Ok, so I recognize that while using BASIC auth, the browser controls the login session,
and nothing on the server side can log out a "BASIC" authenticated client.
Just FYI, I'm calling a JBoss webservice from an Adobe FLEX Flash application running
in the browser.
So, I turned BASIC auth OFF on my webservices EJB endpoint, and am now using WSSE
UsernameToken to authenticate the Flash client to my JSR 181 EJB endpoint.
However, for whatever reason, if I make some WS calls as User A, then make some WS calls
as User B (essentially, changing the WSSE username/password tokens), JBoss still thinks
I'm user A.
I did some digging on my JBoss server (DEBUG mode), and noticed that the WSSE client calls
are happening via HTTP POST. Since my username is being "remembered" by the
JBoss server, there must be some sort of session getting established? (This seems to be
functioning a lot like FORM-based authentication). In a typical servlet, I could simply
"logout" by invalidating the session. HOW does one do that with an EJB? I
don't see any way to get access to the Session... so I don't know how to invalidate
it.
Any ideas?
Thanks!
David