[ https://issues.apache.org/jira/browse/WICKET-6317?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15855884#comment-15855884 ]
Martin Grigorov commented on WICKET-6317:
-----------------------------------------

OK, I see.
We should not call invalidate() in invalidateNow() if the session is already invalidated.
You can do the same in your signOut() in the meantime, just wrap your logic with "if (!isSessionInvalidated()) { your logic here }".

> AuthenticatedWebSession#signOut() calls twice after session invalidation
> ------------------------------------------------------------------------
>
> Key: WICKET-6317
> URL: https://issues.apache.org/jira/browse/WICKET-6317
> Project: Wicket
> Issue Type: Bug
> Components: wicket, wicket-auth-roles
> Affects Versions: 7.6.0
> Reporter: Alexey Prudnikov
>
> When the user wants to log out, I call AuthenticatedWebSession#invalidate(),
> which, in turn, calls AuthenticatedWebSession#signOut() and sets
> Session#sessionInvalidated to true.
> After that, at the end of request processing, RequestCycle#onDetach() is
> called, which in turn calls Session#detach(). The last method checks the
> Session#sessionInvalidated state, and because it is true, invalidates the session
> again with Session#invalidateNow().
> So, if I place some business logic code in #signOut() (as in the example class
> BasicAuthenticationSession from the [official
> guide|https://ci.apache.org/projects/wicket/guide/7.x/single.html#_using_roles_with_metadata]),
> this code is also called twice, which may be inappropriate in some cases.
> I know about the WICKET-6228 ticket - now #invalidate() doesn't call #signOut(),
> and this can be a solution for the issue, but those changes were not ported to the Wicket 7
> branch.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
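
The double call described in the issue and the guard suggested in the comment, as an added example that is not part of the original message or of Wicket's source. The classes are simplified stand-ins that model only the call chain the issue describes, and the audit-log entry is constructed business logic.

```java
import java.util.ArrayList;
import java.util.List;

public class SignOutTwiceDemo {

    /** Stand-in for Session: only the invalidation flag and the detach logic. */
    static class ModelSession {
        private boolean sessionInvalidated;

        boolean isSessionInvalidated() { return sessionInvalidated; }

        void invalidate() { sessionInvalidated = true; }

        // Behaviour per the issue: invalidates again unconditionally.
        void invalidateNow() { invalidate(); }

        // Called at the end of request processing.
        void detach() { if (sessionInvalidated) invalidateNow(); }
    }

    /** Stand-in for AuthenticatedWebSession: invalidate() calls signOut(). */
    static class ModelAuthSession extends ModelSession {
        final List<String> auditLog = new ArrayList<>();
        private final boolean guarded;

        ModelAuthSession(boolean guarded) { this.guarded = guarded; }

        void signOut() {
            // Workaround from the comment: run the logic only while the
            // session has not been invalidated yet.
            if (!guarded || !isSessionInvalidated()) {
                auditLog.add("logout recorded"); // constructed business logic
            }
        }

        @Override
        void invalidate() { signOut(); super.invalidate(); }
    }

    /** Runs one logout request and returns how often the logic executed. */
    static int logoutEvents(boolean guarded) {
        ModelAuthSession session = new ModelAuthSession(guarded);
        session.invalidate(); // the application logs the user out
        session.detach();     // end of the same request
        return session.auditLog.size();
    }

    public static void main(String[] args) {
        System.out.println("unguarded signOut() logic ran " + logoutEvents(false) + " time(s)");
        System.out.println("guarded signOut() logic ran " + logoutEvents(true) + " time(s)");
    }
}
```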