Stuart Douglas commented on WFLY-4165:
--------------------------------------
Fixed in undertow upstream
Invalidating another session removes the JSESSIONID cookie of the
current session
---------------------------------------------------------------------------------
Key: WFLY-4165
URL: https://issues.jboss.org/browse/WFLY-4165
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Affects Versions: 8.1.0.Final, 8.2.0.Final
Environment: WildFly 8.1.0.Final and WildFly 8.2.0.Final on Windows 7 x64
JDK 8u25
Session storage set to Cookie
Reporter: Nicolas Grussenmeyer
Assignee: Stuart Douglas
When calling {{invalidate()}} on an HttpSession object of a session other than the current
one, the server sends back a "cookie expired" header {{Set-Cookie:
JSESSIONID=XXXXXXXX; path=/; HttpOnly; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT}}
where XXXXXXXX is the session id of the invalidated session.

This results in the current JSESSIONID cookie being discarded by the browser, and the
current session being lost.

I was able to narrow the "problem" down to
{{[io.undertow.servlet.spec.HttpSessionImpl:193|https://github.com/undertow-io/undertow/blob/1.0.15.Final/servlet/src/main/java/io/undertow/servlet/spec/HttpSessionImpl.java#L193]}}
(in Undertow 1.0.15.Final), where the ServletRequestContext is taken from the ThreadLocal
storage, returning the current request context instead of null (as the target session is
not associated with the current ServletRequestContext).

A workaround is to call {{invalidate()}} in a new Thread, so the retrieved
ServletRequestContext is null.
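
The root cause described in the report, reduced to a self-contained Java model (an added example, not Undertow's code and not the upstream fix). `RequestContext`, `Session`, `CURRENT` and both `invalidate*` methods are hypothetical stand-ins, and the session ids are constructed; the model shows the reported behaviour, the new-thread workaround, and one possible ownership check before the expiry cookie is written.

```java
import java.util.ArrayList;
import java.util.List;
public class SessionInvalidateModel {
    // Hypothetical stand-in for the per-request context kept in thread-local storage.
    static final class RequestContext {
        final String sessionId;                        // session bound to this request
        final List<String> setCookie = new ArrayList<>(); // Set-Cookie headers of the response
        RequestContext(String sessionId) { this.sessionId = sessionId; }
    }
    static final ThreadLocal<RequestContext> CURRENT = new ThreadLocal<>();
    static final class Session {
        final String id;
        Session(String id) { this.id = id; }
        // Behaviour from the report: any non-null thread-local context receives the
        // expiry cookie, even when this session does not belong to that request.
        void invalidateAsReported() {
            RequestContext ctx = CURRENT.get();
            if (ctx != null) expire(ctx);
        }
        // Guarded variant (assumption): expire the cookie only for the request's own session.
        void invalidateGuarded() {
            RequestContext ctx = CURRENT.get();
            if (ctx != null && id.equals(ctx.sessionId)) expire(ctx);
        }
        private void expire(RequestContext ctx) {
            ctx.setCookie.add("JSESSIONID=" + id + "; path=/; HttpOnly; Max-Age=0");
        }
    }
    public static void main(String[] args) throws InterruptedException {
        Session other = new Session("other-session-id");   // constructed sample id

        // 1. Same thread: the current response gets a JSESSIONID expiry header.
        RequestContext a = new RequestContext("current-session-id");
        CURRENT.set(a);
        other.invalidateAsReported();
        System.out.println("as reported: " + a.setCookie);

        // 2. Workaround: a new thread has no thread-local context, so nothing is written.
        RequestContext b = new RequestContext("current-session-id");
        CURRENT.set(b);
        Thread t = new Thread(other::invalidateAsReported);
        t.start();
        t.join();
        System.out.println("new thread:  " + b.setCookie);

        // 3. Ownership check: the foreign session leaves the current response untouched.
        RequestContext c = new RequestContext("current-session-id");
        CURRENT.set(c);
        other.invalidateGuarded();
        System.out.println("guarded:     " + c.setCookie);
    }
}
```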