NOTE: I fixed this in my app by sending users that are already logged in to their desktop page if they directly request the login page. This will FORCE them to logout and invalidate the session before loggin in again. Might be nice to add that to the booking example It was easy for me because I already had a "verifyLoggedIn" action which applies to every request, and I was able to handle the logic there. If there is a more logical way I should have done this, let me know :) Dan. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3978042#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...