Tomcat not invalidating sessions
If the old session id was stored in a cookie it creates a new session using the old session id: The only way to prevent this is to call request.
Requested Session Id(null) befor calling Session Internal(true) This causes a manager.create Session(null) call in the Get Session(), which generates a new session ID.
When I say life cycle, I can hear you murmur “Oh no not again, how many life cycles I have to deal with”!
For example, the Java Web Server has the ability to revert to using URL rewriting when cookies fail, and it allows session objects to be written to the server's disk as memory fills up or when the server shuts down.At the end of that article I have given a preview about “5. An elite way to manage the session in servlets is to use API.Any web server supporting servlets will eventually have to implement the servlet API.But we believe, as your teacher probably did, that you better understand the concepts after first learning the traditional approach.The Session Tracking API, as we call the portion of the Servlet API devoted to session tracking, should be supported in any web server that supports servlets.