[xwiki-users] Bug: logging out doesn't clear session?
Using XEM 1.9.3 or XE 2.0 M2.

If I logout and login again without closing the browser, the session resumes to the last page I was browsing. I don't know if that's a feature ("resuming your session") or a bug (not restarting at the dashboard).

But this also happens if I login as a different user using the same browser: it resumes the previous user's session.

And if that previous user had admin rights, when a user with no admin rights logs in it goes to the last page that the admin was browsing. If that page requires admin rights, it says "You are not allowed to view this document or perform this action."

Of course, it won't be often that one browser will be used for different login IDs, but it should not resume the session of another user when you log in.

Trevor
Trevor Russ wrote:
> Using XEM 1.9.3 or XE 2.0 M2.
>
> If I logout and login again without closing the browser, the session resumes to the last page I was browsing. I don't know if that's a feature ("resuming your session") or a bug (not restarting at the dashboard).
>
> But this also happens if I login as a different user using the same browser: it resumes the previous user's session.
>
> And if that previous user had admin rights, when a user with no admin rights logs in it goes to the last page that the admin was browsing. If that page requires admin rights, it says "You are not allowed to view this document or perform this action."
>
> Of course, it won't be often that one browser will be used for different login IDs, but it should not resume the session of another user when you log in.
This is not about the session, but a feature of our login form.

When trying to view a page that requires authentication, the login form is displayed, with a hidden input that identifies the page you tried to view. This is plain HTML, no session magic. After logging in, XWiki redirects you to the page you tried to view.

Now, the problem is that when logging out, you are also redirected back to the original document you were viewing. So, user A is logged in and is looking at document M. User A logs out, and since viewing the document requires an authenticated user, the login form is displayed, remembering document M as the visited document. When user B logs in, he simply sees the document which triggered the login form.

I think that both features are needed for a normal wiki: logging out displays the same document, logging in displays the same document.

If you don't like this behavior, then changing the login form so that it doesn't remember the previous document is easy, just edit /templates/login.vm and remove this line:

<input type="hidden" name="xredirect" value="$!request.xredirect"/>

--
Sergiu Dumitriu
http://purl.org/net/sergiu/
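An added illustration of the flow Sergiu describes, not XWiki's own code: the login form's hidden xredirect value carries the requested page through a logout and a second login, so user B lands on user A's last document and gets the access error Trevor saw. The Browser/view/login/logout names, the page paths, the USERS rights table and the site-local check in safe_local are assumptions of this example.

```python
# Added illustration (not XWiki code) of the xredirect flow; paths, USERS and safe_local are assumptions.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

DASHBOARD = "/xwiki/bin/view/Main/"
ADMIN_ONLY = {"/xwiki/bin/view/XWiki/XWikiPreferences"}   # constructed sample page
USERS = {"admin": {"admin"}, "bob": set()}                 # user -> rights (constructed)

@dataclass
class Browser:
    """One browser window: who is logged in, plus the hidden xredirect value
    of the login form currently shown (plain HTML, nothing kept in a session)."""
    user: Optional[str] = None
    form_xredirect: Optional[str] = None

def safe_local(path: Optional[str]) -> Optional[str]:
    """Accept only site-local paths so a hidden field cannot redirect off-site."""
    if not path or not path.startswith("/"):
        return None
    parts = urlsplit(path)   # "//host/x" parses with a netloc and is rejected
    return None if parts.scheme or parts.netloc else path

def view(b: Browser, page: str) -> str:
    """Anonymous viewer -> login form remembering the page; missing rights -> error."""
    if b.user is None:
        b.form_xredirect = page   # <input type="hidden" name="xredirect" value=page>
        return "login form"
    if page in ADMIN_ONLY and "admin" not in USERS[b.user]:
        return "You are not allowed to view this document or perform this action."
    return f"viewing {page}"

def login(b: Browser, user: str) -> str:
    """After login, redirect to the remembered page, else to the dashboard."""
    b.user = user
    target = safe_local(b.form_xredirect) or DASHBOARD
    b.form_xredirect = None
    return view(b, target)

def logout(b: Browser, page: str) -> str:
    """Logout redirects back to the page being viewed, which re-shows the login form."""
    b.user = None
    return view(b, page)

def trevors_scenario() -> str:
    """Admin views document M, logs out, then bob logs in from the same browser."""
    b, m = Browser(), "/xwiki/bin/view/XWiki/XWikiPreferences"
    login(b, "admin"); view(b, m)   # admin browses M
    logout(b, m)                    # back to M -> login form with xredirect=M
    return login(b, "bob")          # bob is sent to M and denied
```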
Sergiu,

Thanks for explaining this so well for me, it makes sense now how it does work. I had been thinking in the way of traditional "log in/work/log out" workflow that has a specific login or starting page, as opposed to a wiki model where you could login from any page.

Thanks again for your timely responses.

Trevor

On Tue, 25 Aug 2009 18:34:21 +0300 Sergiu Dumitriu wrote:
> This is not about the session, but a feature of our login form.
>
> When trying to view a page that requires authentication, the login form is displayed, with a hidden input that identifies the page you tried to view. This is plain HTML, no session magic.