Solved. I was writing an original reply, using "I think I have something conceptually wrong", when it hit my mind:
One of the components (the login/logout box) has this: final EsscAuthSession sess = (EsscAuthSession)getSession(); and the onClick() was like add( new Link("logoutLink") { @Override public void onClick() { sess.invalidate(); } } I.e. using the old request's session in onClick()'s request. It's a bit leaky abstraction, as I got used not to think much about requests, but in this case I had to realize. So now it's add( new Link("logoutLink") { @Override public void onClick() { getSession().invalidate(); } } Maybe it should be stressed in the wicket examples to call getSession() to warn beginners. Thanks for replies. Ondra On Thu, 2012-09-27 at 10:34 +0300, Martin Grigorov wrote: > Hi, > > You need to use Session#invalidate() actually. > > #invalidate() schedules a call to #invalidateNow() at the end of the > request cycle. > > By using #invalidateNow() you invalidate the current http session and > right after this your app creates a new Session because it needs to > finish the request cycle and the new one is what you see later. You > can print the hashcodes to see whether I'm right. > > On Thu, Sep 27, 2012 at 9:04 AM, Ondrej Zizka <ozi...@redhat.com> wrote: > > Hi, > > > > i am trying to implement a simple authentization. > > > > I've basically copied what's in the auth example #2 in wicket examples, > > and have a Logout button: > > > > add( new Link("logoutLink") { > > @Override public void onClick() { > > sess.invalidateNow(); > > setResponsePage( HomePage.class ); > > } > > } > > .add( new Label("label", "Logout " + > > sess.getUser().getName()) ) > > > > Which, when clicked, is performed, but in the second request, the User > > object, which set to null in my overriden signOut(), is back in my > > session object. Not sure if the same obj, but the same values. > > > > What could be wrong? > > > > Thanks, > > Ondra > > >