, like setup, operators/versions):

      RHODS 1.1.1-41 on OSD

      Steps to Reproduce

      1. Install RHODS
      2. Add IdPs to your cluster
      3. Create user(s) in the IdP and OpenShift
      4. Add user(s) to rhods-users or admins group
      5. Log in to the JH spawner
      6. User should be able to log in
      7. Remove user(s) from rhods-users or admins group
      8. Refresh JH spawner page
      9. User is still logged in
      10. Hard refresh the page / log out
      11. Log in with the same user again; you should receive a 403 Forbidden error


      1. Same as above, up to step 4
      2. Log in to the RHODS dashboard
      3. Remove user(s) from rhods-users or admins group
      4. Refresh the dashboard page; the user is still logged in
      5. Hard refresh the page / log out
      6. Log in with the same user; the user is still allowed to log in

      Actual results:

      User is not automatically logged out of the JH spawner when the credentials (i.e. group membership) are revoked. User session needs to expire by other means before the change is applied.

      User is not automatically logged out of the RHODS dashboard. Furthermore, the user can still log in to the dashboard after credentials are revoked (or before they are ever granted).

      Expected results:

      User is logged out automatically when credentials are revoked from both the JH spawner and the RHODS dashboard.
      The RHODS dashboard checks for group membership before allowing a user to log in.
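The two behaviours asked for above (a group check at login time, and an existing session ending once membership is revoked) modelled in an added example that is not RHODS or JupyterHub code. The group store, the user "alice", `SessionStore`, `FakeClock` and `revocation_lag` are all constructed here; the `ttl` parameter shows how caching a membership verdict produces a revocation lag of the kind the release note describes, while `ttl=0` re-checks on every request.

```python
class SessionStore:
    """Model of a session layer gated on group membership.
    groups: constructed stand-in for the OpenShift groups rhods-users /
            rhods-admins.  ttl: seconds a cached 'is a member' verdict is
            trusted before a request re-checks; ttl=0 re-checks every time."""

    def __init__(self, groups, ttl, clock):
        self.groups, self.ttl, self.clock, self.sessions = groups, ttl, clock, {}

    def is_member(self, user):
        return any(user in m for m in self.groups.values())

    def login(self, sid, user):
        if not self.is_member(user):   # login-time group check (expected result 2)
            return 403
        self.sessions[sid] = {"user": user, "verified_at": self.clock()}
        return 200

    def request(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return 401
        if self.clock() - s["verified_at"] >= self.ttl:   # cached verdict expired
            if not self.is_member(s["user"]):
                del self.sessions[sid]   # membership gone: end the session
                return 401
            s["verified_at"] = self.clock()
        return 200


class FakeClock:
    """Manually advanced clock so the timeline is deterministic."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t


def revocation_lag(ttl):
    """Log alice in, drop her from rhods-users, poll every 30 s and return
    how many seconds pass before her existing session is rejected."""
    clock = FakeClock()
    groups = {"rhods-users": {"alice"}, "rhods-admins": set()}   # constructed
    store = SessionStore(groups, ttl, clock)
    assert store.login("s1", "alice") == 200
    groups["rhods-users"].discard("alice")
    removed_at = clock.t
    while store.request("s1") == 200:
        clock.t += 30
    return clock.t - removed_at
```

`revocation_lag(300)` returns 300 (the session survives until the cached verdict expires) and `revocation_lag(0)` returns 0.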

      Reproducibility (Always/Intermittent/Only Once):

      Always

      Build Details:

      RHODS 1.1.1-41 on OSD

      Additional info:

            People

              juntwang@redhat.com Juntao Wang
              rhn-support-lgiorgi Luca Giorgi
              Luca Giorgi Luca Giorgi