Same sessionid after invalidating session



Hi, I have an issue related to the change of JSESSIONID on login.

I am working on an ATG ecommerce application, where I am using jboss-eap-4.2 server and ATG9.1.

It is necessary to have the session invalidated so after logging out no protected resources can be accessed. The Session ID itself can be viewed as a piece of private information that was associated with the authenticated user session.

I will still need to change it again after logging in to be secure.

Struts2, JSP, and Java are the technologies I am using for my apps.