Hi, we recently migrated to 6.17 from 4.x. Something we are now experiencing is an odd session problem in production.
We have 2 tomcats load balance running the front end wicket code. We have a certain flow that goes like this: 1. User goes to : my.example.com/login (LoginPage.java) 2. They log in 3. We invalidate the session and do a redirect to : foo.example.com/login passing some parameters 4. In the constructor of LoginPage we verify the parameters and if valid setup up the new current session with the user's details 5. LoginPage then does a setResponsePage(Application.get().getHomePage()); This on a single node/machine/instance of tomcat works great and with Wicket 4 it also worked great in a 2 node/instance load balanced situation however we have a problem. Problem: If at step 3 the redirect gets load balances to a different instance of tomcat, step 4 works fine (the request is read the the new session is got and the user info set on it). But this is when it gets really odd. Step 5 is executed fine, but when the home page is constructed our MetaDataRoleAuthorizationStrategy.isInstantiationAuthorized() is called as normal, and when we check the session to see if the users details are ok, there is no user in the session at all and we have a different session ! Any ideas at all what is happening here? Did something change around the session handling? I'm wondering if its something to do with the 302 redirect to the new URL with parameters? many thanks