As I guess there is known issues with jsession id. JBoss does not genereate a new session id after logout(in the same brwoser) or browser uses same session id for all user's login. Session id is alive till max session period specified in web.xml. Actually I am using Seam framework, and while logout we call Seam.invalidateSession() method to invalidate session but after debuuging I found that browser was using same session id after logout and all the session variables are alive (that must be unbounded after logout). I have also tried Identity.instance().logout(), unfortunately it is also not working.
I want to know how can we unbound all session varible and avoid session hijack or cookies theft.