diff --git a/cas.admin.inc b/cas.admin.inc
index b4e2279..e1885ae 100644
--- a/cas.admin.inc
+++ b/cas.admin.inc
@@ -213,11 +213,16 @@ function cas_admin_settings() {
     '#collapsed' => TRUE,
   );
 
-  $form['pages']['cas_check_first'] = array(
-    '#type' => 'checkbox',
+  $form['pages']['cas_check_frequency'] = array(
+    '#type' => 'select',
     '#title' => t('Check with the CAS server to see if the user is already logged in?'),
-    '#default_value' => variable_get('cas_check_first', 0),
-    '#description' => t('This implements the <a href="@cas-gateway">Gateway feature</a> of the CAS Protocol. The check is only performed the first time a user visits your site, so that the local drupal logout is still useful for site admins.', array('@cas-gateway' => 'https://wiki.jasig.org/display/CAS/gateway')),
+    '#default_value' => variable_get('cas_check_frequency', CAS_CHECK_NEVER),
+    '#options' => array(
+      CAS_CHECK_NEVER => 'Never',
+      CAS_CHECK_ONCE => 'Once, but not again until login',
+      CAS_CHECK_ALWAYS => 'Always',
+    ),
+    '#description' => t('This implements the <a href="@cas-gateway">Gateway feature</a> of the CAS Protocol. Enabling this may prevent logging out of Drupal without also logging out of CAS.', array('@cas-gateway' => 'https://wiki.jasig.org/display/CAS/gateway')),
   );
 
   $form['pages']['cas_access'] = array(
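Review bot: The three labels under `'#options'` are bare string literals, so unlike the title and description they never go through `t()` and cannot be translated; write them as `CAS_CHECK_NEVER => t('Never'),` and likewise for the other two. The new description says only that enabling the feature "may prevent logging out of Drupal" and does not name the option that causes it. Going by the cas.module comment that 0 means every time, it is presumably "Always" under which a Drupal-only logout is undone on the next page view while the CAS session is still alive, and the help text should say so to guide admins of sites used from shared machines. The enclosing cas_admin_settings() starts and ends outside the hunk.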
diff --git a/cas.install b/cas.install
index feb8e34..7c22ff3 100644
--- a/cas.install
+++ b/cas.install
@@ -89,7 +89,7 @@ function cas_uninstall() {
   variable_del('cas_auto_assigned_role');
   variable_del('cas_cert');
   variable_del('cas_changePasswordURL');
-  variable_del('cas_check_first');
+  variable_del('cas_check_frequency');
   variable_del('cas_debugfile');
   variable_del('cas_domain');
   variable_del('cas_exclude');
@@ -116,6 +116,7 @@ function cas_uninstall() {
 
   // And old (un-used) variables.
   variable_del('cas_cert_verify');
+  variable_del('cas_check_first');
   variable_del('cas_first_login');
   variable_del('cas_hijack_user');
   variable_del('cas_ldap_email_attribute');
@@ -337,3 +338,19 @@ function cas_update_6304() {
   }
   return array();
 }
+
+/**
+ * Switch from cas_gateway to cas_check_frequency.
+ */
+function cas_update_6305() {
+  if (variable_get('cas_check_first', FALSE)) {
+    // Check once, but not again until login.
+    variable_set('cas_check_frequency', -1);
+  }
+  else {
+    // Check never.
+    variable_set('cas_check_frequency', -2);
+  }
+  variable_del('cas_check_first');
+  return array();
+}
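Review bot: The docblock of cas_update_6305() says the update switches from `cas_gateway`, but the body reads and deletes `cas_check_first`; the summary line should read `* Migrate cas_check_first to cas_check_frequency.` so it matches the code. The literals `-1` and `-2` duplicate CAS_CHECK_ONCE and CAS_CHECK_NEVER from cas.module. If literals are kept on purpose, so the update stays stable should the constants ever change, name the constant in each inline comment, e.g. `// CAS_CHECK_ONCE (-1): check once, but not again until login.`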
diff --git a/cas.module b/cas.module
index 463d0c2..f7708d2 100644
--- a/cas.module
+++ b/cas.module
@@ -15,6 +15,11 @@ define('CAS_LOGIN_DRUPAL_INVITE_DEFAULT', 'Cancel CAS login');
 define('CAS_LOGIN_REDIR_MESSAGE', 'You will be redirected to the secure CAS login page.');
 define('CAS_EXCLUDE', 'services/*');
 
+// Frequency of CAS Gateway checking.
+define('CAS_CHECK_NEVER', -2);
+define('CAS_CHECK_ONCE', -1);
+define('CAS_CHECK_ALWAYS', 0);
+
 /**
  * Implementation of hook_init().
  *
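Review bot: The one-line comment above the three defines does not say that these values are constrained by phpCAS rather than chosen freely. cas_login_check() passes the stored setting straight to `phpCAS::setCacheTimesForAuthRecheck()`, where -1 and 0 have the meanings listed in that function's comment, while -2 appears to be a module-only value that `_cas_allow_check_for_login()` filters out first. I would record that at the definition, e.g. `// CAS_CHECK_ONCE and CAS_CHECK_ALWAYS are phpCAS recheck values; CAS_CHECK_NEVER is module-internal and must not reach phpCAS.`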
@@ -70,9 +75,11 @@ function cas_login_check() {
 
     // We're going to try phpCAS auth test
     if (!$cas_force_login) {
+      // -1 is check once, then not again until forced login.
+      // 0 is every time.
+      // n is every n-th time.
+      phpCAS::setCacheTimesForAuthRecheck((string) variable_get('cas_check_frequency', CAS_CHECK_NEVER));
       $logged_in = phpCAS::checkAuthentication();
-      // Set the login tested cookie
-      setcookie('cas_login_checked', 'true');
 
       // We're done cause we're not logged in.
       if (!$logged_in) {
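Review bot: The value handed to `phpCAS::setCacheTimesForAuthRecheck()` is cast to a string although the three comment lines above it describe integer counts; confirm which type the bundled phpCAS version accepts, and if it is an integer use `(int) variable_get('cas_check_frequency', CAS_CHECK_NEVER)`. The stored type probably differs by origin (cas_update_6305() writes an integer, a settings-form submission presumably a string), which is also why the loose `==` against CAS_CHECK_NEVER in `_cas_allow_check_for_login()` should not be tightened without a cast. The default here is CAS_CHECK_NEVER (-2), a value the comment does not list, so this call relies on an earlier guard having ruled that setting out; the guard is not visible in the hunk, and cas_login_check() continues outside it.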
@@ -685,16 +692,11 @@ function cas_login_block_submit($form, &$form_state) {
  *   authenticated, FALSE otherwise.
  */
 function _cas_allow_check_for_login() {
-  if (!variable_get('cas_check_first', 0)) {
+  if (variable_get('cas_check_frequency', CAS_CHECK_NEVER) == CAS_CHECK_NEVER) {
     // The user has disabled the feature.
     return FALSE;
   }
 
-  // Check to see if we already have.
-  if (!empty($_COOKIE['cas_login_checked'])) {
-    return FALSE;
-  }
-
   // Check to see if we've got a search bot.
   $crawlers = array(
     'Google',
diff --git a/cas.test b/cas.test
index b6fb165..1c0c704 100644
--- a/cas.test
+++ b/cas.test
@@ -660,7 +660,7 @@ class CasGatewayTestCase extends CasTestHelper {
 
   function setUp() {
     parent::setUp();
-    variable_set('cas_check_first', TRUE);
+    variable_set('cas_check_frequency', CAS_CHECK_ONCE);
   }
 
   /**
@@ -744,7 +744,7 @@ class CasRequiredLoginTestCase extends CasTestHelper {
     $account = $this->casCreateUser();
     variable_set('cas_test_cas_user', array('name' => $account->cas_name));
 
-    variable_set('cas_check_first', TRUE);
+    variable_set('cas_check_frequency', CAS_CHECK_ONCE);
     variable_set('cas_exclude', "node/$node->nid");
 
     // Visit an excluded page and ensure we did not try to log in.
