Hawkular / HAWKULAR-1075

Command Gateway should care that the long living websockets have not lost authorization in between


    • Type: Task
    • Resolution: Unresolved
    • Priority: Major

      With HAWKULAR-1070 "Make Command Gateway independent of Hawkular Accounts" we stopped checking the credentials of the authenticated user during the lifespan of a websocket session. Session opening is the only point in time when the credentials are validated. If the user loses the authorization after he has opened a websocket session, in theory, the session can stay forever in spite of the fact that the user cannot authenticate anymore.

      Some mechanism should be introduced to solve this problem.

      Closing every session after a configurable timespan is one possible option.

            Assignee: Unassigned
            Reporter: Peter Palaga (ppalaga)
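The option proposed in the description, closing every session after a configurable timespan, sketched as an added example (not Hawkular code, and not from the reporter). It goes one step further and also re-checks authorization on each sweep; `SessionReaper`, the `is_authorized` callback and the `close(code, reason)` hook are hypothetical names standing in for whatever the gateway's transport and credential check provide.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

POLICY_VIOLATION = 1008  # RFC 6455 close code for a policy violation


@dataclass
class TrackedSession:
    session_id: str
    user: str
    opened_at: float
    close: Callable[[int, str], None]  # hypothetical transport hook: close(code, reason)


class SessionReaper:
    """Bounds how long a websocket can outlive the credential check done at open."""

    def __init__(self, is_authorized: Callable[[str], bool],
                 max_lifetime_s: float, clock: Callable[[], float] = time.monotonic):
        self._is_authorized = is_authorized    # hypothetical credential re-check
        self._max_lifetime_s = max_lifetime_s  # the configurable timespan
        self._clock = clock
        self._sessions: Dict[str, TrackedSession] = {}

    def register(self, session_id: str, user: str, close: Callable[[int, str], None]) -> None:
        # Same check the gateway already performs when the session is opened.
        if not self._is_authorized(user):
            raise PermissionError(f"{user} is not authorized")
        self._sessions[session_id] = TrackedSession(session_id, user, self._clock(), close)

    def unregister(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)

    def sweep(self) -> List[str]:
        """Call periodically from a timer; returns the ids of the sessions it closed."""
        now, closed = self._clock(), []
        for s in list(self._sessions.values()):
            if now - s.opened_at >= self._max_lifetime_s:
                reason = "max session lifetime reached"  # client must reconnect and re-authenticate
            elif not self._is_authorized(s.user):
                reason = "authorization revoked"
            else:
                continue
            try:
                s.close(POLICY_VIOLATION, reason)
            finally:
                # Stop tracking the session even if the transport close fails.
                del self._sessions[s.session_id]
            closed.append(s.session_id)
        return closed
```

With the lifetime cap alone, a revoked user keeps access for at most `max_lifetime_s`; with the re-check as well, the exposure window shrinks to the sweep interval.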