Invalidating a session of an SSO on a different node than where the session was created does not logout the user ---------------------------------------------------------------------------------------------------------------- Key: WFLY-5932 URL: https://issues.jboss.org/browse/WFLY-5932 Project: WildFly Issue Type: Bug Components: Web (Undertow) Affects Versions: 10.0.0.CR5 Reporter: Richard Janík Assignee: Stuart Douglas Priority: Blocker See steps to reproduce for description. Additional scenario with a failover where we don't need to authenticate with the last request (but where we should be required to authenticate): * Access A1, authenticate, fail A1 (e.g. shutdown the server), access A2, invalidate session on A2, access A2 Scenarios where the SSO context is destroyed (where we need to authenticate with the last request as expected): * Access A1, authenticate, invalidate session on A1, access A1 * Access A1, authenticate, access A2, invalidate session on A1, access A1 Possibly related to JBEAP-1228, JBEAP-1282. Note that we always only have a single session bound to an SSO. I'm not flagging this as a blocker, since the issue usually doesn't manifest thanks to sticky sessions on a load balancer.