I just upgraded from JBoss AS 4.0.5 to 5.1.0 and I'm experiencing some strange behavior. Our user login process calls HttpSession.invalidate() on any existing session, followed by HttpServletRequest.getSession(true) to create a new session for the new login.
However, the getSession() call is returning the same session ID as the previous (invalidated) session, whereas every session ID is supposed to be unique. This causes problems when we insert the session ID into our database login history table, and means that the user can't log in a second time.
Is there a reason why the server is re-using session IDs when it shouldn't?
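
The login sequence described in the question, with a check for the failure it reports, as an added example that is not the poster's code. It rotates the session and refuses to continue if the container hands back the invalidated ID, so a reused ID is caught before it is written to a login history table. The class name `SessionRotation` and method `rotate` are hypothetical; the code assumes the `javax.servlet` API that JBoss AS 5 provides.

```java
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: call it from the login handler before storing the session ID. */
public final class SessionRotation {

    private SessionRotation() {
    }

    /**
     * Invalidates any existing session, creates a new one, and fails closed
     * when the new session carries the same ID as the one just invalidated.
     */
    public static HttpSession rotate(HttpServletRequest request) throws ServletException {
        String oldId = null;

        // getSession(false) avoids creating a session only to destroy it.
        HttpSession old = request.getSession(false);
        if (old != null) {
            oldId = old.getId();
            old.invalidate();
        }

        HttpSession fresh = request.getSession(true);

        // A reused ID means the pre-login identifier survived authentication,
        // which is the precondition for session fixation and also breaks any
        // table that treats the session ID as a unique key.
        if (oldId != null && oldId.equals(fresh.getId())) {
            fresh.invalidate();
            throw new ServletException(
                    "Session ID was not regenerated after invalidate()");
        }
        return fresh;
    }
}
```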