[jboss-jira] [JBoss JIRA] Resolved: (JBAS-4436) session.getSession(true) does not create new sessionID after invalidation

session.getSession(true) does not create new sessionID after invalidation ------------------------------------------------------------------------- Key: JBAS-4436 URL: http://jira.jboss.com/jira/browse/JBAS-4436 Project: JBoss Application Server Issue Type: Bug Security Level: Public(Everyone can see) Components: Web (Tomcat) service Affects Versions: JBossAS-4.0.3 SP1 Environment: JBoss 4.03SP1 running on java version 1.5.0_10, server is a standard SuSE 10 linux Reporter: Ludwig Adam Assigned To: Remy Maucherat It is not possible to generate new session IDs as expected and stated in the servlet specification. A call of HttpSession.invalidate() unbounds all objects attached to the session but does not set the session to invalid. Sample Code: public class SessionTest extends HttpServlet { protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException { HttpSession curSession=httpServletRequest.getSession(); String prevSession = curSession.getId(); curSession.invalidate(); // Should invalidate session curSession= httpServletRequest.getSession(true); // Should return new valid session, but returns old session instead String newSession= curSession.getId(); boolean testCondition = prevSession.equals(newSession); // is true } } EDIT: I am not sure if this affects versions higher than 4.03 as well