May I ask what you're doing at a higher level that makes you want to invalidate the session?
In my experience, I've always found the HttpSession.invalidate() call to be more trouble than it's worth. Generally when I want to mark a session as "logged in" I will insert a User attribute into it:
and when the user logs out, I'll remove that object:
Could this work in your situation, or are your needs different?
thanks for the quick response. We have decided to use a logical session management similar to what you have described above. So we do not use the session.invalidate() anymore.