
Properly Signing Out of Apache Wicket Application


We are looking for the correct Wicket APIs to call in order to properly sign out of an application. Throughout the years / going through Wicket upgrades, we've called a number of different org.apache.wicket.Session APIs and have never been completely sure which one(s) to invoke. We're looking for guidance to ensure we're doing this correctly.

Currently, we call both invalidateNow() and invalidate(), which doesn't seem to be necessary at this point, and we are looking for direction on which one should be preferred and whether we should be calling anything else.

Another consideration we are taking into account is the fact that calling these methods does not result in our JSESSIONID getting re-generated by our application server (WebSphere), which we expect to happen to prevent session fixation. We see there are Wicket APIs to forcefully do this (changeSessionId()) but are unsure if this is necessary / if this should be happening naturally.

To summarize:

  1. Which Wicket API(s) should we be calling to sign out a user?
  2. Should we be calling changeSessionId() on login to prevent session fixation?
  3. Are there any other considerations we should be accounting for?

Relevant stack: Wicket 8 / IBM WebSphere Application Server 9


Solution

  • invalidateNow() will invalidate the session immediately.

    invalidate() will invalidate it at the end of the current request cycle, i.e. just before sending the response to the client.

    In both cases the web server's HttpSession will be invalidated too. It is the responsibility of the web server to invalidate the JSESSIONID by sending a cookie with a negative value. If you have doubts, I'd recommend that you register your own HttpSessionListener (https://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpSessionListener.html) and log/print whenever a session is created/destroyed.
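As an added example (not code from the question or the answer above), this is how the session listener the answer recommends, a sign-out link that calls invalidate(), and a post-login hook calling the changeSessionId() API named in the question could look in a Wicket 8 application. The class names, the "logout" markup id and the onAuthenticated() hook are assumptions; the code assumes a Servlet 3.1+ container such as WebSphere 9 and SLF4J logging.

```java
// Added example; not code from the question or the answer above.
// Assumes Wicket 8 on a Servlet 3.1+ container (WebSphere 9) with SLF4J.
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.apache.wicket.Session;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.link.Link;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Logs creation/destruction of the container's HttpSession (hypothetical class name). */
@WebListener
public class SessionAuditListener implements HttpSessionListener {
    private static final Logger LOG = LoggerFactory.getLogger(SessionAuditListener.class);

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        LOG.info("HttpSession created: id={}", se.getSession().getId());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Fires for both Session.invalidate() (end of request cycle) and invalidateNow().
        // If this never logs on sign-out, the Wicket session is not reaching the container.
        LOG.info("HttpSession destroyed: id={}", se.getSession().getId());
    }
}

/** Hypothetical page with a sign-out link; "logout" is an assumed wicket:id. */
class LogoutPage extends WebPage {
    LogoutPage() {
        add(new Link<Void>("logout") {
            @Override
            public void onClick() {
                // invalidate(): the HttpSession is destroyed at the end of this request
                // cycle, so the redirect response can still be built; the container then
                // expires JSESSIONID. invalidateNow() would destroy it immediately instead.
                Session.get().invalidate();
                setResponsePage(getApplication().getHomePage());
            }
        });
    }

    /** Assumed hook invoked after credentials are verified (session fixation mitigation). */
    static void onAuthenticated() {
        Session.get().changeSessionId(); // new JSESSIONID, state is kept
        Session.get().bind();            // make the session permanent
    }
}
```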