Hi Sohil, we solved the Problems assosiated with the principal. Our main problem was a misplaced jbosssx.jar. it was duplicated in server/xxx/libs and server/xxx/deploy/xxx/lib. Then I turned of caching in J aasSecurityManagerService mbean (jboss-Service.xml) and set flushOnSessionInvalidation="true" in jboss-web.xml and voila - the principal is reloaded on each login. The sessionId is flushed on the server side too - so everything works fine.. But is there a simple possibility to set a new sessionId (invalidate the cockie) on the client? Daniel View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3963817#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...