"fguerzoni" wrote : forcing a pre-login session invalidation and a new session creation (request.getSession(true)) as soon as client authenticates. Old session data should then be copied to new session. | In this case a new sessionId cookie will be sent to client: client will use this ticket during next requests. I think the changes for this JBSEAM-1361 cover Gavin's proposal in this forum topic, but note that existing session data might not be preserved. The session is invalidated using Seam#invalidateSession(), and I think at that point any old session data is lost. But: I'm not sure; comments welcome! Arjan. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4050742#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...