Hi, replaceSession's javadoc says "replaces the underlying session". That matches your observation.
You have to call invalidatNow(). Note that this doesn't prevent the session object from surviving, since it is still bound to the current thread. For that you have to call ThreadContext#setSession(null). Have fun Sven Am 23. April 2018 21:53:39 MESZ schrieb "Tom Götz" <t...@decoded.de>: >Hi there, > >one question concerning user login: what is the correct way of >replacing the session after a successful user login? Calling >org.apache.wicket.Session#replaceSession replaces the underlying web >session. But what about the Wicket session itself? Will it also be >replaced with a new instance? > >I observed the following: >* user is already logged in with an active session >* user navigates to login page >* user logs in as a different user >* underlying http session is replaced (by calling replaceSession after >login) >* but: Wicket session stays the same instance, i.e. new user uses >existing Wicket session including it’s state (properties stored in >custom Wicket session) > >Am I missing something or doing something wrong? > >Cheers, > Tom > > > >--------------------------------------------------------------------- >To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org >For additional commands, e-mail: users-h...@wicket.apache.org
