Alexey Prudnikov created WICKET-6317:
----------------------------------------
Summary: AuthenticatedWebSession#signOut() calls twice after
session invalidation
Key: WICKET-6317
URL: https://issues.apache.org/jira/browse/WICKET-6317
Project: Wicket
Issue Type: Bug
Components: wicket, wicket-auth-roles
Affects Versions: 7.6.0
Reporter: Alexey Prudnikov
When the user wants to log out, I call AuthenticatedWebSession#invalidate(),
which, in turn, calls AuthenticatedWebSession#signOut() and sets
Session#sessionInvalidated to true.
After that, at the end of request processing, RequestCycle#onDetach() is
called, which in turn calls Session#detach(). The last method checks
Session#sessionInvalidated state, and because it is true, invalidates session
again with Session#invalidateNow().
So, if I place some business logic code in #signOut() (as in example class
BasicAuthenticationSession from [official
guide|https://ci.apache.org/projects/wicket/guide/7.x/single.html#_using_roles_with_metadata]),
this code also calls twice, which may be inappropriate in some cases.
I know about WICKET-6228 ticket - now #invalidate() doesn't call #signOut(),
and this can be solution for issue, but that changes not ported to Wicket 7
branch.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
