Jean-Frederic Clere commented on AS7-5315:
------------------------------------------
org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH="true"
will automatically change the SessionID on login (since EAP6).
It's not possible to regenerate the SessionID to prevent a Session Fixation attack
----------------------------------------------------------------------------
Key: AS7-5315
URL: https://issues.jboss.org/browse/AS7-5315
Project: Application Server 7
Issue Type: Feature Request
Components: Security, Web
Affects Versions: 7.1.1.Final
Environment: JBoss 7.1.1.Final, JAAS, Windows 7
Reporter: Endrigo Antonini
Assignee: Jean-Frederic Clere
Labels: JAAS, Security, Session, SessionFixation, SessionHijack
I tried to find a way to regenerate the Session ID.
The server generates the "sessionId" when the user opens the login page. After
the whole "authentication process" inside the secured system, the user still has
the same "sessionId".
This is a security problem. It allows an ill-intentioned person to hijack the user's
session, consequently giving this person all the permissions that the hijacked session has.
The link below shows a possible way to fix that inside the program. The problem is that
this code doesn't work on JBoss.
https://www.owasp.org/index.php/Session_Fixation_in_Java
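As an added illustration (not code from this issue, from JBoss or from Tomcat), here is a hypothetical helper that does at application level what the reporter asks for and what the linked OWASP page describes: on successful login, drop the session ID the browser had before authentication and continue in a fresh session. The class and method names (`SessionRenewal`, `renew`) are my own; the system property in the comment above is the container-wide way to get the same effect without application code.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (not JBoss/Tomcat code) that renews the session identifier
 * after a successful login. Any session ID the client held before authenticating
 * (the ID a fixation attempt relies on) is invalidated on the server, so only the
 * freshly issued ID is bound to the authenticated user. Uses only Servlet 3.0 API,
 * which JBoss AS 7.1 provides; the container-wide alternative is the system property
 * org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH=true.
 */
public final class SessionRenewal {

    private SessionRenewal() {}

    /** Call this right after the login has been verified, before writing the response. */
    public static HttpSession renew(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            // No pre-login session exists, so there is nothing to fixate on.
            return request.getSession(true);
        }

        // Preserve the application's own pre-login state (e.g. a shopping cart).
        // Copy only attributes your application set; anything the client could have
        // influenced before login should not be trusted in the authenticated session.
        Map<String, Object> saved = new HashMap<String, Object>();
        Enumeration<String> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            saved.put(name, old.getAttribute(name));
        }

        String oldId = old.getId();
        old.invalidate();                      // server forgets the pre-login ID
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }

        // Defensive check: a container that hands back the same ID has not
        // actually protected the login against fixation.
        if (fresh.getId().equals(oldId)) {
            throw new IllegalStateException("container reused the session id after invalidate()");
        }
        return fresh;
    }
}
```

The check at the end is what this issue is really about: if the container silently reuses the ID (or the application never calls a renewal step at all), the authenticated user keeps the pre-login session identifier.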