[
https://issues.apache.org/jira/browse/WICKET-6317?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15855848#comment-15855848
]
Martin Grigorov commented on WICKET-6317:
-----------------------------------------
WICKET-6228 is not applied to 7.x because it might break (silently)
applications in production.
There is an entry in the migration guide for 8.x about it so hopefully the
developers will take it into account.
We should definitely improve the example in the guide!
Thank you!
> AuthenticatedWebSession#signOut() calls twice after session invalidation
> ------------------------------------------------------------------------
>
> Key: WICKET-6317
> URL: https://issues.apache.org/jira/browse/WICKET-6317
> Project: Wicket
> Issue Type: Bug
> Components: wicket, wicket-auth-roles
> Affects Versions: 7.6.0
> Reporter: Alexey Prudnikov
>
> When the user wants to log out, I call AuthenticatedWebSession#invalidate(),
> which, in turn, calls AuthenticatedWebSession#signOut() and sets
> Session#sessionInvalidated to true.
> After that, at the end of request processing, RequestCycle#onDetach() is
> called, which in turn calls Session#detach(). The last method checks
> Session#sessionInvalidated state, and because it is true, invalidates session
> again with Session#invalidateNow().
> So, if I place some business logic code in #signOut() (as in example class
> BasicAuthenticationSession from [official
> guide|https://ci.apache.org/projects/wicket/guide/7.x/single.html#_using_roles_with_metadata]),
> this code also calls twice, which may be inappropriate in some cases.
> I know about WICKET-6228 ticket - now #invalidate() doesn't call #signOut(),
> and this can be solution for issue, but that changes not ported to Wicket 7
> branch.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
