More info on MY problem:
I believe the booking example suffers from this same flaw, because a user can log in again
with a different username, without being forced to log out.
The session is only invalidated upon logout...
Steps:
1. Log in as user 1, make a booking.
2. Go to home.seam and log in as user 2 from the same browser session; you will see the booking.
View the original post:
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3978028#...
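
The behaviour reported in the post above, as an added example that is not part of the original post or of the Seam booking example: a plain-Java, in-memory model of server-side sessions showing a login that reuses the existing session beside one that discards it and issues a fresh one. The class, method and cookie names and the sample booking are constructed for illustration.

```java
import java.util.*;

// Added illustration: an in-memory model of server-side sessions, not Seam code.
public class ReLoginDemo {
    // One session: the authenticated user plus session-scoped state (the bookings).
    static final class Session {
        String user;
        final List<String> bookings = new ArrayList<>();
    }

    // Session id (the browser's cookie value) -> server-side session.
    static final Map<String, Session> store = new HashMap<>();

    // Flawed login: reuses whatever session the browser cookie already points at.
    static String loginReusingSession(String cookie, String user) {
        Session s = store.computeIfAbsent(cookie, k -> new Session());
        s.user = user; // identity changes, the previous user's state stays
        return cookie;
    }

    // Corrected login: drop the old session and issue a fresh id on every login.
    // In a servlet container this corresponds to HttpSession.invalidate()
    // followed by HttpServletRequest.getSession(true).
    static String loginWithFreshSession(String cookie, String user) {
        store.remove(cookie);
        String fresh = UUID.randomUUID().toString();
        Session s = new Session();
        s.user = user;
        store.put(fresh, s);
        return fresh;
    }

    public static void main(String[] args) {
        // Constructed sample users and booking, following the steps in the post.
        String c = loginReusingSession("cookie-1", "user1");
        store.get(c).bookings.add("Hotel A, booked by user1");
        c = loginReusingSession(c, "user2");
        System.out.println("reused session, user2 sees: " + store.get(c).bookings);

        c = loginWithFreshSession("cookie-2", "user1");
        store.get(c).bookings.add("Hotel A, booked by user1");
        c = loginWithFreshSession(c, "user2");
        System.out.println("fresh session,  user2 sees: " + store.get(c).bookings);
    }
}
```

Issuing a new session id at login also means a session id known before authentication is no longer valid afterwards.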