We get the attached NPE when a user logs out.
Apparently what happens is that there are multiple concurrent requests to one session: one "regular" request and a logout request. The logout request calls Session.get().invalidate(), so the session is invalidated at the end of the request. If this happens when "regular" request is already past the authentication check, it will retrieve the session with a now-invalid cookie, resulting in the creation of a new Session object with a null id. This is then put in a PageKey object for an EventBus subscription. When another, unrelated user logs out, EventBus iterates all PageKey-s and chokes on the one that has a null sessionId.