[ 
https://issues.apache.org/jira/browse/WICKET-6317?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15855869#comment-15855869
 ] 

Alexey Prudnikov commented on WICKET-6317:
------------------------------------------

Thank you for the quick response!

I realize that the changes from WICKET-6228 are an API break, no doubt about it.

But I didn't understand about the 7.x branch - is it my incorrect implementation 
(probably because of the mistake in the documentation) or a bug? If it is the 
incorrect implementation, what is the right way to process user logout with 
some application-specific business rules?

> AuthenticatedWebSession#signOut() calls twice after session invalidation
> ------------------------------------------------------------------------
>
>                 Key: WICKET-6317
>                 URL: https://issues.apache.org/jira/browse/WICKET-6317
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket, wicket-auth-roles
>    Affects Versions: 7.6.0
>            Reporter: Alexey Prudnikov
>
> When the user wants to log out, I call AuthenticatedWebSession#invalidate(), 
> which, in turn, calls AuthenticatedWebSession#signOut() and sets 
> Session#sessionInvalidated to true.
> After that, at the end of request processing, RequestCycle#onDetach() is 
> called, which in turn calls Session#detach(). The latter method checks the 
> Session#sessionInvalidated state and, because it is true, invalidates the 
> session again with Session#invalidateNow().
> So, if I place some business logic code in #signOut() (as in the example class 
> BasicAuthenticationSession from the [official 
> guide|https://ci.apache.org/projects/wicket/guide/7.x/single.html#_using_roles_with_metadata]),
>  this code is also called twice, which may be inappropriate in some cases.
> I know about the WICKET-6228 ticket - now #invalidate() doesn't call 
> #signOut(), and this can be a solution for the issue, but those changes are 
> not ported to the Wicket 7 branch.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
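
Added example, not part of the original message and not Wicket code: a plain-Java model of the call sequence the report describes, showing logout rules placed in signOut() running twice and a guard flag that makes them run once. ModelSession, NaiveSession and GuardedSession are hypothetical stand-ins, and the path from invalidateNow() back to signOut() is an assumption.

```java
public class SignOutOnceDemo {

    /** Simplified stand-in for the session flow in the report (not Wicket source). */
    static class ModelSession {
        private boolean sessionInvalidated;

        void signOut() { }

        // Report: invalidate() calls signOut() and sets the sessionInvalidated flag.
        void invalidate() {
            signOut();
            sessionInvalidated = true;
        }

        // Assumption: immediate invalidation goes through invalidate() again,
        // which is how signOut() is reached a second time.
        void invalidateNow() { invalidate(); }

        // Report: runs at the end of the request and re-invalidates if the flag is set.
        void detach() {
            if (sessionInvalidated) invalidateNow();
        }
    }

    /** Logout rules placed directly in signOut(): they run on every call. */
    static class NaiveSession extends ModelSession {
        int logoutRuns;
        @Override void signOut() { logoutRuns++; super.signOut(); }
    }

    /** Logout rules behind a guard: they run once however often signOut() is called. */
    static class GuardedSession extends ModelSession {
        int logoutRuns;
        private boolean signedOut;
        @Override void signOut() {
            if (!signedOut) {
                signedOut = true;
                logoutRuns++; // application-specific logout rules would go here
            }
            super.signOut();
        }
    }

    public static void main(String[] args) {
        NaiveSession naive = new NaiveSession();
        naive.invalidate(); naive.detach();
        GuardedSession guarded = new GuardedSession();
        guarded.invalidate(); guarded.detach();
        System.out.println("naive=" + naive.logoutRuns + " guarded=" + guarded.logoutRuns);
    }
}
```

In a real session class the guard flag would have to be cleared again on the next successful sign-in.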
