Same sessionid after invalidating session
My request object flows from the 1st page to the 2nd page, from the 2nd page back to the 1st page, again from the 1st page to the 2nd page, and then from the 2nd page to the 2nd page again. The request page cannot be changed, but every time a request goes from the 1st page to the 2nd page we need to fetch the details to the session, invalidate it, and create it again.
They fear a scenario where a different user can do a back and refresh on same browser and use previous user's session.
If you were reviewing an application against the ASVS standard and you noticed that the Session ID had changed on logout, you can be pretty sure that all session data has been cleared and is no longer available from the client.
Yes, technically it is possible to code a system to migrate any session data to the new session, but as there is no real reason to do this it is a good measure of the quality of the application's session handling.
User enters his user id and password and is logged in.
He then browses to another page and clicks Exit to logout.
So let me know of a way of invalidating the existing JSESSIONID cookie once session.invalidate has been called.
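A logout handler covering the points raised above, as an added example that is not part of the original posts. It assumes a Servlet 5+ container (`jakarta.servlet`), the default session cookie name `JSESSIONID`, and hypothetical `/logout` and `/login` paths.

```java
import java.io.IOException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

// Hypothetical logout endpoint; "/logout" and "/login" are assumed paths.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // getSession(false): do not create a session just to destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Discards the server-side state; the old ID no longer maps to any data.
            session.invalidate();
        }

        // invalidate() does not touch the cookie held by the browser, so overwrite
        // it with an empty, already-expired one. The name and path must match the
        // cookie the container issued (assumed here: default name, context path).
        String contextPath = request.getContextPath();
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setPath(contextPath.isEmpty() ? "/" : contextPath);
        expired.setMaxAge(0);              // 0 tells the browser to delete it
        expired.setHttpOnly(true);
        expired.setSecure(request.isSecure());
        response.addCookie(expired);

        // Keep this response out of the browser cache. Authenticated pages need
        // the same header, or back/refresh can redisplay the previous user's pages.
        response.setHeader("Cache-Control", "no-store");

        response.sendRedirect(contextPath + "/login");
    }
}
```

If the login page creates a session, the container issues a fresh ID at that point, which is the change on logout that the ASVS remark above treats as the sign of correct session handling.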