Hi sundartri, After you invalidate the session, also delete the cookie that is tracking the session. This way you will get a new sessionId when the next time you call request.getSession(true). In my case, I'm using JBoss 4.0.3SP1 and the cookie name is JSESSIONID. use cookie.setMaxAge(0) will delete the cookie. That should do the trick. Good Luck. Dave. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3957871#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...