I do not see a clear point why it is necessary to have the session id changed or cleared after logout. Why does this requirement verify only the logout part?
HttpSession session = request.getSession(false);
if (session != null) {
    session.invalidate(); // Invalidate the existing session. You may want to add an additional check to see if the current user is logging in a second time, and retain the original session in that case.
}
This exception occurs when the session times out and the same user logs in to the application once again using the same browser instance and starts using the functions.
If you track logged-in users in the DB as well, it's better to set a boolean there in the DB which is then checked on every request.
This way it will also work without much pain on distributed systems and won't result in surprises (exceptions) when the session gets invalidated in the midst of a request.
Thank you for your answer. I'm already storing some info for each connected user with their session ID in an Application-scoped managed bean; this already serves for getting a read-only view of all active sessions with connected users.
not tied to any user account or is holding any private data, etc).
If you were reviewing an application against the ASVS standard and you noticed that the Session ID had changed on logout, you can be pretty sure that all session data has been cleared and is no longer available from the client.
// Example: When the user logs in to the application after the session times out, we may not need his previous session data and we need to create a new session for the user.
and I am able to see the previous session data in the JSP pages.
I have also implemented session.invalidate in the Logout Servlet too.
Dhana
The best piece of advice I can give with regards to the session is not to rely on it too much.
For example, the Java Web Server has the ability to revert to using URL rewriting when cookies fail, and it allows session objects to be written to the server's disk as memory fills up or when the server shuts down.
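The login and logout handling discussed above (rotating the id on login so that a timed-out or pre-existing session's data cannot leak into the new one, and invalidating it on logout so the ASVS check in the earlier reply holds), written out as an added example against the Java servlet API; this is not code from any post in the thread, and the JSESSIONID cookie name and the /login redirect target are assumptions.

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not code from the thread. Helpers a LoginServlet and
// LogoutServlet would call once credentials have been checked elsewhere.
public final class SessionLifecycle {

    private SessionLifecycle() {}

    /** Call after credentials are verified. Drops whatever session the browser
     *  presented and issues a fresh id, so neither stale attributes from a
     *  timed-out session nor a pre-planted id (session fixation) survive. */
    public static HttpSession loginSession(HttpServletRequest req, String user) {
        HttpSession old = req.getSession(false); // null if the container already expired it
        if (old != null) {
            old.invalidate();                    // old attributes are gone server-side
        }
        HttpSession fresh = req.getSession(true); // new session => new id
        fresh.setAttribute("user", user);
        fresh.setMaxInactiveInterval(15 * 60);    // idle timeout in seconds
        return fresh;
    }

    /** Invalidate server-side state and tell the browser to drop the cookie,
     *  so the stale id is neither usable nor resent on the next request. */
    public static void logoutSession(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        Cookie cookie = new Cookie("JSESSIONID", ""); // assumed cookie name
        cookie.setMaxAge(0);                          // expire immediately
        cookie.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        cookie.setHttpOnly(true);
        resp.addCookie(cookie);
        resp.sendRedirect(req.getContextPath() + "/login"); // assumed target
    }

    /** Per-request guard: after logout or timeout getSession(false) is null, so
     *  pages must not read session attributes without this check. */
    public static String currentUser(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session == null ? null : (String) session.getAttribute("user");
    }
}
```

A JSP that still shows old data after re-login is usually reading a session the container created implicitly; using currentUser() and the explicit invalidate-then-create order above avoids that.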