You can't create a new SessionID when you have received a SessionID in the request.
Thank you for reply.
I could understand it is impossible to create a new SessionID under JBoss.
Are there any recommendation way to prevent Session Fixation Attack under JBoss?
If there are any recommendation way, could you please teach it to me ?