Hi, Currently [1] uses a volatile boolean "signedIn" to control the state. org.apache.wicket.authroles.authentication.panel.SignInPanel#onConfigure() tries to make use of it. IMO this implementation is a bit weak. There are big windows this state to change in the meantime.
Usually this shouldn't be a big problem, the application will authenticate the same user twice. But if the application does something in ISessionListener#onBind() then it becomes a problem [2]. Do you think this is a problem in Wicket or the applications should deal with it? 1. https://github.com/apache/wicket/blob/master/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java 2. https://issues.apache.org/jira/browse/ISIS-1481 Martin Grigorov Wicket Training and Consulting https://twitter.com/mtgrigorov
