Dear All
I don't know it is a bug or something else.
session.invalidate();
Its does not make sense to call session.invalidate from the login page as this is equivalent to doing a logout. It kills the session that was created for the current login process.