Hi,
I am facing a strange behaviour running the scenario below:
a) user supplied valid username - password and successfully logged in
b) press back button on browser
c) relogin supplying invalid username or password
d) successfully logs in!!
It seems that Seam 'remembers' that the user was already logged in and doesn't
call the authenticate method, allowing a non-existing user to enter. Is that expected?
A workaround is to override org.jboss.seam.security.Identity.Identity and call the login
method as follows:
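| import static org.jboss.seam.ScopeType.SESSION;
| import static org.jboss.seam.annotations.Install.APPLICATION;
|
| import org.jboss.seam.annotations.Install;
| import org.jboss.seam.annotations.Name;
| import org.jboss.seam.annotations.Scope;
| import org.jboss.seam.annotations.Startup;
| import org.jboss.seam.annotations.intercept.BypassInterceptors;
| import org.jboss.seam.security.Identity;
|
| // Replaces the built-in identity component (same name, higher precedence).
| @Name("org.jboss.seam.security.identity")
| @Scope(SESSION)
| @Install(precedence = APPLICATION)
| @BypassInterceptors
| @Startup
| public class AppIdentity extends Identity {
|
|     // Clear any existing authentication state so that authenticate() runs on every login.
|     @Override
|     public String login() {
|         unAuthenticate();
|         return super.login();
|     }
| }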
I just wonder why unAuthenticate() is not called through Identity.login().
V.
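
The scenario above as an added, stand-alone example that is not part of the original post and is not Seam source code: a simplified model of a session-scoped identity whose login() skips the credential check once the session is authenticated, next to the override the post proposes. The class names `ReloginDemo`, `SessionIdentity` and `StrictIdentity`, and the user data, are hypothetical.

```java
import java.util.Map;

// Simplified stand-alone model (hypothetical classes, not Seam source) of a
// session-scoped identity whose login() skips credential checks once the
// session is already authenticated, as the post describes.
public class ReloginDemo {
    static final Map<String, String> USERS = Map.of("alice", "s3cret"); // constructed sample data

    static class SessionIdentity {
        String username, password;   // credentials bound from the login form
        String principal;            // non-null once authenticated

        boolean isLoggedIn() { return principal != null; }

        void unAuthenticate() { principal = null; }

        // Behaviour described in the post: an existing login short-circuits authentication.
        String login() {
            if (isLoggedIn()) return "loggedIn";
            if (password != null && password.equals(USERS.get(username))) {
                principal = username;
                return "loggedIn";
            }
            return null; // authentication failed
        }
    }

    // The post's workaround: drop the old authentication state before every login attempt.
    static class StrictIdentity extends SessionIdentity {
        @Override
        String login() {
            unAuthenticate();
            return super.login();
        }
    }

    static String relogin(SessionIdentity id) {
        id.username = "alice"; id.password = "s3cret";
        id.login();                                   // step a: valid login
        id.username = "mallory"; id.password = "bad"; // steps b-c: back button, bogus credentials
        return id.login() + " as " + id.principal;
    }

    public static void main(String[] args) {
        System.out.println("default:  " + relogin(new SessionIdentity()));
        System.out.println("override: " + relogin(new StrictIdentity()));
    }
}
```

In this model the second attempt reports success while the session is still bound to the first user's principal; with the override, a failed attempt also ends the earlier session.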