Even if I say session.invalidate(); it is still able to display the same session Id.
How are you getting hold of the session id after invalidating the session? Can you post the relevant code? Also which exact version of JBoss AS?
I am using JBOSS AS version # 4.0.3
Here is what I did:
<%
    String name1 = (String) request.getParameter("dropDown");
    String myName1 = (String) request.getAttribute("myName");
%>
<script type="text/javascript">
    alert("session id is <%=session.getId()%>");
    alert("name1 & myName1 is <%=name1%> , <%=myName1%>");
</script>
I'm able to see the values of the session Id and name1 and myName1!
Is there any news on this? I am experiencing the same issue: even if the session is invalidated and a new session is created, the session id stays the same as long as the same browser is used.
I ran into this while trying to fix the "Portal session expiration should invalidate portlet webapps sessions" issue (https://jira.jboss.org/jira/browse/JBPORTAL-2030) by applying http://fisheye.jboss.org/changelog/Portal/?cs=11742 on JBoss Portal 2.6.2GA. I added session id logging to the SessionListener's sessionCreated and sessionDestroyed methods, and when the portal session for user1 expires the following happens:
- the SessionListener reports that session with ID1 has expired
- when requesting a protected page, JAAS kicks in, redirecting me to my login page (I'm using FORM authentication), and the SessionListener reports that a session with the same id as the previously destroyed session is created
- after successful login the page requested by user1 is displayed, also when the login is made by a different user
Why is the session id kept the same (is that normal or not)?
Is maintaining the redirection url even if the user changes considered normal?
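The listener-based logging described in the last post can be extended to flag reuse automatically. The following is an added example, not code from the thread or from JBoss Portal: a listener that remembers destroyed session ids and warns when a new session is created with one of them. The class name, log format and tracking limit are assumptions, and it targets the javax.servlet API and is registered with a <listener> element in web.xml.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical listener: detects a destroyed session id being handed out again. */
public class SessionIdReuseListener implements HttpSessionListener {

    private static final Logger LOG = Logger.getLogger("session-audit");
    private static final int MAX_TRACKED = 10000; // assumed bound on remembered ids

    // Destroyed id -> time of destruction; oldest entries are evicted first.
    private static final Map<String, Long> DESTROYED = Collections.synchronizedMap(
        new LinkedHashMap<String, Long>(256, 0.75f, false) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Long> eldest) {
                return size() > MAX_TRACKED;
            }
        });

    public void sessionCreated(HttpSessionEvent event) {
        String id = event.getSession().getId();
        Long destroyedAt = DESTROYED.remove(id);
        if (destroyedAt != null) {
            long gapMs = System.currentTimeMillis() - destroyedAt.longValue();
            LOG.warning("session id " + mask(id) + " reused " + gapMs
                + " ms after the previous session with that id was destroyed");
        } else {
            LOG.info("session created: " + mask(id));
        }
    }

    public void sessionDestroyed(HttpSessionEvent event) {
        String id = event.getSession().getId();
        DESTROYED.put(id, Long.valueOf(System.currentTimeMillis()));
        LOG.info("session destroyed: " + mask(id));
    }

    // Log only a prefix so the audit log cannot be used to replay a live session.
    static String mask(String id) {
        return id.length() <= 8 ? "********" : id.substring(0, 8) + "...";
    }
}
```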